The terminal server profile is stored as part of
the userParameters blob. This attribute is made of a number of other settings,
not just terminal server specific ones. You can manipulate these settings via
WTSSetUserConfig()
BOOL WTSSetUserConfig( LPTSTR
pServerName, LPTSTR pUserName,
A few items to note.
1) This appears to be a domain based DFS root\link which is located at :
d:\public\geos2
2) It also appears that you may be scanning d:\public\geos2 with some type
of anti-virus solution, hence the event ID 13567, when the AV software
checks these files, FRS is triggered and
It is indeed NOT a good thing.
I would not do this.
FRS is not meant to replicate this type of dynamic data (profiles) you may
experience data loss or perhaps FRS breakdowns (depending on size, number of
files, and amount of change per file).
Clarification on the data loss - this would not be
Title: [ActiveDir] Group Policy at the Site Level With Remote VPN Users - Wrong Site Applied
See http://support.microsoft.com/?id=816045
- Original Message -
From:
Jeff Salisbury
To: '[EMAIL PROTECTED]'
Sent: Wednesday, June 02, 2004 10:32
PM
Subject: RE:
http://www.microsoft.com/downloads/details.aspx?FamilyID=8cde4028-e247-45be-bab9-ac851fc166a4DisplayLang=en
or
http://support.microsoft.com/default.aspx?scid=kb;en-us;824209Product=winsvr2003
you may want to look at these..
-steve
- Original Message -
From: Kern, Tom [EMAIL
There is also an app called CConnect - or concurrent connections. This
requires a SQL backend (or msde I suppose) but the next version will use
NDNC's if I recall.
See http://support.microsoft.com/?kbid=237282
-steve
- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To:
Here is a (cheap hack) way:
copy the text below to a script:
'
set events = getobject(winmgmts:\\.).ExecNotificationQuery(select * from
__instancedeletionevent within 2 where targetinstance isa 'win32_process'
and targetinstance.name =
If you simply want:
Same users\groups
Same OU structure
Same GPO's
I highly suggest you look at GPMC (group policy mgmt console) scripts...
CreateEnvironmentFromXML.wsf
CreateXMLFromEnvironment.wsf
-steve
- Original Message -
From: Glenn Corbett [EMAIL PROTECTED]
To: [EMAIL
Do you have the full text for the 12294 error? The
error data may be of interest here.
- Original Message -
From:
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 15, 2004 8:57
AM
Subject: [ActiveDir] NTDS Replication
Problems
Here is something
How does this one relate specifically to restricted groups? This applies to
a whole slew of items.. the worst offender IMO being a hub and spoke topo
with file system permissions being pushed down to sysvol or dfs link\root
which is replicated.
-steve
- Original Message -
From: joe
Windows Server 2003 - if you are at forest
functionality level 2, will allow a domain rename.
That may be a reason
to move.. is that what you are asking?
- Original Message -
From:
Ken Rinehart
To: [EMAIL PROTECTED]
Sent: Tuesday, June 22, 2004
I may be a bit off here on the scenario thought i'd comment.
1. You can do an Auth restore without a non-auth restore in Simon's
scenario.
2. If this is Win2k3 you could optionally re-animate the object from the
deleted items, and we retain the SID as well as a few other key (relative)
attributes
On the wildly off chance that you are running XP RTM - also see
http://support.microsoft.com/default.aspx?scid=kb;en-us;320258
- Original Message -
From: Bob Free [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 06, 2004 2:08 PM
Subject: Re: [ActiveDir] Having Activer
DISABLE_OUTBOUND_REPL will just refuse the sync request. If you want it to
override it you can use /force option.
- Original Message -
From: Graham Turner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, July 07, 2004 10:59 AM
Subject: [ActiveDir] disable_outbound_repl
just
seems to disable intrasite in my test...
repadmin running command /options against server
Criscolablpr06.Stevechild.Stevedom.Stevedns.Criscolab
Current DC Options: DISABLE_OUTBOUND_REPL
---
Replicate Now
---
The following error occurred during
in 2003 you can use
redircmp.exe
or
redirusr.exe
C:\WINDOWS\system32>redircmp.exe /?
Usage:
redircmp CONTAINER-DN
where CONTAINER-DN is the distinguished name of the container
that will become the default location for newly created computer objects
Note: The domain functional
aware of this. I'm trying to figure understand if the manual change
will work in 2k domains/dcs.
--Brian
-Original Message-
From: Steve Patrick [mailto:[EMAIL PROTECTED]
Sent: Sun 7/11/2004 1:20 AM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: [ActiveDir] Redirecting Comps
in 2003 you can
You can indeed have a user be a power user - or even an admin, and remove
the ability to create shares.
