Hi,

Thanks .. I think this is along the lines of what I need to do! When I do this I see the computer objects now have the security set the way the other ones are, though these are grey (inherited I suppose vs black for the computers freshly joined).

The FQDN is still blank on these computers on the AD users and computers tab, but it looks like this is the right trail. Just got back from lunch, will try it out.

Thanks again

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 08, 2003 1:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Migrated NT4 domain member's computers have incorrect rights in 2003 AD

Little bit different track, and I'm sure you've found this article but just in case, there's a KB article that addresses these error numbers:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;258503

At the end of the article it shows how to set the permissions for the domain in ADUC, you can set these for the OU and it should inherit to the computer objects in that OU - when you add access in the security tab of the OU, click advanced, find and highlight the account you added, click edit, make sure Apply onto says "This object and all child objects" (the default is "This object only"). I'm not familiar with the specific issue you're having, but if you need to change the security on the computer objects this should do it to them all at once.

Rich

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 08, 2003 12:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Migrated NT4 domain member's computers have incorrect rights in 2003 AD

Thanks Rich .. Yes that makes sense. I understand the concept. Looks like I have to create a new policy. I just don't see how I can set the security permissions on the computer itself, this was my original problem. My upgraded computers (the ones that need to go in the new OU) don't have the system group in their permissions. They also have different permissions than newly joined computers. When I go through the Group Policy Editor, I don't see where I can set those options. User rights assignment (act as part of OS, etc) doesn't have these.

I am looking specifically to set the rights that show when you right click on the computer itself and go to that security tab, so it matches the rights that are granted when a computer joins the domain.

Thanks again for writing back

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 08, 2003 1:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Migrated NT4 domain member's computers have incorrect rights in 2003 AD

The GPMC shows you what GPOs a given container inherits, and in what order they are applied. So unless you have Block Inheritance enabled on your GPTEST OU, you'll still see the Default Domain GPO is inherited even though it's not linked there (you just had to know this before the GPMC). Settings defined in a GPO you link to the GPTEST OU will override ones which are defined in the Default Domain GPO. This way you can leave the Default Domain GPO alone (and not affect all computers in the domain), and apply the settings you need to the new OU only. Does that make sense?

Rich

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 08, 2003 11:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Migrated NT4 domain member's computers have incorrect rights in 2003 AD

I installed group policy management console and looked at linking a GP to the new OU (GPTEST). Under the inheritance tab the default domain policy is inherited. Still a little lost .. thanks

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 08, 2003 9:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Migrated NT4 domain member's computers have incorrect rights in 2003 AD

Guido wrote:

*** 2003 even allows you to change the Default Computers container into a normal OU which allows you to set GPOs etc. - but I prefer using a different OU and keeping the default configured as is. ***

This sounds like good advice to me. I'm sure there are 3rd party products out there that expect to see CN=Users in the structure. Not sure how they'll cope if it isn't present.

Tony

---------- Original Message ----------------------------------
Reply-To: [EMAIL PROTECTED]
Date: Mon, 8 Dec 2003 15:32:22 +0100

Instead of correcting the security on each one of them, you may want to create a new OU for the machines and set the security for the computer accounts via inheritance on the OU. 2003 even allows you to change the Default Computers container into a normal OU which allows you to set GPOs etc. - but I prefer using a different OU and keeping the default configured as is.

/Guido

-----Original Message-----
Sent: Saturday, December 6, 2003 07:12
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Migrated NT4 domain member's computers have incorrect rights in 2003 AD

Problem is I have about 70 PCs who need this. I would rather not rejoin the domain on all of them. Looks like it can be solved by changing rights in AD users and computers.

Why do I have to remain in mixed mode? The desktops are 2000 or XP.

Thanks for your reply

-----Original Message-----
Sent: Friday, December 05, 2003 5:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Migrated NT4 domain member's computers have incorrect rights in 2003 AD

I unjoined and re-joined mine to the domain, this will work as long as you are running mixed mode, or keep one NT4 DC around.

----- Original Message -----
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 10:53 AM
Subject: [ActiveDir] Migrated NT4 domain member's computers have incorrect rights in 2003 AD

> Hi All,
>
> I did an in place upgrade from NT 4 -> 2003 AD
>
> The computers already part of the NT4 domain, get event 5788 and 5789 logon
> errors in their system event logs. (though they are able to logon)
>
> Upon closer examination, newly joined computers to the domain have different
> security rights when viewed in AD users and computers (advanced view).
> Specifically, Authenticated users has 'read' checked and there is the
> existence of the system group with full control security (on newly
> joined clients to domain (2000 and XP) whereas the system group is not
> listed in previous domain members. If I manually change the rights,
> the errors stop (and the fully qualified computer name appears in the
> general tab whereas it is blank on pre-existing domain members)
>
> Is there any way to change all these security rights on the computers
> that were part of the NT4 domain when upgraded via a script or other
> method than manually changing each computer's rights?
>
> Thanks -- BTW this maillist is a life saver!
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
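
The check discussed in the thread above, as an added example that is not part of any message: a read-only PowerShell audit of whether each computer object under an OU carries the SYSTEM full-control and Authenticated Users read ACEs, and whether each is inherited (grey in ADUC) or explicit. It assumes the RSAT ActiveDirectory module, which postdates this 2003 thread; the OU distinguished name is a placeholder, and reading DNSHostName as the FQDN field shown in ADUC is an assumption.

```powershell
# Added example: read-only audit, changes nothing in the directory.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$SearchBase = 'OU=GPTEST,DC=example,DC=com'   # placeholder DN, replace with your OU
$SidSystem  = 'S-1-5-18'                      # well-known SID: NT AUTHORITY\SYSTEM
$SidAuthed  = 'S-1-5-11'                      # well-known SID: Authenticated Users

function Find-AllowAce {
    # Return the first Allow ACE for $Sid that grants every bit in $Rights, else $null.
    param($Acl, [string]$Sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights)
    $Acl.Access | Where-Object {
        $aceSid = $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        $_.AccessControlType -eq 'Allow' -and
        $aceSid -eq $Sid -and
        ([int]$_.ActiveDirectoryRights -band [int]$Rights) -eq [int]$Rights
    } | Select-Object -First 1
}

$report = foreach ($c in Get-ADComputer -SearchBase $SearchBase -Filter *) {
    $acl    = Get-Acl -Path "AD:\$($c.DistinguishedName)"
    $system = Find-AllowAce $acl $SidSystem 'GenericAll'    # "Full Control" in ADUC
    $authed = Find-AllowAce $acl $SidAuthed 'GenericRead'   # "Read" in ADUC
    [pscustomobject]@{
        Computer        = $c.Name
        DnsHostName     = $c.DNSHostName   # empty here = blank FQDN (assumed mapping)
        SystemFull      = [bool]$system
        SystemInherited = if ($system) { $system.IsInherited } else { $null }
        AuthUsersRead   = [bool]$authed
        AuthInherited   = if ($authed) { $authed.IsInherited } else { $null }
    }
}

# Computer objects still missing either ACE after the OU permissions were set
$report | Where-Object { -not ($_.SystemFull -and $_.AuthUsersRead) } |
    Format-Table -AutoSize

# Count of objects per (SystemFull, AuthUsersRead) combination
$report | Group-Object SystemFull, AuthUsersRead | Select-Object Count, Name
```

Run it before and after changing the OU's "Apply onto" setting: objects that flip to SystemInherited = True picked the ACE up from the OU, while freshly joined computers show False because their ACEs are explicit.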
