RE: [ActiveDir] OT: Outlook Web Access Split DNS
Hi,

Hum... maybe doing a network trace between your workstation and the Exchange server, u will see what happened during the logon process and which DNS your Exchange server calls for resolving your domain.

Another tool is ExBPA that u can download at http://www.microsoft.com/downloads/details.aspx?familyid=dbab201f-4bee-4943-ac22-e2ddbd258df3displaylang=en

This tool points u to configuration problems of your Exchange server/Exchange organisation as well as your AD conf. It advises u, when problems are detected, how u can tweak and resolve your Exchange/AD infrastructure. Try installing ExBPA and see the reports. There may be a clue for your OWA pb.

At last, U should ask for assistance on the ExchangeList at http://www.msexchange.org/ - "Discussion List". U have to join for posting a question to the Exchange Gurus :)

Cheers,
Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lamberty, Dave
Sent: Wednesday, June 29, 2005 04:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

I'm not using FBA, and I've tried several different forms of domain names (e.g., domain, domain\, domain.org, domain.org\). None seem to work. Or, as I just discovered, they don't work with IE (at least on XP SP2). Setting the default domain to domain\ works if you're using Firefox--you get right in without specifying a domain in the username field. I'd have expected them to both be the same, or if one worked it would be IE. Not so.

I've inherited this Exchange server, and the guy who set it up is long gone (isn't this a familiar theme on this list?). I'm considering just whacking the whole thing and starting over, but I'm new enough to Exchange to know that may not be advisable in the short term. People are currently able to send and receive e-mail, so it's not totally hosed up. Looks like I'll be doing a little reading over the holiday weekend, though.

If anyone has any other advice, I'd appreciate it.

Thanks!
--Dave

From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Tue 6/28/2005 16:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

Hi :)

If I understand u, u set "domain" in the ESM and the logon page always returns domain.com\username?

1) Try to set "domain.org" in ESM rather than "domain".
2) See this link about the hardcoded "domain" in the Logon.asp file of your OWA Logon page: http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain.html
That supposes u use FBA (Forms-based Authentication) in your Exchange.

Let us know how it goes for u :)

Cheers,
Yann

From: [EMAIL PROTECTED] on behalf of Lamberty, Dave
Sent: Tue 28/06/2005 22:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

The correct domain is actually set in ESM (and changes are replicated to IIS), but the OWA web site still requires users to enter the domain name with their username. The same thing happens both internally and externally when accessing the OWA site.

Assume the following:
Internal DNS domain name: domain.org
External DNS domain name: domain.com
NetBIOS domain name: domain

If I just enter username and password, the login fails, and the logon box returns with domain.com\username in the username field. That won't work, though, as the user accounts exist in the internal domain. If you enter either domain.org\username or domain\username, and a password, you log in just fine.

The fact that the failed logon returns with the external domain name appended to the username makes me think this is a DNS issue, but I'm pretty new to Exchange so that's just my shot in the dark.

Any other suggestions on where to look?

Thanks!
--Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

Well, you can, and it will work for a while, but Exchange will reset it to whatever is set in Exchange Enterprise Manager. You can change it by browsing to Organization/Administrative Group/Servers/Server/Protocols/HTTP/Exchange Virtual Server/Exchange, right click Exchange, Properties, Access tab, Authentication and set whatever options you like. Whatever you set here will show up in IIS.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, June 27, 2005 5:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

This isn't my specialty but I believe you can set the default auth domain in the IIS settings where you configure authentication types.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web
RE: [ActiveDir] OT: Outlook Web Access Split DNS
I had forgotten about the BPA. Good info--thanks!

--Dave

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Wed 6/29/2005 01:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
I misspoke. One is jao-dc1 and the other is jao-ad. Those are the only two DCs in the network. There was an old DC many moons ago but it has long since been demoted. I'll look at the metadata and see if I see any junk as well.

R-

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, June 28, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Robert, hold on a sec, before you open a case. Are those your only two DCs? Their names are DC1 and DC2?? In your FRS debug log, you see that the EPT_S_NOT_REGISTERED is referring to jao-ad.lajao.org. Was jao-ad at some point a domain controller or does that name have any other significance to you? If that used to be a DC, then I'd recommend going through this article to remove all the metadata junk:

216498 How to remove data in Active Directory after an unsuccessful domain
http://support.microsoft.com/?id=216498

You didn't mention any other problems, but if you once had this jao-ad server as a DC then the KCC on your other DCs would be complaining in the event log because they can't replicate with jao-ad.

If I just saved you $245, a big THANK YOU will do :-) Come to think of it, if I just saved YOU $245 dollars then I just cost myself $245 dollars (I own part of the company of course). Please disregard everything above...LOL :-)

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Tuesday, June 28, 2005 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Tried your suggestion and the file does replicate in both directions in the sysvol folder. Firewalls are off on both DCs and I successfully did portqry on the ports shown in the KB article (NtFRS Service MS NT Directory DRS). My ports were slightly different but I was guessing that was expected behavior. (DC1 used 1071,1025,1030 and DC2 used 1053,1026,1027) Guess I'll take your other advice and open a case with PSS.

Thanks!
Robert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, June 28, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Hey Robert...you mentioned I can put a txt file in my sysvol share on one DC and see it replicate to the other DC. Which DC did you put the file on? My point is that maybe replication is broken in only one direction. Try putting a file on each DC named DCNAME.txt and see if you see that file replicate in *both* directions. Usually that error would indicate that there are RPC communication problems or that the FRS service is stopped but you said it was running. Maybe FRS is broken in one direction due to the firewall running on the other side (just a stab in the dark without knowing if FRS is replicating in both directions yet).

FRS is pretty sticky sometimes and the detailed documentation is rather difficult to come across...it may be a good idea to open a case with PSS if you really wanna get to the bottom of things. Or you can feel free to keep posting here but it may take weeks to get all the details out so that any progress would be made (FRS is hard enough to troubleshoot in person sometimes...hehe)

I hope that was helpful; have a great afternoon!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Tuesday, June 28, 2005 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

I'm getting the following error when I run the FRSDIAG utility.

FRSDiag v1.7 on 6/28/2005 8:08:25 AM
.\jao-dc1 on 2005-06-28 at 8.08.25 AM
Checking for errors in Directory Service Event Log passed
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
It appears as if it's a recurring error. I agree with your logic about not fixing what isn't broken. I waited a week before I posted here to see if the error cleared. No luck. How long does it take the FRS logs to wrap? Can they be cleared manually?

R-

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Patrick
Sent: Tuesday, June 28, 2005 2:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

So even though you are replicating fine both ways and you don't see any real problem - you want to open a PSS case for this error in a debug log? Is this a consistent error in your FRS logs or was it a one time error? I dunno - just seems kinda silly to me to tshoot something which may have been a passing network hiccup or is simply not occurring any more.

FRSdiag is simply parsing out your FRS logs for keywords - as long as those entries are in your logs (until the logs wrap) you will get the alert. The real deal is to see if your latest log entries have the same error.

my .02

steve

----- Original Message -----
From: Robert N. Leali [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 11:38 AM
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, June 28, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert N. Leali
Sent: Tuesday, June 28, 2005 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

I'm getting the following error when I run the FRSDIAG utility.

FRSDiag v1.7 on 6/28/2005 8:08:25 AM
.\jao-dc1 on 2005-06-28 at 8.08.25 AM
Checking for errors in Directory Service Event Log passed
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 883: S0: 18:16:33 ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 884:
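Steve's point above is that FRSDiag keeps alerting as long as the keyword sits anywhere in the debug logs, so the useful question is whether the newest log still carries it. The script below, an added example that is not from the list or from FRSDiag, answers that for a set of NtFrs_000N.log contents: it counts EPT_S_NOT_REGISTERED per log, names the last log that had it, and reports whether the most recent log is clean. The line layout is the one FRSDiag prints in the thread (function, source line, thread id, "S0:", time, message; real logs wrap that prefix in angle brackets), and the two log bodies are constructed, not captured from a DC.

```python
"""Scan FRS debug logs for a WStatus keyword and report whether it is still
occurring in the newest log.  Added example; line layout taken from the
FRSDiag output in the thread, log contents constructed."""

import re

# <Function>: <source line>: <thread>: S0: <HH:MM:SS> <message>
# Real NtFrs_000N.log lines wrap the prefix in "<...>", so those are optional.
LINE_RE = re.compile(
    r"^<?(?P<func>\w+):\s*(?P<line>\d+):\s*(?P<thread>\d+):\s*S0:\s*"
    r"(?P<time>\d\d:\d\d:\d\d)>?\s*(?P<text>.*)$"
)
STATUS_RE = re.compile(r"WStatus:\s*(?P<status>[A-Z0-9_]+)")


def scan_log(text, status="EPT_S_NOT_REGISTERED"):
    """Return (time, function, thread) for every line that reports `status`."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a debug-log line (headers, wrapped text)
        s = STATUS_RE.search(m.group("text"))
        if s and s.group("status") == status:
            hits.append((m.group("time"), m.group("func"), m.group("thread")))
    return hits


def assess(logs, status="EPT_S_NOT_REGISTERED"):
    """`logs` is a list of (name, text), oldest first.  FRSDiag alerts while
    any of them contains the keyword; this reports per-log counts, the last
    log that had it, and whether the newest log still has it."""
    counts = {name: len(scan_log(text, status)) for name, text in logs}
    last_seen = None
    for name, _ in logs:
        if counts[name]:
            last_seen = name
    newest = logs[-1][0]
    return {"counts": counts, "last_seen_in": last_seen,
            "still_current": counts[newest] > 0}


# Constructed sample: NtFrs_0004.log carries the two errors quoted in the
# thread, the newer NtFrs_0005.log is clean (ERROR_SUCCESS is a normal status).
NTFRS_0004 = """\
<SndCsMain:   700:   883: S0: 18:16:31> Connecting to jao-ad.lajao.org
<SndCsMain:   700:   883: S0: 18:16:33> ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED
<SndCsMain:   700:   884: S0: 18:16:35> ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED
"""
NTFRS_0005 = """\
<SndCsMain:   700:   901: S0: 08:02:10> Connecting to jao-ad.lajao.org
<SndCsMain:   700:   901: S0: 08:02:11> ++ Change order sent, WStatus: ERROR_SUCCESS
"""


def demo():
    """Run the assessment over the constructed sample, oldest log first."""
    return assess([("NtFrs_0004.log", NTFRS_0004), ("NtFrs_0005.log", NTFRS_0005)])


if __name__ == "__main__":
    print(demo())  # still_current is False: the error lives only in the older log
```

On a DC the logs would be read from the FRS debug directory (typically %SystemRoot%\Debug) in numeric order and passed to assess(); a result with still_current set to False and last_seen_in pointing at an older log is the "passing hiccup that will clear when the logs wrap" case Steve describes, while True means the endpoint-mapper problem is ongoing and worth chasing.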
RE: [ActiveDir] Error while adding user to AD
Hi Steve,

Been awhile. That last post did come across weird. :o)

I should have been clear on the DSID and it changing with binaries if there are line numbering changes in the code, I didn't think to mention it. Thanks for clarifying. For the most part, the DSIDs aren't extremely useful unless you have source access. It generally isn't worth recording DSIDs and mapping them to problems unless you are also including in that map OS info, at the least version and SP level but hotfixes can throw you off as well depending on what got touched.

Also thanks for the pointer on decoding that first part of the extended error. I have always wondered what that was but never made the connection to winerror. Now I need to update my code that dumps the extended error info in LDAP calls to actually decode that message as well. It would be useful.

Can ADSI be forced to do this op correctly (i.e. in the correct order)? I can't recall having seen an example of it. The examples I am aware of are all several steps - set basic attribs and setinfo(), set password, set uac and setinfo(). I can create an account with LDAP API and give it a password and have it enabled out of the gate [1] but since I haven't seen ADSI do it I generally just tell people to do it in a multistep operation as I have no clue why ADSI didn't do it and would rather avoid that question, much easier. Too many people using ADSI and also many people don't know if the tools they are using use ADSI or something else and I would rather avoid all of it. If ADSI *can* do it in a single step then I can stop telling people to do multistep ops which in my opinion is much cleaner and faster.

Thanks

joe

[1] In admod you can add a new user to a K3 domain with password hot and ready to go like this (one line)

admod -b cn=testuser,cn=users,dc=domain,dc=com -add -kerbenc objectclass::user samaccountname::testuser useraccountcontrol::512 unicodepwd::testpassword pwdlastset::-1

This won't work in a 2K domain because admod doesn't support SSL yet. It works for K3 (all) because you don't need SSL and because I change the order of how the attributes are submitted to the server. The UAC attribute will always follow the unicodepwd attribute though it was pure dumb luck versus knowing there was an ordering issue. Had I run into the ordering issue I would have been pretty confused I expect.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan
Sent: Wednesday, June 29, 2005 1:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error while adding user to AD

Resending due to a formatting error on my part, sorry for the duplicate post but it is much easier to read with the lines wrapped.

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan
Sent: Tuesday, June 28, 2005 11:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error while adding user to AD

Just to add a few more things to the thread. If this is Windows Server 2003 RTM then you may be hitting a known issue if your provisioning tool uses LDAP to create the accounts and the attributes are not in a specific order. Due to a change made in Windows 2003, if you created a user using LDAP and the unicodepwd attribute was not specified before the useraccountcontrol attribute in your LDAP Modification request and the useraccountcontrol was not setting the account disabled then we would return the error that the password did not meet complexity requirements even if the password did meet the requirements. Since LDAP operations are supposed to be atomic this behavior was incorrect and a fix was created. This fix is in Windows Server 2003 SP1 so if you are running into this particular scenario on Windows Server 2003 RTM and cannot go to SP1 then you can call Microsoft and request the hotfix for KB 891299 (note this KB is currently not public).

I also wanted to point out that the DSID number will not normally be that helpful to those outside of Microsoft and that the DSID can have different values across different versions of the binary even if it is referring to the same error. What can be helpful however is the first part of the error after the Server_Info tag because it is an error/status message. In this case using the handy err.exe tool that is available on the download.microsoft.com site you will find that the error you received is:

C:\tools>err 052D
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "052D"

So now that you have read all of this you are saying prove it to me so here are the repro steps that will produce the above error on Windows Server 2003 RTM (note Windows 2000 server was not affected) and of course if you run it
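The ordering rule Steve describes (unicodePwd before an enabling userAccountControl in a single LDAP add) and the attribute set in joe's admod footnote (objectclass, samaccountname, useraccountcontrol 512, unicodepwd, pwdlastset -1) can be captured in a small builder. The following is an added example, not code from the list, from admod or from Microsoft: it assembles the attribute list in the safe order, encodes unicodePwd the way Active Directory requires (the password in double quotes, UTF-16-LE), checks an arbitrary attribute list for the 2003 RTM failure combination, and renders the request as LDIF for inspection. No directory is contacted; on a real domain the add would still have to travel over an encrypted session (SSL/TLS, or Kerberos sealing as admod's -kerbenc does).

```python
"""Single-step LDAP user creation: attribute order and unicodePwd encoding.
Added example; the order rule comes from the thread, the quoted UTF-16-LE
encoding of unicodePwd is the standard AD requirement.  Nothing is sent."""

import base64

NORMAL_ACCOUNT = 0x0200   # userAccountControl for a normal user: the 512 in the admod line
ACCOUNTDISABLE = 0x0002   # flag set when the account is created disabled


def encode_unicode_pwd(password):
    """AD accepts unicodePwd only as the clear password wrapped in double
    quotes and encoded UTF-16-LE (and only over an encrypted connection)."""
    return f'"{password}"'.encode("utf-16-le")


def user_add_attributes(sam_account_name, password, uac=NORMAL_ACCOUNT):
    """Attribute list for the add request in a 2003-RTM-safe order:
    unicodePwd is listed before userAccountControl, as in the admod footnote."""
    return [
        ("objectClass", [b"user"]),
        ("sAMAccountName", [sam_account_name.encode("utf-8")]),
        ("unicodePwd", [encode_unicode_pwd(password)]),
        ("userAccountControl", [str(uac).encode("ascii")]),
        ("pwdLastSet", [b"-1"]),   # -1: stamp "now", so no change is forced at first logon
    ]


def is_order_safe(attributes):
    """False for the combination 2003 RTM rejected with ERROR_PASSWORD_RESTRICTION
    (0x52D): an enabling userAccountControl placed before unicodePwd.  A disabled
    UAC, or a request lacking either attribute, is fine in any order."""
    names = [name.lower() for name, _ in attributes]
    if "unicodepwd" not in names or "useraccountcontrol" not in names:
        return True
    uac_index = names.index("useraccountcontrol")
    uac_value = int(attributes[uac_index][1][0])
    if uac_value & ACCOUNTDISABLE:
        return True
    return names.index("unicodepwd") < uac_index


def _ldif_safe(value):
    """LDIF may carry a value in the clear only if it is printable ASCII and does
    not start with space, colon or '<'; anything else goes base64 after '::'."""
    return (value != b"" and all(0x20 <= b < 0x7F for b in value)
            and value[0] not in b" :<")


def to_ldif(dn, attributes):
    """Render the request as an LDIF add record, e.g. for review before ldifde."""
    lines = [f"dn: {dn}", "changetype: add"]
    for name, values in attributes:
        for value in values:
            if _ldif_safe(value):
                lines.append(f"{name}: {value.decode('ascii')}")
            else:
                lines.append(f"{name}:: {base64.b64encode(value).decode('ascii')}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    attrs = user_add_attributes("testuser", "testpassword")
    print(to_ldif("cn=testuser,cn=users,dc=domain,dc=com", attrs))
    print("order safe:", is_order_safe(attrs))
```

The pwdLastSet and userAccountControl values are the ones from joe's admod line; is_order_safe() is the check a provisioning tool could run on its own request before sending it to a server that may still be 2003 RTM without the KB 891299 fix.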
RE: [ActiveDir] Group Management
We have a centralized security department, and we used to do group management this way. As you found, it gets to be a chore, and the security people really don't know what the groups are for anyway.

What we ended up doing was creating an OU structure that mimics our business unit divisions [1]. Each unit's groups are stored under their OU. We have one person at each business called a "security administrator". Each security administrator has rights to manage all the groups in their OU. Their job is to accept security related requests from their users and either handle them themselves (in the case of group management), or forward to corp security (new user setup, etc).

[1] We use alias names for each business unit (ie bu01, bu02, etc) because business units have a nasty habit of changing names.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 10:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Management

Hi all, sorry up front for the long post.

I'm curious how larger organizations manage groups in AD, with respect to authorizing users to be added to/removed from a group. I don't mean the security around the administration, but the supporting business processes and workflows. We've just centralized security administration, and this has created a problem with group administration on quite a large scale. Our security admins will get a request to add UserA to GroupA. Since they have inherited the job, there isn't a clear 'owner' of GroupA, be it an IT owner like the SQL group, or a business owner like the Radiology dept. If it's a group that ultimately gets you admin rights on all SQL servers or access to patient data...you can see the problem developing here.

The problem is really two-fold, the security aspects, as well as the time it takes to complete the request. (multiply it by 1500 requests a day and the admins are really backed up)

I'm wondering if anyone has had success with a self-service web-based request system, or something similar, and what made it successful? Ideally, the goal here is to get a detailed request into the admin group with all the info and approvals already in it.

Thanks in advance,
rb
RE: [ActiveDir] Group Management
Brian,

I have a perl CGI script that allows the owner of a group to manage its members. We use it for distribution lists, but it would work for any groups. It might take a few mods to work in your environment, but you are welcome to it if you like.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, June 28, 2005 10:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Management

I wish we had a system to do that here. I won't create any group without the managed by attribute being populated. This way I can then pass off the membership management to whomever. I haven't really identified yet the magnitude of the problem here, but, we're going to figure out a way to get that attribute populated on as many groups as possible and then it will tie into a web portal for AD mgmt that we're developing in house. IMHO that's the way to go.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 10:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Management
Re: [ActiveDir] Default Domain Policy Issues
Hi Steve,

I ended up calling MS; time restraints for deadlines just not worth the sweat. Anyway, the engineer I got told me of a hotfix for this particular issue, KB890338. We deployed this on the PDC Emulator but that did not fix anything; the article does state installing the hotfix on all DCs in the domain. I'm hoping this will work, already put in a change for bouncing all DCs tonight. Then put up a case for recovering the cost for the call. Will keep you posted.

Thanks,
Devan.

Original Message Follows
From: Steve Patrick [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Default Domain Policy Issues
Date: Tue, 28 Jun 2005 12:37:33 -0700

Sonar and Ultrasound may indeed tell you everything is OK - since FRS is actually doing its job (replicating the data back in properly). However, you could have enough latency in site replication where something (like the AD in some cases) is causing the file to be replicated back out towards the original change due to changes. Maybe the changes are not fast enough to be caught via the FRS churn warning indicator. There is a process where, as Joe noted, the AD and FRS are kept in sync for domain password policies.

The real trick here is to find the originating change and determine why that server caused the original FRS change order (IMHO).

First of all you need to make sure that replication is actually working end to end - it sounds like you have done this scenario:

DC1 is your PDCE and you change password policy from A to B.
DC10 is another DC which receives the value B but then reverts back to A - this eventually gets replicated back to DC1 and now all DCs show original value of A.

The hard way (but I don't know any others, since I never have really used frsdiag\sonar\ultrasound):

On DC10 run ntfrsutl idtable.
Find the file name - in your case gpttmpl.inf - and make sure it is the correct one by mapping the ParentGuid back to 31B2F340-016D-11D2-945F-00C04FB984F9.
Note the OriginatorGuid value.
To match the OriginatorGuid to a machine you have to gather the ntfrsutl configtable data from the DCs and match the ReplicaVersionGuid to the OriginatorGuid value on the file.

This can all be scripted into a batch file to parse all the data - or -- wait, someone just told me you can also do this (mapping the GUIDs to server) via frsdiag here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=43CB658E-8553-4DE7-811A-562563EB5EBF&displaylang=en

Good luck!
steve

- Original Message -
From: Devan Pala [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 10:19 AM
Subject: RE: [ActiveDir] Default Domain Policy Issues

Hi Darren,

22 Domain Controllers at Windows 2000 / SP4. Just about 15 mins ago I restarted the NTFRS service on the DCs, then I made the change on the PDC Emulator on the password policy. I noted down the file size and time stamp of that gpttmpl.inf file. It's set to 11:58 (CST) today when I changed the policy. While looking at some of the other DCs it's set to last year (perhaps the last time I made a change to the security policies). Now I will wait for it to replicate, then see what happens.

What if this file reverts back to what it was (with last year's time stamp)? Any thoughts at that point...

Your help is very much appreciated.

Thanks,

Firefox - Rediscover the web

Original Message Follows
From: Darren Mar-Elia [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain Policy Issues
Date: Tue, 28 Jun 2005 09:45:48 -0700

How many DCs do you have and what OS version? First thing you can do is go to the PDC role holder DC, look at the file at \SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\gpttmpl.inf. Note its size, and date/timestamp. Then check the same file on all other DCs. They should be the same. This is the file that delivers the security policy within the Default Domain Policy. If it's not in synch, then you could be getting the differences you are experiencing.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Devan Pala
Sent: Tuesday, June 28, 2005 7:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain Policy Issues

Well, I've just downloaded Sonar and Ultrasound. Sonar tells me everything is OK! Not sure what I'm looking for actually; how can I pinpoint which DC is causing the reversion back to the old setting (being authoritative)?

Thanks,

Original Message Follows
From: joe [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain Policy Issues
Date: Mon, 27 Jun 2005 18:28:13 -0400

I would check very carefully to verify the policy has made it properly to all DCs. It is possible
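A scripted form of the check Darren describes in the quoted message (the per-DC size and timestamp comparison Devan then did by hand), added here as an example and not code from the thread. It assumes the RSAT ActiveDirectory PowerShell module and SMB read access to each DC's SYSVOL share from the machine running it, and goes one step further than the thread by hashing the file so a rewritten copy of identical size is not missed.

```powershell
# Added example, not from the list thread: compare the Default Domain Policy
# security template (GptTmpl.inf) on every DC's SYSVOL against the copy held by
# the PDC emulator, which is where Group Policy edits originate.
# Assumes: RSAT ActiveDirectory module, and the caller can read \\<dc>\SYSVOL.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$pdc     = $domain.PDCEmulator
# Well-known GUID of the Default Domain Policy GPO, as quoted in the thread
$gpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$relPath = "SYSVOL\$($domain.DNSRoot)\Policies\$gpoGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

function Get-GptTmplState {
    param([Parameter(Mandatory)][string]$DcHostName)
    $path = "\\$DcHostName\$relPath"
    try {
        $file = Get-Item -LiteralPath $path -ErrorAction Stop
        [pscustomobject]@{
            DC           = $DcHostName
            IsPDC        = ($DcHostName -ieq $pdc)
            Size         = $file.Length
            LastWriteUtc = $file.LastWriteTimeUtc
            SHA256       = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Error        = $null
        }
    } catch {
        # Unreachable DC or missing file: report it rather than silently skipping it
        [pscustomobject]@{
            DC = $DcHostName; IsPDC = ($DcHostName -ieq $pdc); Size = $null
            LastWriteUtc = $null; SHA256 = $null; Error = $_.Exception.Message
        }
    }
}

$states    = Get-ADDomainController -Filter * | ForEach-Object { Get-GptTmplState -DcHostName $_.HostName }
$reference = ($states | Where-Object IsPDC | Select-Object -First 1).SHA256
if (-not $reference) { throw "Could not read GptTmpl.inf on the PDC emulator ($pdc); nothing to compare against." }

$states |
    Select-Object DC, IsPDC, Size, LastWriteUtc,
        @{ Name = 'MatchesPDC'; Expression = { $_.SHA256 -eq $reference } }, Error |
    Sort-Object IsPDC -Descending |
    Format-Table -AutoSize

# Any DC whose copy differs (or could not be read) is a replication suspect; a stale
# LastWriteUtc on such a DC is the "last year's timestamp" symptom from the thread.
$suspects = $states | Where-Object { $_.SHA256 -ne $reference }
if ($suspects) {
    Write-Warning ("GptTmpl.inf differs from the PDC emulator copy on: " + ($suspects.DC -join ', '))
} else {
    Write-Host ("GptTmpl.inf is identical on all {0} DCs." -f $states.Count)
}
```

Run it twice a few minutes apart after a policy edit: a DC that matched on the first pass and reverted on the second is the one to inspect with ntfrsutl idtable, as Steve describes.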
RE: [ActiveDir] OT: Outlook Web Access & Split DNS
It's been a while, but we had similar problems when we had multiple authentication forms checked in ESM. Specifically, Windows Integrated. Right now, the only thing we have checked is Basic with a default domain of evangel.edu. Naturally, make sure you use SSL.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Tuesday, June 28, 2005 9:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access & Split DNS

I'm not using FBA, and I've tried several different forms of domain names (e.g., domain, domain\, domain.org, domain.org\). None seem to work. Or, as I just discovered, they don't work with IE (at least on XP SP2). Setting the default domain to domain\ works if you're using Firefox--you get right in without specifying a domain in the username field. I'd have expected them to both be the same, or if one worked it would be IE. Not so.

I've inherited this Exchange server, and the guy who set it up is long gone (isn't this a familiar theme on this list?). I'm considering just whacking the whole thing and starting over, but I'm new enough to Exchange to know that may not be advisable in the short term. People are currently able to send and receive e-mail, so it's not totally hosed up. Looks like I'll be doing a little reading over the holiday weekend, though.

If anyone has any other advice, I'd appreciate it.

Thanks!
--Dave

From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Tue 6/28/2005 16:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access & Split DNS

Hi :)

If I understand u, u set domain in the ESM and the logon page always returns the domain.com\username?

1) Try to set domain.org in ESM rather than domain
2) See this link to hardcode the domain in the Logon.asp file of your OWA Logon page:
http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain.html
That supposes u use FBA (Forms-based Authentication) in your exchange.

Let us know how it goes for u :)

Cheers,
Yann

From: [EMAIL PROTECTED] on behalf of Lamberty, Dave
Date: Tue 28/06/2005 22:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access & Split DNS

The correct domain is actually set in ESM (and changes are replicated to IIS), but the OWA web site still requires users to enter the domain name with their username. The same thing happens both internally and externally when accessing the OWA site. Assume the following:

Internal DNS domain name: domain.org
External DNS domain name: domain.com
NetBIOS domain name: domain

If I just enter username & password, the login fails, and the logon box returns with domain.com\username in the username field. That won't work, though, as the user accounts exist in the internal domain. If you enter either domain.org\username or domain\username, and a password, you log in just fine.

The fact that the failed logon returns with the external domain name appended to the username makes me think this is a DNS issue, but I'm pretty new to Exchange so that's just my shot in the dark. Any other suggestions on where to look?

Thanks!
--Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access & Split DNS

Well, you can, and it will work for a while, but Exchange will reset it to whatever is set in Exchange Enterprise Manager. You can change it by browsing to Organization/Administrative Group/Servers/Server/Protocols/HTTP/Exchange Virtual Server/Exchange, right click Exchange, Properties, Access tab, Authentication and set whatever options you like. Whatever you set here will show up in IIS.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, June 27, 2005 5:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access & Split DNS

This isn't my specialty but I believe you can set the default auth domain in the IIS settings where you configure authentication types.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access & Split DNS

When users log in to our Outlook Web Access site, they must enter their username in the format domainname\username, as the domain name isn't being passed. I'd like to be able to pass the domain name so users don't have to remember to enter it when they log on (and reduce help desk call volume by about 50%...). We're not using ISA Server, and have just a single Exchange 2003 server for our mail. AD is
[ActiveDir] Can't get rid of old DC in Sites and Services
I have a DC, which used to have all FSMO roles, that is causing me grief. The server had issues so I put the roles on another DC and demoted it to a member server. I then deleted all of the static site links that I had set up and let AD configure them automatically. It has been working fine for a while, but now, for some reason, this server is still being seen as a DC because some of the other DCs are still trying to replicate with it. I went into Sites and Services and deleted the links, but it won't actually let me delete the server container for that DC that isn't a DC anymore. It says it can't delete the DSA object. How the heck do I get rid of this DC in AD once and for all?

Thanks,
Mark Orlando
IT Dept.
Linden Public Schools
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
I guess with regard to how long it will take the logs to wrap... it depends on too many things to even try and predict... for instance, you can log different severities of info (by modifying reg settings)... or you can also set in the registry how many log files you wish to keep. Maybe even more relevant is how much data you're replicating and the rate of change for files... too much stuff to predict. :-)

You can however just stop your ntfrs service and delete all the ntfrs_000x.log files. Then you would see if that same error came back. FRSDiag will keep reporting it as an error because part of its job is to scan all the log files and look for errors... so it will keep reporting those same errors as long as they are in the log files.

I hope it doesn't come back... it would be rather strange to me that you get that error and are able to replicate in both directions. Did you by any chance have any other DCs in this domain in the past... did you maybe rebuild this DC with the same name and not do a metadata cleanup first to remove the old DC's data... I'm reaching here for various things that might produce that error... since you're replicating fine in both directions, what my next suspicion would be is that you have some left over connection objects from another server.

Check something real quick while you're there... Open up adsiedit.msc (from the support tools I believe). Go to the following location:

Domain [yourdomain.com]
  DC=yourdomain,DC=com
    CN=System
      CN=File Replication Service
        CN=Domain System Volume (SYSVOL share)

How many nTFRSMember objects do you see in there on the right pane (should be 2 for you)?

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Wednesday, June 29, 2005 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

It appears as if it's a recurring error. I agree with your logic about not fixing what isn't broken. I waited a week before I posted here to see if the error cleared. No luck. How long does it take the FRS logs to wrap? Can they be cleared manually?

R-

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Tuesday, June 28, 2005 2:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

So even though you are replicating fine both ways and you don't see any real problem - you want to open a PSS case for this error in a debug log? Is this a consistent error in your FRS logs or was it a one time error? I dunno - just seems kinda silly to me to tshoot something which may have been a passing network hiccup or is simply not occurring any more.

FRSdiag is simply parsing out your FS logs for keywords - as long as those entries are in your logs (until the logs wrap) you will get the alert. The real deal is to see if your latest log entries have the same error.

my .02
steve

- Original Message -
From: Robert N. Leali [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 11:38 AM
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Tried your suggestion and the file does replicate in both directions in the sysvol folder. Firewalls are off on both DCs and I successfully did portqry on the ports shown in the KB article (NtFRS Service, MS NT Directory DRS). My ports were slightly different but I was guessing that was expected behavior. (DC1 used 1071, 1025, 1030 and DC2 used 1053, 1026, 1027.) Guess I'll take your other advice and open a case with PSS.

Thanks!
Robert

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, June 28, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Hey Robert... you mentioned I can put a txt file in my sysvol share on one DC and see it replicate to the other DC. Which DC did you put the file on? My point is that maybe replication is broken in only one direction. Try putting a file on each DC named DCNAME.txt and see if you see that file replicate in *both* directions. Usually that error would indicate that there are RPC communication problems or that the FRS service is stopped, but you said it was running. Maybe FRS is broken in one direction due to the firewall running on the other side (just a stab in the dark without knowing if FRS is replicating in both directions yet).

FRS is pretty sticky sometimes and the detailed documentation is rather difficult to come across... it may be a good idea to open a case with PSS if you really wanna get to the bottom of things. Or you can feel free to keep posting here but it may take weeks to get all the details out so that any progress would be made (FRS is hard
[ActiveDir] Policy that could effect accessing network share
Does anyone know of a policy that could be applied that would deny a user from connecting to a network share that they have permissions to? We have a folder shared on one system that the group the user is in has permissions to both on the share and file security level. But when I put in the UNC to get to the share I get a denied error. I believe it is a policy that is affecting this.

Thanks
Jeff
Re: [ActiveDir] Can't get rid of old DC in Sites and Services
Hi Mark

Are the other DCs replicating with anybody else? Has the updated configuration reached them yet? If their only replication partners were that one DC they may not know it has been demoted. In that case you should be able to create a manual connection to a DC that knows the dead DC is gone, let it replicate and update itself, then let the KCC find another path.

We had the same problem when a hub site DC with multiple spokes got changed. The hub site replicated the changes to a single DC during demotion, but because the other DCs were configured to only replicate with the hub site they did not know the hub DC was gone until the hub DC told them it was gone.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Policy that could effect accessing network share
My initial hip-shot would be to look at the "Access this computer from the network" user right. (Especially if the user in question can't access other resources on the same box, as that would increase my suspicions.)

- Laura
Re: [ActiveDir] Policy that could effect accessing network share
What are the permissions on the share and NTFS volume?
Re: [ActiveDir] Can't get rid of old DC in Sites and Services
Mark,

Sat on a train at the moment, but look for the MS article on how to clean up DC metadata. This should resolve the replication issues.

Mark
Re: [ActiveDir] Policy that could effect accessing network share
Hi Jeff...

Up in Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment there is both a "Deny access to this computer from the network" and an allow. You may want to look there.

John
[ActiveDir] OT: scheduler account?
I have found a user account in my AD named Scheduler with a Display name of "Scheduler Service Account" and a Description of "Gives the Scheduler network access". I don't know where it comes from. I don't see it in child domain ADs. Does anyone know the origin of this account? Maybe some software installation did it?

TIA!
Mike Thommes
RE: [ActiveDir] Policy that could effect accessing network share
Authenticated Users is in the "Access this computer from the network" right. The error is: "Access to the resource \\server\share has been disallowed".
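A way to audit the allow and deny "Access this computer from the network" rights John points at, side by side on the file server itself instead of in the GPO editor. This is an added example and not from the thread; it exports the effective local policy with secedit.exe, resolves the SIDs it lists, and must be run elevated on the server hosting the share.

```powershell
# Added example, not from the thread: list who is granted and who is denied the
# "Access this computer from the network" right on this machine, read from the
# effective security policy (domain GPO merged with local policy).
# Assumes secedit.exe (present on every Windows edition) and an elevated session.
function Get-NetworkLogonRight {
    # Export only the User Rights Assignment area to a temporary .inf file
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    $null = & secedit.exe /export /mergedpolicy /cfg $cfg /areas USER_RIGHTS
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
    try     { $lines = Get-Content -LiteralPath $cfg }
    finally { Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue }

    # [Privilege Rights] lines look like:  SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
    # A leading '*' marks a SID; an entry without it is an account name.
    foreach ($right in 'SeNetworkLogonRight', 'SeDenyNetworkLogonRight') {
        $line = $lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        $entries = if ($line) {
            ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        } else { @() }   # right not present: nobody holds it
        foreach ($entry in $entries) {
            $account = if ($entry.StartsWith('*')) {
                $sid = $entry.TrimStart('*')
                try   { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
                catch { "<unresolved $sid>" }   # orphaned SID, e.g. a deleted group
            } else { $entry }
            [pscustomobject]@{
                Right   = $right
                Effect  = $(if ($right -like 'SeDeny*') { 'Deny' } else { 'Allow' })
                Entry   = $entry
                Account = $account
            }
        }
    }
}

$rights = Get-NetworkLogonRight
$rights | Format-Table Effect, Account, Entry -AutoSize

# A deny entry wins over every allow, so any group listed here that contains the
# user blocks the share even when share and NTFS permissions grant access.
$deny = $rights | Where-Object Effect -eq 'Deny'
if ($deny) { Write-Warning ("Deny network logon applies to: " + ($deny.Account -join ', ')) }
```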
RE: [ActiveDir] Can't get rid of old DC in Sites and Services
Do a metadata cleanup. See Q216498.

Cheers,
#JORGE#
RE: [ActiveDir] Policy that could effect accessing network share
Ok, I believe I may know what it is, but it brings up another dilemma. It appears to be an issue with the security of Internet Explorer. In the local internet part I need to add in file://servername. I need this to happen for all users. Anyone know of a way I can do this?
Re: [ActiveDir] Policy that could effect accessing network share
Add that server (IP or FQDN) as a Trusted Site via GPO?
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q303650

hth,
john
RE: [ActiveDir] Policy that could effect accessing network share
In the Security Zones under Internet Explorer Maintenance under User Configuration. You can set the settings on your IE settings, and import them. It will import all of your settings though, so be sure of what you set there.

John
RE: [ActiveDir] Policy that could effect accessing network share
Oppps... Yes, that is a GPO.

John
RE: [ActiveDir] Policy that could effect accessing network share
Ok, the server is in the local internet location, but I'm still getting the same error. The file permissions are set for the users: everything but Full Control. Their home directory is mapping correctly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Wednesday, June 29, 2005 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Policy that could effect accessing network share

Add that server (IP or FQDN) as a Trusted Site via GPO? http://support.microsoft.com/default.aspx?scid=kb;en-us;Q303650

hth,
john

Cothern Jeff D. Team EITC wrote:
Ok, I believe I may know what it is, but it brings up another dilemma. It appears to be an issue with the security of Internet Explorer. In the local internet part I need to add in file://servername. I need this to happen for all users. Anyone know of a way I can do this?
RE: [ActiveDir] OT: scheduler account?
Nope... not a default account in AD.
* See the creation date to see if you remember what happened on that date.
* See the owner to see who caused the creation.

Cheers,
#JORGE#

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Wed 6/29/2005 6:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: scheduler account?

I have found a user account in my AD named "Scheduler" with a Display name of "Scheduler Service Account" and a Description of "Gives the Scheduler network access". I don't know where it comes from. I don't see it in child domain ADs. Does anyone know the origin of this account? Maybe some software installation did it? TIA!

Mike Thommes

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Policy that could effect accessing network share
Problem solved. If you have "User Configuration\Window settings\Start menu and taskbar\Remove Run menu from Start menu" set, you will not be able to use a UNC within Internet Explorer.

The funny thing is I went through all this just to verify that users could get to a share that a "net use" mapping was set for. The "net use" wasn't working in the login.bat file. After pounding my head against the wall I found out that it was due to a "\" at the end of the UNC path put in the "net use" command.

Thanks for your help. New motto around the shop is "Syntax is everything".

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Wednesday, June 29, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policy that could effect accessing network share

Ok, the server is in the local internet location, but I'm still getting the same error. The file permissions are set for the users: everything but Full Control. Their home directory is mapping correctly.
RE: [ActiveDir] OT: scheduler account?
Jorge,

Thanks for the slap alongside the head idea to use ADSIEdit to track down this account! Values of related attributes show this account was created a long time ago when we were an NT4 domain. It has been dispensed with accordingly. Thanks again!

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, June 29, 2005 1:09 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: scheduler account?

Nope... not a default account in AD.
* See the creation date to see if you remember what happened on that date.
* See the owner to see who caused the creation.

Cheers,
#JORGE#
RE: [ActiveDir] Group Management
No, it seemed to make more sense to put it in AD and keep it all in the same place. Using DN-syntax attributes to represent the users and groups allows us to take advantage of any changes to those objects without having to implement a sync process, and gives us a lot of useful semantics such as no duplications and such. There is a goofy sync app that we have that pushes stuff one way to our Domino system that does use some SQL for metadata, but that was a different circumstance. That whole app could probably be replaced with MIIS very easily now if we had any will to do so.

Joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, June 28, 2005 11:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Management

Did you consider using SQL to store all the metadata for the groups? That's what I'm doing now, or planning to, but I'd be interested to hear, if you debated this, what the final reasoning was.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
Re: [ActiveDir] Default Domain Policy Issues
Thanks! Ahh yes - it looks like a regression on MS04-011. The reason I asked the original question of OS and Service Pack was due to the original fix (pre SP4), but I was not aware of the regression. If this is indeed the real problem you will need to apply it to all DCs - it basically stops what is called the PFP\PPP process on all DCs except for the PDCE so loops are not introduced.

steve

----- Original Message -----
From: Devan Pala <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Wednesday, June 29, 2005 7:30 AM
Subject: Re: [ActiveDir] Default Domain Policy Issues

Hi Steve,

I ended up calling MS; time restraints for deadlines, just not worth the sweat. Anyway, the engineer I got told me of a hotfix for this particular issue, KB890338. We deployed this on the PDC Emulator but that did not fix anything; the article does state installing the hotfix on all DCs in the domain. I'm hoping this will work, already put in a change for bouncing all DCs tonight. Then put up a case for recovering the cost for the call. Will keep you posted.

Thanks,
Devan.

Original Message Follows
From: Steve Patrick <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Default Domain Policy Issues
Date: Tue, 28 Jun 2005 12:37:33 -0700

Sonar and Ultrasound may indeed tell you everything is OK - since FRS is actually doing its job (replicating the data back in properly). However you could have enough latency in site replication where something (like the AD in some cases) is causing the file to be replicated back out towards the original change due to changes. Maybe the changes are not fast enough to be caught via the FRS churn warning indicator. There is a process where, as Joe noted, the AD and FRS are kept in sync for domain password policies. The real trick here is to find the originating change and determine why that server caused the original FRS change order (IMHO).

First of all you need to make sure that replication is actually working end to end - it sounds like you have done this scenario:
DC1 is your PDCE and you change the password policy from A to B.
DC10 is another DC which receives the value B but then reverts back to A - this eventually gets replicated back to DC1 and now all DCs show the original value of A.

The hard way, but I don't know any others since I never have really used frsdiag\sonar\ultrasound:
On DC10 run "ntfrsutl idtable".
Find the file name - in your case gpttmpl.inf - and make sure it is the correct one by mapping the ParentGuid back to 31B2F340-016D-11D2-945F-00C04FB984F9.
Note the OriginatorGuid value.
To match the OriginatorGuid to a machine you have to gather the "ntfrsutl configtable" data from the DCs and match the ReplicaVersionGuid to the OriginatorGuid value on the file.
This can all be scripted into a batch file to parse all the data - or -- wait, someone just told me you can also do this (mapping the GUIDs to server) via frsdiag here: http://www.microsoft.com/downloads/details.aspx?FamilyId=43CB658E-8553-4DE7-811A-562563EB5EBF&displaylang=en

Good luck!
steve

----- Original Message -----
From: Devan Pala <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 10:19 AM
Subject: RE: [ActiveDir] Default Domain Policy Issues

Hi Darren,

22 Domain Controllers at Windows 2000 / SP4. Just about 15 mins ago I restarted the NTFRS service on the DCs, then I made the change on the PDC Emulator on the password policy. I noted down the file size and time stamp of that gpttmpl.inf file. It's set to 11:58 (CST) today when I changed the policy. While looking at some of the other DCs it's set to last year (perhaps the last time I made a change to the security policies). Now I will wait for it to replicate, then see what happens. What if this file reverts back to what it was (with last year's time stamp), any thoughts at that point... Your help is very much appreciated.

Thanks,

Firefox - Rediscover the web

Original Message Follows
From: Darren Mar-Elia <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain Policy Issues
Date: Tue, 28 Jun 2005 09:45:48 -0700

How many DCs do you have and what OS version? First thing you can do is go to the PDC role holder DC, look at the file at \SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\gpttmpl.inf. Note its size and date/timestamp. Then check the same file on all other DCs. They should be the same. This is the file that delivers the security policy within the Default Domain Policy. If it's not in synch, then you could be getting the differences you are experiencing.

-----Original Message-----
From: [EMAIL PROTECTED]
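Steve's step list above (take "ntfrsutl idtable" from the DC that reverts, note the OriginatorGuid on gpttmpl.inf, then match it against the ReplicaVersionGuid from each DC's "ntfrsutl configtable") can be scripted. The following is an added example, not Steve's batch file and not frsdiag. It assumes ntfrsutl prints each record as "Key : Value" lines separated by blank lines (an assumption about the tool's output layout); the GUIDs, DC names and function names are constructed.

```powershell
# Added example, not code from the thread. The ntfrsutl output below is constructed, and the
# "Key : Value" record layout separated by blank lines is an assumption about the real format.
$IdTableFromDc10 = @'
FileGuid                 : 6f0a4d2e-0000-4000-8000-000000000001
ParentGuid               : 3e2c1b0a-0000-4000-8000-000000000002
OriginatorGuid           : a1b2c3d4-0000-4000-8000-000000000010
FileName                 : gpttmpl.inf

FileGuid                 : 6f0a4d2e-0000-4000-8000-000000000003
ParentGuid               : 3e2c1b0a-0000-4000-8000-000000000004
OriginatorGuid           : a1b2c3d4-0000-4000-8000-000000000011
FileName                 : registry.pol
'@

# One configtable extract per DC (constructed). Real input: (ntfrsutl configtable <DC> | Out-String)
$ConfigTables = @{
    'DC1'  = 'ReplicaVersionGuid       : a1b2c3d4-0000-4000-8000-000000000011'
    'DC7'  = 'ReplicaVersionGuid       : a1b2c3d4-0000-4000-8000-000000000010'
    'DC10' = 'ReplicaVersionGuid       : a1b2c3d4-0000-4000-8000-000000000012'
}

function ConvertFrom-KeyValueRecords {
    # Turn "Key : Value" blocks separated by blank lines into one object per block.
    param([string]$Text)
    $records = @()
    $current = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $current[$Matches[1]] = $Matches[2]
        } elseif ($current.Count -gt 0) {
            $records += [pscustomobject]$current
            $current = @{}
        }
    }
    if ($current.Count -gt 0) { $records += [pscustomobject]$current }
    return $records
}

function Get-FrsOriginatingDc {
    param(
        [string]$IdTableText,          # ntfrsutl idtable output from the DC that reverts (DC10)
        [hashtable]$ConfigTableTexts,  # DC name -> that DC's ntfrsutl configtable output
        [string]$FileName = 'gpttmpl.inf'
    )
    # Each DC's ReplicaVersionGuid is the value the idtable's OriginatorGuid refers to.
    $guidToDc = @{}
    foreach ($dc in $ConfigTableTexts.Keys) {
        foreach ($rec in ConvertFrom-KeyValueRecords -Text $ConfigTableTexts[$dc]) {
            if ($rec.ReplicaVersionGuid) { $guidToDc[$rec.ReplicaVersionGuid.ToLower()] = $dc }
        }
    }
    ConvertFrom-KeyValueRecords -Text $IdTableText |
        Where-Object { $_.FileName -eq $FileName } |
        ForEach-Object {
            $origin = $_.OriginatorGuid.ToLower()
            $dcName = if ($guidToDc.ContainsKey($origin)) { $guidToDc[$origin] }
                      else { '(no configtable collected for this GUID)' }
            [pscustomobject]@{
                FileName       = $_.FileName
                ParentGuid     = $_.ParentGuid      # confirm it maps back to {31B2F340-...} before trusting the row
                OriginatorGuid = $_.OriginatorGuid
                OriginatingDc  = $dcName
            }
        }
}

Get-FrsOriginatingDc -IdTableText $IdTableFromDc10 -ConfigTableTexts $ConfigTables | Format-Table -AutoSize
```

With the constructed input the gpttmpl.inf row resolves to DC7, which is the DC to examine for the change order. The ParentGuid column is left for manual confirmation, as Steve describes, because several policies contain a file of that name.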
[ActiveDir] Compare GPO RSOPs
Anyone got a good method to compare two GPOs and determine the delta between the two GPOs being compared?

Thank You! And have a nice day!

**
Mark Lunsford
KAISER PERMANENTE
Security Operations
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-4077
Remedy Group: NOPS SECURITY EDOS SYS
**
RE: [ActiveDir] Error while adding user to AD
Joe,

From the ADSI perspective I have never actually looked into it, but I would imagine there is a way to do it since it eventually boils down to an LDAP call. If I get a chance I will see if I can find a sample in ADSI or DirectoryServices.NET.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, June 29, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error while adding user to AD

Hi Steve,

Been a while. That last post did come across weird. :o) I should have been clear on the DSID and it changing with binaries if there are line numbering changes in the code; I didn't think to mention it. Thanks for clarifying. For the most part, the DSIDs aren't extremely useful unless you have source access. It generally isn't worth recording DSIDs and mapping them to problems unless you are also including in that map OS info, at the least version and SP level, but hotfixes can throw you off as well depending on what got touched.

Also thanks for the pointer on decoding that first part of the extended error. I have always wondered what that was but never made the connection to winerror. Now I need to update my code that dumps the extended error info in LDAP calls to actually decode that message as well. It would be useful.

Can ADSI be forced to do this op correctly (i.e. in the correct order)? I can't recall having seen an example of it. The examples I am aware of are all several steps - set basic attribs and SetInfo(), set password, set UAC and SetInfo(). I can create an account with the LDAP API and give it a password and have it enabled out of the gate [1], but since I haven't seen ADSI do it I generally just tell people to do it in a multistep operation, as I have no clue why ADSI didn't do it and would rather avoid that question, much easier. Too many people using ADSI, and also many people don't know if the tools they are using use ADSI or something else and I would rather avoid all of it. If ADSI *can* do it in a single step then I can stop telling people to do multistep ops, which in my opinion is much cleaner and faster.

Thanks
joe

[1] In admod you can add a new user to a K3 domain with password hot and ready to go like this (one line):

admod -b cn=testuser,cn=users,dc=domain,dc=com -add -kerbenc objectclass::user samaccountname::testuser useraccountcontrol::512 unicodepwd::testpassword pwdlastset::-1

This won't work in a 2K domain because admod doesn't support SSL yet. It works for K3 (all) because you don't need SSL and because I change the order of how the attributes are submitted to the server. The UAC attribute will always follow the unicodepwd attribute, though it was pure dumb luck versus knowing there was an ordering issue. Had I run into the ordering issue I would have been pretty confused, I expect.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, June 29, 2005 1:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error while adding user to AD

Resending due to a formatting error on my part, sorry for the duplicate post, but it is much easier to read with the lines wrapped. J

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, June 28, 2005 11:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error while adding user to AD

Just to add a few more things to the thread. If this is Windows Server 2003 RTM then you may be hitting a known issue if your provisioning tool uses LDAP to create the accounts and the attributes are not in a specific order. Due to a change made in Windows 2003, if you created a user using LDAP and the unicodepwd attribute was not specified before the useraccountcontrol attribute in your LDAP modification request, and the useraccountcontrol was not setting the account disabled, then we would return the error that the password did not meet complexity requirements even if the password did meet the requirements. Since LDAP operations are supposed to be atomic this behavior was incorrect and a fix was created. This fix is in Windows Server 2003 SP1, so if you are running into this particular scenario on Windows Server 2003 RTM and can not go to SP1 then you can call Microsoft and request the hotfix for KB 891299 (note this KB is currently not public).

I also wanted to point out that the DSID number will not normally be that helpful to those outside of Microsoft, and that the DSID can have different values across different versions of the binary even if it is referring to the same error. What can be helpful however is the first part of the error after the Server_Info tag, because it is an error/status message. In this case, using the handy err.exe tool that is available on the download.microsoft.com site, you will find that the error you received is:

C:\tools>err 052D
# for hex 0x52d /
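Steve's ordering point (unicodePwd before userAccountControl on Windows Server 2003 RTM) and his err.exe tip can both be shown with System.DirectoryServices.Protocols, where the Add request's attribute collection keeps insertion order. This is an added example, not joe's admod invocation and not Microsoft's sample code; it assumes PowerShell 5.1 or later on Windows, the DN, account name and password are constructed, the DSID in the sample error string is a placeholder, and the function names are mine.

```powershell
# Added example, not code from the thread. Assumes PowerShell 5.1+ (for ::new) on Windows.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function New-OrderedUserAddRequest {
    param(
        [string]$DistinguishedName,   # constructed, e.g. 'CN=testuser,CN=Users,DC=domain,DC=com'
        [string]$SamAccountName,
        [string]$Password
    )
    $req = [System.DirectoryServices.Protocols.AddRequest]::new()
    $req.DistinguishedName = $DistinguishedName
    # unicodePwd is the UTF-16LE encoding of the password wrapped in double quotes.
    $pwdBytes = [System.Text.Encoding]::Unicode.GetBytes('"' + $Password + '"')
    # The collection keeps insertion order, so this is the order the DC sees:
    # the password precedes the enabled (512 = NORMAL_ACCOUNT) userAccountControl.
    $attrs = @(
        [System.DirectoryServices.Protocols.DirectoryAttribute]::new('objectClass', 'user'),
        [System.DirectoryServices.Protocols.DirectoryAttribute]::new('sAMAccountName', $SamAccountName),
        [System.DirectoryServices.Protocols.DirectoryAttribute]::new('unicodePwd', $pwdBytes),
        [System.DirectoryServices.Protocols.DirectoryAttribute]::new('userAccountControl', '512'),
        [System.DirectoryServices.Protocols.DirectoryAttribute]::new('pwdLastSet', '-1')
    )
    foreach ($a in $attrs) { [void]$req.Attributes.Add($a) }
    return $req
}

function Get-RequestAttributeOrder {
    # Inspect the wire order before sending: unicodePwd must index lower than userAccountControl.
    param([System.DirectoryServices.Protocols.AddRequest]$Request)
    $i = 0
    foreach ($a in $Request.Attributes) { [pscustomobject]@{ Index = $i; Attribute = $a.Name }; $i++ }
}

function ConvertFrom-LdapExtendedError {
    # AD extended errors begin with an 8-digit hex Win32 status (the value err.exe decodes),
    # e.g. "0000052D: SvcErr: DSID-<varies>, problem 5003 (WILL_NOT_PERFORM), data 0".
    param([string]$Message)
    if ($Message -match '^\s*([0-9A-Fa-f]{8}):') {
        $code = [Convert]::ToInt32($Matches[1], 16)
        [pscustomobject]@{
            Hex     = '0x{0:X}' -f $code
            Decimal = $code            # 0x52D is 1325, ERROR_PASSWORD_RESTRICTION
            Text    = [System.ComponentModel.Win32Exception]::new($code).Message
            Raw     = $Message
        }
    }
}

function Send-OrderedUserAdd {
    param([string]$DomainController, [System.DirectoryServices.Protocols.AddRequest]$Request)
    # unicodePwd is only accepted on an encrypted channel; this uses LDAPS on 636.
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($DomainController, 636)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        $conn.SendRequest($Request)
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # Show the decoded status next to the raw server message, then rethrow.
        ConvertFrom-LdapExtendedError -Message $_.Exception.Response.ErrorMessage | Out-Host
        throw
    } finally {
        $conn.Dispose()
    }
}

# Offline demonstration of the two helpers (no DC needed); values are constructed.
$req = New-OrderedUserAddRequest -DistinguishedName 'CN=testuser,CN=Users,DC=domain,DC=com' `
                                 -SamAccountName 'testuser' -Password 'Tx9!constructed-sample'
Get-RequestAttributeOrder -Request $req | Format-Table -AutoSize
ConvertFrom-LdapExtendedError -Message '0000052D: SvcErr: DSID-XXXXXXXX, problem 5003 (WILL_NOT_PERFORM), data 0' | Format-List
# To create the account for real: Send-OrderedUserAdd -DomainController 'dc1.domain.com' -Request $req
```

Get-RequestAttributeOrder is the check to run against any provisioning code on a 2003 RTM domain: if userAccountControl shows up before unicodePwd, the "password does not meet complexity requirements" error Steve describes is the ordering bug, not the password.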
RE: [ActiveDir] Compare GPO RSOPs
There are no in-the-box tools for this, but what I've done in the past to skin it is to use GPMC or gpresult to export GP settings (or RSOP) to an XML or HTML file. Then you can use your favorite diff tool (e.g. Windiff) to compare the differences. That's about the most scientific method I've seen.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 29, 2005 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Compare GPO RSOPs

Anyone got a good method to compare two GPOs and determine the delta between the two GPOs being compared?

Thank You! And have a nice day!
Mark Lunsford
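Darren's export-then-diff method gets much more readable if the two XML reports are flattened to one "path=value" line per setting before comparing, so sibling policies are not confused and only real deltas show. The following is an added example, not Darren's own procedure and not a GPMC feature. The two reports are constructed with a simplified element layout (not the real GPMC report schema), and in practice you would fill them from Get-GPOReport -ReportType Xml (GroupPolicy module, shipped after this thread) or gpresult /X for RSOP.

```powershell
# Added example, not code from the thread. Sample reports are constructed and simplified.
$ReportA = @'
<GPO>
  <Name>Lab Workstations v1</Name>
  <Computer>
    <SecurityOptions><Policy><Name>MinimumPasswordLength</Name><Value>8</Value></Policy></SecurityOptions>
    <UserRightsAssignment><Policy><Name>SeDenyInteractiveLogonRight</Name><Member>DOMAIN\nsaccess</Member></Policy></UserRightsAssignment>
  </Computer>
</GPO>
'@
$ReportB = @'
<GPO>
  <Name>Lab Workstations v2</Name>
  <Computer>
    <SecurityOptions><Policy><Name>MinimumPasswordLength</Name><Value>12</Value></Policy></SecurityOptions>
    <UserRightsAssignment><Policy><Name>SeDenyInteractiveLogonRight</Name><Member>DOMAIN\nsaccess</Member><Member>DOMAIN\contractors</Member></Policy></UserRightsAssignment>
  </Computer>
</GPO>
'@

function Get-XmlLeafSettings {
    # Emit one "path=value" string per leaf element and one "path@attr=value" per attribute.
    param([System.Xml.XmlNode]$Node, [string]$Path = '')
    # Label repeated elements (e.g. <Policy>) with their <Name> child so siblings stay distinguishable.
    $label   = if ($Path) { $Node.SelectSingleNode('Name') } else { $null }
    $segment = if ($label) { "$($Node.LocalName)[$($label.InnerText.Trim())]" } else { $Node.LocalName }
    $here    = if ($Path) { "$Path/$segment" } else { $segment }
    if ($Node.Attributes) {
        foreach ($attr in $Node.Attributes) { "$here@$($attr.Name)=$($attr.Value)" }
    }
    $childElements = @($Node.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    if ($childElements.Count -eq 0) {
        "$here=$($Node.InnerText.Trim())"
    } else {
        foreach ($child in $childElements) { Get-XmlLeafSettings -Node $child -Path $here }
    }
}

function Compare-GpoReport {
    # Settings present in only one report; identical settings are dropped by Compare-Object.
    param([string]$ReferenceXml, [string]$DifferenceXml)
    $a = @(Get-XmlLeafSettings -Node ([xml]$ReferenceXml).DocumentElement)
    $b = @(Get-XmlLeafSettings -Node ([xml]$DifferenceXml).DocumentElement)
    Compare-Object -ReferenceObject $a -DifferenceObject $b |
        Sort-Object InputObject |
        ForEach-Object {
            $side = if ($_.SideIndicator -eq '<=') { 'Reference' } else { 'Difference' }
            [pscustomobject]@{ OnlyIn = $side; Setting = $_.InputObject }
        }
}

# With real exports:  Get-GPOReport -Name 'Lab v1' -ReportType Xml -Path a.xml  (then Get-Content -Raw)
Compare-GpoReport -ReferenceXml $ReportA -DifferenceXml $ReportB | Format-Table -AutoSize
```

On the constructed input the output lists only the GPO name, the MinimumPasswordLength value (8 versus 12) and the extra DOMAIN\contractors member in the deny-logon right; the unchanged nsaccess entry does not appear, which is the delta Mark asked for.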
[ActiveDir] Deny Log on Locally
I'm trying to stop certain users from being able to log on to computers in our lab. I created a group called 'nsaccess' and then created a group policy and added the group I created to the following:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
  Deny log on locally
  Deny log on through Terminal Services

For some reason it's not working. Anybody have any ideas? The users have local admin rights once they log onto the machine, as I have the INTERACTIVE group in the local workstations' Administrators group.

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University
[ActiveDir] Allow non domain-admin to modify login scripts
We assign our login scripts to each individual user account (not via GPOs). We have a user who needs to modify login scripts, but since he's not a domain admin he can't log in to our domain controller (which is good). How can we let him modify login scripts by mapping to the DC instead of logging onto it?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE : [ActiveDir] Allow non domain-admin to modify login scripts
Hi,

You must add him in the Netlogon directory ACLs, and give him read and write permission on this directory: check that the permission is applied to this object and the child objects. Then the user maps the netlogon directory by \\your_DC\netlogon and he could modify ALL the scripts belonging to the directory.

Cheers,
Yann

De: [EMAIL PROTECTED] de la part de Rimmerman, Russ
Date: mer. 29/06/2005 23:49
À: ActiveDir@mail.activedir.org
Objet : [ActiveDir] Allow non domain-admin to modify login scripts

We assign our login scripts to each individual user account (not via GPOs). We have a user who needs to modify login scripts, but since he's not a domain admin he can't log in to our domain controller (which is good). How can we let him modify login scripts by mapping to the DC instead of logging onto it?
RE: [ActiveDir] Allow non domain-admin to modify login scripts
The only drawback is that at this point he can easily become an Admin, so if you do not trust him as an Admin why give him the ability to modify scripts that he could use to elevate his privilege? One day you log on as a highly privileged user and the logon script fires off and adds this person to a privileged group on your behalf and then removes all traces of it from the logon script, so that the audit trail points back to you. Just something to consider, or at least try to mitigate by limiting exactly what scripts he is allowed to touch.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, June 29, 2005 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Allow non domain-admin to modify login scripts

Hi,

You must add him in the Netlogon directory ACLs, and give him read and write permission on this directory: check that the permission is applied to this object and the child objects. Then the user maps the netlogon directory by \\your_DC\netlogon and he could modify ALL the scripts belonging to the directory.

Cheers,
Yann
RE: [ActiveDir] Allow non domain-admin to modify login scripts
Hmm, good point, hadn't thought of that...

From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Wed 6/29/2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Allow non domain-admin to modify login scripts

The only drawback is that at this point he can easily become an Admin, so if you do not trust him as an Admin why give him the ability to modify scripts that he could use to elevate his privilege? One day you log on as a highly privileged user and the logon script fires off and adds this person to a privileged group on your behalf and then removes all traces of it from the logon script, so that the audit trail points back to you. Just something to consider, or at least try to mitigate by limiting exactly what scripts he is allowed to touch.

Thanks,
-Steve
RE: [ActiveDir] Allow non domain-admin to modify login scripts
Wouldn't you do it to SYSVOL instead of NETLOGON?

From: TIROA YANN on behalf of TIROA YANN
Sent: Wed 6/29/2005 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Allow non domain-admin to modify login scripts

Hi,

You must add him in the Netlogon directory ACLs, and give him read and write permission on this directory: check that the permission is applied to this object and the child objects. Then the user maps the netlogon directory by \\your_DC\netlogon and he could modify ALL the scripts belonging to the directory.

Cheers,
Yann
RE : [ActiveDir] Allow non domain-admin to modify login scripts
Steve,

You're absolutely right!

Russ, make sure that the user u want to grant permission to the netlogon directory is someone u trust; otherwise, as Steve stated, he or she could easily take control of your DC :( At least, give him just write permission on only one script; however, it doesn't change the way of elevating his/her privilege. So be extremely careful :)

Cheers,
Yann

From: [EMAIL PROTECTED] on behalf of Steve Linehan
Date: Thu 30/06/2005 00:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Allow non domain-admin to modify login scripts

The only drawback is that at this point he can easily become an Admin, so if you do not trust him as an Admin why give him the ability to modify scripts that he could use to elevate his privilege? One day you log on as a highly privileged user and the logon script fires off and adds this person to a privileged group on your behalf and then removes all traces of it from the logon script so that the audit trail points back to you. Just something to consider, or at least try to mitigate by limiting exactly what scripts he is allowed to touch.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, June 29, 2005 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Allow non domain-admin to modify login scripts
RE : [ActiveDir] Allow non domain-admin to modify login scripts
No. Do a net share at a DOS command prompt on your DC. U will see the exact path of the netlogon share (C:\WINDOWS\SYSVOL\sysvol\domain.fr\SCRIPTS). Netlogon is for scripts, and sysvol is for GPOs + scripts. So a direct mapping to the \\your_DC\netlogon share points u directly to the logon scripts directory.

Cheers,
Yann

From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Date: Thu 30/06/2005 00:43
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Allow non domain-admin to modify login scripts

Wouldn't you do it to SYSVOL instead of NETLOGON?
RE: [ActiveDir] Allow non domain-admin to modify login scripts
I would be extremely picky about letting people update logon scripts. In fact, I previously was when I did ops: it was the DAs and only the DAs. Even doing that and taking "certified" good scripts from other folks and placing them into the proper locations, I have experienced some extremely nasty logon issues that weren't really logon issues. The issues were dorked up logon scripts, though they presented as logon issues (I typed in my userid and password and it just sits here!!!), and it took me trying to figure out what was broken to realize it was a logon script, and those are hours I can never get back into my life for myself, lost forever due to someone else's poor scripting skills.

Basically, allowing someone to write to the share that every single interactive authentication touches is not the best way to secure an environment in my opinion. Think how much fun you can have if the person does an update, no one knows it, no one can logon, you think the DCs are hosed, and a couple of days later you realize no one could log on for a couple of days because of a change to the logon script. You go to the person, his response is, nah, it couldn't be.

Quite honestly I would ask, why is the perception that the logon script has to change so much? My advice, just say no. Tell them you will copy the new "certified" scripts into place every X days, where you pick X as a sufficiently painful period that they realize whatever it is they are doing probably shouldn't be done in logon scripts anyway. Let the user finish logging on, then screw them up; that way it doesn't come back to the overworked DAs.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 29, 2005 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Allow non domain-admin to modify login scripts
Re: [ActiveDir] Allow non domain-admin to modify login scripts
An alternative to allowing write access to a section of the sysvol is to use pointer scripts. The script on the sysvol can point to a script on a file server that the admin can edit.

Jim Katoe
WW Directory Services Manager
GroupM
917 520 0119

- Original Message -
From: ActiveDir-owner
Sent: 06/29/2005 07:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Allow non domain-admin to modify login scripts
RE: [ActiveDir] Allow non domain-admin to modify login scripts
Yep, good point. Actually one of my previous customers did exactly that. The home server specified for the user would have a share set up on it that housed a secondary script called from the primary logon script. The primary script would look at the home server when processing and knew from that where to call out to. If there was no home server specified or the home server in question had no secondary logon script to run, the primary script would just continue on its merry way. Also, it would check the OS the user was running on, and if it was a server it would bail out immediately; that helped a little with security. However, the caveats mentioned are the same in terms of breaking the logon process and other security issues that can be raised.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 29, 2005 7:28 PM
To: ActiveDir
Subject: Re: [ActiveDir] Allow non domain-admin to modify login scripts
Re: [ActiveDir] Allow non domain-admin to modify login scripts
We just created a Login Admin group and gave it rights to the scripts folder on the PDC.

Thank You! And have a nice day!

**
Mark Lunsford
KAISER PERMANENTE Security Operations
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-4077
Remedy Group: NOPS SECURITY EDOS SYS
**
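Pulling the thread's advice together (Steve's warning that a writable script every logon runs is an elevation path, Yann's suggestion to limit write access to a single script, Mark's dedicated group), here is an added example that is not from the thread: a PowerShell audit of the NETLOGON share that reports unexpected write-capable ACEs and diffs script hashes against the previous run. 'your_DC' is the thread's own placeholder; the expected-principal list, the baseline path and PowerShell 4+ (for Get-FileHash) are assumptions.

```powershell
# Added example, not from the thread: audit which principals can change logon scripts
# in the NETLOGON share and detect edits against a saved hash baseline.
# Assumptions: PowerShell 4+ (Get-FileHash), read access to the share, and 'your_DC'
# is the placeholder DC name used in the thread.
param(
    [string]$Dc = 'your_DC',
    [string]$BaselinePath = "$env:ProgramData\netlogon-baseline.csv"
)
$share = "\\$Dc\netlogon"

# Rights that let a principal alter a script, replace it, or re-ACL it.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, WriteAttributes, ChangePermissions, TakeOwnership'

# Principals expected to hold those rights; extend with your own admin groups
# (e.g. the domain's Domain Admins) so only unexpected grants are reported.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              'BUILTIN\Server Operators', 'CREATOR OWNER')

# 1. Check the share root and everything under it for unexpected write-capable ACEs.
$items = @(Get-Item -Path $share) + @(Get-ChildItem -Path $share -Recurse -Force)
$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $writeMask) -ne 0 -and
            $expected -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 2. Hash every script and compare with the previous run, so a quiet edit like the
#    one Steve describes shows up even when the ACLs look right.
$current = Get-ChildItem -Path $share -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash
if (Test-Path -Path $BaselinePath) {
    $baseline = Import-Csv -Path $BaselinePath
    # '=>' rows are new or modified files, '<=' rows were removed or changed.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Path, Hash |
        Format-Table -AutoSize
}
$current | Export-Csv -Path $BaselinePath -NoTypeInformation
```

Run it on a schedule from a monitoring host rather than from the DC itself; the first run only writes the baseline, later runs report differences.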
Re: [ActiveDir] Can't get rid of old DC in Sites and Services
Go for metadata cleanup using ntdsutil. Check http://petri.co.il

thx
Dibendoo Das
Fluent Systems, India

--- Mark Orlando [EMAIL PROTECTED] wrote:

I have a DC, which used to have all FSMO roles, that is causing me grief. The server had issues so I put the roles on another DC and demoted it to a member server. I then deleted all of the static site links that I had set up and let AD configure them automatically. It has been working fine for a while, but now, for some reason, this server is still being seen as a DC because some of the other DCs are still trying to replicate with it. I went into Sites and Services and deleted the links, but it won't actually let me delete the server container for that DC that isn't a DC anymore. It says it can't delete the DSA object. How the heck do I get rid of this DC in AD once and for all.

Thanks,
Mark Orlando
IT Dept.
Linden Public Schools
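The ntdsutil metadata cleanup Dibendoo points to, as an added example that is not from the thread: it checks whether the demoted DC's NTDS Settings (the "DSA object" Mark cannot delete) still exists in the configuration partition, removes the stale server metadata, and verifies the result. OLDDC, SITENAME, LIVEDC and the configuration naming context are placeholders for your own names.

```powershell
# Added example, not from the thread: confirm a demoted DC still has replication
# metadata, remove it with ntdsutil, and verify the NTDS Settings (DSA) object is gone.
# Assumptions: run from an elevated prompt on a healthy DC; OLDDC, SITENAME, LIVEDC
# and DC=domain,DC=local are placeholders for your own names.
$oldDc    = 'OLDDC'
$site     = 'SITENAME'
$liveDc   = 'LIVEDC'
$configNc = 'CN=Configuration,DC=domain,DC=local'
$serverDn = "CN=$oldDc,CN=Servers,CN=$site,CN=Sites,$configNc"

function Get-StaleDsa {
    # Returns the nTDSDSA (NTDS Settings) object under the old server, or $null when
    # either the server object or its DSA child is already gone.
    param([string]$ServerDn)
    try {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot  = [ADSI]"LDAP://$ServerDn"
        $searcher.Filter      = '(objectClass=nTDSDSA)'
        $searcher.SearchScope = 'OneLevel'
        return $searcher.FindOne()
    } catch {
        return $null
    }
}

# 1. Partners that still reference the old DC confirm the metadata was left behind.
repadmin /showrepl $liveDc | Select-String -Pattern $oldDc

# 2. Strip the stale DSA; this is what "metadata cleanup" in ntdsutil does
#    (single-command form, Windows Server 2003 SP1 and later; it prompts to confirm).
if (Get-StaleDsa -ServerDn $serverDn) {
    ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
}

# 3. Verify. Once no DSA object remains, the server object in Sites and Services
#    can be deleted normally; stale DNS SRV records for the old DC are the next thing to check.
if (-not (Get-StaleDsa -ServerDn $serverDn)) {
    "No NTDS Settings object remains under $serverDn"
}
```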