Bruce already pointed out, if they are not power users or admins then they
already cannot create file\print shares.
There is a registry value called SrvsvcShareFileInfo under
a generic SD modifer tool, you point at the binary store and
it
yanks out the value and displays it or modifies it. I may actually make,
inshock a gui! /inshock. :o)
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Friday, July
Have you investigated why your DIT is over 20 gigs? IMO this is abnormal for
MOST orgs..
-steve
- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, August 07, 2004 11:28 AM
Subject: RE: [ActiveDir] W2K DC Performance - ADC Failure
Ok if
Can you elaborate on the sentence:
" But a few
days ago, I had to reinstall my AD exchange server due to AD crash. After
that, I was unable to generate ssl cert."
Was the Certificate Server installed prior or after
that event?
I assume you installed an Enterprise CA -
please correct me
Can you enable Schannel logs per http://support.microsoft.com/default.aspx?scid=kb;EN-US;260729 and
then make the app and system logs available?
-steve
- Original Message -
From:
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 26, 2004 3:09
PM
Hi Eric
You can get client site information from
nltest.exe:
C:\>nltest /DSGETSITE
other
The command completed successfully
You could call DsGetSiteName() directly as
well.
You can also parse the registry entry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Hi Tim,
Allow me to summarize and see if we are on the same
page :)
AD domain name: childdomain.domain.com
Primary DNS suffix for DC1 and DC2:
domain.com
Out of curiosity - is there an AD domain called
"domain.com"?
I assume that at some point "... a number of years
ago" someone
Not a great situation there, if it were me I would probably back my CA
services, DB, logs, registry and key(s) - then uninstall the service.
Disjoin the machine , rejoin - reinstall cert services and follow
procedures like:
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q298138
my
input.
Tim
From: Steve Patrick
[mailto:[EMAIL PROTECTED]
Sent: Saturday, August 28, 2004 11:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] DC DNS Suffix does not match Domain's DNS Suffix
Hi Tim,
Allow me to summarize and see if
we
Hi Brian
Be careful about adding acls to the domain head like this - it can result in
a large increase to the size of your database (in Win2k - 2k3 fixes this via
an improved single instance store)
As for your how to...
Go to the domain head - properties, security.
Go to Advanced, click ADD
In XP Sp2 there is a reg key to prevent USB drives
IN A LIMITED SCENARIO from loading...
This is NOT a GPO but you can push it via GPO\ADM
etc.. ( tattoo)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
Data Type: DWORD
Value Name: WriteProtect
Value: 1
Also
Dunno if this is still a problem for you - but if it is:
Given that SYSVOL is really just a dfs root - is the DFS service running on
the DC?
If this were me I would:
Install Ethereal on a client (free net sniffer)
Run ipconfig /flushdns
Run klist purge - say yes to purge all tickets
Start the
If you are only concerned about the RSL - does it help to know that in XP
and greater this isnt an issue?
http://support.microsoft.com/default.aspx?scid=kb;en-us;292726
steve
- Original Message -
From: Brett Shirley [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday,
Hi
In order to deploy user certificates (versus machine) you need to use a
Win2k3 CA. It is not clear from your mail which type you need to deploy,
user versus machine, so I just thought I would mention it.
steve
- Original Message -
From: Halonen Sami [EMAIL PROTECTED]
To:
For users\groups you can use a security filter as
opposed to a WMI filter.
see http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=
steve patrick
- Original Message -
From:
Jason B
To: ActiveDir@mail.
If you installed the CA on the PDC then did you
install it as an Enterprise CA?
If this is a production environment you should
really understand the PKI needs for your company currently,
and any future plans.
In a nutshell you need a Domain Controller
cert or Server Auth cert on the DC with the
See
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_dfs_how.asp
for info and controlling it in 2k3
In windows 2000 you can use
Just a note - you can find where the
object was deleted from in 2k or 2k3 by looking at the metadata via repadmin
/showmeta on the deleted object. You can pass it the objectGuid had via
looking at the deleted object. If you had auditing cranked up for AD then you
should be able to hit
There is sample code in the PSDK
- Original Message -
From:
IAN FRASER
To: ActiveDir@mail.activedir.org
Sent: Monday, May 31, 2004 10:03 AM
Subject: [ActiveDir] Display
Specifiers
Hi
I've knocked together a few custom scripts to against a
#16 Looks like this has been around since early 2004 ( i dont have a non SP1
2003 DC to test on right now)
Basically you set the first bit on the flags attribute of the Display
Specifiers object - cn=Display Specifiers,cn=Configuration etc... and then
it will disable drag and drop.
#15 - You
HA!
My email was sorted backwards in date.,. sorry bout
this.
steve
- Original Message -
From:
Steve
Patrick
To: ActiveDir@mail.activedir.org
Sent: Saturday, April 02, 2005 7:47
AM
Subject: Re: [ActiveDir] Display
Specifiers
There is sample code
correct.
Your first case uses implicit mapping - it requires
the UPN of the user match the AltSubjectName in the cert.
Your 2nd and 3rd case are correct as
well.
Here are some more links for you:
Step-by-Step Guide to Mapping Certificates to User
SC.EXE can reset the perms on the SCM
See http://blogs.msdn.com/spatdsg/archive/2005/05/20/420624.aspx
C:\>sc sdshow scmanager
This is SP1 info
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
This is the RTM info:
Curious. What kind of pruning are you talking about?
steve
- Original Message -
From: Dean Wells [EMAIL PROTECTED]
To: Send - AD mailing list [EMAIL PROTECTED]
Sent: Monday, June 13, 2005 12:11 PM
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line
The pruning is undocumented
Did you verify that you had proper settings under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT\Performance
Perhaps export the key and paste it in here?
steve
- Original Message -
From: WILLIAMS, J.D. [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday,
Message-
From: Steve Patrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 14, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ESE Perf Mon problems
Did you verify that you had proper settings under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT\Performance
counter info)
lodctr %systemroot%\system32\esentprf.ini
steve
- Original Message -
From: Steve Patrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, June 15, 2005 6:40 PM
Subject: Re: [ActiveDir] ESE Perf Mon problems
remove the value for Disable Performance
Be careful here as you have possible data loss - I suggest contacting PSS as
there is some experience with this situation and you may be able to recover
the data from the CSC info you mentioned.
If I recall they were adding some switches to CSCUtil to deal with this.
my .02
steve
-
A few questions:
1. The Enterprise CA is running on 2003 Sp1 - is this 2003 Standard or
Enterprise editions OS?
2. When you open the MMC for cert templates - do you see the templates
available?
3. If you run this cmd: certutil -template what is the output?
4. If you run certutil -config
What OS and what Service pack are all DC's at?
steve
- Original Message -
From: Devan Pala [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, June 27, 2005 3:01 PM
Subject: [ActiveDir] Default Domain Policy Issues
Hi all,
After making changes to the Password Policy
So even though you are replicating fine both ways and you don't see any real
problem - you want to open a PSS case for this error in a debug log?
Is this a consistent error in your FRS logs or was it a one time error? I
dunno - just seems kinda silly to me to tshoot something which may have been
a
Sonar and Ultrasound may indeed tell you everything is OK - since FRS is
actually doing its job (replicating the data back in properly)
However you could have enough latency in site replication where something
(like the AD in some cases) is causing the file to be replicated back out
towards the
One more thing - since you are on Win2k you might as well make sure you are
on the latest Win2k FRS version - which is 896712 (youll need to call into
PSS to get this one)
steve
- Original Message -
From: Steve Patrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday
in the
domain.
I'm hoping this will work, already put in a change for bouncing all DC's
tonight. Then put up a case for recovering the cost for the call.
Will keep you posted.
Thanks,
Devan.
Original Message Follows
From: Steve Patrick [EMAIL PROTECTED]
Reply-To: ActiveDir
Of Steve Patrick
Sent: Sunday, July 24, 2005 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find creator of computer account?
You may want to test setting this policy on the DC's
Computer Configuration \ Windows Settings \ Local Policies \ Security
Option
Ha! Nice response...
On another note - GPMC has built in APIs for this and there is a script
included with it that will export your OU,groups and users as well as GPO's
of course, to an XML file and then you can use that to reimport.
I cant recall the name of it right now.. something about
Check out Dsrevoke.exe:
http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda-b0e4-c2093b8d6383DisplayLang=en
From the docs and stuff..
Dsrevoke is a command-line tool that can be used on domain controllers that
are running Windows Server 2003 or Windows 2000 Server
In the Scheduled Tasks UI - goto Advanced and view log what shows up?
steve
- Original Message -
From: Cothern Jeff D. Team EITC [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, August 12, 2005 3:30 PM
Subject: RE: [ActiveDir] Task scheduler
Nothing is showing up in
Sorry about the name - I just setup my new computer and email last night -
not trying to mask myself or anything.
steve patrick
- Original Message -
From: me [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, August 19, 2005 8:08 AM
Subject: Re: [ActiveDir] OMG
If the target is XP+ something like:
wmic /output:data.htm path
Win32_PerfFormattedData_PerfProc_Process GET PercentProcessorTime,NAME
/FORMAT:htable.xsl start data.htm
Might work for you - you can even target machines
remotely with the /NODE switch.
Leave off the /format param if you
This is by design (albeit bad IMO)
IIRC this wont occur if 3 or fewer profiles
sync , due to design.
steve
- Original Message -
From:
Noah Eiger
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 08, 2005 6:24
PM
Subject: [ActiveDir] Offline Files
://support.microsoft.com/default.aspx?scid=kb;en-us;811660
steve patrick
[EMAIL PROTECTED]
st.netTo
Sent by: ActiveDir@mail.activedir.org
[EMAIL PROTECTED
perhaps the following reg key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing
steve
- Original Message -
From: Creamer, Mark [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, September 25, 2005 6:52 AM
Subject: [ActiveDir] OT: TS Security Warning and GPO
We
There is no hardcoded limitation on DN - there is a max 255 RDN length.
steve
- Original Message -
From: Chuck Chopp [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 29, 2005 7:47 PM
Subject: [ActiveDir] Maximum distinguished name length?
Looking at the
This is definitely an upgradeable component.
Can you gather the following data:
certutil -dstemplate dstemplate.txt
certutil -ds ds.txt
And make them available ( or email them to me )
thanks
steve
- Original Message -
From: Harding, Devon [EMAIL PROTECTED]
To:
Depends -
If the backup was made on a DC which was the
CA - and it is a System State backup ( recommended method for CA's ) then
Yes
If the backup was made on a DC which was the
CA - and it is the CA database and key(s) then no.
If the backup was made on a member server CA - no.
BTW here
clarification added to my Yes and No
answers...
- Original Message -
From:
steve
patrick
To: ActiveDir@mail.activedir.org
Sent: Friday, November 11, 2005 3:29
PM
Subject: Re: [ActiveDir] CertSvc Error
**RESOLVED**
Depends -
If the backup
for starters - check out:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
and
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9Edisplaylang=en
steve
- Original Message -
From:
The inlog is the inbound change orders. It would help to know what the
actual error was..
steve
- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, November 26, 2005 6:51 PM
Subject: RE: [ActiveDir] FRSInlog
Both of the
There was an older package from MS which was free-
noted here:
http://weblogs.asp.net/conrad/archive/2003/12/29/46329.aspx
If you want a copy of it ( no guarantees warranties blah blah..) I can
send it to you, it may be a good place to start and you can modify it to
suit your needs.
steve
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Saturday, December 17, 2005 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Dir web based management
There was an older package from MS which was free-
noted here:
http
If you really want to test the smartcard dealy, I
built a whole lab around smartcards and VPC , just have to TS to the client
using RDP and SC redir.
But, I too wish VPC had true USB
ports..
steve
- Original Message -
From:
joe
To: ActiveDir@mail.activedir.org
Title: [OT] Generating EFS Recovery Certificate
You can use an MS Ent CA to do this ( just copy and
edit the V2 template) .. or you should be able to specify the
OID "1.3.6.1.4.1.311.10.3.4.1 " in your call to CryptEncodeObject to
create one. Optionally, you can try makecert.exe ( but I have
Just a note:
Specific to EFS built in to the OS:
You dont have to have AD integrated CA's to do this, but the Server hosting
the file share must be trusted for delegation.
There are a number of 'gotchas' in this scenario and it is difficult to
track all the crypto keys involved.
If you plan
Interesting viewpoint Joe,
Care to expand on this specific to EFS?
steve
- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, January 25, 2006 6:22 AM
Subject: RE: [ActiveDir] OT: Encrypting shared folders
One good need for this is to
- 312.731.3132
From: [EMAIL PROTECTED] on behalf of steve patrick
Sent: Wed 1/25/2006 10:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Encrypting shared folders
Interesting viewpoint Joe,
Care to expand on this specific to EFS?
steve
Take a look here:
http://www.inflectioncorp.com/downloads.html
spat
- Original Message -
From: Lev Zdenek [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, February 23, 2006 8:10 AM
Subject: RE: [ActiveDir] IIS 6.0 LDAP Auth
I would like to auth. users access to
Seems fair enough to me, its a free tool right?
- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, April 21, 2006 11:43 AM
Subject: [ActiveDir] [ABUSE] - WAS: Perform gpupdate, start or shut downs
through ADUC
Tony,
When did you relax the
If these are XP clients - check out WMI and
JoinDomainOrWorkgroup method - I *think* this will work for you (
specifically in the case where the domain it is currently joined to is no longer
available) but I havent tested this...
steve
- Original Message -
From:
joe
Can you expand on this statement?
I have already applied an instruction to change local user rights
This should be enabled by default in the Domain Controller policy -- Enable
computer and user accounts to be trusted for delegation +r Administrators.
Make sure the you have the user right
A bit confused here... you said:
All that I see in there is netlogon pausing.
and then
DFS and netlogon are both running.
thanks!
steve
- Original Message -
From: Al Lilianstrom [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, May 31, 2006 7:03 AM
Subject: Re:
So after you boot and wait for a bit- if you run gpupdate /force , it comes
back successful yes?
And netlogon is only paused for a time. Do the DC's point to themselves for
DNS?
If so - you probably are hitting the behavior where we have some delay due
to waiting for an initial AD sync...
Im
Check out USMT 2.6.1 - free download - it is
scriptable.
steve
- Original Message -
From:
Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Thursday, June 01, 2006 2:38
PM
Subject: Re: [ActiveDir] Profile
migration to new domain
Suggestions? More
You can try
http://support.microsoft.com/?id=824344 How to debug Windows services
Specifically the section:
When a service starts, the service communicates to the Service Control
Manager how long the service must have to start (the time-out period for the
service). If the Service Control
I can think of 2 things that may help - 1 is the
netlogon log - and 2 is a network sniff from the client during the
"nltest /sc_query:domain"
The netlogon log may simply show the denieds but -
it may show something else which may be useful as well.
steve
- Original Message -
You cannot move from 2000 to 2003 as the database
has changed. You could upgrade to 2k3 ( this would be temporary ) and then move
to another 2k3 server. I know that you said that the HW was old - but perhaps a
temporary sloow 2k3 machine?
You should keep the hostname the same - if
One more point - you dont have to have the CA
on a DC just wanted to make sure you knew this. So, in the future ,you dont
have to worry about removing\moving the CA in order to upgrade DC's
steve
- Original Message -
From:
WATSON,
BEN
To:
Please run "certutil -ds
cert-ds.txt"
and send us ( or me ) the text
file.
steve
- Original Message -
From:
WATSON,
BEN
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 1:42
PM
Subject: RE: [ActiveDir] Moving a
Certificate Authority
- Original Message -
From:
WATSON,
BEN
To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 10:29
AM
Subject: RE: [ActiveDir] Moving a
Certificate Authority
Hi
Laura,
Indeed, I have moved
the CA to a new server of the same name using
Title: Group Policy won't rerun
a few random ideas - not having any idea where the
problem really lies...
You can gather some basic app deployment
extension logs - see q249621
You can make sure you check the event logs for any
related userenv \ related errors
You can enable MSI logging ( if
You cannot remove a CDP extension from a specific
template - it is configured for all certs issued from the issuing
CA.
If he plans to have clients from outside his
network access the DC's of LDAPS - he should reconfigure the CA to include a CDP
which is available outside of his network.
For more info see: http://support.microsoft.com/?id=305475
stuff like:
RidNextRid
DN Path: CN=Rid Set,Cn=computername,ou=domain
controllers,DC=domain,DC=COM The RID that is assigned to
next security principal that is created on the local domain
try this;
http://support.microsoft.com/kb/832481/
User must change password at next logon check box is unavailable
- Original Message -
From: Steve Evans [EMAIL PROTECTED]
To: 'ActiveDir.org' ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 12:44 PM
Subject:
If you have the data I can help now...
It sounds like there is a mixup - or miscommunication, is this lsa crashing
or a memory leak?
Data collection will differ depending on which.
steve
- Original Message -
From: Lucas, Bryan [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Certutil can do this like so:
certutil -store \\mymachine\MY
or you can use a capimon script and CAPICOM.Store
or you can call CertOpenStore see
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/system_store_locations.asp
System store locations are opened
Keep in mind that this is only via the ADUC UI - since you have already
delegated this to the user you can use ldp\script etc.. to set the
msNPAllowDialin == true.
It should reflect properly in ADUC when you next view that user..
spat
- Original Message -
From: Ulf B.
Hi Ken
Based on your mail you seem to have the following setup:
F1
F2
|
|
M1--- ISA--- IIS---AppServer
UserA
UserA logs on to M1 and hits the IIS Server which needs to access AppServer
: steve patrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, December 29, 2006 4:07 PM
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
Hi Ken
Based on your mail you seem to have the following setup:
F1 F2
-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of steve patrick
: Sent: Saturday, 30 December 2006 11:11 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
:
: Wow that turned out ugly didnt it?
:
: Basically it should
They mean that you should focus the GP mgmt tools on the PDC ( which is the
default config IIRC )
steve
- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 05, 2007 6:25 PM
Subject: