RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-26 Thread Laura A. Robinson
Have you looked at MIIS?
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



Same topic, but this one is for Notes Admin/Gurus as well. 

I populate the mail attribute in AD with the Notes Users primary internet
address. Does anyone have a script or method that will allow me to publish
in AD the same info for groups and other addresses for users. 

Even something that can query Domino for all users and groups and return all
addresses into a file, I can use that as a basis to update AD with proxy
info etc. 
Thanks in advance. 

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED] 



Brian Cline [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED] 


01/26/2007 09:47 AM 


Please respond to
ActiveDir@mail.activedir.org



To
ActiveDir@mail.activedir.org 

cc

Subject
RE: [ActiveDir] How to find non-primary SMTP addresses?






Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query
for users that have secondary addresses vs. only having a primary and there
isn't any practical way to just get the secondary addresses out of the
proxyAddresses attribute.  You essentially need to get all the data and then
check for the values that are prefixed with lower case smtp.

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.

Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
 Profile  Publications:
 http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing
something wrong.  Thanks again.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
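
The approach described in this thread (export every proxyAddresses value, then pick out the ones prefixed with lower-case smtp), applied to an LDIF export; this is an added example, not code from any poster in the thread. It also flags entries whose mail attribute differs from the primary SMTP: address. The sample LDIF, the example.test names and the helper names (parse_ldif, classify, audit) are constructed for illustration.

```python
import base64

# Constructed sample in LDIF form (not real directory data). It includes a
# folded line (continuation starts with one space) and a base64 value
# ("attr:: ..."), both of which LDIF exports can contain.
_BOB_B64 = base64.b64encode(b"SMTP:bob@example.test").decode("ascii")

SAMPLE_LDIF = f"""\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
mail: alice@example.test
proxyAddresses: SMTP:alice@example.test
proxyAddresses: smtp:a.example@example.test
proxyAddresses: smtp:alice.long.alias@mail.exam
 ple.test
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Alice;

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
mail: bob.old@example.test
proxyAddresses: smtp:bob.old@example.test
proxyAddresses:: {_BOB_B64}

dn: CN=Carol Example,OU=Staff,DC=example,DC=test
mail: carol@example.test
proxyAddresses: SMTP:carol@example.test
"""


def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> list of values."""
    # Unfold first: a line beginning with a single space continues the
    # previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entry = {}
    for line in lines + [""]:            # the trailing "" flushes the last entry
        if not line.strip():             # blank line ends an entry
            if entry:
                yield entry
                entry = {}
            continue
        if line.startswith("#"):         # LDIF comment
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.lstrip(" ")
        entry.setdefault(name.lower(), []).append(value)


def classify(entry):
    """Split proxyAddresses into (primary, secondary) SMTP address lists.

    The prefix comparison is deliberately case-sensitive: "SMTP" marks the
    primary address, "smtp" a secondary one. Other address types are ignored.
    """
    primary, secondary = [], []
    for value in entry.get("proxyaddresses", []):
        prefix, _, addr = value.partition(":")
        if prefix == "SMTP":
            primary.append(addr)
        elif prefix == "smtp":
            secondary.append(addr)
    return primary, secondary


def audit(text):
    """Return one record per entry with its addresses and any mismatch found."""
    report = []
    for entry in parse_ldif(text):
        if "dn" not in entry:            # e.g. a leading "version: 1" block
            continue
        primary, secondary = classify(entry)
        mail = entry.get("mail", [None])[0]
        issues = []
        if not primary:
            issues.append("no primary SMTP address")
        elif mail is None or mail.lower() != primary[0].lower():
            issues.append("mail does not match primary SMTP address")
        report.append({
            "dn": entry["dn"][0],
            "primary": primary,
            "secondary": secondary,
            "issues": issues,
        })
    return report


if __name__ == "__main__":
    for rec in audit(SAMPLE_LDIF):
        print(rec["dn"])
        print("  secondary:", ", ".join(rec["secondary"]) or "(none)")
        for issue in rec["issues"]:
            print("  issue:", issue)
```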




--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.17.12/653 - Release Date: 1/26/2007
11:11 AM





RE: [ActiveDir] Shares with Computer Account Permissions

2007-01-09 Thread Laura A. Robinson
Sure. IPsec.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 09, 2007 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Shares with Computer Account Permissions



I was asked today whether it was possible to allow or deny access to shares
not just based on user accounts, but also upon computer accounts.  My
immediate response was that I didn’t think so.

 

So I tested it by simply creating a folder up on our file server, and added
the computer account for my workstation and denying it access completely.
This made no difference to my permissions when trying to access it from this
workstation.

 

So my question is this, is there any way to design access permissions in
such a way so you could not only allow access to a share to a certain
security group, but also to this security group only when they are accessing
it on hosts that we have explicitly defined?

 

~Ben




RE: [ActiveDir] Shares with Computer Account Permissions

2007-01-09 Thread Laura A. Robinson
It wouldn't stop all traffic to the server, you would just have to be
specific about the rules you constructed in the IPsec policy. Unless by all
traffic, you mean all shares on the server, in which case, that's where
NTFS/share permissions would come in. 
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, January 09, 2007 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Shares with Computer Account Permissions



Hi Laura,

  That’s what I thought of first but that would stop all traffic to the
server, not just a particular share.

 

Mike Thommes

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, January 09, 2007 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Shares with Computer Account Permissions

 

Sure. IPsec.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 09, 2007 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Shares with Computer Account Permissions

I was asked today whether it was possible to allow or deny access to shares
not just based on user accounts, but also upon computer accounts.  My
immediate response was that I didn’t think so.

 

So I tested it by simply creating a folder up on our file server, and added
the computer account for my workstation and denying it access completely.
This made no difference to my permissions when trying to access it from this
workstation.

 

So my question is this, is there any way to design access permissions in
such a way so you could not only allow access to a share to a certain
security group, but also to this security group only when they are accessing
it on hosts that we have explicitly defined?

 

~Ben

 



RE: [ActiveDir] Shares with Computer Account Permissions

2007-01-09 Thread Laura A. Robinson
http://www.microsoft.com/technet/network/sdiso/default.mspx


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, January 09, 2007 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Shares with Computer Account Permissions



Hi Laura,

  That’s what I thought of first but that would stop all traffic to the
server, not just a particular share.

 

Mike Thommes

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, January 09, 2007 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Shares with Computer Account Permissions

 

Sure. IPsec.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 09, 2007 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Shares with Computer Account Permissions

I was asked today whether it was possible to allow or deny access to shares
not just based on user accounts, but also upon computer accounts.  My
immediate response was that I didn’t think so.

 

So I tested it by simply creating a folder up on our file server, and added
the computer account for my workstation and denying it access completely.
This made no difference to my permissions when trying to access it from this
workstation.

 

So my question is this, is there any way to design access permissions in
such a way so you could not only allow access to a share to a certain
security group, but also to this security group only when they are accessing
it on hosts that we have explicitly defined?

 

~Ben

 



RE: [ActiveDir] Shares with Computer Account Permissions

2007-01-09 Thread Laura A. Robinson
No, you can use IPsec to allow or deny access to the machine based on host
(as well as filtering by protocol, etc.), and use user accounts to restrict
share access. The end result is that specific users can access only from
specific machines. The restrictions to different shares would be based on
the combination of IPsec policies and user account.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 09, 2007 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Shares with Computer Account Permissions



So you can use IPSec to allow or deny access to a network share based on
originating host?

 

Would you mind elaborating on this a little bit?

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, January 09, 2007 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Shares with Computer Account Permissions

 

Sure. IPsec.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 09, 2007 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Shares with Computer Account Permissions

I was asked today whether it was possible to allow or deny access to shares
not just based on user accounts, but also upon computer accounts.  My
immediate response was that I didn’t think so.

 

So I tested it by simply creating a folder up on our file server, and added
the computer account for my workstation and denying it access completely.
This made no difference to my permissions when trying to access it from this
workstation.

 

So my question is this, is there any way to design access permissions in
such a way so you could not only allow access to a share to a certain
security group, but also to this security group only when they are accessing
it on hosts that we have explicitly defined?

 

~Ben

 



RE: [ActiveDir] OT: Vista Resource Monitor blank

2006-12-16 Thread Laura A. Robinson
Then you weren't referring to Performance Monitor (if you'd said that you
launched it from Task Manager, I wouldn't have thought you meant Perfmon).
Resource Monitor and Performance Monitor are not the same thing, and it *is*
normal for *Perfmon* to launch with no counters, which is why I asked you
for clarification. The only thing I can think of is that there is a delay
before display begins when you launch Resource Monitor from Task Manager.
Since you can't reproduce the problem, it's difficult to give you a solid
answer, but if you are able to reproduce the issue, please post how you did
so so that others can see if they can duplicate it. I have been unable to
reproduce the problem on my machines after waking them from sleep, but if
you are able to come up with a reproducible scenario, I'm certainly willing
to test it.

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Matheesha Weerasinghe
 Sent: Friday, December 15, 2006 11:18 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: Vista Resource Monitor blank
 
 Yes I was. I often launch the resource monitor from task manager and
 it's not blank. But in this instance it was. So I find it hard to
 believe it's normal. Thanks for the reply anyway Laura.
 
 Cheers
 
 M@
 
 On 12/15/06, Laura A. Robinson [EMAIL PROTECTED] wrote:
  Are you referring to Performance Monitor? If so, that's normal. You 
  have to pick the objects and counters that you want to watch.
 
  Laura
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
   Sent: Friday, December 15, 2006 5:34 AM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] OT: Vista Resource Monitor blank
  
   Has anyone ever seen the resource monitor of Vista RTM blank with no
   CPU/Mem/Disk etc... details at all? Last night I noticed when I used
   resource monitor it didn't display anything. Task Manager showed
   activity as expected but not the resource monitor. I assumed it was
   possibly due to the machine waking up from sleep but couldn't repro
   it.
  
   Cheers
  
   M@
   List info   : http://www.activedir.org/List.aspx
   List FAQ: http://www.activedir.org/ListFAQ.aspx
   List archive:
   http://www.mail-archive.com/activedir@mail.activedir.org/
  


RE: [ActiveDir] OT: Vista Resource Monitor blank

2006-12-16 Thread Laura A. Robinson
One additional clarification- Resource Monitor (aka Resource View) does use
the same objects as Perfmon, but it's a different, (usually) pre-configured
view into resource utilization. This still doesn't help with your problem,
but I didn't want to give the impression that the two are not connected in
any way. :-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Matheesha Weerasinghe
 Sent: Friday, December 15, 2006 11:18 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: Vista Resource Monitor blank
 
 Yes I was. I often launch the resource monitor from task manager and
 it's not blank. But in this instance it was. So I find it hard to
 believe it's normal. Thanks for the reply anyway Laura.
 
 Cheers
 
 M@
 
 On 12/15/06, Laura A. Robinson [EMAIL PROTECTED] wrote:
  Are you referring to Performance Monitor? If so, that's normal. You 
  have to pick the objects and counters that you want to watch.
 
  Laura
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
   Sent: Friday, December 15, 2006 5:34 AM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] OT: Vista Resource Monitor blank
  
   Has anyone ever seen the resource monitor of Vista RTM blank with no
   CPU/Mem/Disk etc... details at all? Last night I noticed when I used
   resource monitor it didn't display anything. Task Manager showed
   activity as expected but not the resource monitor. I assumed it was
   possibly due to the machine waking up from sleep but couldn't repro
   it.
  
   Cheers
  
   M@


RE: [ActiveDir] Vista GPO

2006-12-15 Thread Laura A. Robinson
So Microsoft should encourage their bad practices?
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


 People don't seem to have a problem with that concept when it comes to
game consoles :)
 
Bad analogy. Go stand in the corner, no wii for you :)
 
When people start running their businesses on game consoles, then you can
come back and compare. For now, it's just plain incomprehensible that you
can't manage ADMX from anything but Vista. Yeah, ideally we would want to
encourage clients to NOT manage things directly from servers, and to ensure
that IF they are going to introduce Vista, the IT folks' machines should be
doing the dog-fooding, but realistically, the ideal is always the
exception in this field. Microsoft should know that. People will insist on
managing GPO directly from the DCs, best practices be damned.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

   _  

From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


I hear you Rich. I had a long discussion with someone on the GP newsgroups
who thought that the fact that XP and 2003 couldn't read Vista GP settings
was an abomination and a scandal of the highest order and that MS should be
beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all
be used to the fact that sometimes, you have to adopt the new stuff to get
the new toys. People don't seem to have a problem with that concept when it
comes to game consoles :)

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Sorry, I understand it's different, what I meant was merely that we had
some growing pains like this when XP first came out.  Our practice then
became to use only XP desktops for GP management.  I think there's a
tendency to think this is such a terrible thing, this
backwards-incompatibility, and we might forget that Vista is not new
with this, we had similar issues before.  And who remembers the
teeth-pulling to get people to move to Active Directory??

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, December 15, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

This is actually a little different because if you view a GPO that was
created with Vista, using XP or 2003, none of the ADMX settings can
actually be read at all, because they are a completely new format that
GPEditor or GPMC on those older platforms don't understand. In fact, those
XP or 2003 will happily copy up the ADMs into the Vista GPO like they used
to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been
recommending to folks is that once you introduce Vista desktops into your
environment, use Vista for all your ongoing GP management. The Vista ADMXs
are a superset of the latest and greatest ADMs (i.e. they include 2003, XP
and Vista settings) so you can happily manage Vista and non-Vista targeted
GP settings from a Vista machine.

Darren

Darren Mar-Elia
CTO  Founder
www.sdmsoftware.com
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 6:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

You may recall, there was a similar case when XP came out too - if
memory serves, you had to manage XP GPO settings from an XP box - if you
opened them on Win2K, there were problems (I can't recall now exactly
what those problems were... it would corrupt the policy? Lose the
settings?) anyway so there are tons more settings (+ side) and you have
to use Vista for now (- side, sorta).  I wouldn't be too surprised if
they fix that with the next server and XP SP... but I haven't 

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Laura A. Robinson
And it's the clueful customers who (rightly) become angry when something in
a product that exists purely for backward compatibility opens a security
hole. Now, I'm not saying that all security holes are due to backward
compatibility, and I'm not saying that every bit of code that comes out of
Redmond is perfect. However, I have said for years that many of the things
that people don't like about Microsoft's products are the result of backward
compatibility, not bad coding or a lack of consideration on the part of
Microsoft's programmers. As somebody else (Darren? Richard?) said, there is
a point where a line has to be drawn in the sand. I personally don't see
anything dictatorial about requiring a Vista+ machine to edit *VISTA*
policies. I mean, seriously, if you're writing Vista GPOs, that would imply
that you're using Vista machines, and if you're using Vista machines, what
is the issue with using one of those Vista machines as your editing
workstation? I think that that *IS* a very pragmatic, realistic approach.
 
Sorry, I just don't follow your logic on this one.
 
That said, my opinions are purely my own, do not represent those of my
employer, are not intended to represent those of my employer and for all I
know, may even pi$$ off my employer. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


I wouldn't put it in those words. But, yeah, I would expect Microsoft to
be... shall we say...pragmatic, realistic. Something like, enable its
customers to run their businesses. I mean, refrain from dictating its
wishes. You know? Because at the end of the day, it is the clueless
customers that actually write the checks that add up to those billions in
the vault.
 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

   _  

From: Laura A. Robinson
Sent: Fri 12/15/2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


So Microsoft should encourage their bad practices?
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


 People don't seem to have a problem with that concept when it comes to
game consoles :)
 
Bad analogy. Go stand in the corner, no wii for you :)
 
When people start running their businesses on game consoles, then you can
come back and compare. For now, it's just plain incomprehensible that you
can't manage ADMX from anything but Vista. Yeah, ideally we would want to
encourage clients to NOT manage things directly from servers, and to ensure
that IF they are going to introduce Vista, the IT folks' machines should be
doing the dog-fooding, but realistically, the ideal is always the
exception in this field. Microsoft should know that. People will insist on
managing GPO directly from the DCs, best practices be damned.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

   _  

From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


I hear you Rich. I had a long discussion with someone on the GP newsgroups
who thought that the fact that XP and 2003 couldn't read Vista GP settings
was an abomination and a scandal of the highest order and that MS should be
beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all
be used to the fact that sometimes, you have to adopt the new stuff to get
the new toys. People don't seem to have a problem with that concept when it
comes to game consoles :)

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Sorry, I understand it's different, what I meant was merely that we had
some growing pains like this when XP first came out.  Our practice then
became to use only XP desktops for GP management.  I

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Laura A. Robinson
BTW, I would disagree with your assessment of Microsoft's customer base. I
work in Microsoft's largest district, with our largest customers, and I find
them far from clueless. I also find very few clueless folks writing us
checks that add up to those billions in the vault. 
 
Do I run into misinformed people? Absolutely. Clueless? Not really. Well,
not among my customers, anyway. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, December 15, 2006 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


And it's the clueful customers who (rightly) become angry when something in
a product that exists purely for backward compatibility opens a security
hole. Now, I'm not saying that all security holes are due to backward
compatibility, and I'm not saying that every bit of code that comes out of
Redmond is perfect. However, I have said for years that many of the things
that people don't like about Microsoft's products are the result of backward
compatibility, not bad coding or a lack of consideration on the part of
Microsoft's programmers. As somebody else (Darren? Richard?) said, there is
a point where a line has to be drawn in the sand. I personally don't see
anything dictatorial about requiring a Vista+ machine to edit *VISTA*
policies. I mean, seriously, if you're writing Vista GPOs, that would imply
that you're using Vista machines, and if you're using Vista machines, what
is the issue with using one of those Vista machines as your editing
workstation? I think that that *IS* a very pragmatic, realistic approach.
 
Sorry, I just don't follow your logic on this one.
 
That said, my opinions are purely my own, do not represent those of my
employer, are not intended to represent those of my employer and for all I
know, may even pi$$ off my employer. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


I wouldn't put it in those words. But, yeah, I would expect Microsoft to
be... shall we say...pragmatic, realistic. Something like, enable its
customers to run their businesses. I mean, refrain from dictating its
wishes. You know? Because at the end of the day, it is the clueless
customers that actually write the checks that add up to those billions in
the vault.
 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

   _  

From: Laura A. Robinson
Sent: Fri 12/15/2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


So Microsoft should encourage their bad practices?
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


 People don't seem to have a problem with that concept when it comes to
game consoles :)
 
Bad analogy. Go stand in the corner, no wii for you :)
 
When people start running their businesses on game consoles, then you can
come back and compare. For now, it's just plain incomprehensible that you
can't manage ADMX from anything but Vista. Yeah, ideally we would want to
encourage clients to NOT manage things directly from servers, and to ensure
that IF they are going to introduce Vista, the IT folks' machines should be
doing the dog-fooding, but realistically, the ideal is always the
exception in this field. Microsoft should know that. People will insist on
managing GPO directly from the DCs, best practices be damned.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

   _  

From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


I hear you Rich. I had a long discussion with someone on the GP newsgroups
who thought that the fact that XP and 2003 couldn't read Vista GP settings
was an abomination and a scandal of the highest order and that MS should be
beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all
be used

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Laura A. Robinson
Since many of us are in the habit of expressing various opinions, perhaps we
should refrain from characterizing those with which we disagree as the
height of professional arrogance and misinformed. See, if we start doing
that, I might express the opinion that referring to Microsoft's customers as
clueless and insisting that Microsoft should accommodate cluelessness at
the expense of new product development, security and code review (which is
exactly what the expense is to devote resources to doing nothing but
backporting new features) is the height of professional inexperience, myopia
and lack of exposure to sophisticated IT environments.
 
But I won't.
 
:-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


Tim,
 
it is the height of professional arrogance to think that anyone who
don't/can't/won't do things the way you think they should be done (best
practices) are lazy and uninformed.
 
I know you said that it is just your opinion, and, if I were like you, I
would hazard that it is a misinformed opinion. But I won't.
 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

   _  

From: Tim Vander Kooi
Sent: Fri 12/15/2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO



They won’t do it if Microsoft makes it so they CAN’T do it. I feel Microsoft
should be applauded for forcing admins to do their jobs correctly for a
change, instead of giving in to the lazy or uninformed amongst us.

Just my opinion,

Tim

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

 

 People don't seem to have a problem with that concept when it comes to
game consoles :)

 

Bad analogy. Go stand in the corner, no wii for you :)

 

When people start running their businesses on game consoles, then you can
come back and compare. For now, it's just plain incomprehensible that you
can't manage ADMX from anything but Vista. Yeah, ideally we would want to
encourage clients to NOT manage things directly from servers, and to ensure
that IF they are going to introduce Vista, the IT folks' machines should be
doing the dog-fooding, but realistically, the ideal is always the
exception in this field. Microsoft should know that. People will insist on
managing GPO directly from the DCs, best practices be damned.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

 

   _  

From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

I hear you Rich. I had a long discussion with someone on the GP newsgroups
who thought that the fact that XP and 2003 couldn't read Vista GP settings
was an abomination and a scandal of the highest order and that MS should be
beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all
be used to the fact that sometimes, you have to adopt the new stuff to get
the new toys. People don't seem to have a problem with that concept when it
comes to game consoles :)
 
Darren
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO
 
Sorry, I understand it's different, what I meant was merely that we had
some growing pains like this when XP first came out.  Our practice then
became to use only XP desktops for GP management.  I think there's a
tendency to think this is such a terrible thing, this
backwards-incompatibility, and we might forget that Vista is not new
with this, we had similar issues before.  And who remembers the
teeth-pulling to get people to move to Active Directory??
 
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland 

RE: [ActiveDir] OT: Vista Resource Monitor blank

2006-12-15 Thread Laura A. Robinson
Are you referring to Performance Monitor? If so, that's normal. You have to
pick the objects and counters that you want to watch.

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Matheesha Weerasinghe
 Sent: Friday, December 15, 2006 5:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Vista Resource Monitor blank
 
 Has anyone ever seen the resource monitor of Vista RTM blank 
 with no CPU/Mem/Disk etc... details at all? Last night I 
 noticed when I used resource monitor it didn't display 
 anything. Task Manager showed activity as expected but not 
 the resource monitor. I assumed it was possibly due to the 
 machine waking up from sleep but couldn't repro it.
 
 Cheers
 
 M@
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: 
 http://www.mail-archive.com/activedir@mail.activedir.org/
 


RE: [ActiveDir] Vista GPO

2006-12-15 Thread Laura A. Robinson
We're releasing the Vista management tools for Windows ME at the same time
that we release them for Microsoft Bob, IIRC. ;-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, December 15, 2006 3:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO



Well said. But while you’re at it, could you let someone know that I am very
upset that I can’t manage my Vista GPOs from my Windows ME PC.

Thanks much.  ;-)

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, December 15, 2006 1:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

 

And it's the clueful customers who (rightly) become angry when something in
a product that exists purely for backward compatibility opens a security
hole. Now, I'm not saying that all security holes are due to backward
compatibility, and I'm not saying that every bit of code that comes out of
Redmond is perfect. However, I have said for years that many of the things
that people don't like about Microsoft's products are the result of backward
compatibility, not bad coding or a lack of consideration on the part of
Microsoft's programmers. As somebody else (Darren? Richard?) said, there is
a point where a line has to be drawn in the sand. I personally don't see
anything dictatorial about requiring a Vista+ machine to edit *VISTA*
policies. I mean, seriously, if you're writing Vista GPOs, that would imply
that you're using Vista machines, and if you're using Vista machines, what
is the issue with using one of those Vista machines as your editing
workstation? I think that that *IS* a very pragmatic, realistic approach.

 

Sorry, I just don't follow your logic on this one.

 

That said, my opinions are purely my own, do not represent those of my
employer, are not intended to represent those of my employer and for all I
know, may even pi$$ off my employer. :-)

 

Laura

 

   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

I wouldn't put it in those words. But, yeah, I would expect Microsoft to
be... shall we say...pragmatic, realistic. Something like, enable its
customers to run their businesses. I mean, refrain from dictating its
wishes. You know? Because at the end of the day, it is the clueless
customers that actually write the checks that add up to those billions in
the vault.

 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

 

   _  

From: Laura A. Robinson
Sent: Fri 12/15/2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

So Microsoft should encourage their bad practices?

 

Laura

 

   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

 People don't seem to have a problem with that concept when it comes to
game consoles :)

 

Bad analogy. Go stand in the corner, no wii for you :)

 

When people start running their businesses on game consoles, then you can
come back and compare. For now, it's just plain incomprehensible that you
can't manage ADMX from anything but Vista. Yeah, ideally we would want to
encourage clients to NOT manage things directly from servers, and to ensure
that IF they are going to introduce Vista, the IT folks' machines should be
doing the dog-fooding, but realistically, the ideal is always the
exception in this field. Microsoft should know that. People will insist on
managing GPO directly from the DCs, best practices be damned.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

 

   _  

From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

I hear you Rich. I had a long discussion with someone on the GP newsgroups
who thought that the fact that XP and 2003 couldn't read Vista GP settings
was an abomination and a scandal of the highest order

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Laura A. Robinson
 of caution and assume that it hasn't. Don't take that statement as
anything resembling a hint as to what Microsoft will or won't do around ADMX
editing. I really don't know and couldn't say if I did. I'm simply observing
that as an MVP, you are covered by NDAs just as Microsoft employees,
vendors, contractors, etc. are, and you therefore know that sometimes idle
speculation or theoretical discussion is just that. For you to take an
abstract statement I made regarding historical issues around backward
compatibility and imply that I was stating that ADMX editing from pre-Vista
platforms opens a security hole is, in my opinion, inappropriate. I prefer
to assume that it was a simple mistake rather than an intentional
misstatement designed to imply that I had made such a proclamation.
 
Last, I feel that I should reiterate that all of the above is purely my own
personal opinion and is in no way intended to represent the opinions of my
coworkers, my customers, my employer, my cat, my imaginary friend or my
favorite Martian. Please forgive my Bob Dole-ish use of the third-party
referencing in much of the above, but I'd really like to make it clear that
I'm expressing my own opinions here, and they are the same opinions I held
when I worked for various other employers. :-)
 
Laura
 
 
   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO



Know your audience. Know your customers. Know your consumers.
 
I can't speak to whether or not you pi$$ off your employer, but I can name a
few of your colleagues in the trenches (because I run into them every now
and then) who will be more than glad to tell you that there are more that go
into a client's administrative decision making, technology adoption, PO
approval, etc, than best practices.
 
I will not speak to the security hole boogey-man that you are floating
because I don't think you want us veering into that arena. Imagine what it
would sound like if we start saying that MS is not making ADMX
administration available on non-Vista/LH platform because of security
issues.
 
No, you don't want that. So, what you are left with is nothing but Best
Practices. You want to draw a line because it is the sensible thing to
do. Well, my logic is that a lot of things make sense in my head and in my
labs. They just don't translate well in the real brick and mortar life out
there. People are going to administer their GPOs from their servers for any
number of reasons. These same people will NOT install LH until RTM+x number
of years. These people are the ones paying my bills. They are the ones
paying yours.
 
Unless you are actually making the case that MS is aware of some technical
inhibitions to making ADMX administrable from legacy OSes, there is no
compelling reason why MS should not factor in HOW its customers use its
products/technologies when decisions as to whether or not to make something
available. It is this unwillingness/reluctance to relate to the real-world
and to insist on a set of prescriptive mandates that continue to hurt MS
in many places.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

   _  

From: Laura A. Robinson
Sent: Fri 12/15/2006 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


And it's the clueful customers who (rightly) become angry when something in
a product that exists purely for backward compatibility opens a security
hole. Now, I'm not saying that all security holes are due to backward
compatibility, and I'm not saying that every bit of code that comes out of
Redmond is perfect. However, I have said for years that many of the things
that people don't like about Microsoft's products are the result of backward
compatibility, not bad coding or a lack of consideration on the part of
Microsoft's programmers. As somebody else (Darren? Richard?) said, there is
a point where a line has to be drawn in the sand. I personally don't see
anything dictatorial about requiring a Vista+ machine to edit *VISTA*
policies. I mean, seriously, if you're writing Vista GPOs, that would imply
that you're using Vista machines, and if you're using Vista machines, what
is the issue with using one of those Vista machines as your editing
workstation? I think that that *IS* a very pragmatic, realistic approach.
 
Sorry, I just don't follow your logic on this one.
 
That said, my opinions are purely my own, do not represent those of my
employer, are not intended to represent

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Laura A. Robinson
Deji, I've had enough of you attributing statements to me that I have not
made, and therefore I am finished with this conversation.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


Did I actually say that clueless folks are writing you checks? Or are you
projecting? That those who write you checks but don't/can't/won't do things
the right way (according to you) are clueless, and you don't like their
checks?
 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

   _  

From: Laura A. Robinson
Sent: Fri 12/15/2006 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


BTW, I would disagree with your assessment of Microsoft's customer base. I
work in Microsoft's largest district, with our largest customers, and I find
them far from clueless. I also find very few clueless folks writing us
checks that add up to those billions in the vault. 
 
Do I run into misinformed people? Absolutely. Clueless? Not really. Well,
not among my customers, anyway. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, December 15, 2006 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


And it's the clueful customers who (rightly) become angry when something in
a product that exists purely for backward compatibility opens a security
hole. Now, I'm not saying that all security holes are due to backward
compatibility, and I'm not saying that every bit of code that comes out of
Redmond is perfect. However, I have said for years that many of the things
that people don't like about Microsoft's products are the result of backward
compatibility, not bad coding or a lack of consideration on the part of
Microsoft's programmers. As somebody else (Darren? Richard?) said, there is
a point where a line has to be drawn in the sand. I personally don't see
anything dictatorial about requiring a Vista+ machine to edit *VISTA*
policies. I mean, seriously, if you're writing Vista GPOs, that would imply
that you're using Vista machines, and if you're using Vista machines, what
is the issue with using one of those Vista machines as your editing
workstation? I think that that *IS* a very pragmatic, realistic approach.
 
Sorry, I just don't follow your logic on this one.
 
That said, my opinions are purely my own, do not represent those of my
employer, are not intended to represent those of my employer and for all I
know, may even pi$$ off my employer. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


I wouldn't put it in those words. But, yeah, I would expect Microsoft to
be... shall we say...pragmatic, realistic. Something like, enable its
customers to run their businesses. I mean, refrain from dictating its
wishes. You know? Because at the end of the day, it is the clueless
customers that actually write the checks that add up to those billions in
the vault.
 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

   _  

From: Laura A. Robinson
Sent: Fri 12/15/2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


So Microsoft should encourage their bad practices?
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


 People don't seem to have a problem with that concept when it comes to
game consoles :)
 
Bad analogy. Go stand in the corner, no wii for you :)
 
When people start running their businesses on game consoles, then you can
come back and compare. For now, it's just plain incomprehensible that you
can't manage ADMX from anything but Vista. Yeah, ideally we would want to
encourage clients to NOT manage things directly from servers, and to ensure

RE: [ActiveDir] DesktopStandard

2006-12-15 Thread Laura A. Robinson
GPO Vault Enterprise (to be called Microsoft Advanced Group Policy
Management) will be part of the Microsoft Desktop Optimization Pack for SA
is slated for release in Spring/Summer of 2007. The Policy Maker Standard
Edition and Share Manager tools are targeted for a subsequent release.

Laura

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
 Sent: Friday, December 15, 2006 5:38 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] DesktopStandard
 
 Does anyone have any new info on when MS will update the 
 Desktopstandard product to work with Windows Vista?
 Thanks
 Nathan


RE: [ActiveDir] DesktopStandard

2006-12-15 Thread Laura A. Robinson
Or an even better, more official answer:

http://download.microsoft.com/download/6/4/F/64F5DC66-832A-4DF3-BAF4-3B4E7FB9E500/datasheet-faqs.pdf

Q: When can I order Microsoft Desktop Optimization Pack for Software
Assurance and when will it be available?

A: You may order Microsoft Desktop Optimization Pack for Software Assurance
from the January 2007 Price List. The software will be available in the
February VL Kit shipment and MVLS download site. The initial release of the
Microsoft Desktop Optimization Pack for Software Assurance will only include
SoftGrid v4.1. As other technologies become available they will be added to
the media kit that will ship within the monthly Select and EA kits. The
remaining technologies (Microsoft Diagnostic and Recovery Toolset, Microsoft
Advanced Group Policy Management, and Microsoft Asset Inventory Service)
will be available by the end of Q2 CY 2007. 

HTH,

Laura

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
 Sent: Friday, December 15, 2006 5:38 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] DesktopStandard
 
 Does anyone have any new info on when MS will update the 
 Desktopstandard product to work with Windows Vista?
 Thanks
 Nathan


RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-09 Thread Laura A. Robinson
You know, there's one thing I may have forgotten to mention- there's a good
whitepaper on this.
 
:-P
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of MikeM
Sent: Saturday, December 09, 2006 12:10 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Vista Activation and KMS


So Laura, correct me if I'm wrong, but are you suggesting we read the white
paper? 

Seriously, thank you for all of the input on this matter.

-MM-


On 12/8/06, Laura A. Robinson [EMAIL PROTECTED] wrote: 

1. The entire conversation is ~450 BYTES of traffic. If you can't swing that
over six months, you have bigger problems than activation. SSL-based VPN
changes nothing. Connectivity is connectivity. Why do you assume that
activation can't occur over an SSL-based VPN?
2. If you have no links at all, either look at a KMS host at the remote
sites, or look at MAK activation. 
3. Who said anything about you having to have two different images?
 
Folks, please read the whitepapers and try this out before you reject it.
The expression tilting at windmills comes to mind with some of these
objections.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 08, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS




If it's so well baked then how do you support multiple remote offices with
slow VPN links, or none at all? How do you support field users without a VPN
client, or using an SSL based VPN? Making us use two different images (one
for each key type) isn't a solution since it doubles our support work and
clients may move from one model to the other. There are plenty of situations
where it just doesn't work well for IT in the real world. 

Thanks, 
Andrew Fidel 



Laura A. Robinson [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED] 


12/05/2006 04:43 PM 


Please respond to
ActiveDir@mail.activedir.org



To
ActiveDir@mail.activedir.org 

cc



Subject
RE: [ActiveDir] OT: Vista Activation and KMS








The Windows Server 2003 KMS host will be out soon. In the meantime, Vista is
perfectly acceptable to use and it's incredibly simple to decommission it as
a KMS host when you implement a Win2K3 host. No TAM support needed.

Again, I'd really encourage people to thoroughly read the documents I
referenced before, because I'm seeing a lot of confusion on this list that
indicates that people aren't really understanding how this works (not you in
particular, Susan, just a general comment as I've been watching the VLA
comments for a little while). 

Or if you're Neil, you can schedule a LiveMeeting and I'll explain it,
because Neil's company is one of my district's customers. ;-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, December 05, 2006 3:21 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: Vista Activation and KMS
 
 I personally am not ready to stick a Vista box as a 
 Licensing server.
 
 ISA still doesn't have a firewall client that works for 
 one... and I've yet to find a a/v that doesn't BSOD my tablet 
 pc or act strangely on another box I built.
 
 In fact I'm still using my Technet 'for testing purposes' 
 ones as I'm not ready to play with my VL ones.  Activation on 
 the VL ones means I'm serious to roll...and quite frankly.. I'm not.
 
 I still want to see a more formal support story on 
 Activations in general for folks that aren't TAM supported...
 
 YMMV and all that.
 
 Laura A. Robinson wrote:
  I am not at all talking about solutions that don't exist 
 today. Go to 
  a Vista machine and take a look at slmgr.vbs.
   
  Laura
 
  
 --
 --
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Tim
  Vander Kooi
  *Sent:* Tuesday, December 05, 2006 12:39 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] OT: Vista Activation and KMS
 
  While Laura and yourself make valid points, you are both talking
  about solutions that do not exist today. I'm just trying to help
  the OP with the problem he is having right now. Getting into the
  full licensing overhead of Vista, not to mention LH, could, and
  undoubtedly will, take weeks

RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-08 Thread Laura A. Robinson
1. The entire conversation is ~450 BYTES of traffic. If you can't swing that
over six months, you have bigger problems than activation. SSL-based VPN
changes nothing. Connectivity is connectivity. Why do you assume that
activation can't occur over an SSL-based VPN?
2. If you have no links at all, either look at a KMS host at the remote
sites, or look at MAK activation. 
3. Who said anything about you having to have two different images?
 
Folks, please read the whitepapers and try this out before you reject it.
The expression tilting at windmills comes to mind with some of these
objections.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 08, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS



If it's so well baked then how do you support multiple remote offices with
slow VPN links, or none at all? How do you support field users without a VPN
client, or using an SSL based VPN? Making us use two different images (one
for each key type) isn't a solution since it doubles our support work and
clients may move from one model to the other. There are plenty of situations
where it just doesn't work well for IT in the real world. 

Thanks, 
Andrew Fidel 



Laura A. Robinson [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
12/05/2006 04:43 PM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] OT: Vista Activation and KMS






The Windows Server 2003 KMS host will be out soon. In the meantime, Vista is
perfectly acceptable to use and it's incredibly simple to decommission it as
a KMS host when you implement a Win2K3 host. No TAM support needed.

Again, I'd really encourage people to thoroughly read the documents I
referenced before, because I'm seeing a lot of confusion on this list that
indicates that people aren't really understanding how this works (not you in
particular, Susan, just a general comment as I've been watching the VLA
comments for a little while). 

Or if you're Neil, you can schedule a LiveMeeting and I'll explain it,
because Neil's company is one of my district's customers. ;-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, December 05, 2006 3:21 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: Vista Activation and KMS
 
 I personally am not ready to stick a Vista box as a 
 Licensing server.
 
 ISA still doesn't have a firewall client that works for 
 one... and I've yet to find a a/v that doesn't BSOD my tablet 
 pc or act strangely on another box I built.
 
 In fact I'm still using my Technet 'for testing purposes' 
 ones as I'm not ready to play with my VL ones.  Activation on 
 the VL ones means I'm serious to roll...and quite frankly.. I'm not.
 
 I still want to see a more formal support story on 
 Activations in general for folks that aren't TAM supported...
 
 YMMV and all that.
 
 Laura A. Robinson wrote:
  I am not at all talking about solutions that don't exist 
 today. Go to 
  a Vista machine and take a look at slmgr.vbs.
   
  Laura
 
  
 --
 --
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Tim
  Vander Kooi
  *Sent:* Tuesday, December 05, 2006 12:39 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] OT: Vista Activation and KMS
 
  While Laura and yourself make valid points, you are both talking
  about solutions that do not exist today. I’m just trying to help
  the OP with the problem he is having right now. Getting into the
  full licensing overhead of Vista, not to mention LH, could, and
  undoubtedly will, take weeks and/or months.
 
  For right now, at this very moment, using your VL key 
 (and I will
  continue to refer to it as a VL key as long as the page 
 on which I
  am reading it says “ Volume License Product Keys” at the top of
  it) for Vista – KMS will allow you to activate your installation
  via the web just fine. This is not something I would do for an
  entire enterprise, but for your first few test machines on your
  production network I would do it.
 
  Again YMMV,
 
  Tim
 
   
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf 
 Of *Harvey
  Kamangwitz
  *Sent:* Tuesday, December 05, 2006 10:28 AM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* Re: [ActiveDir] OT: Vista Activation and KMS
 
   
 
  If you have any kind of a complex environment, you'll 
 find volume
  activation to be very frustrating indeed:
 
   
 
  1. The KMS service can't support more than one key, so 
 if you have
  Longhorn VL clients in your environment you have to put up a
  second

RE: [ActiveDir] NetBT errors 4321

2006-12-07 Thread Laura A. Robinson
Okay, and you've ruled out all of this stuff?
 
http://www.eventid.net/display.asp?eventid=4321&eventno=1822&source=NetBT&phase=1
 
If so, can you do an ipconfig /all on each machine? You can anonymize an
octet or two so as to protect your IPs. 
 
Laura
 


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge
Sent: Thursday, December 07, 2006 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NetBT errors 4321



 

 

Laura,

 

Sorry for not getting back sooner, the answers to your questions are:

 

Both IP addresses are DC’s

 

The first IP address is the one exhibiting all the NETBT 4321 event log
errors, the second IP address is the DC refusing the name to be claimed.

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 05 December 2006 01:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NetBT errors 4321

 

Okay, first question- is the first xxx.xxx.xxx.xxx address the same as the
second xxx.xxx.xxx.xxx, or are they actually different addresses? Second,
if we're talking two IPs, which one is the DC's IP? Basically, I can't get
enough from your genericized [I made that word up] error to figure out which
machine is which, where this error came from, what machine(s) is/are
identified by the IPs in the error, and therefore, why I should care about
the Nbstat entries. :-)

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge
Sent: Monday, December 04, 2006 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NetBT errors 4321

Hi All,

 

I cannot find a resolution to event log error that we are having within our
development domain the event is logged every 3-6 mins. I have exhausted the
internet results but to no avail, any help would be greatly appreciated.

 

We have two DC’s living on different subnets both acting as BH servers. 

 

1st DC holds all FSMO roles, single domain, D & FFL 2003

 

Anyway below is the event log message I have done all the searches possible
and come up with nothing at all. 

 

Source NetBT

EventID: 4321

 

The name “DEV….:Id” Could not be registered on the interface with IP
address xxx.xxx.xxx.xxx 

The machine with the IP address xxx.xxx.xxx.xxx did not allow the name to be
claimed by the machine.

 

 

The results of both DC’s are as follows:

 

Nbtstat –an

 

DC1          DC2
00 unique    00 unique
00 Group     00 Group
1c Group     1c Group
20 Unique    20 Unique
1D Unique    1E Group
1E Group
-MSBROWSE

 

Mac address 

 

 

 


RE: [ActiveDir] What is Websence

2006-12-07 Thread Laura A. Robinson
http://www.websense.com/docs/Datasheets/en/v6.3/Websense_ProductOverview.pdf
http://www.websense.com/global/en/Partners/TAPartners/SecurityEcosystem/

Depending upon which websense product you're referencing, it can be an
appliance or just software.

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
 Sent: Thursday, December 07, 2006 6:30 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] What is Websence
 
 Is it a box or software driven web filtering. Please provide 
 some info on this.
 
 --
 Thanks,
 RD
  
 

 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-07 Thread Laura A. Robinson
Okay, let me see if I can summarize this in a gazillion words or less...
 
There are two types of activations for Vista- MAK activation and KMS
activation.
 
MAK activation works much like an MSDN subscription. You tell Microsoft how
many MAK activations you want to purchase. Microsoft sells you a MAK key
with that many activations. A machine that is activated via MAK activation
never has to renew. A MAK-activated client either directly contacts
Microsoft servers for activation or (in 2007, when the VAMT tool is
released) it activates against a proxy in your company that feeds the
activation to Microsoft activation servers. If you reinstall the OS and
specify MAK activation again, then that will use another of your allocated
activations. MAK activation is designed for machines that are NEVER
connected to your network (VPN counts as connected) in any given six-month
period. Therefore, we're talking about a machine that goes out your door and
you don't see it again for a very long time. MAK keys should not be commonly
or lightly used. In the reinstall scenario, much as you can now, you can
contact Microsoft at that time and explain the situation and get another
activation. 
 
KMS activation DOES NOT REPORT ANYTHING TO MICROSOFT. You activate the KMS
host against a Microsoft activation server, and your KMS clients get
activated by YOUR KMS host. Once a week, they try to renew. If renewal is
successful, the KMS client now has six months from that day to renew again.
The client will still renew once a week and will be extending that six month
window each time. In other words, you always have six months from initial
activation or renewal of activation before the client MUST contact a KMS
host again. If it's day 179 and your KMS host has been down that entire
time, when you bring it back up on day 179, your clients can renew their
activations for another six months. During those 179 days while the KMS host
was down, they are unaffected unless their 180 days of validity expired
during that time and they were unable to locate and contact another KMS
server.
 
If you reinstall the OS on a KMS-activated client, IT DOESN'T MATTER,
because Microsoft doesn't track KMS clients. In fact, even the KMS server
only keeps track of the last fifty activations it has performed. Now, if you
want to keep this information for your own records, you can easily extract
it from the event logs or you can use the MOM management pack for KMS.
 
With KMS activation, you are simply saying to Microsoft, we anticipate that
we will have 10,000 [or whatever] Vista clients. Therefore, we'll pay you
for that many Vista clients. That's the end of the story as far as
Microsoft is concerned. If you exceed 10,000 active Vista clients, then
you're in violation of your agreement, but Microsoft won't know about it via
some magic mechanism. KMS-activated clients don't talk to Microsoft. They
talk to your KMS host. 
 
The step-by-step guide I referenced tends to look dry and overwhelming to
people and I suspect that many folks don't really sit down and take the time
to read it thoroughly (can't blame 'em), but it really is all explained
there.
 
Laura
 
Hopefully I didn't put any typos or other doofusness in the above; it's been
a bad week for me when it comes to typing. :-)


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, December 07, 2006 5:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS


I have read all this, and it seems anything but straightforward to me. It
looks like we are going to have to invest a lot more money in managing
licenses.
 
I could also find nothing about what happens if we need to re-install
Windows. It appears we need to re-activate, and it appears as it's a new SID
it will use a second license... Anyone any pointers on this?
 


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 05 December 2006 00:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS


Actually, it is clearly documented, along with a lot more information on
KMS, MAK and Vista Volume Activation (btw, Volume Licensing doesn't exist in
Vista; VL and VA are not the same things). You probably don't want to get me
started on a big long explanation of how volume activation works, so I'll
just point you to this site:
http://www.microsoft.com/technet/windowsvista/plan/volact.mspx
:-)
 
I highly recommend both the FAQ and the step-by-step guide. The latter
provides information on how to change from KMS to MAK and vice versa (there
are several ways), as well as documentation of defaults, configuration
options, etc.
 
Laura
 
 


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, December 04, 2006 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT
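
The KMS renewal window described in the 2006-12-07 message above (weekly renewal attempts, 180 days of validity counted from the last successful renewal, a host outage that only matters if the 180 days run out), worked through as an added example that is not part of the thread. Counting in whole days and retrying daily after a failed attempt are assumptions of this example, and all names in it are hypothetical.

```python
"""Timeline model of KMS client renewal as described in the thread.

From the message: clients try to renew once a week; every successful
renewal gives the client 180 days from that day; a KMS host outage only
matters if a client's 180 days run out before it reaches a host again.

Assumptions (not from the thread): time is counted in whole days, and a
client whose attempt failed tries again the next day.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

VALIDITY_DAYS = 180    # "180 days of validity"
RENEW_EVERY_DAYS = 7   # "Once a week, they try to renew"
RETRY_EVERY_DAYS = 1   # assumption: retry cadence after a failed attempt

Outage = Tuple[int, int]  # (first_day_down, last_day_down), inclusive


@dataclass
class ClientTimeline:
    renewals: List[int] = field(default_factory=list)  # days of successful renewals
    failed_attempts: int = 0
    lapsed_on: Optional[int] = None  # deadline day that passed with no renewal


def host_is_up(day: int, outages: Sequence[Outage]) -> bool:
    """True when no outage interval covers the given day."""
    return not any(first <= day <= last for first, last in outages)


def simulate_client(outages: Sequence[Outage], horizon_days: int) -> ClientTimeline:
    """Follow one client from its initial activation on day 0.

    Stops at the first lapse, i.e. the first time the renewal deadline
    passes without the client having reached the KMS host.
    """
    timeline = ClientTimeline()
    last_success = 0                  # day 0: initial activation
    next_attempt = RENEW_EVERY_DAYS   # first weekly renewal attempt
    while next_attempt <= horizon_days:
        deadline = last_success + VALIDITY_DAYS
        if next_attempt > deadline:
            timeline.lapsed_on = deadline
            break
        if host_is_up(next_attempt, outages):
            # Success moves the whole 180-day window forward.
            timeline.renewals.append(next_attempt)
            last_success = next_attempt
            next_attempt += RENEW_EVERY_DAYS
        else:
            timeline.failed_attempts += 1
            next_attempt += RETRY_EVERY_DAYS
    return timeline


def describe(label: str, outages: Sequence[Outage], horizon_days: int = 365) -> str:
    """One-line summary of a scenario for printing."""
    t = simulate_client(outages, horizon_days)
    state = "never lapsed" if t.lapsed_on is None else f"lapsed on day {t.lapsed_on}"
    return f"{label}: {len(t.renewals)} renewals, {t.failed_attempts} failed attempts, {state}"


if __name__ == "__main__":
    # Constructed scenarios; the second one is the "day 179" case from the message.
    print(describe("host always up", []))
    print(describe("host down days 1-178, back on day 179", [(1, 178)]))
    print(describe("host down days 1-200", [(1, 200)]))
    print(describe("host down days 100-280 after normal renewals", [(100, 280)]))
```
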

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
I'd say that you should test it. Create and link a policy where you've set
"system objects: default owner for objects created by members of the
administrators group" to "Object creator". Then create a user in AD and
check the ownership.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


? 
can you explain?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Which will have no effect on the ownership of the directory objects.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


look at the owner
 
if it lists ADMINISTRATORS, you might wanna change the security option in
the default DCs GPO which is called: system objects: default owner for
objects created by members of the administrators group
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?


We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.
I used ADSIedit to verify the creation date/time.
 
While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).
 
Is there a way to see who created the the user object?
 
 
Thanks, Mitch.


RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-05 Thread Laura A. Robinson
Inline...


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harvey Kamangwitz
Sent: Tuesday, December 05, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Vista Activation and KMS


> If you have any kind of a complex environment, you'll find volume activation
> to be very frustrating indeed:
>
> 1. The KMS service can't support more than one key, so if you have Longhorn
> VL clients in your environment you have to put up a second KMS
> infrastructure for them.

Actually, when you purchase a KMS key, you get to activate TWO KMS hosts
with that key, up to ten times each. Therefore, you don't have to put up a
second KMS infrastructure.

> 2. You can't (rather, shouldn't) use autodiscovery If you do have both LH
> and Vista.  The KMS client can't distinguish between a KMS with LH and a KMS
> with Vista, and there's nothing in the client that says oh, I hit a KMS but
> it has the wrong key so try again immediately so ~50% of a client's
> activation attempts will fail.

So remove the DNS records for the LH KMS, or am I misunderstanding your
point?

> 3.  Autodiscovery isn't practical if you have more than a few forests that
> don't trust the forest your KMS is in. All admins of the untrusted forests
> must manually register the _vlmcs record in their forest to find the KMS.

slmgr.vbs. We're not talking about a ton of records here or a difficult
population mechanism.

> ...the list goes on. (I haven't even mentioned the practical aspects of
> volume activation in a lab or firewalled environment.)

I'd be happy to discuss your options around them if you should decide to
elaborate further.

> It's not a fully-baked solution.

I would tend to disagree. From a technical standpoint, I think it's pretty
well-baked. From a business process standpoint, it's still coming up to
speed.

> Depending on your environment, it might be easier to scrap the whole
> autodiscovery, create a DNS CNAME with a couple of KMS behind it, stuff the
> FQDN in the KMS client's registry if you have a standard build, and
> fugeddaboutit :-).

I'm not really understanding your concerns about autodiscovery. Could you be
more specific about your environment?
 
Laura
 


 
On 12/4/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

KMS runs on Vista (now), will run on Longhorn when Longhorn is released, and
will also run on Win2K3 as soon as we finish making the Win2K3 install. :-) 

Laura

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, December 04, 2006 1:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: Vista Activation and KMS 

 Nope, I've done it web based.  At the present time there are
 two kinds of keycodes up on MVLS.. one that wants a KMS, the
 other that will phone home to Redmond automatically. 

 Have your MVLS folks request the other type of key is my 
 understanding how this will work for now.  The KMS type won't
 be out until Longhorn.

 KMS activations will have to phone home to your servers twice a year. 

 Brian Cline wrote: 
 
  I was testing out the RTM of Vista Enterprise last night
 and noticed I
  didn't have to enter a key at any point during the install. When
  Windows tried to activate, it told me there was a DNS error, so I 
  suspected it looks for a local activation server by default. Sure
  enough, in the DNS cache was a lookup for a nonexistent 
  _vlmcs._tcp.domain.com. Upon further research, it appears Microsoft 
  has not released KMS yet, and I couldn't find any option to
 activate
  directly with Microsoft. For the moment, is telephone 
 activation the
  only option?
 
  Brian Cline, Applications Developer
  Department of Information Technology
  GP Trucking Company, Inc.
  803.936.8595 Direct Line
  800.922.1147 Toll-Free (x8595) 
  803.739.1176 Fax
 

 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog...
 man ... I will hunt you down...
 http://blogs.technet.com/sbs


RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-05 Thread Laura A. Robinson
I am not at all talking about solutions that don't exist today. Go to a
Vista machine and take a look at slmgr.vbs.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Tuesday, December 05, 2006 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS



While Laura and yourself make valid points, you are both talking about
solutions that do not exist today. I’m just trying to help the OP with the
problem he is having right now. Getting into the full licensing overhead of
Vista, not to mention LH, could, and undoubtedly will, take weeks and/or
months.

For right now, at this very moment, using your VL key (and I will continue
to refer to it as a VL key as long as the page on which I am reading it says
“ Volume License Product Keys” at the top of it) for Vista – KMS will allow
you to activate your installation via the web just fine. This is not
something I would do for an entire enterprise, but for your first few test
machines on your production network I would do it.

Again YMMV,

Tim

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harvey Kamangwitz
Sent: Tuesday, December 05, 2006 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Vista Activation and KMS

 

If you have any kind of a complex environment, you'll find volume activation
to be very frustrating indeed:

 

1. The KMS service can't support more than one key, so if you have Longhorn
VL clients in your environment you have to put up a second KMS
infrastructure for them.

 

2. You can't (rather, shouldn't) use autodiscovery If you do have both LH
and Vista.  The KMS client can't distinguish between a KMS with LH and a KMS
with Vista, and there's nothing in the client that says oh, I hit a KMS but
it has the wrong key so try again immediately so ~50% of a client's
activation attempts will fail. 

 

3.  Autodiscovery isn't practical if you have more than a few forests that
don't trust the forest your KMS is in. All admins of the untrusted forests
must manually register the _vlmcs record in their forest to find the KMS. 

 

...the list goes on. (I haven't even mentioned the practical aspects of
volume activation in a lab or firewalled environment.) It's not a
fully-baked solution.

 

Depending on your environment, it might be easier to scrap the whole
autodiscovery, create a DNS CNAME with a couple of KMS behind it, stuff the
FQDN in the KMS client's registry if you have a standard build, and
fugeddaboutit :-). 

 



 

On 12/4/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

KMS runs on Vista (now), will run on Longhorn when Longhorn is released, and
will also run on Win2K3 as soon as we finish making the Win2K3 install. :-) 

Laura

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, December 04, 2006 1:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: Vista Activation and KMS 

 Nope, I've done it web based.  At the present time there are
 two kinds of keycodes up on MVLS.. one that wants a KMS, the
 other that will phone home to Redmond automatically. 

 Have your MVLS folks request the other type of key is my 
 understanding how this will work for now.  The KMS type won't
 be out until Longhorn.

 KMS activations will have to phone home to your servers twice a year. 

 Brian Cline wrote: 
 
  I was testing out the RTM of Vista Enterprise last night
 and noticed I
  didn't have to enter a key at any point during the install. When
  Windows tried to activate, it told me there was a DNS error, so I 
  suspected it looks for a local activation server by default. Sure
  enough, in the DNS cache was a lookup for a nonexistent 
  _vlmcs._tcp.domain.com. Upon further research, it appears Microsoft 
  has not released KMS yet, and I couldn't find any option to
 activate
  directly with Microsoft. For the moment, is telephone 
 activation the
  only option?
 
  Brian Cline, Applications Developer
  Department of Information Technology
  GP Trucking Company, Inc.
  803.936.8595 Direct Line
  800.922.1147 Toll-Free (x8595) 
  803.739.1176 Fax
 

 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog...
 man ... I will hunt you down...
 http://blogs.technet.com/sbs


RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-05 Thread Laura A. Robinson
Doh! Okay, now I think I get what you're referencing in item 1.
 
There's a reason for that- LH isn't out yet. When LH is out, that won't be
an issue. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, December 05, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS


Inline...


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harvey Kamangwitz
Sent: Tuesday, December 05, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Vista Activation and KMS


> If you have any kind of a complex environment, you'll find volume activation
> to be very frustrating indeed:
>
> 1. The KMS service can't support more than one key, so if you have Longhorn
> VL clients in your environment you have to put up a second KMS
> infrastructure for them.

Actually, when you purchase a KMS key, you get to activate TWO KMS hosts
with that key, up to ten times each. Therefore, you don't have to put up a
second KMS infrastructure.

> 2. You can't (rather, shouldn't) use autodiscovery If you do have both LH
> and Vista.  The KMS client can't distinguish between a KMS with LH and a KMS
> with Vista, and there's nothing in the client that says oh, I hit a KMS but
> it has the wrong key so try again immediately so ~50% of a client's
> activation attempts will fail.

So remove the DNS records for the LH KMS, or am I misunderstanding your
point?

> 3.  Autodiscovery isn't practical if you have more than a few forests that
> don't trust the forest your KMS is in. All admins of the untrusted forests
> must manually register the _vlmcs record in their forest to find the KMS.

slmgr.vbs. We're not talking about a ton of records here or a difficult
population mechanism.

> ...the list goes on. (I haven't even mentioned the practical aspects of
> volume activation in a lab or firewalled environment.)

I'd be happy to discuss your options around them if you should decide to
elaborate further.

> It's not a fully-baked solution.

I would tend to disagree. From a technical standpoint, I think it's pretty
well-baked. From a business process standpoint, it's still coming up to
speed.

> Depending on your environment, it might be easier to scrap the whole
> autodiscovery, create a DNS CNAME with a couple of KMS behind it, stuff the
> FQDN in the KMS client's registry if you have a standard build, and
> fugeddaboutit :-).

I'm not really understanding your concerns about autodiscovery. Could you be
more specific about your environment?
 
Laura
 


 
On 12/4/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

KMS runs on Vista (now), will run on Longhorn when Longhorn is released, and
will also run on Win2K3 as soon as we finish making the Win2K3 install. :-) 

Laura

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, December 04, 2006 1:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: Vista Activation and KMS 

 Nope, I've done it web based.  At the present time there are
 two kinds of keycodes up on MVLS.. one that wants a KMS, the
 other that will phone home to Redmond automatically. 

 Have your MVLS folks request the other type of key is my 
 understanding how this will work for now.  The KMS type won't
 be out until Longhorn.

 KMS activations will have to phone home to your servers twice a year. 

 Brian Cline wrote: 
 
  I was testing out the RTM of Vista Enterprise last night and noticed I
  didn't have to enter a key at any point during the install. When
  Windows tried to activate, it told me there was a DNS error, so I
  suspected it looks for a local activation server by default. Sure
  enough, in the DNS cache was a lookup for a nonexistent
  _vlmcs._tcp.domain.com. Upon further research, it appears Microsoft
  has not released KMS yet, and I couldn't find any option to activate
  directly with Microsoft. For the moment, is telephone activation the
  only option?
 
  Brian Cline, Applications Developer
  Department of Information Technology
  GP Trucking Company, Inc.
  803.936.8595 Direct Line
  800.922.1147 Toll-Free (x8595) 
  803.739.1176 Fax
 

 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog...
 man ... I will hunt you down...
 http://blogs.technet.com/sbs

 List info   : http://www.activedir.org/List.aspx
 List FAQ    : http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir
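
The autodiscovery lookup discussed in this thread (the _vlmcs._tcp SRV record) can be audited per DNS zone. The following Python is an added example, not code from any list member: it parses saved `nslookup -type=srv` output and reports zones with no record and records that point at a host you did not intend clients to use. The zones, host names, approved list and nslookup text are constructed samples.

```python
import re

# Hosts you intend clients to activate against (hypothetical names).
APPROVED_KMS = {"kms01.corp.example.com", "kms02.corp.example.com"}

# Constructed sample: saved output of `nslookup -type=srv _vlmcs._tcp.<zone>`
# for three made-up zones. 1688 is the default KMS port.
SAMPLE_LOOKUPS = {
    "corp.example.com": """\
Server:  dns01.corp.example.com
Address:  10.0.0.10

_vlmcs._tcp.corp.example.com    SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = kms01.corp.example.com
_vlmcs._tcp.corp.example.com    SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = kms02.corp.example.com
""",
    "lab.example.net": """\
Server:  dns01.corp.example.com
Address:  10.0.0.10

*** dns01.corp.example.com can't find _vlmcs._tcp.lab.example.net: Non-existent domain
""",
    "branch.example.org": """\
Server:  dns01.corp.example.com
Address:  10.0.0.10

_vlmcs._tcp.branch.example.org  SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = pc-0417.branch.example.org
""",
}

# One SRV answer as nslookup prints it: the owner name, then four fields.
RECORD = re.compile(
    r"^(?P<name>_vlmcs\._tcp\.\S+)\s+SRV service location:\s*\n"
    r"\s*priority\s*=\s*(?P<priority>\d+)\s*\n"
    r"\s*weight\s*=\s*(?P<weight>\d+)\s*\n"
    r"\s*port\s*=\s*(?P<port>\d+)\s*\n"
    r"\s*svr hostname\s*=\s*(?P<host>\S+)",
    re.MULTILINE | re.IGNORECASE,
)


def parse_srv(text):
    """Return every _vlmcs._tcp SRV answer found in nslookup output."""
    return [
        {
            "host": m["host"].rstrip(".").lower(),
            "port": int(m["port"]),
            "priority": int(m["priority"]),
            "weight": int(m["weight"]),
        }
        for m in RECORD.finditer(text)
    ]


def audit(lookups, approved):
    """Map each zone to a list of findings, or ["ok"] when nothing is off."""
    approved = {h.lower() for h in approved}
    findings = {}
    for zone, text in lookups.items():
        records = parse_srv(text)
        if not records:
            # The state Brian hit: the client asks for the record and
            # activation stops with a DNS error.
            findings[zone] = ["no _vlmcs._tcp record: autodiscovery finds nothing"]
            continue
        notes = [
            f"unapproved KMS host {r['host']}:{r['port']}"
            for r in records
            if r["host"] not in approved
        ]
        findings[zone] = notes or ["ok"]
    return findings


if __name__ == "__main__":
    for zone, notes in audit(SAMPLE_LOOKUPS, APPROVED_KMS).items():
        print(zone, "->", "; ".join(notes))
```
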

RE: [ActiveDir] OT: Behaving

2006-12-05 Thread Laura A. Robinson
Yes, but so do most people. ;-)


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, December 05, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs



But I bet when you sit down in front of a computer, it knows it had better
behave…. :)

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Monday, December 04, 2006 8:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs

 

The watch thing happened to me until the East Coast blackout of 2003. I used
to have baskets of dead watches. Since the blackout, I've been able to wear
watches. They still die a lot faster than they do on other people if they're
battery-powered, but at least I can wear 'em now. I also beta tested a watch
for Timex (I kid you not; who knew they beta test watches, anyway?) that had
a battery that was supposed to be guaranteed to last three years. It made it
nine months on me, which is a personal record. 

 

I also have street light, um, issues. However, I have never been kidnapped
by aliens. Born of them, perhaps, but not kidnapped by any. :-)

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Guest
Sent: Monday, December 04, 2006 5:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs

Your father is probably mild….

 

http://amasci.com/weird/unusual/zap.html these guys (if you believe them)
have real problems.

 

Mike Guest
IT Solutions
HML
Padiham DDI: +44 (0)1282 682550 
Internal Extension: (61) 2550


   _  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 01 December 2006 23:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs

 


Happens with my father and watches as well. The man cannot wear a watch
without it dying within weeks. But that's another story. If you can isolate
the symptoms to time of day or even the remote chance it's a bad ballast
(fluorescent lighting used to cause occasional problems with old CRTs), etc.
At least you can start to whittle things down a bit. But in this case it
sounds like RF overlap. Perhaps there is one mouse that is emitting too
strong a signal. 

I was a bit thrown this morning though when I thought I read that this was
happening with corded devices as well. 



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax: (312) 762-9275


The contents contain privileged and/or confidential information intended for
the named recipient of this email. ETSI (Employee Technology Solutions,
Inc.) does not warrant that the contents of any electronically transmitted
information will remain confidential. If the reader of this email is not the
intended recipient you are hereby notified that any use, reproduction,
disclosure or distribution of the information contained in the email in
error, please reply to us immediately and delete the document. 

Viruses, Malware, Phishing and other known and unknown electronic threats:
It is the recipient/client's duties to perform virus scans and otherwise
test the information provided before loading onto any computer system. No
warranty is made that this material is free from computer virus or any other
defect.

Any loss/damage incurred by using this material is not the sender's
responsibility. Liability will be limited to resupplying the material.


Message scanned by TrendMicro

 



***
This email is intended only for the addressee named above. As this email may
contain confidential or privileged information, if you are not the named
addressee or receive this message in error, please notify us immediately,
delete it and do not make use of or copy it.

This message is protected by copyright. HML accepts no responsibility for
viruses found in this message or any file attachment.

Homeloan Management Limited
Registered in England No. 2214839
1 Providence Place, Skipton, North Yorkshire BD23 2HL



--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.430 / Virus Database: 268.15.6/565 - Release Date: 12/2/2006
9:39 PM


 


RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
Have you tested this?


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I’m not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I’m not mistaken)
AND you have configured one or more SACLs on objects or OUs with objects
that should be audited

 

jorge

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: dinsdag 5 december 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

 

I'd say that you should test it. Create and link a policy where you've set
system objects: default owner for objects created by members of the
administrators group to Object creator. Then create a user in AD and
check the ownership.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


can you explain?

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*  Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail  : see sender address

 


   _  


From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

Which will have no effect on the ownership of the directory objects.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

look at the owner

 

if it lists ADMINISTRATORS, you might wanna change the security option in
the default DCs GPO which is called: system objects: default owner for
objects created by members of the administrators group

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*   Tel : +31-(0)40-29.57.777

*   Mobile : +31-(0)6-26.26.62.80

*   E-mail : see sender address

 


   _  


From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?


We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.

I used ADSIedit to verify the creation date/time.

 

While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).

 

Is there a way to see who created the user object?

 

 

Thanks, Mitch.

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.

 


RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-05 Thread Laura A. Robinson
I suspect that people aren't really familiarizing themselves with how
activation works. It's really not rocket science once you understand it.


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phillip Partipilo
Sent: Tuesday, December 05, 2006 1:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS


As much effort is going into the whole activation thing, why not just ship
it with a bloody dongle already.
 
 
Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107
 
 
 

   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harvey Kamangwitz
Sent: Tuesday, December 05, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Vista Activation and KMS


If you have any kind of a complex environment, you'll find volume activation
to be very frustrating indeed:
 
1. The KMS service can't support more than one key, so if you have Longhorn
VL clients in your environment you have to put up a second KMS
infrastructure for them.
 
2. You can't (rather, shouldn't) use autodiscovery if you do have both LH
and Vista.  The KMS client can't distinguish between a KMS with LH and a KMS
with Vista, and there's nothing in the client that says oh, I hit a KMS but
it has the wrong key so try again immediately so ~50% of a client's
activation attempts will fail. 
 
3.  Autodiscovery isn't practical if you have more than a few forests that
don't trust the forest your KMS is in. All admins of the untrusted forests
must manually register the _vlmcs record in their forest to find the KMS. 
 
...the list goes on. (I haven't even mentioned the practical aspects of
volume activation in a lab or firewalled environment.) It's not a
fully-baked solution.
 
Depending on your environment, it might be easier to scrap the whole
autodiscovery, create a DNS CNAME with a couple of KMS behind it, stuff the
FQDN in the KMS client's registry if you have a standard build, and
fugeddaboutit :-). 
 


 
On 12/4/06, Laura A. Robinson [EMAIL PROTECTED] wrote: 

KMS runs on Vista (now), will run on Longhorn when Longhorn is released, and
will also run on Win2K3 as soon as we finish making the Win2K3 install. :-) 

Laura

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
 Sent: Monday, December 04, 2006 1:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: Vista Activation and KMS 

 Nope, I've done it web based.  At the present time there are
 two kinds of keycodes up on MVLS.. one that wants a KMS, the
 other that will phone home to Redmond automatically. 

 Have your MVLS folks request the other type of key is my 
 understanding how this will work for now.  The KMS type won't
 be out until Longhorn.

 KMS activations will have to phone home to your servers twice a year. 

 Brian Cline wrote: 
 
  I was testing out the RTM of Vista Enterprise last night and noticed I
  didn't have to enter a key at any point during the install. When
  Windows tried to activate, it told me there was a DNS error, so I
  suspected it looks for a local activation server by default. Sure
  enough, in the DNS cache was a lookup for a nonexistent
  _vlmcs._tcp.domain.com. Upon further research, it appears Microsoft
  has not released KMS yet, and I couldn't find any option to activate
  directly with Microsoft. For the moment, is telephone activation the
  only option?
 
  Brian Cline, Applications Developer
  Department of Information Technology
  GP Trucking Company, Inc.
  803.936.8595 Direct Line
  800.922.1147 Toll-Free (x8595) 
  803.739.1176 Fax
 

 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog...
 man ... I will hunt you down...
 http://blogs.technet.com/sbs


RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
Test what I wrote in my other response.


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


which part?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
*   Tel : +31-(0)40-29.57.777
*   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Have you tested this?


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I’m not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I’m not
mistaken) AND you have configured one or more SACLs on objects or OUs with
objects that should be audited

 

jorge

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: dinsdag 5 december 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

 

I'd say that you should test it. Create and link a policy where you've set
system objects: default owner for objects created by members of the
administrators group to Object creator. Then create a user in AD and
check the ownership.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


can you explain?

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*  Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail  : see sender address

 


   _  


From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

Which will have no effect on the ownership of the directory objects.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

look at the owner

 

if it lists ADMINISTRATORS, you might wanna change the security option in
the default DCs GPO which is called: system objects: default owner for
objects created by members of the administrators group

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*   Tel : +31-(0)40-29.57.777

*   Mobile : +31-(0)6-26.26.62.80

*   E-mail : see sender address

 


   _  


From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?


We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.

I used ADSIedit to verify the creation date/time.

 

While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).

 

Is there a way to see who created the user object?

 

 

Thanks, Mitch.


RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
DING DING DING!!! WE HAVE A WINNER!

System Object != Directory Object.

If you're really feeling like having fun, test this out with file system
objects and with messing around with Domain Admins versus Administrators
membership. Okay, maybe not everybody finds that fun. Never mind. :-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Tuesday, December 05, 2006 3:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 
 I did Laura's test (the thread was wearing me down ;-)).
 
 Even with the policy set to Object Creator it still shows 
 Domain Admins as the owner if I create an object with an 
 account that is member of Domain Admins.  In my case the 
 Domain Admins group is a member of the built-in 
 Administrators group.  This means that I saw the option in 
 the security tab to change the ownership from Domain Admins 
 to either Administrators or the account I was logged in with.
 
 The conclusion is that you can't use this policy to change 
 the behaviour for AD accounts.  Might be different for local 
 accounts on member servers and workstations - but I haven't 
 tested this.
 
 Tony
 -- Original Message --
 From: Laura A. Robinson [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 Date:  Tue, 05 Dec 2006 13:44:47 -0500
 
 Have you tested this?
 
 
_  
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Almeida Pinto, Jorge de
 Sent: Tuesday, December 05, 2006 12:53 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 
 
 If you are member of ADMINISTRATORS directly or indirectly 
 through a CUSTOM group it will by default list 
 ADMINISTRATORS. Changing the policy lists the object creator.
 
 If you are member of DOMAIN ADMINS also, it will list DOMAIN 
 ADMINS…. Is this what you mean?
 
  
 
 If the latter is the case check with REPADMIN /SHOWOBJMETA on 
 which DC the object was created (also note the date and 
 time). On the DC that is listed as the originating DC for the 
 account creation check the security log. If it concerns 
 SECURITY PRINCIPAL objects you might be lucky if you have 
 configured Account Management for SUCCESS (also the default 
 if I’m not mistaken). If it concerns OTHER objects you are 
 lucky if you have configured directory service access for 
 SUCCESS (also the default if I’m not mistaken) AND you have 
 configured one or more SACLs on objects or OUs with objects 
 that should be audited
 
  
 
 jorge
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Laura A. Robinson
 Sent: dinsdag 5 december 2006 18:20
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
  
 
 I'd say that you should test it. Create and link a policy 
 where you've set system objects: default owner for objects 
 created by members of the administrators group to Object 
 creator. Then create a user in AD and check the ownership.
 
  
 
 Laura
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Almeida Pinto, Jorge de
 Sent: Tuesday, December 05, 2006 2:25 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 
 can you explain?
 
  
 
 Met vriendelijke groeten / Kind regards,
 
 Ing. Jorge de Almeida Pinto
 
 Senior Infrastructure Consultant
 
 MVP Windows Server - Directory Services
 
  
 
 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 
 *  Tel : +31-(0)40-29.57.777
 
 * Mobile : +31-(0)6-26.26.62.80
 
 * E-mail  : see sender address
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED] on behalf of Laura 
 A. Robinson
 Sent: Tue 2006-12-05 01:45
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 Which will have no effect on the ownership of the directory objects.
 
  
 
 Laura
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Almeida Pinto, Jorge de
 Sent: Monday, December 04, 2006 4:17 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 look at the owner
 
  
 
 if it lists ADMINISTRATORS, you might wanna change the 
 security option in the default DCs GPO which is called: 
 system objects: default owner for objects created by members 
 of the administrators group
 
  
 
 Met vriendelijke groeten / Kind regards,
 
 Ing. Jorge de Almeida Pinto
 
 Senior Infrastructure Consultant
 
 MVP Windows Server - Directory Services
 
  
 
 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 
 *   Tel : +31-(0)40-29.57.777
 
 *   Mobile : +31-(0)6-26.26.62.80
 
 *   E-mail : see sender address
 
  
 
 
_  
 
 
 From
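
The lookup described in the quoted thread above (REPADMIN /SHOWOBJMETA to find the originating DC and time, then that DC's security log) as an added Python example, not code from any list member. The metadata text and log records are constructed samples; 624 (Server 2003) and 4720 (Vista and later) are the user-account-created event IDs, and the record layout for exported events and the five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
CREATE_IDS = {624, 4720}  # user account created: Server 2003 / Vista and later

# Constructed sample of `repadmin /showobjmeta <DC> <object DN>` output.
SAMPLE_META = r"""
4 entries.
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
 184211              Default-First-Site-Name\DC02     77120 2006-12-04 14:02:11    1 objectClass
 184211              Default-First-Site-Name\DC02     77120 2006-12-04 14:02:11    1 cn
 184530              Default-First-Site-Name\DC01    184530 2006-12-04 15:40:03    2 description
 184211              Default-First-Site-Name\DC02     77120 2006-12-04 14:02:11    1 sAMAccountName
"""

ROW = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dsa>\S.*?)\s+(?P<org_usn>\d+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<ver>\d+)\s+(?P<attr>\S+)\s*$",
    re.MULTILINE,
)


def creation_origin(meta_text):
    """Return (originating DC, originating time) of the object's creation."""
    rows = [m.groupdict() for m in ROW.finditer(meta_text)]
    if not rows:
        raise ValueError("no metadata rows found")
    # objectClass is written when the object is created; if that row is
    # missing, fall back to the oldest originating write.
    row = next((r for r in rows if r["attr"].lower() == "objectclass"), None)
    if row is None:
        row = min(rows, key=lambda r: r["when"])
    return row["dsa"].split("\\")[-1], datetime.strptime(row["when"], FMT)


def find_creator(meta_text, events, account, window=timedelta(minutes=5)):
    """Match account-created events on the originating DC near the origin time."""
    dc, created = creation_origin(meta_text)
    on_dc = [e for e in events if e["dc"].lower() == dc.lower()]
    result = {"dc": dc, "created": created, "callers": [], "status": "no matching event"}
    # The case from the original question: the log rolled, so its oldest
    # record is newer than the creation and silence proves nothing.
    if not on_dc or min(e["time"] for e in on_dc) > created + window:
        result["status"] = "log on originating DC does not reach back to creation"
        return result
    result["callers"] = sorted({
        e["caller"] for e in on_dc
        if e["event_id"] in CREATE_IDS
        and e["target"].lower() == account.lower()
        and abs(e["time"] - created) <= window
    })
    if result["callers"]:
        result["status"] = "found"
    return result


def _ev(dc, when, event_id, caller, target):
    return {"dc": dc, "time": datetime.strptime(when, FMT),
            "event_id": event_id, "caller": caller, "target": target}


# Constructed security-log records, already exported from the DCs.
SAMPLE_EVENTS = [
    _ev("DC01", "2006-12-04 14:02:12", 624, r"CORP\svc-sync", "otheruser"),
    _ev("DC02", "2006-12-04 13:58:40", 630, r"CORP\adm-jdoe", "msmith"),  # 630: account deleted
    _ev("DC02", "2006-12-04 14:02:11", 624, r"CORP\adm-jdoe", "msmith"),
]
# Same DC, but the log now starts the following morning.
ROLLED_EVENTS = [
    _ev("DC02", "2006-12-05 09:00:00", 624, r"CORP\helpdesk1", "newhire"),
]

if __name__ == "__main__":
    print(find_creator(SAMPLE_META, SAMPLE_EVENTS, "msmith"))
    print(find_creator(SAMPLE_META, ROLLED_EVENTS, "msmith"))
```
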

RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-05 Thread Laura A. Robinson
The Windows Server 2003 KMS host will be out soon. In the meantime, Vista is
perfectly acceptable to use and it's incredibly simple to decommission it as
a KMS host when you implement a Win2K3 host. No TAM support needed.

Again, I'd really encourage people to thoroughly read the documents I
referenced before, because I'm seeing a lot of confusion on this list that
indicates that people aren't really understanding how this works (not you in
particular, Susan, just a general comment as I've been watching the VLA
comments for a little while). 

Or if you're Neil, you can schedule a LiveMeeting and I'll explain it,
because Neil's company is one of my district's customers. ;-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, December 05, 2006 3:21 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: Vista Activation and KMS
 
 I personally am not ready to stick a Vista box as a 
 Licensing server.
 
 ISA still doesn't have a firewall client that works for 
 one... and I've yet to find an a/v that doesn't BSOD my tablet 
 pc or act strangely on another box I built.
 
 In fact I'm still using my Technet 'for testing purposes' 
 ones as I'm not ready to play with my VL ones.  Activation on 
 the VL ones means I'm serious to roll...and quite frankly.. I'm not.
 
 I still want to see a more formal support story on 
 Activations in general for folks that aren't TAM supported...
 
 YMMV and all that.
 
 Laura A. Robinson wrote:
  I am not at all talking about solutions that don't exist 
 today. Go to 
  a Vista machine and take a look at slmgr.vbs.
   
  Laura
 
  
 --
 --
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Tim
  Vander Kooi
  *Sent:* Tuesday, December 05, 2006 12:39 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* RE: [ActiveDir] OT: Vista Activation and KMS
 
  While Laura and yourself make valid points, you are both talking
  about solutions that do not exist today. I’m just trying to help
  the OP with the problem he is having right now. Getting into the
  full licensing overhead of Vista, not to mention LH, could, and
  undoubtedly will, take weeks and/or months.
 
  For right now, at this very moment, using your VL key 
 (and I will
  continue to refer to it as a VL key as long as the page 
 on which I
  am reading it says “ Volume License Product Keys” at the top of
  it) for Vista – KMS will allow you to activate your installation
  via the web just fine. This is not something I would do for an
  entire enterprise, but for your first few test machines on your
  production network I would do it.
 
  Again YMMV,
 
  Tim
 
   
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf 
 Of *Harvey
  Kamangwitz
  *Sent:* Tuesday, December 05, 2006 10:28 AM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* Re: [ActiveDir] OT: Vista Activation and KMS
 
   
 
  If you have any kind of a complex environment, you'll 
 find volume
  activation to be very frustrating indeed:
 
   
 
  1. The KMS service can't support more than one key, so 
 if you have
  Longhorn VL clients in your environment you have to put up a
  second KMS infrastructure for them.
 
   
 
  2. You can't (rather, shouldn't) use autodiscovery if 
 you do have
  both LH and Vista.  The KMS client can't distinguish 
 between a KMS
  with LH and a KMS with Vista, and there's nothing in the client
  that says oh, I hit a KMS but it has the wrong key so try again
  immediately so ~50% of a client's activation attempts 
 will fail.
 
   
 
  3.  Autodiscovery isn't practical if you have more than a few
  forests that don't trust the forest your KMS is in. All 
 admins of
  the untrusted forests must manually register the _vlmcs 
 record in
  their forest to find the KMS.
 
   
 
  ...the list goes on. (I haven't even mentioned the practical
  aspects of volume activation in a lab or firewalled 
 environment.)
  It's not a fully-baked solution.
 
   
 
  Depending on your environment, it might be easier to scrap the
  whole autodiscovery, create a DNS CNAME with a couple of KMS
  behind it, stuff the FQDN in the KMS client's registry 
 if you have
  a standard build, and fugeddaboutit :-).
 
   
 
 
 
   
 
  On 12/4/06, *Laura A. Robinson* [EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED] wrote:
 
  KMS runs on Vista (now), will run on Longhorn when Longhorn is
  released, and
  will also run on Win2K3 as soon as we finish making the Win2K3
  install. :-)
 
  Laura
 
   -Original Message-
   From: [EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
BTW, speaking strictly about directory objects, if you use an account that
is NOT a member of Domain Admins but IS a member of Administrators (DLG),
the ownership of the object works exactly the same way as it does if the
account is a member of Domain Admins and not a direct member of
Administrators.

File system objects are still a bit different. :-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Tuesday, December 05, 2006 3:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 
 I did Laura's test (the thread was wearing me down ;-)).
 
 Even with the policy set to Object Creator it still shows 
 Domain Admins as the owner if I create an object with an 
 account that is member of Domain Admins.  In my case the 
 Domain Admins group is a member of the built-in 
 Administrators group.  This means that I saw the option in 
 the security tab to change the ownership from Domain Admins 
 to either Administrators or the account I was logged in with.
 
 The conclusion is that you can't use this policy to change 
 the behaviour for AD accounts.  Might be different for local 
 accounts on member servers and workstations - but I haven't 
 tested this.
 
 Tony
 -- Original Message --
 From: Laura A. Robinson [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 Date:  Tue, 05 Dec 2006 13:44:47 -0500
 
 Have you tested this?
 
 
_  
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Almeida Pinto, Jorge de
 Sent: Tuesday, December 05, 2006 12:53 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 
 
 If you are member of ADMINISTRATORS directly or indirectly 
 through a CUSTOM group it will by default list 
 ADMINISTRATORS. Changing the policy lists the object creator.
 
 If you are member of DOMAIN ADMINS also, it will list DOMAIN 
 ADMINS…. Is this what you mean?
 
  
 
 If the latter is the case check with REPADMIN /SHOWOBJMETA on 
 which DC the object was created (also note the date and 
 time). On the DC that is listed as the originating DC for the 
 account creation check the security log. If it concerns 
 SECURITY PRINCIPAL objects you might be lucky if you have 
 configured Account Management for SUCCESS (also the default 
 if I’m not mistaken). If it concerns OTHER objects you are 
 lucky if you have configured directory service access for 
 SUCCESS (also the default if I’m not mistaken) AND you have 
 configured one or more SACLs on objects or OUs with objects 
 that should be audited
 
  
 
 jorge
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Laura A. Robinson
 Sent: dinsdag 5 december 2006 18:20
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
  
 
 I'd say that you should test it. Create and link a policy 
 where you've set system objects: default owner for objects 
 created by members of the administrators group to Object 
 creator. Then create a user in AD and check the ownership.
 
  
 
 Laura
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Almeida Pinto, Jorge de
 Sent: Tuesday, December 05, 2006 2:25 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 ? 
 
 can you explain?
 
  
 
 Met vriendelijke groeten / Kind regards,
 
 Ing. Jorge de Almeida Pinto
 
 Senior Infrastructure Consultant
 
 MVP Windows Server - Directory Services
 
  
 
 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 
 *  Tel : +31-(0)40-29.57.777
 
 * Mobile : +31-(0)6-26.26.62.80
 
 * E-mail  : see sender address
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED] on behalf of Laura 
 A. Robinson
 Sent: Tue 2006-12-05 01:45
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 Which will have no effect on the ownership of the directory objects.
 
  
 
 Laura
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Almeida Pinto, Jorge de
 Sent: Monday, December 04, 2006 4:17 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 look at the owner
 
  
 
 if it lists ADMINISTRATORS, you might wanna change the 
 security option in the default DCs GPO which is called: 
 system objects: default owner for objects created by members 
 of the administrators group
 
  
 
 Met vriendelijke groeten / Kind regards,
 
 Ing. Jorge de Almeida Pinto
 
 Senior Infrastructure Consultant
 
 MVP Windows Server - Directory Services
 
  
 
 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 
 *   Tel : +31-(0)40-29.57.777
 
 *   Mobile : +31-(0)6-26.26.62.80

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
No, Jorge, Tony did not confirm what you wrote, he confirmed what I wrote in
my very first reply to you in this thread. I quote: Even with the policy
set to Object Creator it still shows Domain Admins as the owner if I
create an object with an account that is member of Domain Admins. 

 The policy you reference HAS NO EFFECT on directory objects. No matter what
that policy is set to, the owner of any directory object created by a member
of Domain Admins and/or Administrators IS OWNED BY DOMAIN ADMINISTRATORS-
NOT the Object creator.

Again, I would encourage you to test this yourself. One of the things I
always do is to test things before I make assertions about them, and
sometimes I don't really have a clear understanding until I test something
myself and see how it actually works. I think that if you test this out,
you'll find that you may currently misunderstand the policy and what it
affects.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


? 
just like I wrote it and tony confirmed it
 
do you have other experiences?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Test what I wrote in my other response.


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


? 
which part?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Have you tested this?


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I’m not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I’m not
mistaken) AND you have configured one or more SACLs on objects or OUs with
objects that should be audited

 

jorge

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: dinsdag 5 december 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

 

I'd say that you should test it. Create and link a policy where you've set
system objects: default owner for objects created by members of the
administrators group to Object creator. Then create a user in AD and
check the ownership.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

? 

can you explain?

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*  Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail  : see sender address

 


   _  


From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
Just to make sure everybody understands what I am saying, I'm going to
summarize this one last time.
 
If I create an object in AD while I am logged on with an account that is a
member of Domain Admins, Domain Admins becomes the owner of the object. NOT
the Administrators group. NOT the object creator. DOMAIN ADMINS.
 
If I create an object in AD while I am logged in with an account that is NOT
a member of Domain Admins and IS a member of the built-in Administrators
group in Active Directory, DOMAIN ADMINS STILL becomes the owner of the
object. NOT Administrators, and NOT the object creator.
 
Period. End of story. The group policy setting System objects: Default
owner for objects created by members of the Administrators group DOES NOT
AFFECT DIRECTORY OBJECTS.
 
Test. It. Yourself. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


? 
just like I wrote it and tony confirmed it
 
do you have other experiences?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Test what I wrote in my other response.


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


? 
which part?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Have you tested this?


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I’m not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I’m not
mistaken) AND you have configured one or more SACLs on objects or OUs with
objects that should be audited

 

jorge

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: dinsdag 5 december 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

 

I'd say that you should test it. Create and link a policy where you've set
system objects: default owner for objects created by members of the
administrators group to Object creator. Then create a user in AD and
check the ownership.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

? 

can you explain?

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*  Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail  : see sender address

 


   _  


From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

Which will have no effect on the ownership of the directory

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
Yaargh. Now I started messing around further, because when I first tested
this when this thread began so as to verify my rather rusty recollection, my
recollection was that it worked as Jorge outlined (only for accounts that
are members of the Administrators group in the domain and not for Domain
Admins). At that time, I found the behavior I've listed, which I attributed
to my misremembering the functionality of that setting. I tried it over and
over again in various permutations because I could have sworn that it didn't
work that way before. Over and over I got the results I mentioned below,
which is why I kept pushing for somebody to test it. 
 
Now, however, Jorge got me thinking again, and I started testing this yet
again (I swear, this is about the twentieth time I've done this in two or
three days). Ready for the fluke in my results? If I create the test object
on the PDC emulator, the owner shows as the creator. If I create it on other
DCs, the owner shows as Domain Admins- even though the account isn't even a
member of that group. I'm going to test this further to see if I can figure
out what's going on here and get a final answer on this. Stay tuned.. ;-)
 
Thanks,
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, December 05, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Just to make sure everybody understands what I am saying, I'm going to
summarize this one last time.
 
If I create an object in AD while I am logged on with an account that is a
member of Domain Admins, Domain Admins becomes the owner of the object. NOT
the Administrators group. NOT the object creator. DOMAIN ADMINS.
 
If I create an object in AD while I am logged in with an account that is NOT
a member of Domain Admins and IS a member of the built-in Administrators
group in Active Directory, DOMAIN ADMINS STILL becomes the owner of the
object. NOT Administrators, and NOT the object creator.
 
Period. End of story. The group policy setting System objects: Default
owner for objects created by members of the Administrators group DOES NOT
AFFECT DIRECTORY OBJECTS.
 
Test. It. Yourself. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


? 
just like I wrote it and tony confirmed it
 
do you have other experiences?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Test what I wrote in my other response.


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


? 
which part?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Have you tested this?


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I’m not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I’m not
mistaken) AND you have

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
See my most recent post. Are you performing your testing on the PDC
emulator? I'm really a bit baffled as to what's going on at this point and
am curious if you've been testing on multiple DCs so I can see if you get
the same results I do.
 
Thanks,
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


? 
oh, and yes I did test it and got the results I mentioned earlier...when not
a member of DA but a member of Adms it lists the object creator after
changing the policy
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 22:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



BTW, speaking strictly about directory objects, if you use an account that
is NOT a member of Domain Admins but IS a member of Administrators (DLG),
the ownership of the object works exactly the same way as it does if the
account is a member of Domain Admins and not a direct member of
Administrators.

File system objects are still a bit different. :-)

Laura

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Tuesday, December 05, 2006 3:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who
 created an AD object?


 I did Laura's test (the thread was wearing me down ;-)).

 Even with the policy set to Object Creator it still shows
 Domain Admins as the owner if I create an object with an
 account that is member of Domain Admins.  In my case the
 Domain Admins group is a member of the built-in
 Administrators group.  This means that I saw the option in
 the security tab to change the ownership from Domain Admins
 to either Administrators or the account I was logged in with.

 The conclusion is that you can't use this policy to change
 the behaviour for AD accounts.  Might be different for local
 accounts on member servers and workstations - but I haven't
 tested this.

 Tony
 -- Original Message --
 From: Laura A. Robinson [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 Date:  Tue, 05 Dec 2006 13:44:47 -0500

 Have you tested this?


_ 

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Almeida Pinto, Jorge de
 Sent: Tuesday, December 05, 2006 12:53 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who
 created an AD object?



 If you are member of ADMINISTRATORS directly or indirectly
 through a CUSTOM group it will by default list
 ADMINISTRATORS. Changing the policy lists the object creator.

 If you are member of DOMAIN ADMINS also, it will list DOMAIN
 ADMINS…. Is this what you mean?

 

 If the latter is the case check with REPADMIN /SHOWOBJMETA on
 which DC the object was created (also note the date and
 time). On the DC that is listed as the originating DC for the
 account creation check the security log. If it concerns
 SECURITY PRINCIPAL objects you might be lucky if you have
 configured Account Management for SUCCESS (also the default
 if I’m not mistaken). If it concerns OTHER objects you are
 lucky if you have configured directory service access for
 SUCCESS (also the default if I’m not mistaken) AND you have
 configured one or more SACLs on objects or OUs with objects
 that should be audited

 

 jorge

 


_ 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Laura A. Robinson
 Sent: dinsdag 5 december 2006 18:20
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who
 created an AD object?

 

 I'd say that you should test it. Create and link a policy
 where you've set system objects: default owner for objects
 created by members of the administrators group to Object
 creator. Then create a user in AD and check the ownership.

 

 Laura

 


_ 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Almeida Pinto, Jorge de
 Sent: Tuesday, December 05, 2006 2:25 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who
 created an AD object?

 ?

 can you explain?

 

 Met vriendelijke groeten / Kind regards,

 Ing. Jorge de Almeida Pinto

 Senior Infrastructure Consultant

 MVP Windows Server - Directory Services

[ActiveDir] Resending because I kept sending via the wrong account.

2006-12-05 Thread Laura A. Robinson
Okay, folks, I think I may have an answer to the behavior I've been seeing
with an account that is NOT a Domain Admin but IS an Administrator not
showing as the individual owner of the object when the policy is set to
object creator.

The only thing I can think of is this- I've been doing this all via TS
connections. I'm not sure how I managed to do it, but I'm guessing that I
never actually logged off the TestLaura account after I removed it from
Domain Admins and made it a member of Administrators instead. I could have
sworn that I'd logged the darn thing off a whole buncha times, but that's
the only possibility that could explain why I was seeing the behavior I was
seeing. I feel like an idiot now. :-) (No agreement from the peanut gallery,
please; everybody has a bad day. I just tend to have mine very publicly.)

In any case, PLEASE DO NOT USE DOMAIN ADMIN ACCOUNTS FOR ROUTINE TASKS THAT
CAN BE PERFORMED USING NON-DA ACCOUNTS. (sorry, not yelling, just too lazy
to do pseudo-italics) None of this ownership stuff and policy changing has
any effect on accounts that are members of Domain Admins, only on accounts
that are members of the domain's Administrators group without being DAs. You
will still not be able to use ownership as a reliable indicator of object
creator REGARDLESS. Since object owners can *give* ownership to anybody they
desire (this has been possible since the NT days, just not exposed in the
GUI until post Win2K), there's nothing to guarantee that that hasn't been
done. If you want to know which user account was used to create objects in
the directory, use the event logs and auditing. Do not use object ownership.

Thank you very much, and we now return you to your regularly-scheduled
programming. I'm gonna go eat. 

:-D

Laura

P.S. There were a bunch of rambling posts I sent before this one, but I
think this one actually sums stuff up well enough, and I'm sure you're tired
of seeing posts from me at this point! :-)

To summarize: If you're not as dain bramaged as I am and you set the System
Objects: Default owner...: policy to object creator, accounts that are
members of Administrators but are NOT members of Domain Admins will show as
the initial owner of the objects they create. Accounts that are members of
Domain Admins will be unaffected by the policy.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
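
An added example (not code from this thread) of the approach the summary above recommends: take the originating DC and creation time noted from REPADMIN /SHOWOBJMETA, search that DC's Security log for the audited creation event, and print the current owner next to it for comparison. Assumptions: the DCs run Windows Server 2008 or later, where event 4720 is "a user account was created" and 5137 is "a directory service object was created" (the thread names no event IDs), auditing and SACLs were already in place, and the parameter names are hypothetical.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008+ event IDs
# (4720 = user account created, 5137 = directory service object created) and
# that the matching audit policy and SACLs were configured before creation.
param(
    [Parameter(Mandatory = $true)] [string]   $DomainController,  # originating DC per REPADMIN /SHOWOBJMETA
    [Parameter(Mandatory = $true)] [string]   $ObjectDN,          # DN of the object being investigated
    [Parameter(Mandatory = $true)] [datetime] $CreatedAt,         # creation time noted from the same output
    [int] $WindowMinutes = 5                                      # search window on either side
)

# Read the object from the originating DC: current owner and, if present, its SID.
$entry    = [adsi]"LDAP://$DomainController/$ObjectDN"
$ownerSid = $entry.psbase.ObjectSecurity.GetOwner([System.Security.Principal.SecurityIdentifier])
try {
    $owner = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value
} catch {
    $owner = $ownerSid.Value   # owner SID no longer resolves to a name
}

$sid      = $null
$sidProp  = $entry.psbase.Properties['objectSid']
if ($sidProp.Count -gt 0) {
    # Only security principals (users, groups, computers) carry objectSid.
    $sid = (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$sidProp.Value, 0)).Value
}

# Pull only creation events inside the time window from the originating DC.
$filter = @{
    LogName   = 'Security'
    Id        = 4720, 5137
    StartTime = $CreatedAt.AddMinutes(-$WindowMinutes)
    EndTime   = $CreatedAt.AddMinutes($WindowMinutes)
}
$events = @(Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue)

$hits = foreach ($e in $events) {
    # Named EventData fields are only reachable through the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 5137 records the DN; 4720 records the new account's SID rather than its DN.
    $isMatch = ($e.Id -eq 5137 -and $data['ObjectDN'] -eq $ObjectDN) -or
               ($e.Id -eq 4720 -and $sid -and $data['TargetSid'] -eq $sid)
    if ($isMatch) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            CreatedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            LogonId     = $data['SubjectLogonId']
        }
    }
}

if (-not $hits) {
    Write-Warning ("No creation event for '$ObjectDN' on $DomainController within " +
                   "$WindowMinutes minutes of $CreatedAt. The Security log may have " +
                   "rolled, or auditing/SACLs were not configured at the time.")
}

# Ownership is shown only for comparison: it can be reassigned after creation.
"Current owner (not evidence of the creator): $owner"
$hits | Sort-Object TimeCreated | Format-Table -AutoSize
```

If the Security log on the originating DC has already rolled, as in the original question, the script returns only the warning and the owner; archived or forwarded copies of that log are the remaining source.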


RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Laura A. Robinson
Which will have no effect on the ownership of the directory objects.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


look at the owner
 
if it lists ADMINISTRATORS, you might wanna change the security option in
the default DCs GPO which is called: system objects: default owner for
objects created by members of the administrators group
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?


? 
We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.
I used ADSIedit to verify the creation date/time.
 
While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).
 
Is there a way to see who created the user object?
 
 
Thanks, Mitch.


RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-04 Thread Laura A. Robinson
Actually, it is clearly documented, along with a lot more information on
KMS, MAK and Vista Volume Activation (btw, Volume Licensing doesn't exist in
Vista; VL and VA are not the same things). You probably don't want to get me
started on a big long explanation of how volume activation works, so I'll
just point you to this site:
http://www.microsoft.com/technet/windowsvista/plan/volact.mspx
:-)
 
I highly recommend both the FAQ and the step-by-step guide. The latter
provides information on how to change from KMS to MAK and vice versa (there
are several ways), as well as documentation of defaults, configuration
options, etc.
 
Laura
 
 


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, December 04, 2006 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS



You need to go to Control Panel  System then at the bottom select Change
Product Key. This will allow you to enter your VL key which will result in
Vista activating via the web. Definitely not well documented unfortunately.

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Monday, December 04, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Vista Activation and KMS

 

I was testing out the RTM of Vista Enterprise last night and noticed I
didn't have to enter a key at any point during the install. When Windows
tried to activate, it told me there was a DNS error, so I suspected it looks
for a local activation server by default. Sure enough, in the DNS cache was
a lookup for a nonexistent _vlmcs._tcp.domain.com. Upon further research, it
appears Microsoft has not released KMS yet, and I couldn't find any option
to activate directly with Microsoft. For the moment, is telephone activation
the only option?

Brian Cline, Applications Developer 
Department of Information Technology 
GP Trucking Company, Inc. 
803.936.8595 Direct Line 
800.922.1147 Toll-Free (x8595) 
803.739.1176 Fax 




RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-04 Thread Laura A. Robinson
http://www.microsoft.com/technet/windowsvista/plan/volact1.mspx#StepsforImplementingConfigDeployingKMS
 
See the section entitled, To install KMS hosts for KMS activation
 
The short answer is, slmgr.vbs is about to become your new best friend. :-)
 
BTW, there's also information there on configuring the SRV records for the
KMS host so you won't get that error again.
 
Laura




RE: [ActiveDir] NetBT errors 4321

2006-12-04 Thread Laura A. Robinson
Okay, first question- is the first xxx.xxx.xxx.xxx address the same as the
second xxx.xxx.xxx.xxx, or are they actually different addresses? Second,
if we're talking two IPs, which one is the DC's IP? Basically, I can't get
enough from your genericized [I made that word up] error to figure out which
machine is which, where this error came from, what machine(s) is/are
identified by the IPs in the error, and therefore, why I should care about
the Nbstat entries. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge
Sent: Monday, December 04, 2006 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NetBT errors 4321



Hi All,

 

I cannot find a resolution to event log error that we are having within our
development domain the event is logged every 3-6 mins. I have exhausted the
internet results but to no avail, any help would be greatly appreciated.

 

We have two DC's living on different subnets both acting as BH servers.

1st DC holds all FSMO roles, single domain, D & FFL 2003

Anyway below is the event log message I have done all the searches possible
and come up with nothing at all.

Source NetBT
EventID: 4321

The name "DEV….:Id" Could not be registered on the interface with IP
address xxx.xxx.xxx.xxx

The machine with the IP address xxx.xxx.xxx.xxx did not allow the name to be
claimed by the machine.

The results of both DC's are as follows:

Nbtstat -an

DC1           DC2
00 unique     00 unique
00 Group      00 Group
1c Group      1c Group
20 Unique     20 Unique
1D Unique     1E Group
1E Group
-MSBROWSE

Mac address




RE: [ActiveDir] Granting rights to 'Manage GPOs'

2006-12-04 Thread Laura A. Robinson
So why not change the default security in the schema so that your service
account is included?
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, December 04, 2006 4:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting rights to 'Manage GPOs'


I'd prefer to grant the service the rights it *needs* rather than carte
blanche Domain Admins rights. However, as new GPOs are created, only the
default (Schema defined?) ACLs are applied, which includes DAs but will
*not* include my service account.
 
Back to the drawing board...
 
neil

   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: 04 December 2006 04:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Granting rights to 'Manage GPOs'


You might want to set the account to have non-interactive rights, since I'm
assuming that it runs a service that actually handles all the changes - then
grant it membership within the Domain Admins group - that would fix the
issue once and for all, unless you've changed Domain Admins to not have the
ability to edit GPOs, though it's automatically granted every time a new GPO
is created, regardless of what permissions were before. 




On 11/25/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:

Neil-

Assuming the setgpocreationpermissions script didn't fail in some way, I
think the next step would be to check the perms on the various objects that
should get this right. Namely, the service account you're granting access to
should have the  Create GroupPolicyContainer right over the
cn=policies,cn=system container in AD and, similarly on the SYSVOL Policies
folder, it should have Change rights over that container.

 

Darren

 

 

Darren Mar-Elia

For comprehensive Windows Group Policy Information, check out
www.gpoguy.com (http://www.gpoguy.com/) -- the best source for GPO FAQs,
video training, tools and whitepapers. Also check out the Windows Group
Policy Guide
(http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glancen=283155),
the definitive resource for Group Policy information.

Group Policy Management solutions at SDM Software
(http://www.sdmsoftware.com/)

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, November 24, 2006 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Granting rights to 'Manage GPOs'

 

I am attempting to assign rights to a service account [sys-zzz], used by a
Group Policy Management tool (3rd party) so that the service account has the
necessary rights to 'manage' all GPOs in the domain.

Aside from app specific rights, I have assigned the following rights using
GPMC scripts [scripts shown below]: 

1. Create/edit GPO links at the root of the domain and all child containers
cscript "%programfiles%\gpmc\scripts\SetSOMPermissions.wsf" xxx.yyy xxx\sys-zzz /Permission:linkgpos /Inherit /Domain:xxx.yyy

2. Create new GPOs in the domain
cscript "%programfiles%\gpmc\scripts\SetGPOCreationPermissions.wsf" xxx\sys-zzz /Domain:xxx.yyy

3. Edit, delete and mod security rights to all existing GPOs in the domain
cscript "%programfiles%\gpmc\scripts\GrantPermissionOnAllGPOs.wsf" xxx\sys-zzz /Permission:fulledit /Domain:xxx.yyy

 

To cut a long story short, step 2 does not appear to grant the required
'create' right [GP mgmt tool complains of an access denied issue].
However, if I manually (using GPMC) add the service account to the list of
objects permitted to create GPOs in the domain [instead of using the script
in step 2], then the GP Management app functions fine.

Has anyone encountered a similar issue? Are there newer versions of the GPMC
scripts? [I have GPMC with SP1]

Just to add to the strangeness of this issue, if I execute the same scripts
above but against a different domain (same service account) the 3rd party
app functions fine in that other domain :/

Any comments? 

Thanks, 
neil 


RE: [ActiveDir] OT: Possessed PCs

2006-12-04 Thread Laura A. Robinson
The watch thing happened to me until the East Coast blackout of 2003. I used
to have baskets of dead watches. Since the blackout, I've been able to wear
watches. They still die a lot faster than they do on other people if they're
battery-powered, but at least I can wear 'em now. I also beta tested a watch
for Timex (I kid you not; who knew they beta test watches, anyway?) that had
a battery that was supposed to be guaranteed to last three years. It made it
nine months on me, which is a personal record. 
 
I also have street light, um, issues. However, I have never been kidnapped
by aliens. Born of them, perhaps, but not kidnapped by any. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Guest
Sent: Monday, December 04, 2006 5:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs



Your father is probably mild….

http://amasci.com/weird/unusual/zap.html these guys (if you believe them)
have real problems.

 

Mike Guest
IT Solutions
HML
Padiham DDI: +44 (0)1282 682550 
Internal Extension: (61) 2550


   _  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 01 December 2006 23:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs

 


Happens with my father and watches as well. The man cannot wear a watch
without it dying within weeks. But that's another story. If you can isolate
the symptoms to time of day or even the remote chance it's a bad ballast
(fluorescent lighting used to cause occasional problems with old CRTs), etc.
At least you can start to whittle things down a bit. But in this case it
sounds like RF overlap. Perhaps there is one mouse that is emitting too
strong a signal.

I was a bit thrown this morning though when I thought I read that this was
happening with corded devices as well. 



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax: (312) 762-9275




RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-04 Thread Laura A. Robinson
KMS runs on Vista (now), will run on Longhorn when Longhorn is released, and
will also run on Win2K3 as soon as we finish making the Win2K3 install. :-) 

Laura

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, December 04, 2006 1:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: Vista Activation and KMS
 
 Nope, I've done it web based.  At the present time there are 
 two kinds of keycodes up on MVLS.. one that wants a KMS, the 
 other that will phone home to Redmond automatically.
 
 Have your MVLS folks request the other type of key is my 
 understanding how this will work for now.  The KMS type won't 
 be out until Longhorn.
 
 KMS activations will have to phone home to your servers twice a year.
 
 Brian Cline wrote:
 
  I was testing out the RTM of Vista Enterprise last night 
 and noticed I 
  didn't have to enter a key at any point during the install. When 
  Windows tried to activate, it told me there was a DNS error, so I 
  suspected it looks for a local activation server by default. Sure 
  enough, in the DNS cache was a lookup for a nonexistent 
  _vlmcs._tcp.domain.com. Upon further research, it appears Microsoft 
  has not released KMS yet, and I couldn't find any option to 
 activate 
  directly with Microsoft. For the moment, is telephone 
 activation the 
  only option?
 
  Brian Cline, Applications Developer
  Department of Information Technology
  GP Trucking Company, Inc.
  803.936.8595 Direct Line
  800.922.1147 Toll-Free (x8595)
  803.739.1176 Fax
 
 
 --
 Letting your vendors set your risk analysis these days?  
 http://www.threatcode.com
 
 If you are a SBSer and you don't subscribe to the SBS Blog... 
 man ... I will hunt you down...
 http://blogs.technet.com/sbs
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: 
 http://www.mail-archive.com/activedir@mail.activedir.org/
 


RE: [ActiveDir] Granting rights to 'Manage GPOs'

2006-12-04 Thread Laura A. Robinson
Note to self: read all other responses before typing one of your own. :-)
 
Laura



RE: [ActiveDir] _msdcs not propagated in AXFR

2006-12-04 Thread Laura A. Robinson
Please tell me that you're making that up. Otherwise I'll have to stab
myself in the eye with a fork. My Business 

Words fail me. :-)

Laura
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, December 04, 2006 9:13 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
 
 We install the Kitchen Sink service too don't forget  ;-)
 
 (wait until we start talking about the My Business 
 OU...that's usually good for another freak out or two)
 
 Laura A. Robinson wrote:
  Small point- dcpromo creates those zones as mentioned in the original
  question *if* you have not configured DNS beforehand, *if* you tell
  dcpromo to go ahead and do it for you, and *if* you're building the
  forest root domain. If you have configured DNS beforehand, how the
  zones get created (as stub zones, as subdomains, etc.) will depend on
  that preconfiguration. If you're not building the forest root domain,
  the subdomain already exists and dcpromo is just populating it.

  I bring this up only because there are many companies that have
  existing DNS infrastructures and it's important to know that default
  is not equivalent to mandatory. It is not a requirement that the
  _msdcs zone be either a separate zone or a subdomain in an existing
  zone, whether it's a stub or a full zone, etc.

  Of course, since we're talking SBS, all of this goes out the window
  (no pun intended). SBS is its own freaky little animal.
 
  Laura
 

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Hans 
  Halbmayr
  Sent: Monday, December 04, 2006 1:06 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
 
  Usually dcpromo creates all these zones. Windows creates these zones
  in a forest partition. If you have a linux DNS server just create
  another slave zone of _msdcs.example.com.
  The gray one is only the delegation.
 
  Hans
 
 
  - Original Message 
  From: Michael B Allen [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Cc: [EMAIL PROTECTED]
  Sent: Saturday, December 2, 2006 5:39:26 PM
  Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
 
 
  Ok, so basically _msdcs is just a separate zone. Do Windows DNS
  setups usually do this? I'm using SBS.

  I have a bind DNS server running on a linux machine with a slave zone
  for example.com. The AXFR doesn't have those records (aside from the
  NS record). So what you're saying is that I need to setup another
  slave zone for the _msdcs subdomain?
 
  Mike
 
  On Sat, 2 Dec 2006 03:02:22 -0800 (PST) Hans Halbmayr 
  [EMAIL PROTECTED] wrote:
 
  
  Hi Mike,

  the gray one is the delegation of the zone. The _msdcs is a subdomain
  of your forest root. Because it is needed all over the forest it is
  delegated.
  
  Regards
  Hans
 
  - Original Message 
  From: Michael B Allen [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Cc: [EMAIL PROTECTED]
  Sent: Saturday, December 2, 2006 12:15:29 AM
  Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
 
 
  I'm not sure I understand. In DNS admin I see two zones. One for
  _msdcs.example.com with all the usual _msdcs records and one for
  example.com which incidentally has an NS record for
  _msdcs.example.com. The little folder thingy for this _msdcs is grey
  which I guess signifies that it's some kind of link to the other zone?

  So I understand why the _msdcs records other than the one NS record
  are not transferring but I don't understand why the structure is split
  into two zones and if I can/should do something about it.
 
  Mike
 
  On Fri, 1 Dec 2006 11:27:14 -0800
  Akomolafe, Deji [EMAIL PROTECTED] wrote:
 

  Seen this? http://support.microsoft.com/kb/817470
 
 
  Sincerely, 
 _
(, /  |  /)   /) /)   
  /---| (/_  __   ___// _   //  _ 
   ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
  (_/ /)  
 (/   
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  -5.75, -3.23
  Do you now realize that Today is the Tomorrow you were worried about
  Yesterday? -anon
 
 
 
  From: Michael B Allen
  Sent: Fri 12/1/2006 9:40 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] _msdcs not propagated in AXFR
 
 
  Does anyone know why the _msdcs records are not returned in an AXFR
  DNS query? This means that slave zones will not have those records
  and that software querying for a domain controller may not find one.
  
  Mike
 
  --
  Michael B Allen
  PHP Active Directory SSO
  http://www.ioplex.com/
  List info   : http
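
The thread above comes down to this: an AXFR of example.com carries only the NS record at the _msdcs delegation point, so a secondary needs its own slave zone for the delegated child. The following is an added example, not code from any poster in the thread; it reads a zone transfer dump and lists delegated child zones the secondary does not yet carry. The dig-style record layout, the host name sbs1 and the addresses are constructed for illustration.

```python
# Added example: find delegation points in an AXFR dump and report which
# child zones a secondary DNS server still has to be configured for.

# Constructed sample transfer of example.com (dig-style: name ttl class type rdata).
SAMPLE_AXFR = """\
example.com.                3600 IN SOA sbs1.example.com. hostmaster.example.com. 42 900 600 86400 3600
example.com.                3600 IN NS  sbs1.example.com.
example.com.                3600 IN A   192.0.2.10
_msdcs.example.com.         3600 IN NS  sbs1.example.com.
_ldap._tcp.example.com.     600  IN SRV 0 100 389 sbs1.example.com.
_kerberos._tcp.example.com. 600  IN SRV 0 100 88 sbs1.example.com.
sbs1.example.com.           3600 IN A   192.0.2.10
example.com.                3600 IN SOA sbs1.example.com. hostmaster.example.com. 42 900 600 86400 3600
"""


def _norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def parse_axfr(text):
    """Return (owner, type, rdata) tuples from dig-style transfer output."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop dig comments
        parts = line.split(None, 4)               # rdata may contain spaces
        if len(parts) < 5:
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        records.append((_norm(owner), rtype.upper(), rdata.strip()))
    return records


def find_delegations(records, apex):
    """NS records owned by a name below the apex mark a zone cut.

    Everything under such a name lives in a different zone and is therefore
    absent from the parent's transfer.
    """
    apex = _norm(apex)
    cuts = {}
    for owner, rtype, rdata in records:
        if rtype == "NS" and owner != apex and owner.endswith("." + apex):
            cuts.setdefault(owner, set()).add(_norm(rdata))
    return cuts


def zones_secondary_still_needs(records, apex, configured_zones):
    """Delegated child zones that are not among the secondary's zones."""
    have = {_norm(z) for z in configured_zones}
    return sorted(z for z in find_delegations(records, apex) if z not in have)


def records_below(records, zone):
    """Records whose owner sits underneath the given zone name."""
    suffix = "." + _norm(zone)
    return [r for r in records if r[0].endswith(suffix)]


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    for child, servers in find_delegations(recs, "example.com").items():
        print("delegated:", child, "->", ", ".join(sorted(servers)))
    print("missing on secondary:",
          zones_secondary_still_needs(recs, "example.com", ["example.com"]))
```
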

RE: [ActiveDir] [OT] Can you run DHCP on a XP computer??

2006-12-02 Thread Laura A. Robinson
Which would probably be a licensing violation. :-)


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 02, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Can you run DHCP on a XP computer??


Yes, I believe there are at least one or two DHCP Server Open Source
projects that will run on Windows XP. The Windows DHCP server won't from my
knowledge, though I would surmise it may be possible to hack a machine to do
so if someone really wanted to. 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
 
 

   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Friday, December 01, 2006 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can you run DHCP on a XP computer??



Hi all

Someone told me you can run DHCP on a computer running Windows XP.  I was
totally unaware of this.  Does anyone have any information about this?




RE: [ActiveDir] Split pagefile

2006-12-01 Thread Laura A. Robinson
Larry,

You can reboot the server the same way you can change the pagefile size-
connect to it in Computer Management, right-click the server, choose
Properties, Advanced. At the bottom of the property sheet, there will be a
button labeled shut down, but when you click it, it will give you other
options than just shutting the machine down. 

HTH,

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
 Sent: Friday, December 01, 2006 10:22 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Laura,
 
 Thanks ever so much for all your help. I will be trying some of these
 things soon, but for now, I'm one of the over 400,000 people in St.
 Louis without power. My workplace is closed, too, so I might end up
 waiting it out 

 One question, if you don't mind and have a minute: How do I reboot the
 server if I can't log on?
 
 Many thanks again.
 
 --
 Larry Wahlers
 Concordia Technologies
 The Lutheran Church - Missouri Synod
 mailto:[EMAIL PROTECTED]
 direct office line: (314) 996-1876
  
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  Laura A. Robinson
  Sent: Thursday, November 30, 2006 8:32 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Split pagefile
  
  Inline... 
  
  
   
   Thanks for replying, Laura!
  
  Sure thing. 
  
   
   You wrote:
Are you able to connect to the server via Computer Management?
   
   Yes.
  
  Then you can use that to reconfigure the pagefile, making very, very sure
  you click Set. :-) After you've connected to it in CM, right click the
  computer, choose Properties, go to the Advanced tab, yada yada yada.
   
   If so, can you see the service statuses and event logs on 
   the  server?
   
   Yes. I looked all through the event logs, and didn't see 
   anything relating to terminal services failures. And the 
   terminal services service is started.
  
  How about the security log? Are you seeing logon failures?
   
Can you
telnet to the RDP port? 
   
   If you mean, can I telnet to the server by name or by its IP 
   address, no. But yes, I can telnet to port 3389 on the 
   server, and the cursor sits there and blinks at me, but as 
   soon as I hit any key, I get back to my command prompt.
  
  Okay, port's open.
  
Can you map a drive to a share on the server?
   
   Yes. And, in fact, I have the same 2Gb pagefile on C: that I 
   had before, and no pagefile on E: So, I'm thinking that A. I 
   forgot to hit the set button, or B. The server got confused.
  
  The snow might have made it sluggish. (That's a joke, folks.) See above for
  remedy (hopefully).
  
   
When
you say you can't log on, do you get the logon dialog box and a 
failure to let you log on, or do you get no remote desktop 
   UI at all?
   
   No remote desktop UI at all. I immediately get the 
   disconnected from server message.
  
  Okay. Try logging on with a different account that has TS connection
  permissions. Check the security logs. If you're not auditing logon events,
  you'll need to do that. Check the terminal services permissions, etc. Maybe
  do a preemptive reboot (or just do it as part of that pagefile adjustment)
  and see if anything changes. If none of that works, there's still more stuff
  to check, but I'm tired of typing right now and hopefully one of the above
  things will determine the issue.
   
Laura (probably a bit overcaffeinated now; can you tell?)
   
   No problem. I'm snowed in, but the server is running. 
   
   I guess what I'd like to do is see if I can reset the 
   pagefile and reboot the server, all remotely, and still 
   manage to terminal service to it and log in.
   
   Thanks for your help, Laura. You deserve many pats on the 
   back, attagirls, and stuff.
   
  No problem, and no pats necessary.
  
  Laura
  


RE: [ActiveDir] dynamic variables within an event log entry?

2006-12-01 Thread Laura A. Robinson
Actually, I'm thinking that extracting the information from the event log is
the best approach to take, so you're thinking along the same lines as I am.
The information is there, it's organized, it's filterable, it's exportable,
and that's why it's there. :-)
 
Laura
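
The event-log approach discussed in this thread (collect event 624 records, filter on creation time, and report the "Caller User Name" rather than the object owner) can be sketched as follows. This is an added example, not part of the original messages; the "time | id | text" export layout and all account names are constructed, and the indented field names follow the Windows Server 2003 event 624 description.

```python
# Added example: daily "who created which account" report built from an
# exported Security log, using the Caller User Name field of event 624.
import re
from datetime import datetime, timedelta

# Constructed sample export (not real log data). The header layout is an
# assumption about how the log was exported.
SAMPLE_EXPORT = """\
2006-11-29 17:45:00 | 624 | User Account Created:
    New Account Name: svc-old
    New Domain: EXAMPLE
    New Account ID: EXAMPLE\\svc-old
    Caller User Name: adm-bob
    Caller Domain: EXAMPLE
    Caller Logon ID: (0x0,0x2B7C1)
2006-11-30 09:12:44 | 624 | User Account Created:
    New Account Name: jdoe
    New Domain: EXAMPLE
    New Account ID: EXAMPLE\\jdoe
    Caller User Name: adm-alice
    Caller Domain: EXAMPLE
    Caller Logon ID: (0x0,0x3E1A2)
2006-11-30 14:03:10 | 642 | User Account Changed:
    Target Account Name: jdoe
    Target Domain: EXAMPLE
    Caller User Name: adm-alice
    Caller Domain: EXAMPLE
2006-12-01 02:30:05 | 624 | User Account Created:
    New Account Name: tempuser
    New Domain: EXAMPLE
    New Account ID: EXAMPLE\\tempuser
    Caller User Name: adm-bob
    Caller Domain: EXAMPLE
    Caller Logon ID: (0x0,0x51F09)
2006-12-01 06:00:00 | 624 | User Account Created:
    New Account Name: nocaller
    New Domain: EXAMPLE
"""
SAMPLE_NOW = datetime(2006, 12, 1, 8, 0, 0)   # constructed report time

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (\d+) \| (.*)$")
FIELD = re.compile(r"^\s+([^:]+):\s*(.*)$")


def parse_records(text):
    """Split the export into records with a timestamp, event id and fields."""
    records, current = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            current = {
                "time": datetime.strptime(head.group(1), "%Y-%m-%d %H:%M:%S"),
                "event_id": int(head.group(2)),
                "fields": {},
            }
            records.append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current["fields"][field.group(1).strip()] = field.group(2).strip()
    return records


def creations_since(records, now, hours=24):
    """Account creations (event 624) in the window ending at `now`.

    The creator is taken from the event's caller fields, because the AD
    object's owner is "Domain Admins" whenever a Domain Admin created it.
    A record without caller fields is kept and marked, not dropped.
    """
    cutoff = now - timedelta(hours=hours)
    report = []
    for rec in records:
        if rec["event_id"] != 624 or not (cutoff <= rec["time"] <= now):
            continue
        f = rec["fields"]
        caller = f.get("Caller User Name")
        creator = "{}\\{}".format(f.get("Caller Domain", "?"), caller) if caller else "UNKNOWN"
        report.append({
            "account": f.get("New Account Name", "?"),
            "domain": f.get("New Domain", "?"),
            "created": rec["time"].isoformat(sep=" "),
            "creator": creator,
        })
    return sorted(report, key=lambda row: row["created"])


if __name__ == "__main__":
    for row in creations_since(parse_records(SAMPLE_EXPORT), SAMPLE_NOW):
        print("{created}  {domain}\\{account}  created by {creator}".format(**row))
```
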


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, December 01, 2006 7:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?



Hi Laura,

(Brian's answer came in after I sent my email out.)  The problem with
using adfind (in my experience) is that the creator (Caller User Name) is
not part of the AD object's attributes, only the owner, which will be
"Domain Admins" for accounts created by members of Domain Admins (as you
pointed out).  I would like my daily report to contain the actual name
(samaccountname) that created the account.  Maybe the only way I can create
the report I am looking for (account name, DN, when created, and creator
name) is to collect eventid 624 records and filter them on creation date.
However, I am still looking for suggestions.  Thanks.

 

Mike Thommes

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 30, 2006 11:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

 

Okay, the below totally cracked me up. :-) Brian gave you the ADFind answer,
but I guess I would also ask in what format you need to retrieve this
information and whether or not you're plugging it into something. I'm not
sure that last sentence even made sense, sorry. I'm sleep deprived. 

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 10:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

Tony and Laura,

   Thanks for the replies!  Actually, I am already trapping eventid 624 and
I see the “Caller User Name:” entry with the right value.  Where I got
confused was when I built a daily job using adfind (with the –owner switch)
to produce a list of users created during the previous 24 hours.  Laura’s #2
answer explains why I see what I do for accounts created by members of the
“Domain Admins”.  Her #1 answer is going to make me rethink how we do some
of the account creations.  Her #3 answer begs the question of how would I
construct a query to produce new accounts created over a 24 hour period?
Adfind was the first (and maybe only) tool that popped into my head to do
this.  Other suggestions?  Thanks!

 

Mike Thommes


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 30, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

 

1. This is one of the eight gazillion reasons to discourage the use of
accounts that are Domain Admins for routine purposes that can be achieved
without that level of rights.

2. By default, when a member of the Domain Admins group creates an object in
the directory, the Domain Admins group becomes the owner of the object. That
is by design. 

3. When I create an object with an account that is a member of Domain
Admins, the creator of the object shows as that account, not as Domain
Admins. Why aren't you just looking at that value in the event logs, rather
than looking at the ownership of the object? That's why auditing allows
tracking of who creates/modifies/deletes directory objects.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event log entry?

I wonder if someone could explain to me (or point me at some reference)
about what mechanism is used to populate the information in a Windows event
log entry.  The reason why I ask is that I see in the Security log when a
new user account is created by an account which is a member of the Domain
Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 .  If
it is created by an account that is a member of the Account Operators group,
then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on purpose or
a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes
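
The daily report discussed in this thread (account name, DN, when created, creator name), built by filtering event ID 624 records to the last 24 hours and joining them with a directory export. This is an added example, not code from any of the posters. The export layout, every field name other than "Caller User Name", the account names and the directory data are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: Security-log records in an assumed plain-text export
# layout, one blank line between records. Only "Caller User Name" is quoted
# in the thread; the other field names and all values are assumptions.
SAMPLE_EVENTS = r"""
Event ID: 624
Date: 11/30/2006
Time: 9:15:02 AM
User Account Created:
    New Account Name: jsmith
    Caller User Name: adminacct1
    Caller Domain: XYZ

Event ID: 642
Date: 11/30/2006
Time: 10:02:47 AM
User Account Changed:
    Target Account Name: jsmith
    Caller User Name: adminacct1
    Caller Domain: XYZ

Event ID: 624
Date: 11/30/2006
Time: 2:40:11 PM
User Account Created:
    New Account Name: mlee
    Caller User Name: operacct1
    Caller Domain: XYZ

Event ID: 624
Date: 11/28/2006
Time: 4:05:30 PM
User Account Created:
    New Account Name: oldacct
    Caller User Name: adminacct1
    Caller Domain: XYZ
"""

# Constructed directory export keyed by sAMAccountName. The owner column shows
# the behaviour described in the thread: Domain Admins owns what its members create.
SAMPLE_DIRECTORY = {
    "jsmith": {"dn": "CN=jsmith,OU=Staff,DC=xyz,DC=example", "owner": r"XYZ\Domain Admins"},
    "mlee": {"dn": "CN=mlee,OU=Staff,DC=xyz,DC=example", "owner": r"XYZ\operacct1"},
}

FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")


def parse_events(text):
    """Split a blank-line-separated export into one dict of fields per record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            match = FIELD.match(line)
            if match:
                fields[match.group(1).strip()] = match.group(2).strip()
        if fields:
            events.append(fields)
    return events


def created_accounts(events, directory, now, window=timedelta(hours=24)):
    """Report accounts created (event 624) in the window ending at `now`."""
    rows = []
    for ev in events:
        if ev.get("Event ID") != "624":
            continue
        try:
            when = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")
            account = ev["New Account Name"]
            creator = f"{ev['Caller Domain']}\\{ev['Caller User Name']}"
        except (KeyError, ValueError):
            continue  # incomplete or malformed record
        if not (now - window < when <= now):
            continue
        entry = directory.get(account, {})  # account may have been deleted since
        rows.append({
            "account": account,
            "dn": entry.get("dn", "(not in directory export)"),
            "owner": entry.get("owner", "(unknown)"),
            "created": when,
            "creator": creator,
        })
    return sorted(rows, key=lambda r: r["created"])


if __name__ == "__main__":
    report_time = datetime(2006, 12, 1, 6, 0, 0)  # constructed run time
    for row in created_accounts(parse_events(SAMPLE_EVENTS), SAMPLE_DIRECTORY, report_time):
        print(f"{row['account']:8} {row['created']:%Y-%m-%d %H:%M} "
              f"creator={row['creator']} owner={row['owner']} dn={row['dn']}")
```

For jsmith the owner column reads XYZ\Domain Admins while the creator column names the individual admin account, which is the owner/creator distinction the thread turns on.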

 


[ActiveDir] OT: Geeks on Thanksgiving

2006-12-01 Thread Laura A. Robinson
Well, yeah, but not when there's nummy food to be eaten, naps to be taken
and games to watch!

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
 Sent: Friday, December 01, 2006 10:03 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: RE: RE: [ActiveDir] Split pagefile
 
 Hey, I thought you loved it when people got all geeky :)
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
 Robinson
 Sent: Thursday, November 30, 2006 6:39 PM
 To: ActiveDir@mail.activedir.org
 Subject: OT: RE: RE: [ActiveDir] Split pagefile
 
 I was out eating turkey. You people were reading the list? 
 Dang, that's dedication! 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
 Kevin Brunson
  Sent: Thursday, November 30, 2006 5:22 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: RE: [ActiveDir] Split pagefile
  
  I think Susan brought this up last week or so.  Here's the link she 
  gave.  I can't find the original post
  http://blogs.technet.com/petergal/archive/2006/03/23/422993.aspx
  
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
  Robinson
  Sent: Thursday, November 30, 2006 2:21 PM
  To: ActiveDir@mail.activedir.org
  Subject: OT: RE: [ActiveDir] Split pagefile
  
  You know, you can actually do your own crashdump analysis. We even 
  used to teach people how to do it back in the NT4 days.
  I loved that class. :-D
  
  Laura
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Don Hoehn
   Sent: Thursday, November 30, 2006 2:15 PM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Split pagefile
   
   Hi,
 Best practice used to be to put the pagefile on a
  different BUS than
   the OS. The idea is that you can read/write to both the OS
  and the PF
   at the same time. We always put the entire PF on a separate
  bus/drive
   in its own partition. That way you have the added speed of a bus 
   apart from the OS bus and a contiguous PF. We never 
 bothered with a
   C: swapfile because we could never afford to send the dump
  to M$ for
   decryption. :-}
   
   Don
   
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of 
 Ramon Linan
   Sent: Thursday, November 30, 2006 11:07 AM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Split pagefile
   
   Hi,
   
   I have an answer and a question about the same.
   
   Most of my servers have 2 partitions, one for the OS and the
  other for
   data, I always put the pagefile in the data partition, so
  yes, you can
   have the whole thing in a different partition or
  hard drive.
   
   Actually, Linux systems always create a swap partition 
 just for that 
   purpose, so I wonder if it would be more efficient to
  always create a
   partition just for the pagefile... Anyone know?
   
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
  Larry Wahlers
   Sent: Thursday, November 30, 2006 12:09 PM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Split pagefile
   
   Sorry for the reply to my own post, but this article:
   
   http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003
   /AdminTips
   /Miscellaneous/EnhancePerformancebyMovingthePagefile.html
   
   says I can move the whole thing to a different partition. 
   I'll leave a meg on the C drive just for the dumpfile,
  which we limit
   to 64K, in case the system crashes and I can actually
  figure out how
   to read the dumpfile.
   
   But, really, is it OK to leave absolutely NO pagefile on C:/? 
   We normally leave at least 200Mb on the C: partition when
  we move the
   rest to a different drive.
   
   
   --
   Larry Wahlers
   Concordia Technologies
   The Lutheran Church - Missouri Synod 
   mailto:[EMAIL PROTECTED]
   direct office line: (314) 996-1876
   
   
   
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
   Behalf Of
 Larry Wahlers
 Sent: Thursday, November 30, 2006 9:55 AM
 To: Exchange Discussions
 Subject: Split pagefile
 
 Colleagues,
 
 Is there a best practice for splitting the pagefile on
   Exchange 2003
 across multiple drives? My C drive is up to nearly 9GB
   used out of
 10GB, and I'd like to move off most of the 3GB pagefile
   to maybe the
 database drive. We have only 500 users on that system, so
performance shouldn't
 be too much of an issue.
 
 Thanks in advance, folks.
 
 --
 Larry Wahlers
 Concordia Technologies
 The Lutheran Church - Missouri Synod 
 mailto:[EMAIL PROTECTED]
 direct office line: (314) 996-1876
 
 

RE: [ActiveDir] OT: Possessed PCs

2006-12-01 Thread Laura A. Robinson
Was the cursor moving in what appeared to be a directed fashion (as if
somebody invisible was moving the mouse), or was it moving around
unpredictably?
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, December 01, 2006 11:07 AM
To: Active Directory Mailing List
Subject: [ActiveDir] OT: Possessed PCs



Yesterday we had several people complain that their cursor was moving around
on its own, but not erratically or quickly as one would suspect might be the
case of a mouse issue. I used SMS remote tools to watch one person's screen,
and she noted that the way the cursor moved while I was in there checking
things was exactly the same way it was moving before -- it was just as
though someone was actually in there.

Now I can't begin to describe how odd this is -- but I can't seem to find
any common denominator for the folks who experienced this problem (so far,
three or four). Some have wireless mice with a short range and good
batteries with no problems otherwise, whereas the others have standard,
working USB mice. I have seen this before where the language bar was
detecting office and keyboard noise through the microphone as dictated
commands to do things, but the problem persisted on the first PC after I
disabled it, and I don't think that particular model has a built-in mic. I
checked the event logs and the only person who used the SMS remote control
was me, so I can't imagine that anyone else would have been remoting it
either. So far today I have not heard any more complaints, but nevertheless
I'm still curious yet baffled.

All PCs have updated virus and spyware definitions. Does anyone have ideas
on where to start looking if this problem surfaces again? If it continues
we'll have the corporate chaplain bring in his exorcist buddy.

Brian Cline, Applications Developer 
Department of Information Technology 
GP Trucking Company, Inc. 
803.936.8595 Direct Line 
800.922.1147 Toll-Free (x8595) 
803.739.1176 Fax 




RE: [ActiveDir] dynamic variables within an event log entry?

2006-12-01 Thread Laura A. Robinson
Too bad I didn't actually put a verb in that second sentence. :-)
 
That SHOULD have read, When a user who is a member of the Domain Admins
group CREATES AN OBJECT, by default, the DA group is the *owner* of the
object.
 
No wonder you have a hard time following my posts. ;-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Friday, December 01, 2006 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?


Yep, you're right...I didn't distinguish the difference the first time
around.  Good info as always.
 
Thanks!


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, December 01, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?


Nope, it's not a typo- note the difference between *owner* and *creator*.
When a user who is a member of the Domain Admins group, by default, the DA
group is the *owner* of the object. However, what is logged in the audit
(security event) log does list the specific account that was used to
*create* the object. 
 
As far as changing the behavior for #2, there is a group policy setting
"System Objects: Default owner for objects created by members of the
Administrators group" in the Computer Configuration\Windows Settings\Local
Policies\Security Options section of group policy. That setting can be set
to Administrators group or to Object creator. That may be what you're
thinking of. That setting, however, refers to system objects (thus the
system objects predicate. :-) ) You may also be thinking of the ability in
the property sheets for any object to set the owner of DA-owned objects to
either a specific DA account or to the group. 
 
I don't remember you misreading one of my posts; you must have a much better
memory than I do. Then again, I usually can't remember what I ate for
breakfast. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, November 30, 2006 10:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?


Hi Laura,
 
I know I misread one of your posts once before, so I'm sorry in advance
if I'm doing it again (!), but aren't you making a conflicting statement in
nos. 2 & 3 below?  Or is #3 supposed to say that is NOT a member of Domain
Admins... ?
 
Also, is there a mechanism of some sort which changes the behavior in #2
such that the actual account used would become the object's owner (rather
than DAs group)?  I remember reading something like this once, but I could
be thinking of something else way off base :-(
 
In any case, I completely agree that delegating the creation right is
the [way!] better option here!
 
Thanks as always,
DaveC


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?


1. This is one of the eight gazillion reasons to discourage the use of
accounts that are Domain Admins for routine purposes that can be achieved
without that level of rights.
2. By default, when a member of the Domain Admins group creates an object in
the directory, the Domain Admins group becomes the owner of the object. That
is by design. 
3. When I create an object with an account that is a member of Domain
Admins, the creator of the object shows as that account, not as Domain
Admins. Why aren't you just looking at that value in the event logs, rather
than looking at the ownership of the object? That's why auditing allows
tracking of who creates/modifies/deletes directory objects.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event log entry?



I wonder if someone could explain to me (or point me at some reference)
about what mechanism is used to populate the information in a Windows event
log entry.  The reason why I ask is that I see in the Security log when a
new user account is created by an account which is a member of the Domain
Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 .  If
it is created by an account that is a member of the Account Operators group,
then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on purpose or
a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes



RE: [ActiveDir] OT: Vista Stuck on Completing Upgrade

2006-12-01 Thread Laura A. Robinson
PSS is up to speed on Vista. :-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Dmitri Gavrilov
 Sent: Friday, December 01, 2006 12:31 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: Vista Stuck on Completing Upgrade
 
 Something installed on your XP machine is confusing setup/upgrade.
 
 Get a hold of the logs, you can do this after reboot, or 
 perhaps even during setup (IIRC Shift-F10 still works). Look 
 for setupact.log and perhaps something called migration log. 
 There are a couple of folders setup creates in the root of 
 the system drive -- they will likely be there. If cannot 
 find, try searching the files with latest timestamps.
 Look at the logs -- there might be clues there.
 
 If nothing helps, call PSS and open a case. I am not sure 
 they are up to speed in Vista yet, but I guess they have to 
 find somebody to resolve your issue anyway...
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Harding, Devon
 Sent: Thursday, November 30, 2006 8:57 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: Vista Stuck on Completing Upgrade
 
 Anyone?
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Harding, Devon
 Sent: Wednesday, November 29, 2006 7:52 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Vista Stuck on Completing Upgrade
 
 I know it's not AD related but has anyone had any issues 
 upgrading XP to Vista RTM and got stuck on 'Completing 
 Upgrade (64%)...'?
  
 I've removed all AV & burning related software & it has been 
 stuck at this position for over 12 hours now.  When I force 
 reboot, it rolls back to Windows XP.
  
 Any Ideas?
  
 btw: is there another mailing list for these type of questions?
  
 -Devon
 


RE: [ActiveDir] Can you run DHCP on a XP computer??

2006-12-01 Thread Laura A. Robinson
What's DECO? (I'm guessing a typo, but want to make sure you're not
referring to some third-party DHCP service.) If you are referring to the
Microsoft DHCP service, I think whoever told you that is confused, perhaps
by having seen the DHCP client service in the services list?
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Friday, December 01, 2006 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can you run DHCP on a XP computer??



Hi all

Someone told me you can run DECO on a computer running Windows XP.  I was
totally unaware of this.  Does any one have any information about this?




RE: [ActiveDir] OT: Possessed PCs

2006-12-01 Thread Laura A. Robinson
When I go near wireless mice/keyboards, they stop working. (I can provide
witnesses to this.) Want me to visit your office? ;-)
 
Laura
 
P.S. How densely clustered are these users? Does one user's interference
stop if you turn off the other user's mouse? Seems like it'd be a quick way
to verify that it's not somebody between them before you start cubicle
crawling.


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, December 01, 2006 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs


Since this morning, we've ruled out the possibility of the USB mice being
affected as well. Apparently those folks with USB mice who complained were
not having the same kind of cursor movement -- it was just the seldom jumpy
cursor (where it spasms between 2-3 pixels while idle) usually seen only
with optical mice. Fortunately I've been able to see it in action today, and
it definitely seems to be coming from someone else's mouse as it appears to
be normal mouse movements. The affected users are roughly 30-40 feet away,
so we're checking to see if there is someone between all of them who has
a wireless mouse.
 
I like the idea of prohibiting the devices altogether. Would definitely save
a lot of time -- I've not been able to get much serious work done today.
 
-- 
Brian Cline 
 

   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Klassen
Sent: Friday 01 December 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs



Usually I see this from interference using wireless mice.  Usually it’s
caused by people with other wireless devices close by and they are both
operating on the same channel.  RF can operate through walls, so
interference doesn’t have to be line of sight and can come through walls,
from above or below if transmitting omnidirectionally.  Just had this
recently where a bunch of staffers with laptops got wireless external
keypads, all the same make and model, and found the range of these things
was 20 feet.  Cell Phones, Microwaves, and other common items may also cause
this for the same reasons.  I no longer allow wireless devices in my
environments just to save the hassle.

 

You say this also happens with some wired usb mice?  Have you tried moving
these to a different USB port on the system, preferably connected to a
different USB controller?

 

Scott Klassen

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, December 01, 2006 10:07 AM
To: Active Directory Mailing List
Subject: [ActiveDir] OT: Possessed PCs

 

Yesterday we had several people complain that their cursor was moving around
on its own, but not erratically or quickly as one would suspect might be the
case of a mouse issue. I used SMS remote tools to watch one person's screen,
and she noted that the way the cursor moved while I was in there checking
things was exactly the same way it was moving before -- it was just as
though someone was actually in there.

Now I can't begin to describe how odd this is -- but I can't seem to find
any common denominator for the folks who experienced this problem (so far,
three or four). Some have wireless mice with a short range and good
batteries with no problems otherwise, whereas the others have standard,
working USB mice. I have seen this before where the language bar was
detecting office and keyboard noise through the microphone as dictated
commands to do things, but the problem persisted on the first PC after I
disabled it, and I don't think that particular model has a built-in mic. I
checked the event logs and the only person who used the SMS remote control
was me, so I can't imagine that anyone else would have been remoting it
either. So far today I have not heard any more complaints, but nevertheless
I'm still curious yet baffled.

All PCs have updated virus and spyware definitions. Does anyone have ideas
on where to start looking if this problem surfaces again? If it continues
we'll have the corporate chaplain bring in his exorcist buddy.

Brian Cline, Applications Developer 
Department of Information Technology 
GP Trucking Company, Inc. 
803.936.8595 Direct Line 
800.922.1147 Toll-Free (x8595) 
803.739.1176 Fax 




RE: [ActiveDir] OT: Possessed PCs

2006-12-01 Thread Laura A. Robinson
The mouse, or the guy?


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, December 01, 2006 4:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possessed PCs


Yep, that was it. The one guy sitting between them all replaced his
batteries a few days ago, which is when the problems began. I almost took a
sledgehammer to that thing :-)

-- 
Brian Cline 
 

   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday 01 December 2006 13:42
To: Active Directory Mailing List
Subject: RE: [ActiveDir] OT: Possessed PCs


Just to update... I was finally able to catch this in action. It stopped as
soon as I unplugged the wireless keyboard/mouse device from the PC. It
appears that one particular person's wireless mouse is crossing signal with
select others, but none of the nearby mice are the culprit. It still occurs
after the affected devices are reset with the connect button on the
kb/mouse receiver. This could get interesting...

   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday 01 December 2006 11:07
To: Active Directory Mailing List
Subject: [ActiveDir] OT: Possessed PCs



Yesterday we had several people complain that their cursor was moving around
on its own, but not erratically or quickly as one would suspect might be the
case of a mouse issue. I used SMS remote tools to watch one person's screen,
and she noted that the way the cursor moved while I was in there checking
things was exactly the same way it was moving before -- it was just as
though someone was actually in there.

Now I can't begin to describe how odd this is -- but I can't seem to find
any common denominator for the folks who experienced this problem (so far,
three or four). Some have wireless mice with a short range and good
batteries with no problems otherwise, whereas the others have standard,
working USB mice. I have seen this before where the language bar was
detecting office and keyboard noise through the microphone as dictated
commands to do things, but the problem persisted on the first PC after I
disabled it, and I don't think that particular model has a built-in mic. I
checked the event logs and the only person who used the SMS remote control
was me, so I can't imagine that anyone else would have been remoting it
either. So far today I have not heard any more complaints, but nevertheless
I'm still curious yet baffled.

All PCs have updated virus and spyware definitions. Does anyone have ideas
on where to start looking if this problem surfaces again? If it continues
we'll have the corporate chaplain bring in his exorcist buddy.

Brian Cline, Applications Developer 
Department of Information Technology 
GP Trucking Company, Inc. 
803.936.8595 Direct Line 
800.922.1147 Toll-Free (x8595) 
803.739.1176 Fax 




RE: [ActiveDir] Split pagefile

2006-11-30 Thread Laura A. Robinson
Yes, it's okay, with the crashdump caveats that you've already acknowledged
and accommodated. 

It's also a good idea to split pagefiles across multiple spindles for
performance reasons when possible. I don't know if that's relevant in your
case, but whenever you have the opportunity to split pagefile across disks
(not partitions, disks), you get an associated read/write bump as a result.

P.S. They may have said that in the article you reference below; I didn't
actually click the link and read it. :-)

Laura (Robinson, not Hunter) 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
 Sent: Thursday, November 30, 2006 12:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Sorry for the reply to my own post, but this article:
 
 http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003
 /AdminTips
 /Miscellaneous/EnhancePerformancebyMovingthePagefile.html
 
 says I can move the whole thing to a different partition. 
 I'll leave a meg on the C drive just for the dumpfile, which 
 we limit to 64K, in case the system crashes and I can 
 actually figure out how to read the dumpfile.
 
 But, really, is it OK to leave absolutely NO pagefile on C:/? 
 We normally leave at least 200Mb on the C: partition when we 
 move the rest to a different drive.
 
 
 --
 Larry Wahlers
 Concordia Technologies
 The Lutheran Church - Missouri Synod
 mailto:[EMAIL PROTECTED]
 direct office line: (314) 996-1876
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED] 
   [mailto:[EMAIL PROTECTED] On 
   Behalf Of Larry Wahlers
   Sent: Thursday, November 30, 2006 9:55 AM
   To: Exchange Discussions
   Subject: Split pagefile
   
   Colleagues,
   
   Is there a best practice for splitting the pagefile on 
 Exchange 2003
   across multiple drives? My C drive is up to nearly 9GB used 
   out of 10GB,
   and I'd like to move off most of the 3GB pagefile to maybe 
   the database
   drive. We have only 500 users on that system, so 
  performance shouldn't
   be too much of an issue.
   
   Thanks in advance, folks.
   
   -- 
   Larry Wahlers
   Concordia Technologies
   The Lutheran Church - Missouri Synod
   mailto:[EMAIL PROTECTED]
   direct office line: (314) 996-1876
   


RE: [ActiveDir] Split pagefile

2006-11-30 Thread Laura A. Robinson
There must be a pagefile on the boot drive in order to facilitate a crash
dump [*if* that is a concern for the environment]; dumps cannot be directed
to another partition. So in that respect, it does matter, but it is not a
hard requirement that there be a pagefile on the boot drive.

Laura

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
 Sent: Thursday, November 30, 2006 12:24 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 It really shouldn't matter whether or not the page file 
 resides on the boot partition or not.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
 Sent: Thursday, November 30, 2006 9:09 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Sorry for the reply to my own post, but this article:
 
 http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html
 
 says I can move the whole thing to a different partition. 
 I'll leave a meg on the C drive just for the dumpfile, which 
 we limit to 64K, in case the system crashes and I can 
 actually figure out how to read the dumpfile.
 
 But, really, is it OK to leave absolutely NO pagefile on C:/? 
 We normally leave at least 200Mb on the C: partition when we 
 move the rest to a different drive.
 
 
 --
 Larry Wahlers
 Concordia Technologies
 The Lutheran Church - Missouri Synod
 mailto:[EMAIL PROTECTED]
 direct office line: (314) 996-1876
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED] 
   [mailto:[EMAIL PROTECTED] On 
   Behalf Of Larry Wahlers
   Sent: Thursday, November 30, 2006 9:55 AM
   To: Exchange Discussions
   Subject: Split pagefile
   
   Colleagues,
   
   Is there a best practice for splitting the pagefile on 
 Exchange 2003
   across multiple drives? My C drive is up to nearly 9GB used 
   out of 10GB,
   and I'd like to move off most of the 3GB pagefile to maybe 
   the database
   drive. We have only 500 users on that system, so 
  performance shouldn't
   be too much of an issue.
   
   Thanks in advance, folks.
   
   -- 
   Larry Wahlers
   Concordia Technologies
   The Lutheran Church - Missouri Synod
   mailto:[EMAIL PROTECTED]
   direct office line: (314) 996-1876
   


RE: [ActiveDir] Split pagefile

2006-11-30 Thread Laura A. Robinson
That's only if you select the custom size radio button and try to set it
to less than 16MB. If you select the no paging file option, it works fine.

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
 Sent: Thursday, November 30, 2006 12:28 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 I think 2k3r2 requires at least 16MB on C:.  At least that is 
 the error message I have gotten before when I tried to make 
 it smaller than that.
 In 2000 I could make it 10MB without it complaining.  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
 Sent: Thursday, November 30, 2006 11:09 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Sorry for the reply to my own post, but this article:
 
 http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html
 
 says I can move the whole thing to a different partition. 
 I'll leave a meg on the C drive just for the dumpfile, which 
 we limit to 64K, in case the system crashes and I can 
 actually figure out how to read the dumpfile.
 
 But, really, is it OK to leave absolutely NO pagefile on C:/? 
 We normally leave at least 200Mb on the C: partition when we 
 move the rest to a different drive.
 
 
 --
 Larry Wahlers
 Concordia Technologies
 The Lutheran Church - Missouri Synod
 mailto:[EMAIL PROTECTED]
 direct office line: (314) 996-1876
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED] 
   [mailto:[EMAIL PROTECTED] On 
   Behalf Of Larry Wahlers
   Sent: Thursday, November 30, 2006 9:55 AM
   To: Exchange Discussions
   Subject: Split pagefile
   
   Colleagues,
   
   Is there a best practice for splitting the pagefile on 
 Exchange 2003
   across multiple drives? My C drive is up to nearly 9GB used 
   out of 10GB,
   and I'd like to move off most of the 3GB pagefile to maybe 
   the database
   drive. We have only 500 users on that system, so 
  performance shouldn't
   be too much of an issue.
   
   Thanks in advance, folks.
   
   -- 
   Larry Wahlers
   Concordia Technologies
   The Lutheran Church - Missouri Synod
   mailto:[EMAIL PROTECTED]
   direct office line: (314) 996-1876
   


RE: [ActiveDir] Split pagefile

2006-11-30 Thread Laura A. Robinson
When I do that, I try to dedicate an entire spindle to the pagefile, if
possible. It eliminates competition for disk I/O from other sources. If I
can't devote a full spindle, I do tend to do a pagefile partition just
because it gives the pagefile a nice, clean sandbox of its own without data
storage creeping into its space.

That said, all of the configuration is completely dependent upon hardware
and software configuration. In other words, just because I've done things
this way, that doesn't necessarily mean that I'm advising it as a best
practice. Heck, it doesn't even necessarily mean that it's a good idea. :-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
 Sent: Thursday, November 30, 2006 1:08 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Hi, 
 
 I have an answer and a question about the same.
 
 Most of my servers have 2 partitions, one for the OS and the 
 other for data, I always put the pagefile in the data 
 partition, so yes, you can have the whole thing in a 
 different partition or hard drive.
 
 Actually, Linux systems always create a swap partition just 
 for that purpose, so I wonder if it would be more efficient 
 to always create a partition just for the pagefile... Anyone know?
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
 Sent: Thursday, November 30, 2006 12:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Sorry for the reply to my own post, but this article:
 
 http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html
 
 says I can move the whole thing to a different partition. 
 I'll leave a meg on the C drive just for the dumpfile, which 
 we limit to 64K, in case the system crashes and I can 
 actually figure out how to read the dumpfile.
 
 But, really, is it OK to leave absolutely NO pagefile on C:/? 
 We normally leave at least 200Mb on the C: partition when we 
 move the rest to a different drive.
 
 
 --
 Larry Wahlers
 Concordia Technologies
 The Lutheran Church - Missouri Synod
 mailto:[EMAIL PROTECTED]
 direct office line: (314) 996-1876
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On 
 Behalf Of 
   Larry Wahlers
   Sent: Thursday, November 30, 2006 9:55 AM
   To: Exchange Discussions
   Subject: Split pagefile
   
   Colleagues,
   
   Is there a best practice for splitting the pagefile on 
 Exchange 2003 
   across multiple drives? My C drive is up to nearly 9GB 
 used out of 
   10GB, and I'd like to move off most of the 3GB pagefile 
 to maybe the 
   database drive. We have only 500 users on that system, so
  performance shouldn't
   be too much of an issue.
   
   Thanks in advance, folks.
   
   --
   Larry Wahlers
   Concordia Technologies
   The Lutheran Church - Missouri Synod 
   mailto:[EMAIL PROTECTED]
   direct office line: (314) 996-1876
   


RE: [ActiveDir] Split pagefile

2006-11-30 Thread Laura A. Robinson
Larry wrote: 
  It's also a good idea to split pagefiles across multiple spindles
 
 It will be on a RAID-5 array, so technically yes, it will be 
 across multiple spindles.

Yup. I usually create a separate partition on the array and drop the
pagefile there. That's mostly just because I'm a little OCD, though. :-)

Laura



OT: RE: [ActiveDir] Split pagefile

2006-11-30 Thread Laura A. Robinson
You know, you can actually do your own crashdump analysis. We even used to
teach people how to do it back in the NT4 days. I loved that class. :-D 

Laura

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Don Hoehn
 Sent: Thursday, November 30, 2006 2:15 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Hi,
   Best practice used to be to put the pagefile on a 
 different BUS than the OS. The idea is that you can 
 read/write to both the OS and the PF at the same time. We 
 always put the entire PF on a separate bus/drive in its own 
 partition. That way you have the added speed of a bus apart 
 from the OS bus and a contiguous PF. We never bothered with a 
 C: swapfile because we could never afford to send the dump to 
 M$ for decryption. :-}
 
 Don
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
 Sent: Thursday, November 30, 2006 11:07 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Hi, 
 
 I have an answer and a question about the same.
 
 Most of my servers have 2 partitions, one for the OS and the 
 other for data, I always put the pagefile in the data 
 partition, so yes, you can have the whole thing in a 
 different partition or hard drive.
 
 Actually, Linux systems always create a swap partition just 
 for that purpose, so I wonder if it would be more efficient 
 to always create a partition just for the pagefile... Anyone know?
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
 Sent: Thursday, November 30, 2006 12:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Sorry for the reply to my own post, but this article:
 
 http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html
 
 says I can move the whole thing to a different partition. 
 I'll leave a meg on the C drive just for the dumpfile, which 
 we limit to 64K, in case the system crashes and I can 
 actually figure out how to read the dumpfile.
 
 But, really, is it OK to leave absolutely NO pagefile on C:/? 
 We normally leave at least 200Mb on the C: partition when we 
 move the rest to a different drive.
 
 
 --
 Larry Wahlers
 Concordia Technologies
 The Lutheran Church - Missouri Synod
 mailto:[EMAIL PROTECTED]
 direct office line: (314) 996-1876
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On 
 Behalf Of 
   Larry Wahlers
   Sent: Thursday, November 30, 2006 9:55 AM
   To: Exchange Discussions
   Subject: Split pagefile
   
   Colleagues,
   
   Is there a best practice for splitting the pagefile on 
 Exchange 2003 
   across multiple drives? My C drive is up to nearly 9GB 
 used out of 
   10GB, and I'd like to move off most of the 3GB pagefile 
 to maybe the 
   database drive. We have only 500 users on that system, so
  performance shouldn't
   be too much of an issue.
   
   Thanks in advance, folks.
   
   --
   Larry Wahlers
   Concordia Technologies
   The Lutheran Church - Missouri Synod 
   mailto:[EMAIL PROTECTED]
   direct office line: (314) 996-1876
   
 __
 This email has been scanned by the MessageLabs Email Security System.
 For more information please visit 
 http://www.messagelabs.com/email 
 __
 
 

RE: [ActiveDir] Delegate VPN rights

2006-11-30 Thread Laura A. Robinson
Do a 'net search for Active Directory display specifiers. It discusses why
some stuff shows up and other stuff doesn't, as well as how to change it.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, November 30, 2006 12:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate VPN rights



I’m attempting to delegate out the permissions to adjust the Remote Access
Permissions under the Dial-In tab in Active Directory for user accounts.
When performing an LDAP query, I notice that changes to this setting are
recorded in the msNPAllowDialin attribute.  Set to False when Deny Access is
set, True when Allow Access is set, and “not set” when Control Access
through Remote Access Policy is set.

 

However when I attempt to delegate out the rights to a security group so
they can modify this, it is not listed as a selectable property.  Am I
missing something here?  Should I be looking for a different property to
delegate out this right?

 

Thanks,

~Ben Watson


 


RE: [ActiveDir] Split pagefile

2006-11-30 Thread Laura A. Robinson
Thanks, Kevin and Ben. I feel all warm and fuzzy and valuable and stuff now.
:-D

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
 Sent: Thursday, November 30, 2006 2:29 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Ah, that's a nice clarification.  I actually wasn't aware of 
 the 16MB limitation for page file size on the boot partition, 
 especially since I had done just what you said.  Set the boot 
 partition to no paging file
 and just set it manually on an alternative disk.
 
 Very good to know, thanks for the info Laura.
 
 ~Ben
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
 Robinson
 Sent: Thursday, November 30, 2006 10:24 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 That's only if you select the custom size radio button and 
 try to set it to less than 16MB. If you select the no paging 
 file option, it works fine.
 
 Laura 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
 Kevin Brunson
  Sent: Thursday, November 30, 2006 12:28 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Split pagefile
  
  I think 2k3r2 requires at least 16MB on C:.  At least that is the 
  error message I have gotten before when I tried to make it smaller 
  than that.
  In 2000 I could make it 10MB without it complaining.  
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
 Larry Wahlers
  Sent: Thursday, November 30, 2006 11:09 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Split pagefile
  
  Sorry for the reply to my own post, but this article:
  
  http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html
  
  says I can move the whole thing to a different partition. 
  I'll leave a meg on the C drive just for the dumpfile, 
 which we limit 
  to 64K, in case the system crashes and I can actually 
 figure out how 
  to read the dumpfile.
  
  But, really, is it OK to leave absolutely NO pagefile on C:/? 
  We normally leave at least 200Mb on the C: partition when 
 we move the 
  rest to a different drive.
  
  
  --
  Larry Wahlers
  Concordia Technologies
  The Lutheran Church - Missouri Synod
  mailto:[EMAIL PROTECTED]
  direct office line: (314) 996-1876
  
  
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
 On Behalf 
Of Larry Wahlers
Sent: Thursday, November 30, 2006 9:55 AM
To: Exchange Discussions
Subject: Split pagefile

Colleagues,

Is there a best practice for splitting the pagefile on
  Exchange 2003
across multiple drives? My C drive is up to nearly 9GB 
 used out of 
10GB, and I'd like to move off most of the 3GB pagefile 
 to maybe 
the database drive. We have only 500 users on that system, so
   performance shouldn't
be too much of an issue.

Thanks in advance, folks.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod 
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876



RE: [ActiveDir] Delegate VPN rights

2006-11-30 Thread Laura A. Robinson
Thank you! I've been giving myself a headache trying to remember the name of
the file! I couldn't remember the extension.

That said, Ben, still take a look at the display specifiers whitepaper; not
all attributes' display names match the actual attribute names. I've not
checked the one in question.

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Thursday, November 30, 2006 2:50 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Delegate VPN rights
 
 You will need to modify dssec.dat to expose the property.
 
 http://www.activedir.org/article.aspx?aid=24#11
 
 Tony
 -- Original Message --
 From: WATSON, BEN [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 Date:  Thu, 30 Nov 2006 09:34:39 -0800
 
 I'm attempting to delegate out the permissions to adjust the 
 Remote Access Permissions under the Dial-In tab in Active 
 Directory for user accounts.  When performing an LDAP query, 
 I notice that changes to this setting are recorded in the 
 msNPAllowDialin attribute.  Set to False when Deny Access is 
 set, True when Allow Access is set, and not set
 when Control Access through Remote Access Policy is set.
 
  
 
 However when I attempt to delegate out the rights to a 
 security group so they can modify this, it is not listed as a 
 selectable property.  Am I missing something here?  Should I 
 be looking for a different property to delegate out this right?
 
  
 
 Thanks,
 
 ~Ben Watson
 
 
 
  
 
 
 
 
 
 Sent via the WebMail system at mail.activedir.org
 
 
  

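Tony's reply above points at dssec.dat as the file that hides msNPAllowDialin from the delegation property list. The following Python example is added here for illustration and is not code from the thread or from Microsoft: it parses a constructed dssec.dat fragment, reports how an attribute is filtered for a given object class, and rewrites only that class's entry. Assumptions: the filter-value meanings (0, 1, 2, 7) are the commonly documented ones, and the function names are hypothetical.

```python
# Constructed sample shaped like %SystemRoot%\System32\dssec.dat:
# [objectClass] sections, each followed by attributeName=filterValue lines.
SAMPLE_DSSEC = """\
[computer]
accountExpires=7
msNPAllowDialin=7

[user]
accountExpires=7
msNPAllowDialin=7
"""

# Assumption: filter values as commonly documented for dssec.dat.
FILTER_MEANING = {
    0: "Read and Write shown",
    1: "Write shown only",
    2: "Read shown only",
    7: "hidden",
}


def parse_dssec(text):
    """Return {class_name: {attribute: filter_value}} with lower-cased keys."""
    filters, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            filters.setdefault(section, {})
        elif section is not None and "=" in line:
            name, _, value = line.partition("=")
            try:
                filters[section][name.strip().lower()] = int(value.strip())
            except ValueError:
                continue  # skip malformed lines instead of guessing a value
    return filters


def visibility(filters, object_class, attribute):
    """Describe how the delegation UI treats attribute on object_class."""
    value = filters.get(object_class.lower(), {}).get(attribute.lower())
    if value is None:
        return "not listed"
    return FILTER_MEANING.get(value, f"unknown filter value {value}")


def expose(text, object_class, attribute):
    """Return text with attribute set to 0 under [object_class] only.

    The same attribute name appears under several classes, so the edit is
    scoped to one section and every other line is left byte-for-byte alone.
    """
    out, section, changed = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == object_class.lower() and "=" in line:
            name = line.partition("=")[0].strip()
            if name.lower() == attribute.lower():
                raw = f"{name}=0"
                changed = True
        out.append(raw)
    if not changed:
        raise KeyError(f"{attribute} is not listed under [{object_class}]")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = parse_dssec(SAMPLE_DSSEC)
    print("user before:", visibility(before, "user", "msNPAllowDialin"))
    patched = expose(SAMPLE_DSSEC, "user", "msNPAllowDialin")
    after = parse_dssec(patched)
    print("user after:", visibility(after, "user", "msNPAllowDialin"))
    print("computer after:", visibility(after, "computer", "msNPAllowDialin"))
```

dssec.dat is read by the delegation UI on the machine where the tool runs, so the edit changes what is listed there, not who holds the permission; the grant itself is still an ACE on the target objects.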


RE: [ActiveDir] Split pagefile

2006-11-30 Thread Laura A. Robinson
Are you able to connect to the server via Computer Management? Meaning, in
the Computer Management console, can you right click on the server and
choose Connect to.. or whatever it says, then connect to the problem
server? If so, can you see the service statuses and event logs on the
server? You can also connect to the remote machine's logs via the event log
UI, but Computer Management has all the good goop in it, anyway. Can you
telnet to the RDP port? Can you map a drive to a share on the server? When
you say you can't log on, do you get the logon dialog box and a failure to
let you log on, or do you get no remote desktop UI at all?

Laura (probably a bit overcaffeinated now; can you tell?)

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
 Sent: Thursday, November 30, 2006 4:35 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Laura wrote:
  That's only if you select the custom size radio button and try to 
  set it to less than 16MB. If you select the no paging 
 file option, 
  it works fine.
 
 Very good. I just tried that on a test server, and that worked.
 
 However, I have a very different problem now. I went ahead 
 and put 16Mb on my C: volume, and 4096Mb on my F: volume, 
 rebooted, the server came up, Exchange is working, but I 
 cannot log onto the server with Remote Desktops anymore. Are 
 these related?
 
 Any advice as to how I can get Remote Desktops to this server 
 working again will be greatly appreciated, as St. Louis is 
 now experiencing one of its famous ice storms, and going in 
 to where the server is just isn't an option right now.
 
 Larry Wahlers


OT: RE: RE: [ActiveDir] Split pagefile

2006-11-30 Thread Laura A. Robinson
That's how you spend your Saturday nights? I suddenly feel waaay cooler
(socially speaking) than I did five minutes ago, I gotta tell ya. 

Laura

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Martin Tuip
 Sent: Thursday, November 30, 2006 4:48 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: RE: [ActiveDir] Split pagefile
 
 Beats having to read SEC17a and NASD guidelines on a Saturday night.
 
 Martin Tuip
 MVP-Exchange
 
 - Original Message -
 From: Laura A. Robinson [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Thursday, November 30, 2006 12:21 PM
 Subject: OT: RE: [ActiveDir] Split pagefile
 
 
  You know, you can actually do your own crashdump analysis. 
 We even used to
  teach people how to do it back in the NT4 days. I loved 
 that class. :-D
 
  Laura
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Don Hoehn
  Sent: Thursday, November 30, 2006 2:15 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Split pagefile
 
  Hi,
  Best practice used to be to put the pagefile on a
  different BUS than the OS. The idea is that you can
  read/write to both the OS and the PF at the same time. We
  always put the entire PF on a separate bus/drive in its own
  partition. That way you have the added speed of a bus apart
  from the OS bus and a contiguous PF. We never bothered with a
  C: swapfile because we could never afford to send the dump to
  M$ for decryption. :-}
 
  Don
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
 Ramon Linan
  Sent: Thursday, November 30, 2006 11:07 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Split pagefile
 
  Hi,
 
  I have an answer and a question about the same.
 
  Most of my servers have 2 partitions, one for the OS and the
  other for data, I always put the pagefile in the data
  partition, so yes, you can have the whole thing in a
  different partition or hard drive.
 
  Actually, Linux systems always create a swap partition just
  for that purpose, so I wonder if it would be more efficient
  to always create a partition just for the pagefile... Anyone know?
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
  Sent: Thursday, November 30, 2006 12:09 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Split pagefile
 
  Sorry for the reply to my own post, but this article:
 
  http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html
 
  says I can move the whole thing to a different partition.
  I'll leave a meg on the C drive just for the dumpfile, which
  we limit to 64K, in case the system crashes and I can
  actually figure out how to read the dumpfile.
 
  But, really, is it OK to leave absolutely NO pagefile on C:/?
  We normally leave at least 200Mb on the C: partition when we
  move the rest to a different drive.
 
 
  --
  Larry Wahlers
  Concordia Technologies
  The Lutheran Church - Missouri Synod
  mailto:[EMAIL PROTECTED]
  direct office line: (314) 996-1876
 
 
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Thursday, November 30, 2006 9:55 AM
To: Exchange Discussions
Subject: Split pagefile

Colleagues,

Is there a best practice for splitting the pagefile on Exchange 2003
across multiple drives? My C drive is up to nearly 9GB used out of
10GB, and I'd like to move off most of the 3GB pagefile to maybe the
database drive. We have only 500 users on that system, so performance
shouldn't be too much of an issue.
   
Thanks in advance, folks.
   
--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
   


RE: RE: [ActiveDir] Split pagefile

2006-11-30 Thread Laura A. Robinson
Ooh, I love it when people get all geeky.

Here's a nice little laundry list of links (I love all this alliteration):
http://labmice.techtarget.com/troubleshooting/memorydumps.htm

If you subscribe to Windows IT Pro, Mark Russinovich [insert awed murmurs
and supplicant posturing] wrote an article on it here:
http://www.windowsitpro.com/Article/ArticleID/16425/16425.html?Ad=1


ooorrr...you could click on them there handy links that Susan just sent and
I'll quit copying and pasting now. :-)

Laura

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
 Sent: Thursday, November 30, 2006 4:58 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: RE: [ActiveDir] Split pagefile
 
 That is pretty cool, where do I learn about this? Do you
 know of a good url where it tells you how to do your own
 crashdump analysis?
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
 Sent: Thursday, November 30, 2006 3:21 PM
 To: ActiveDir@mail.activedir.org
 Subject: OT: RE: [ActiveDir] Split pagefile
 
 You know, you can actually do your own crashdump analysis. We
 even used to teach people how to do it back in the NT4 days.
 I loved that class. :-D
 
 Laura
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Don Hoehn
  Sent: Thursday, November 30, 2006 2:15 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Split pagefile
  
  Hi,
  Best practice used to be to put the pagefile on a different BUS than
  the OS. The idea is that you can read/write to both the OS and the PF
  at the same time. We always put the entire PF on a separate bus/drive
  in its own partition. That way you have the added speed of a bus
  apart from the OS bus and a contiguous PF. We never bothered with a
  C: swapfile because we could never afford to send the dump to M$ for
  decryption. :-}
  
  Don
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
  Sent: Thursday, November 30, 2006 11:07 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Split pagefile
  
  Hi,
  
  I have an answer and a question about the same.
  
  Most of my servers have 2 partitions, one for the OS and the other for
  data. I always put the pagefile in the data partition, so yes, you can
  have the whole thing in a different partition or hard drive.
  
  Actually, Linux systems always create a swap partition just for that
  purpose, so I wonder if it would be more efficient to always create a
  partition just for the pagefile... Anyone know?
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
  Sent: Thursday, November 30, 2006 12:09 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Split pagefile
  
  Sorry for the reply to my own post, but this article:
  
  http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html
  
  says I can move the whole thing to a different partition.
  I'll leave a meg on the C drive just for the dumpfile, which we limit
  to 64K, in case the system crashes and I can actually figure out how
  to read the dumpfile.
  
  But, really, is it OK to leave absolutely NO pagefile on C:/?
  We normally leave at least 200Mb on the C: partition when we move the
  rest to a different drive.
  
  
  --
  Larry Wahlers
  Concordia Technologies
  The Lutheran Church - Missouri Synod
  mailto:[EMAIL PROTECTED]
  direct office line: (314) 996-1876
  
  
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Thursday, November 30, 2006 9:55 AM
To: Exchange Discussions
Subject: Split pagefile

Colleagues,

Is there a best practice for splitting the pagefile on Exchange 2003
across multiple drives? My C drive is up to nearly 9GB used out of
10GB, and I'd like to move off most of the 3GB pagefile to maybe the
database drive. We have only 500 users on that system, so performance
shouldn't be too much of an issue.

Thanks in advance, folks.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod 
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876



OT: RE: RE: [ActiveDir] Split pagefile

2006-11-30 Thread Laura A. Robinson
I was out eating turkey. You people were reading the list? Dang, that's
dedication! 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
 Sent: Thursday, November 30, 2006 5:22 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: RE: [ActiveDir] Split pagefile
 
 I think Susan brought this up last week or so.  Here's the 
 link she gave.  I can't find the original post
 http://blogs.technet.com/petergal/archive/2006/03/23/422993.aspx
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
 Sent: Thursday, November 30, 2006 2:21 PM
 To: ActiveDir@mail.activedir.org
 Subject: OT: RE: [ActiveDir] Split pagefile
 
 You know, you can actually do your own crashdump analysis. We 
 even used to teach people how to do it back in the NT4 days. 
 I loved that class. :-D 
 
 Laura
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Don Hoehn
  Sent: Thursday, November 30, 2006 2:15 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Split pagefile
  
  Hi,
  Best practice used to be to put the pagefile on a different BUS than
  the OS. The idea is that you can read/write to both the OS and the PF
  at the same time. We always put the entire PF on a separate bus/drive
  in its own partition. That way you have the added speed of a bus
  apart from the OS bus and a contiguous PF. We never bothered with a
  C: swapfile because we could never afford to send the dump to M$ for
  decryption. :-}
  
  Don
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
  Sent: Thursday, November 30, 2006 11:07 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Split pagefile
  
  Hi,
  
  I have an answer and a question about the same.
  
  Most of my servers have 2 partitions, one for the OS and the other for
  data. I always put the pagefile in the data partition, so yes, you can
  have the whole thing in a different partition or hard drive.
  
  Actually, Linux systems always create a swap partition just for that
  purpose, so I wonder if it would be more efficient to always create a
  partition just for the pagefile... Anyone know?
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
  Sent: Thursday, November 30, 2006 12:09 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Split pagefile
  
  Sorry for the reply to my own post, but this article:
  
  http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html
  
  says I can move the whole thing to a different partition.
  I'll leave a meg on the C drive just for the dumpfile, which we limit
  to 64K, in case the system crashes and I can actually figure out how
  to read the dumpfile.
  
  But, really, is it OK to leave absolutely NO pagefile on C:/?
  We normally leave at least 200Mb on the C: partition when we move the
  rest to a different drive.
  
  
  --
  Larry Wahlers
  Concordia Technologies
  The Lutheran Church - Missouri Synod
  mailto:[EMAIL PROTECTED]
  direct office line: (314) 996-1876
  
  
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Thursday, November 30, 2006 9:55 AM
To: Exchange Discussions
Subject: Split pagefile

Colleagues,

Is there a best practice for splitting the pagefile on Exchange 2003
across multiple drives? My C drive is up to nearly 9GB used out of
10GB, and I'd like to move off most of the 3GB pagefile to maybe the
database drive. We have only 500 users on that system, so performance
shouldn't be too much of an issue.

Thanks in advance, folks.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod 
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876



RE: [ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread Laura A. Robinson
1. This is one of the eight gazillion reasons to discourage the use of
accounts that are Domain Admins for routine purposes that can be achieved
without that level of rights.
2. By default, when a member of the Domain Admins group creates an object in
the directory, the Domain Admins group becomes the owner of the object. That
is by design. 
3. When I create an object with an account that is a member of Domain
Admins, the creator of the object shows as that account, not as Domain
Admins. Why aren't you just looking at that value in the event logs, rather
than looking at the ownership of the object? That's why auditing allows
tracking of who creates/modifies/deletes directory objects.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event log entry?



I wonder if someone could explain to me (or point me at some reference)
about what mechanism is used to populate the information in a Windows event
log entry.  The reason why I ask is that I see in the Security log when a
new user account is created by an account which is a member of the Domain
Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 .  If
it is created by an account that is a member of the Account Operators group,
then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on purpose or
a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes




RE: [ActiveDir] Split pagefile

2006-11-30 Thread Laura A. Robinson
Inline... 


 
 Thanks for replying, Laura!

Sure thing. 

 
 You wrote:
  Are you able to connect to the server via Computer Management?
 
 Yes.

Then you can use that to reconfigure the pagefile, making very, very sure
you click Set. :-) After you've connected to it in CM, right click the
computer, choose Properties, go to the Advanced tab, yada yada yada.
 
 If so, can you see the service statuses and event logs on 
 the  server?
 
 Yes. I looked all through the event logs, and didn't see 
 anything relating to terminal services failures. And the 
 terminal services service is started.

How about the security log? Are you seeing logon failures?
 
  Can you
  telnet to the RDP port? 
 
 If you mean, can I telnet to the server by name or by its IP 
 address, no. But yes, I can telnet to port 3389 on the 
 server, and the cursor sits there and blinks at me, but as 
 soon as I hit any key, I get back to my command prompt.

Okay, port's open.

  Can you map a drive to a share on the server?
 
 Yes. And, in fact, I have the same 2Gb pagefile on C: that I 
 had before, and no pagefile on E: So, I'm thinking that A. I 
 forgot to hit the set button, or B. The server got confused.

The snow might have made it sluggish. (That's a joke, folks.) See above for
remedy (hopefully).

 
  When
  you say you can't log on, do you get the logon dialog box and a 
  failure to let you log on, or do you get no remote desktop 
 UI at all?
 
 No remote desktop UI at all. I immediately get the 
 disconnected from server message.

Okay. Try logging on with a different account that has TS connection
permissions. Check the security logs. If you're not auditing logon events,
you'll need to do that. Check the terminal services permissions, etc. Maybe
do a preemptive reboot (or just do it as part of that pagefile adjustment)
and see if anything changes. If none of that works, there's still more stuff
to check, but I'm tired of typing right now and hopefully one of the above
things will determine the issue.
 
  Laura (probably a bit overcaffeinated now; can you tell?)
 
 No problem. I'm snowed in, but the server is running. 
 
 I guess what I'd like to do is see if I can reset the 
 pagefile and reboot the server, all remotely, and still 
 manage to terminal service to it and log in.
 
 Thanks for your help, Laura. You deserve many pats on the 
 back, attagirls, and stuff.
 
No problem, and no pats necessary.

Laura



RE: [ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread Laura A. Robinson
Nope, it's not a typo- note the difference between *owner* and *creator*.
When a user who is a member of the Domain Admins group creates an object, by
default, the DA group is the *owner* of the object. However, what is logged in
the audit (security event) log does list the specific account that was used to
*create* the object. 
 
As far as changing the behavior for #2, there is a group policy setting
"System Objects: Default owner for objects created by members of the
Administrators group" in the Computer Configuration\Windows Settings\Local
Policies\Security Options section of group policy. That setting can be set
to "Administrators group" or to "Object creator". That may be what you're
thinking of. That setting, however, refers to system objects (thus the
"system objects" predicate. :-) ) You may also be thinking of the ability in
the property sheets for any object to set the owner of DA-owned objects to
either a specific DA account or to the group. 
 
I don't remember you misreading one of my posts; you must have a much better
memory than I do. Then again, I usually can't remember what I ate for
breakfast. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, November 30, 2006 10:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?


Hi Laura,
 
I know I misread one of your posts once before, so I'm sorry in advance
if I'm doing it again (!), but aren't you making a conflicting statement in
nos. 2 & 3 below?  Or is #3 supposed to say that is NOT a member of Domain
Admins... ?
 
Also, is there a mechanism of some sort which changes the behavior in #2
such that the actual account used would become the object's owner (rather
than DAs group)?  I remember reading something like this once, but I could
be thinking of something else way off base :-(
 
In any case, I completely agree that delegating the creation right is
the [way!] better option here!
 
Thanks as always,
DaveC


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?


1. This is one of the eight gazillion reasons to discourage the use of
accounts that are Domain Admins for routine purposes that can be achieved
without that level of rights.
2. By default, when a member of the Domain Admins group creates an object in
the directory, the Domain Admins group becomes the owner of the object. That
is by design. 
3. When I create an object with an account that is a member of Domain
Admins, the creator of the object shows as that account, not as Domain
Admins. Why aren't you just looking at that value in the event logs, rather
than looking at the ownership of the object? That's why auditing allows
tracking of who creates/modifies/deletes directory objects.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event log entry?



I wonder if someone could explain to me (or point me at some reference)
about what mechanism is used to populate the information in a Windows event
log entry.  The reason why I ask is that I see in the Security log when a
new user account is created by an account which is a member of the Domain
Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 .  If
it is created by an account that is a member of the Account Operators group,
then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on purpose or
a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes




RE: [ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread Laura A. Robinson
Okay, the below totally cracked me up. :-) Brian gave you the ADFind answer,
but I guess I would also ask in what format you need to retrieve this
information and whether or not you're plugging it into something. I'm not
sure that last sentence even made sense, sorry. I'm sleep deprived. 
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 10:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?



Tony and Laura,

   Thanks for the replies!  Actually, I am already trapping eventid 624 and
I see the “Caller User Name:” entry with the right value.  Where I got
confused was when I built a daily job using adfind (with the –owner switch)
to produce a list of users created during the previous 24 hours.  Laura’s #2
answer explains why I see what I do for accounts created by members of the
“Domain Admins”.  Her #1 answer is going to make me rethink how we do some
of the account creations.  Her #3 answer begs the question of how would I
construct a query to produce new accounts created over a 24 hour period?
Adfind was the first (and maybe only) tool that popped into my head to do
this.  Other suggestions?  Thanks!

 

Mike Thommes


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 30, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

 

1. This is one of the eight gazillion reasons to discourage the use of
accounts that are Domain Admins for routine purposes that can be achieved
without that level of rights.

2. By default, when a member of the Domain Admins group creates an object in
the directory, the Domain Admins group becomes the owner of the object. That
is by design. 

3. When I create an object with an account that is a member of Domain
Admins, the creator of the object shows as that account, not as Domain
Admins. Why aren't you just looking at that value in the event logs, rather
than looking at the ownership of the object? That's why auditing allows
tracking of who creates/modifies/deletes directory objects.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event log entry?

I wonder if someone could explain to me (or point me at some reference)
about what mechanism is used to populate the information in a Windows event
log entry.  The reason why I ask is that I see in the Security log when a
new user account is created by an account which is a member of the Domain
Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 .  If
it is created by an account that is a member of the Account Operators group,
then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on purpose or
a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes
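
The owner versus creator distinction discussed in this thread, as an added example (not code from any poster on the list): a Python sketch that reads event ID 624 records, takes the "Caller User Name:" value mentioned above as the creator, and sets it beside the owner value a directory query would return for accounts created in the previous 24 hours. The export layout, the sample records, the owner listing and every field label other than "Caller User Name:" are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export: "timestamp|event id|title", then one
# "label: value" pair per line, records separated by "---". Only the
# "Caller User Name:" label is quoted in the thread; the rest are assumed.
SAMPLE_EVENTS = """\
2006-11-30 09:12:44|624|User Account Created:
\tNew Account Name:\tjdoe
\tNew Domain:\tXYZ
\tCaller User Name:\tadminacct1
\tCaller Domain:\tXYZ
---
2006-11-30 14:03:10|624|User Account Created:
\tNew Account Name:\tasmith
\tNew Domain:\tXYZ
\tCaller User Name:\toperacct1
\tCaller Domain:\tXYZ
---
2006-11-30 15:00:00|642|User Account Changed:
\tTarget Account Name:\tjdoe
\tCaller User Name:\tadminacct1
---
2006-11-28 08:00:00|624|User Account Created:
\tNew Account Name:\tolduser
\tNew Domain:\tXYZ
\tCaller User Name:\tadminacct1
\tCaller Domain:\tXYZ
"""

# Constructed sample: owner values as a daily owner query would list them
# for accounts created in the last 24 hours. svc_test has no matching
# 624 record (for example, its creation was logged on another DC).
SAMPLE_OWNERS = {
    "jdoe": "XYZ\\Domain Admins",
    "asmith": "XYZ\\operacct1",
    "svc_test": "XYZ\\Domain Admins",
}

NOW = datetime(2006, 11, 30, 23, 59, 0)
FIELD_RE = re.compile(r"^\s*([^:\n]+):\s*(.*?)\s*$")


def parse_events(text):
    """Split the export into records: time, event id and a field dict."""
    events = []
    for block in text.split("---"):
        lines = [ln for ln in block.strip().splitlines() if ln.strip()]
        if not lines:
            continue
        stamp, event_id, _title = lines[0].split("|", 2)
        fields = {}
        for ln in lines[1:]:
            m = FIELD_RE.match(ln)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        events.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "fields": fields,
        })
    return events


def creations(events, now, window=timedelta(hours=24)):
    """Return {account: (creator, time)} for 624 records inside the window."""
    found = {}
    for ev in events:
        if ev["event_id"] != 624:
            continue  # only account-creation records carry the creator
        if not (now - window <= ev["time"] <= now):
            continue
        f = ev["fields"]
        account, caller = f.get("New Account Name"), f.get("Caller User Name")
        if account and caller:
            creator = "{}\\{}".format(f.get("Caller Domain", "?"), caller)
            found[account.lower()] = (creator, ev["time"])
    return found


def report(events, owners, now):
    """Join each account's directory owner with its audited creator."""
    audited = creations(events, now)
    rows = []
    for account, owner in sorted(owners.items()):
        creator, when = audited.get(account.lower(), (None, None))
        rows.append({
            "account": account,
            "owner": owner,
            "creator": creator,   # None: no audit record found, follow up
            "created": when,
            # The owner names a person only when it equals the audited caller.
            "owner_identifies_creator":
                creator is not None and owner.lower() == creator.lower(),
        })
    return rows


if __name__ == "__main__":
    for row in report(parse_events(SAMPLE_EVENTS), SAMPLE_OWNERS, NOW):
        print("{account:10} owner={owner!r:22} creator={creator!r}".format(**row))
```

Accounts whose creator comes back as None are the ones to chase: the directory shows them as new, but no creation record was found in the collected log.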

 



RE: [ActiveDir] Exclude Vista from GPO

2006-11-28 Thread Laura A. Robinson
WMI filtering.


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, November 28, 2006 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exclude Vista from GPO



I have a GPO set to install Symantec CE 10 on all machines on startup.  The
problem is there is a different version for Vista and I want to exclude that
GPO from running on Vista machines.  How can I do this?

 

-Devon




RE: [ActiveDir] Domain and Subdomain. Duplicating accounts

2006-11-17 Thread Laura A. Robinson
I would definitely be interested to hear exactly what problems he was
having; if you find out, please share. :-) (-I'm working on putting smileys
everywhere so I fit in with the other kids.)

Laura

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
 Sent: Friday, November 17, 2006 1:45 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Domain and Subdomain. Duplicating accounts
 
 Thanks for the answer Laura,
 
 They are running a Unix application that queries the LDAP to
 find the user :O!! Unluckily, this application does not
 allow specifying the LDAP source. They have tried using GC but
 that did not work; they also tried using ADAM but they were
 also having trouble with this... I will ask him to describe
 the problems he was having in both cases and maybe you can
 give me a hand :D
 
 Thanks
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
 Sent: Thursday, November 16, 2006 8:16 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Domain and Subdomain. Duplicating accounts
 
 Besides significantly increasing the likelihood of people 
 logging onto the wrong domain and generating support calls 
 along the lines of where's my stuff?
 
 Not really. AD accommodates the same name in multiple 
 domains, as long as the UPNs are different (which they are, 
 or account creation would have failed).
 
 Why doesn't the other SA just let people use their regular accounts?
 
 Laura 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
  Sent: Thursday, November 16, 2006 4:48 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Domain and Subdomain. Duplicating accounts
  
  Hi,
  
  The company I work for has 2 office in 2 different states.
  
  The main office is domain.com and other office is a subdomain 
  (sub.domain.com).
  
  Our users sometimes go to the other office (sub.domain.com) to work 
  for a week or so, I just found out that other SA has been creating 
  accounts for my users in the subdomain.
  
  So now I have the same user in the domain and subdomain. Besides being
  a stupid way of doing things, is there any technical issue this could
  create?
  
  
  Thanks
  
  Rezuma


RE: [ActiveDir] How to completely isolate a DC?

2006-11-17 Thread Laura A. Robinson
From the sound of things, he didn't actually raise it at all yet; he
implemented some other change to see if replication was successfully
prevented by his repadmin approach. (not that you're wrong, just that I
don't think he's even encountered that yet)
 
Now, in answer to the original question, here's the thing- the only way you
can permanently prevent any change you make on your victim DC from
propagating is to never let it replicate after you've made that change. Some
changes can be overwritten by subsequent changes, but unless you've got a
whole lot of backups and a whole lot of time on your hands, you're never
really rolling back a change once it's made. In respect to your victim DC,
this means that if you didn't want the change to propagate, you'd have to
bring that bad boy down, kill it and restore from backup or just rebuild and
repromote it. Since that's the case, why not just unplug the DC from the
rest of the network while you make your change and plug it back in once
you've verified success? 
 
Having said the above, there's another consideration here- given the item in
question that you want to test out, you're really not giving it much of a
test. See, if you raise the FL with that DC disconnected from the rest of
the network and everything looks fine, that's great, but you won't *really*
know that nothing got broken until you reinsert the DC into the
replication topology and the change replicates out and oops, lookie there,
that machine stuck in the corner is broken now. There's no way for you to
discover that until your change has propagated, so isolating the DC on which
you raise the FL really isn't buying you any margin of safety.
 
And finally, having babbled about all that stuff, there are lots of checks
that happen under the covers when you raise FLs, so it's pretty hard to
raise the FL when, for example, there's still an NT BDC floating around
somewhere, and as Jorge mentioned, you won't even be able to do it
successfully without being able to contact the appropriate role-holder. I
can't even think of any network of which I'm aware where raising FL actually
broke anything. Rather, the potential problems with raising functional
level prematurely usually become obvious at a later time when somebody
attempts to do something like introduce an NT BDC into the environment and
can't because the FLs are too high. And honestly, I don't even know anybody
who has done that except to test whether the stuff we say about functional
levels is true. :-)
 
So what's my point? I don't know. Okay, kidding. My point is, if you really
want to test this change, you need to build out a lab that is reflective
of your production environment and test there, because testing your change
on a single production DC is no change at all. 
 
Make sense?
 
Probably not; I'm very babbly today. Not to be confused with being boobier.
Deji is the boob; I'm the babbler.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, November 17, 2006 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to completely isolate a DC?


did you raise it on the DC WITH the PDC FSMO role or just a DC?
 
raising the DFL -- contacts the PDC FSMO
raising the FFL -- contacts the schema master FSMO
 
jorge
 


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Friday, November 17, 2006 17:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to completely isolate a DC?


The change is to raise the domain functional level from Windows 2000 native to Windows
2003 mode.

As I understand, once I raise the domain functional level, the ntMixedDomain
attribute will be changed along with other functions (like domain controller
rename, user password support on the InetOrgPerson objectClass, etc).

I want to test it on an isolated production DC first. Just in case something
happens, we can shut down this DC without impacting the whole domain. Other
than physical isolation or putting a firewall in front of the DC, is there any
way to do it?

Thanks!

Andy




On 11/17/06, joe [EMAIL PROTECTED] wrote:

What exactly did you change and how did you change it?
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
 
 

   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Thursday, November 16, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to completely isolate a DC?



I need to make a change across our domain. My plan is to make the change on
one DC and test it, then roll out to other 50 DCs.

I tried to temporarily disable outbound replication of Active Directory with
repadmin by doing this: 

repadmin /options +DISABLE_OUTBOUND_REPL

To my surprise, the change I made 

RE: [ActiveDir] OT: M$

2006-11-17 Thread Laura A. Robinson
May I have that fork when you're finished? 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Laura E. Hunter
 Sent: Friday, November 17, 2006 3:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: M$
 
 Great, thanks joe.  Now I have to go stab my eyes out with a fork.
 It's worse than Princess Jorge in the lederhosen at Oktoberfest.
 
 On 11/17/06, joe [EMAIL PROTECTED] wrote:
 
  I wear boots with lifts. Shirts with padding. And carry hershey's 
  kisses in my cheeks like a squirrel.
 
  --



RE: [ActiveDir] OT: M$

2006-11-17 Thread Laura A. Robinson
I am so grossed out now. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
 Sent: Friday, November 17, 2006 9:01 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: M$
 
 Mm...  Yummy! 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
 Robinson
 Sent: Friday, November 17, 2006 3:37 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: M$
 
 May I have that fork when you're finished? 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. 
  Hunter
  Sent: Friday, November 17, 2006 3:12 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: M$
  
  Great, thanks joe.  Now I have to go stab my eyes out with a fork.
  It's worse than Princess Jorge in the lederhosen at Oktoberfest.
  
  On 11/17/06, joe [EMAIL PROTECTED] wrote:
  
   I wear boots with lifts. Shirts with padding. And carry hershey's 
   kisses in my cheeks like a squirrel.
  
   --
 


RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-16 Thread Laura A. Robinson
Darren is correct. A quick and simple test- create the following policy and
link it to an OU where you've placed a test user account:
 
1. User Configuration\Administrative Templates\Start Menu and Taskbar\Remove
Documents menu from Start menu- set to enabled
 
2. Run gpupdate if you're logged on with the test account (this assumes the
test account has the appropriate permissions to create the GPO), or log off
and log on as your test user.
 
3. Click on Start button and note disappearance of Documents menu.
 
4. Edit policy and change setting to Not configured.
 
5. Repeat step 2.
 
6. Repeat step 3 and note reappearance of Documents menu.
 
Having said all of the above, any settings that don't write to one of the
following locations *will* tattoo the registry:
 
HKEY_LOCAL_MACHINE\SOFTWARE\policies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

HKEY_CURRENT_USER\SOFTWARE\policies

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

A very good tutorial can be found here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx

 
Laura
  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, November 16, 2006 4:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest



I thought 'Not Defined' meant 'ignore this setting and apply it as set
elsewhere in other GPOs'. i.e. if it were set and then later set to not
defined, the clients would continue to use the setting and ignore the change
from enabled to 'not defined'.
 
e.g. wallpaper set to A, originally. Then wallpaper set to 'not defined'. I
always believed clients would ignore any 'not defined' settings and thus
continue to use wallpaper A.
 
Am I wrong?
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 18:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


If I set an Admin template policy from Enabled to Not Configured, then
that GPO with Not Configured needs to be processed at least once by the
target in order to remove the setting. So, even though GPMC might report No
Settings (and frankly I haven't looked at how it reports other areas besides
Admin. templates. For example, you can remove a software installation
package but it is left in the GPO so that clients can process the removal.
Does that mean that the GPO has no settings?) you might still want that
GPO around to be able to undo the client--if only for a limited period of
time.
 
Darren

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, November 15, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


if a GPO had settings and doesn't anymore, it may be needed by users and
computers processing GP to undo settings that were previously applied
 
IMHO, no settings means all settings in the GPO are set to Not Defined.
Wouldn't it, for the case you mention, need to have reverse settings or
original settings and thus have settings?
 
jorge
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

  _  

From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 2006-11-15 17:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Well, it depends upon the purpose of your quest, but you're correct. For
example, you may not want to delete a GPO that has no settings (but does
have versionNumber 0) because that may be a desirable state for it. In
other words, if a GPO had settings and doesn't anymore, it may be needed by
users and computers processing GP to undo settings that were previously
applied. Unless you know for sure that those settings have been undone, then
you can't be sure the GPO is unused.
 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Thanks Darren - that assumes the GPO is empty and always was empty, of
course :)
 
neil

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 15:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Another option is to perform an LDAP search on the cn=policies, cn=system
container for GPC objects, and on each GPC object, look for a versionNumber
attribute == 0. It's probably slightly faster than first generating the HTML
report and then 
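
Laura's rule about tattooing can be checked against an ADM template: a setting whose KEYNAME falls outside the four policy trees she lists stays in the registry after the GPO stops applying. The following is an added example, not code from anyone in the thread; the template, category and policy names are constructed, and the parser only understands CLASS, CATEGORY, POLICY, PART, KEYNAME and VALUENAME.

```python
import re

# Policy trees named in the post, relative to the hive (HKLM for CLASS MACHINE,
# HKCU for CLASS USER). Values written anywhere else stay behind ("tattoo")
# when the GPO no longer applies.
POLICY_TREES = (
    r"software\policies",
    r"software\microsoft\windows\currentversion\policies",
)
HIVES = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_CURRENT_USER"}

# Constructed sample template (illustrative names, not a shipped .adm file).
SAMPLE_ADM = r"""
CLASS USER
CATEGORY !!StartMenu
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    POLICY !!NoRecentDocsMenu
        VALUENAME "NoRecentDocsMenu"
    END POLICY
END CATEGORY

CLASS MACHINE
CATEGORY !!ExampleApp
    KEYNAME "Software\Policies\ExampleCorp\ExampleApp"
    POLICY !!UpdateServer
        PART !!ServerUrl EDITTEXT
            VALUENAME "UpdateServer"
        END PART
    END POLICY
    POLICY !!LegacySplash
        KEYNAME "Software\ExampleCorp\ExampleApp\Settings"
        VALUENAME "ShowSplash"
    END POLICY
    POLICY !!LookalikeKey
        KEYNAME "Software\PoliciesOld\ExampleApp"
        VALUENAME "Mode"
    END POLICY
END CATEGORY
"""


def is_policy_key(key):
    """True if the key is one of the policy trees or lies beneath one."""
    k = key.strip("\\").lower()
    return any(k == tree or k.startswith(tree + "\\") for tree in POLICY_TREES)


def first_argument(rest):
    """Return the quoted string, or the first bare token (e.g. !!Name)."""
    quoted = re.match(r'\s*"([^"]*)"', rest)
    if quoted:
        return quoted.group(1)
    tokens = rest.split()
    return tokens[0] if tokens else ""


def parse_adm(text):
    """Return one dict per VALUENAME with its effective key and tattoo flag."""
    settings = []
    adm_class = None
    scopes = []  # each entry: [kind, name, effective KEYNAME]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 1)
        word = parts[0].upper()
        rest = parts[1] if len(parts) > 1 else ""
        if word == "CLASS":
            adm_class = rest.strip().upper()
        elif word in ("CATEGORY", "POLICY", "PART"):
            # A new scope inherits the KEYNAME of the scope that encloses it.
            inherited = scopes[-1][2] if scopes else None
            scopes.append([word, first_argument(rest), inherited])
        elif word == "END":
            if scopes and rest.strip().upper().startswith(scopes[-1][0]):
                scopes.pop()
        elif word == "KEYNAME" and scopes:
            scopes[-1][2] = first_argument(rest)
        elif word == "VALUENAME" and scopes and scopes[-1][2]:
            policy = next((s[1] for s in reversed(scopes) if s[0] == "POLICY"),
                          scopes[-1][1])
            key = scopes[-1][2]
            settings.append({
                "hive": HIVES.get(adm_class, "UNKNOWN"),
                "policy": policy,
                "key": key,
                "value": first_argument(rest),
                "tattoos": not is_policy_key(key),
            })
    return settings


def tattooing_settings(text):
    """Settings written outside the policy trees."""
    return [s for s in parse_adm(text) if s["tattoos"]]


if __name__ == "__main__":
    for s in parse_adm(SAMPLE_ADM):
        flag = "TATTOOS" if s["tattoos"] else "policy "
        print(f'{flag} {s["hive"]}\\{s["key"]}  [{s["value"]}] {s["policy"]}')
```
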

RE: [ActiveDir] Strange DC behavior and error

2006-11-16 Thread Laura A. Robinson
That's not entirely accurate, which may be why you see it not working as
advertised. :-)
 
http://technet2.microsoft.com/WindowsServer/en/library/71e76587-28f4-4272-a3d7-7f44ca50c0181033.mspx?mfr=true
 
Laura


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott, Anthony
Sent: Thursday, November 16, 2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange DC behavior and error



Windows is supposed to get its time from the PDC role holder, sometimes
though this does not work as advertised. So I usually issue this command on
any new DCs I bring up:

w32tm /config /syncfromflags:DOMHIER /update

Then:

net stop w32time && net start w32time

 

 

Thanks,

Anthony Scott

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange DC behaviour and error

 

the same issue started happening last night about 10:35 last night. this was
after i plugged in my DR link to the ad box out at my disaster recovery
site.

I came in this morning only to find that when i run a NET TIME from my DC's
it was resolving this DR Domain Controller. 

i disconnected the link, reset the local machine passwords, rebooted and all
is up now.

what gives ? anyone have any ideas ?

On 11/15/06, hboogz [EMAIL PROTECTED] wrote:

Hey Guys,

Thanks for responses.

I've been stuck in the data center for the past few hours.

Here goes:

It all started with this error in the event log:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 11/15/2006
Time: 03:17:45 PM
User: N/A
Computer: PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was cifs/PHMAINDC1. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named  machine accounts in the target realm ( PHIPPSNY.ORG), and
the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Then it became all of these:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 11/15/2006
Time: 03:13:19 PM
User: N/A
Computer: PHMAINDC1
Description:
The Security System detected an authentication error for the server
cifs/PHMAINDC1.phippsny.org.  The failure code from authentication protocol
Kerberos was The attempted logon is invalid. This is either due to a bad
username or authentication information. 
 (0xc06d).

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp .
Data:
: 6d 00 00 c0   m..À


Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 11/15/2006
Time: 02:58:23 PM
User: PHIPPSNY\Administrator
Computer: PHMAINDC1
Description:
Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this. 

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date: 11/15/2006
Time: 03:03:19 PM
User: NT AUTHORITY\SYSTEM
Computer: PHMAINDC1
Description:
Windows cannot determine the user or computer name. (Access is denied. ).
Group Policy processing aborted. 

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Strangely, the maindc, phmaindc1, lost its forward lookup zone (ad-int) and
its reverse lookup zone ( ad-int ) but my second DC maintained them. I
tried adding the zones back into phmaind1, only to get an error indicating
invalid data. 

So, what i did was make all working zones on the working DC primary (
non-ad) and added secondary zones into phmaindc1.

i tried, dcdiag /fix and netdiag /fix - but nothing.

tried restarting the netlogon service - nothing. 

I came across the forums that indicated the PTR and A record entries --
didn't find any duplicates or wrong entries, everything is a one-to-one
mapping.

I then looked inside wins, and didn't see any conflicts. Because I've had
issues with wins in the  past, i deleted both wins databases and created new
ones from scratch. 

That didn't work.

i then attempted a net time from the DC in question and got another DC in
our DR site. This DR server is not holding any roles and isn't accessible to
all of our workstations. I tried to force this server as the authoritative
Time server setting the AnnounceFlags to A, but it didn't take. 

I disabled the link to the DR site, but the problems persisted.

Every 

[ActiveDir] Windows PowerShell now available for download

2006-11-16 Thread Laura A. Robinson


I may have missed it if somebody already posted this, but Windows PowerShell
is now available for download:

http://www.microsoft.com/downloads/details.aspx?FamilyID=10ee29af-7c3a-4057-8367-c9c1dab6e2bf&DisplayLang=en
 
Enjoy!

Laura



RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Laura A. Robinson
Is this the same set of machines that are being talked about in the strange
DC error thread? I don't remember who it was who originated that one and I
want to make sure I'm not asking for something you've already provided.
 
So, if the answer to the above is no, my next question is, can you provide
a little more information about the environment? How long has this DC
existed as a DC? Was there ever another DC with the same name? Was this DC
at any point restored from a backup? Has it been consistently connected to
the network? How about the member server- same questions as the DC
questions.
 
Thanks,
 
Laura


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos is Killing Me!



I am having continued issues with Kerberos. I tried running tokensz against
the problem server and i get this error message..

C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1

Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo-MaxToken: 12128

Asked for delegate, but didn't get it.
Check if server is trusted for delegation.

QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4
KeySize = 128
Flags = 2001c
Signature Algorithm = -138
Encrypt Algorithm = 26625
QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED


any ideas ?

I keep getting the following event log message on a domain controller which
prevents users from accessing it and authenticating to it.

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 11/16/2006
Time: 12:02:37 PM
User: N/A
Computer: PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was host/phprint1. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named  machine accounts in the target realm ( PHIPPSNY.ORG), and
the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Help!



-- 
HBooGz:\ 



[ActiveDir] OT: Feisty

2006-11-16 Thread Laura A. Robinson
It's okay, Joe, you can refer to me as b!tchy, ornery or pi$$y. I
admit it. :-)
 
Laura


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, November 16, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$


Adrian, of the 41,000+ messages I have archived for this list, this is the
only thread I can find that you have responded to
 
It begs one question? If it is so beneath you and you are so lazy, why
bother?
 
If this is your way of introducing yourself, some will probably consider it
strike 1. While Laura can be feisty, many people do think she is important.
I happen to be one of those people. Certainly she has been extremely helpful
both here and in the newsgroups and is positively great in personal email
and in person though in those forums as well she may get feisty. Feisty
doesn't bother me, what is important is technical quality and how willing
people are to share that quality and knowledge. I personally can be a
complete ass and kick sand on people, I try to temper it by also being
helpful occasionally. 
 
So while I don't consider this strike 1 for you, I do hope that you
contribute in a positive meaningful manner at some point as Laura has done
on many occasions and hopefully will continue to do so. 
 
 
Also, while this thread and others like it are off base, it is part and
parcel of this list and I don't expect them to go away any time soon. I
don't even wish that they do... If they do, the list might get a little
boring as there are strong personalities in this space and the collisions
are inevitable. From the standpoint of someone who has met personally a
great many of the personalities on the list and looking forward to meeting
even more, I actually find it oddly enjoyable at times. OT is in the
subject, that is clearly something that folks can filter out if they aren't
thrilled with this type of chatter. 
 
 
My only other comment on this at this point is Deji you boob, even if it
were Laura Hunter, you should have used a smiley. Knowing all of you
personally... I know that either one of them could take you in a fist
fight... ;o)
 
If Gil has his ears on, DEC needs a boxing ring and those sumo outfits so
people can slam each other in person all in fun. We could have side wagers
and everything. Little guys like me won't have a chance but it would be fun
just the same. 
 
  joe
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adrian Teodorescu
Sent: Thursday, November 16, 2006 10:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$



I'm too lazy to write and send you the bill (result : no explanation) and
also I'm too bored to enter in this game where you need to be, let's say
important

Over and out (mom)

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 16, 2006 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

 

I'm afraid I don't grok what your point is.

 

Laura (Robinson, not Hunter. Also not Chappell.)

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adrian Teodorescu
Sent: Wednesday, November 15, 2006 4:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

That's love :)

Grow up people 

 

 



RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Laura A. Robinson
1. Is phmaindc1 a DC for PHIPPSNY.ORG?
2. Is phprint1 a member of PHIPPSNY.ORG?
3. Are you able to provide any of the other information I asked about in my
other response? 
 
Laura


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


Thanks Michael,

I ran the following command and got the following output.

C:\>dsquery * (dc=phippsny,dc=org) -filter (servicePrincipalName=host/phmaindc1)

dsquery failed:A referral was returned from the server. 
type dsquery /? for help.


On 11/16/06, hboogz [EMAIL PROTECTED] wrote: 

Joe,

how do i find out if there are any duplicate SPN's ? 



On 11/16/06, joe [EMAIL PROTECTED] wrote:

Do you have any duplicate SPNs? Well specifically the SPNs mentioned in the
error?
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos is Killing Me!




I am having continued issues with Kerberos. I tried running tokensz against
the problem server and i get this error message..

C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1

Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo-MaxToken: 12128

Asked for delegate, but didn't get it.
Check if server is trusted for delegation.

QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4
KeySize = 128
Flags = 2001c
Signature Algorithm = -138
Encrypt Algorithm = 26625
QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED


any ideas ?

I keep getting the following event log message on a domain controller which
prevents users from accessing it and authenticating to it.

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 11/16/2006
Time: 12:02:37 PM
User: N/A
Computer: PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was host/phprint1. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named  machine accounts in the target realm ( PHIPPSNY.ORG), and
the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Help!



-- 
HBooGz:\ 




-- 
HBooGz:\ 




-- 
HBooGz:\ 



RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Laura A. Robinson
Why I asked the questions I asked:
 
http://www.eventid.net/display.asp?eventid=4
http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


Thanks Michael,

I ran the following command and got the following output.

C:\>dsquery * (dc=phippsny,dc=org) -filter (servicePrincipalName=host/phmaindc1)

dsquery failed:A referral was returned from the server. 
type dsquery /? for help.


On 11/16/06, hboogz [EMAIL PROTECTED] wrote: 

Joe,

how do i find out if there are any duplicate SPN's ? 



On 11/16/06, joe [EMAIL PROTECTED] wrote:

Do you have any duplicate SPNs? Well specifically the SPNs mentioned in the
error?
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos is Killing Me!




I am having continued issues with Kerberos. I tried running tokensz against
the problem server and i get this error message..

C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1

Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo-MaxToken: 12128

Asked for delegate, but didn't get it.
Check if server is trusted for delegation.

QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4
KeySize = 128
Flags = 2001c
Signature Algorithm = -138
Encrypt Algorithm = 26625
QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED


any ideas ?

I keep getting the following event log message on a domain controller which
prevents users from accessing it and authenticating to it.

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 11/16/2006
Time: 12:02:37 PM
User: N/A
Computer: PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org.  The target name used was host/phprint1. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named  machine accounts in the target realm ( PHIPPSNY.ORG), and
the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Help!



-- 
HBooGz:\ 




-- 
HBooGz:\ 




-- 
HBooGz:\ 
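
The duplicate-SPN question raised in this message and in the previous one in the thread can be answered offline from an LDIF export of servicePrincipalName values, since a ticket encrypted with one account's key and presented to a service running as another is what produces KRB_AP_ERR_MODIFIED. The following is an added example, not code from anyone in the thread; the accounts, the `example.test` domain and the export are constructed, and SPNs are compared case-insensitively.

```python
import base64
from collections import defaultdict

# Constructed LDIF export (illustrative accounts in a made-up example.test domain).
# It includes a folded line and a base64 ("::") value, both legal in LDIF.
SAMPLE_LDIF = """\
version: 1

dn: CN=DC01,OU=Domain Controllers,DC=example,DC=test
servicePrincipalName: HOST/dc01.example.test
servicePrincipalName: HOST/DC01
servicePrincipalName: ldap/dc01.example.test

dn: CN=PRINT01,CN=Computers,DC=example,DC=test
servicePrincipalName: HOST/print01.example.test
servicePrincipalName: HOST/PRINT01

dn: CN=svc-legacy,CN=Users,DC=example,DC=test
servicePrincipalName: host/dc01
servicePrincipalName:: SFRUUC9pbnRyYW5ldC5leGFtcGxlLnRlc3Q=

dn: CN=WEB01,CN=Computers,DC=example,DC=test
servicePrincipalName: HTTP/intranet.
 example.test
"""


def parse_ldif(text):
    """Return [(dn, {attribute_lowercase: [values]})] for each LDIF record."""
    # Unfold first: a line that starts with a single space continues the
    # previous line. Comment lines are dropped.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw.rstrip())

    records = []
    dn, attrs = None, defaultdict(list)
    for line in lines + [""]:          # trailing "" flushes the last record
        if not line:
            if dn is not None:
                records.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):       # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return records


def find_duplicate_spns(ldif_text):
    """Map each SPN (lowercased) held by more than one account to its owners."""
    owners = defaultdict(set)
    for dn, attrs in parse_ldif(ldif_text):
        for spn in attrs.get("serviceprincipalname", []):
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, dns in sorted(find_duplicate_spns(SAMPLE_LDIF).items()):
        print(f"duplicate SPN {spn}:")
        for owner in dns:
            print(f"    {owner}")
```
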



RE: [ActiveDir] Strange DC behaviour and error

2006-11-16 Thread Laura A. Robinson
Then answer my questions! ;-)
 
Laura


<snip>

however, i have another thread whereby Kerberos is just killing me.




 


RE: [ActiveDir] Domain and Subdomain. Duplicating accounts

2006-11-16 Thread Laura A. Robinson
Besides significantly increasing the likelihood of people logging onto the
wrong domain and generating support calls along the lines of where's my
stuff?

Not really. AD accommodates the same name in multiple domains, as long as
the UPNs are different (which they are, or account creation would have
failed).

Why doesn't the other SA just let people use their regular accounts?

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
 Sent: Thursday, November 16, 2006 4:48 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Domain and Subdomain. Duplicating accounts
 
 Hi,
 
 The company I work for has 2 office in 2 different states.
 
 The main office is domain.com and other office is a subdomain 
 (sub.domain.com).
 
 Our users sometimes go to the other office (sub.domain.com) 
 to work for a week or so, I just found out that other SA has 
 been creating accounts for my users in the subdomain.
 
 So now I have same user in the domain and subdomain, beside 
 being a stupid way of doing things is there any technical 
 issue this could create?
 
 
 Thanks
 
 Rezuma


RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Laura A. Robinson
Okay, so basically I can think of a few quickish options:
 
1. Let somebody who geeks out on this stuff poke around in your DCs. There
are obviously lots of caveats around that one (like, why would you let a
stranger poke around in your AD, why would somebody want to take on that
liability, how would you determine that somebody wasn't a cluebie, etc.)
 
2. Call PSS and get the benefit of all the warranties and liabilities that
come with the support agreement, and let them poke around in your AD.
 
3. Find a willing geek to get on the phone with you, 'cause typing all this
stuff up has to be as difficult for you as it is for the people trying to
make heads or tails of the situation.
 
4. Scrap trying to track down the problem and demote the problem DC, then
re-promote it. I hate offering that as a solution as I usually like to dig
around and figure out what's causing things, but in this situation it's
really hard to troubleshoot your environment simply because there are so
many different factors that could come into play that would need to be
looked at. And honestly, this smells like there was an imaged DC or
something similar somewhere along the line. I believe you that there wasn't;
it's just the same kind of behavior that you see in scenarios like that.
 
Wait, hold on a sec... what does a parallel upgrade mean?
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


Hey Laura,

this is the strange DC error guy...unfortunately.

This DC existed for about 4 months. I did a parallel upgrade to 2003 with a
new box and promoting it into a windows 2000 domain using adprep /forestprep
and adprep /domainprep:gprep. 

There has never been use of duplicate names.

this DC was never restored from a backup.

there never has been a duplicate name for any member servers nor have there
been any backup restores...

I'm able to update DNS registration from this maindc now, because i needed
to enable the DHCP client service on the machine. 

I've tried the following from the problematic DC:

net stop kdc

purge kerberos ticket cache using kerbtray

reset pwd using netdom

net start kdc

reboot

but i continue to get Replication access denied from one DC to all three of
my DC's. 

I've tried the same as above from a second DC without removing the ticket
cache, but still get the same errors from the phmaindc1 DC.



All other DC's replicate with this DC just fine.

i've checked the zones through dnscmd and made sure they are alike with
regard to zone type. dnscmd /enumzones

C:\>dnscmd /enumzones
Enumerated zone list:

Zone count = 5

 Zone name                  Type       Storage    Properties

 .                          Cache      AD-Domain
 168.192.in-addr.arpa       Primary    AD-Domain  Update Rev Aging
 31.168.192.in-addr.arpa    Secondary  File       Rev
 jacwf.phippsny.org         Secondary  File
 phippsny.org               Primary    AD-Domain  Update Aging

Command completed successfully.

above is PHMAINDC1

Below is PHPRINT1

C:\>dnscmd /enumzones
Enumerated zone list:

Zone count = 5

 Zone name                  Type       Storage    Properties

 .                          Cache      AD-Domain
 168.192.in-addr.arpa       Primary    AD-Domain  Update Rev Aging
 31.168.192.in-addr.arpa    Secondary  File       Rev
 jacwf.phippsny.org         Secondary  File
 phippsny.org               Primary    AD-Domain  Update Aging

Command completed successfully.



=\

i'm stuck.




On 11/16/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Is this the same set of machines that are being talked about in the strange
DC error thread? I don't remember who it was who originated that one and I
want to make sure I'm not asking for something you've already provided.
 
So, if the answer to the above is no, my next question is, can you provide
a little more information about the environment? How long has this DC
existed as a DC? Was there ever another DC with the same name? Was this DC
at any point restored from a backup? Has it been consistently connected to
the network? How about the member server- same questions as the DC
questions.
 
Thanks,

 
Laura



   _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos is Killing Me!



I am having continued issues with Kerberos. I tried running tokensz against
the problem server and i get this error message..

C:\Tools>tokensz

RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Laura A. Robinson
I apologize if I keep asking questions you've already answered, but how many
sites are involved here?
 
Of course, by the time this hits the list, any replication that hasn't yet
occurred probably will have. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


**Update***

i changed the user account control attribute using the following direction:

Did you follow: 
When using adsiedit: 
* Connect to the domain NC 
* Navigate to the Domain Controllers OU 
* Right click on the DC for which you want to change the 
UserAccountControl value and select properties 
* Goto the UserAccountControl attribute 
* You should see a value (from what you have described): 536576
* Change that value to: 532480

i then followed the instructions found here: Re: access denied

http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

i did this from the phmaindc1 server 

net stop kdc

clear ticket cache

reset machine pwd

open sites and services and forced replication with phprint -- which
succeeded

opened replmon and synchronized with phprint1.

net start kdc

ran: repadmin /showreps.

replication to phprint1 came up as successful

however, i still get an error to the child domain indicating access denied.

should i wait for AD replication for this to work ?
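
What the two userAccountControl values quoted in the message above encode, as an added example that is not part of the original posts. The flag names and bit values are Microsoft's documented userAccountControl bits; the function names and the audit rules (a domain controller's computer account should carry SERVER_TRUST_ACCOUNT and exactly one account-type bit) are this example's own.

```python
"""Decode userAccountControl and sanity-check a DC computer account."""

# Documented userAccountControl bits (value -> name).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
KNOWN_MASK = sum(UAC_FLAGS)  # every bit is distinct, so the sum equals the OR
# An account object should carry exactly one of these account-type bits.
ACCOUNT_TYPE_MASK = 0x0200 | 0x0800 | 0x1000 | 0x2000


def decode(value):
    """Return (flag names in ascending bit order, bits with no documented name)."""
    value = int(value)  # LDAP hands the attribute back as a decimal string
    names = [UAC_FLAGS[bit] for bit in sorted(UAC_FLAGS) if value & bit]
    return names, value & ~KNOWN_MASK


def audit_dc_account(value):
    """List problems with a userAccountControl value read from a DC's computer object."""
    value = int(value)
    names, unknown = decode(value)
    findings = []
    if "SERVER_TRUST_ACCOUNT" not in names:
        findings.append("SERVER_TRUST_ACCOUNT is not set")
    type_names, _ = decode(value & ACCOUNT_TYPE_MASK)
    if len(type_names) > 1:
        findings.append("conflicting account types: " + " + ".join(type_names))
    if "ACCOUNTDISABLE" in names:
        findings.append("account is disabled")
    if unknown:
        findings.append("undocumented bits set: 0x%x" % unknown)
    return findings


def changed_flags(old, new):
    """Name the flags that an edit from `old` to `new` clears and sets."""
    old, new = int(old), int(new)
    return {"cleared": decode(old & ~new)[0], "set": decode(new & ~old)[0]}


if __name__ == "__main__":
    # The two values quoted in the thread.
    for label, value in (("before", "536576"), ("after", "532480")):
        print(label, value, hex(int(value)), decode(value)[0], audit_dc_account(value))
    print(changed_flags(536576, 532480))
```

The edit described in the message clears one bit only: 536576 carries both the workstation and the server trust bits, and 532480 is the same value without WORKSTATION_TRUST_ACCOUNT.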




 


RE: [ActiveDir] Is it 2000 or 2003?

2006-11-16 Thread Laura A. Robinson
It's not an issue.

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Bart 
 Van den Wyngaert
 Sent: Thursday, November 16, 2006 6:07 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Is it 2000 or 2003?
 
 Well actually I didn't use the adfind tool yet, when I read the beginning
 of this thread I looked in the GUI Active Directory Domains and Trust where
 is listed that my functional level of domain & forest is W2K3 (which I
 raised some months ago and seems correct).
 But when I run the gpresult tool, it states that my domain type is Windows
 2000, which I find a bit odd. Did I miss something in the upgrade process
 or something? Is it an issue?
 
 On 11/16/06, joe [EMAIL PROTECTED] wrote:
  AdFind only determines the Directory level, it doesn't look for
  functional modes or mixed mode. The way I get directory level is through
  the supportedCapabilities attribute of the rootdse of the DC. Of course it
  is possible to hit one DC looking for info and I pull the ROOTDSE from
  that DC and then in the background a referral is processed which ends up
  getting the info from another DC in another domain (or same domain if
  looking at app parts).
 
  You can get functionality modes from the rootdse attributes 
  domainFunctionality and forestFunctionality.
 
  For all of those, just do an
 
  AdFind -rootdse
 
  And you will see what I am decoding and logically how I ascertain 
  directory level.
 
 
 
  Mixed mode versus native you simply use the domain NCs nTMixedDomain
  attribute.
 
joe
 
 
  --
  O'Reilly Active Directory Third Edition - 
  http://www.joeware.net/win/ad3e.htm
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: Thursday, November 16, 2006 11:50 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Is it 2000 or 2003?
 
  I don't understand where you are seeing this info.  Are you referring to
  the applet that is used to raise the FL?  Or something else?
 
  As for the flag that is used to identify the directory, it is 
  usually a combination of:
 
  msDS-Behavior-Version
  nTMixedDomain
  supportedCapabilities
 
 
  Or at least, that is the way I put info. such as server and directory in
  each of my scripts.  Just like Joe does in ADFIND and ADMOD.  I believe he
  does it the same way too.

  Basically, check msDS-Behavior-Version.  If it's 0, check nTMixedDomain.
  If it's 2, check supportedCapabilities to see whether or not it is ADAM
  (it's ADAM if one of the supportedCapabilities is
  1.2.840.113556.1.4.1851 [LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID]).
 
  In my test lab(s), my directory is considered a 2003 directory.
 
  In my labs, I used either DOMAIN.MSC or ADMOD to increase the FLs.
 
 
  --Paul
 
 
  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, November 16, 2006 3:45 PM
  Subject: RE: [ActiveDir] Is it 2000 or 2003?
 
 
   I've entered this thread late so apologies if the below has already been
   stated:

   I recently created a new dev forest, with multiple domains. I too
   raised DFL and FFL as soon as all domains were built.

   I do not see the issues you describe and would suggest you download
   the scripts available here http://www.jadonex.com/

   One of the scripts (written by Dean) checks the DFL and FFL for the
   forest and across all domains.
  
   For a manual check, I also look here:
  
   FFL
   ===
   CN=Partitions,CN=Configuration,DC=xxx
   Attribute msDS-Behavior-Version
   0=w2k FFL, 1=interim FFL, 2=w2k3 FFL
  
   DFL
   ===
   CN=domainName,CN=Partitions,CN=Configuration,DC=xxx
   Attribute msDS-Behavior-Version
   0=w2k DFL, 1=interim DFL, 2=w2k3 DFL
  
   Hope that helps,
   neil
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Tim Onsomu
   Sent: 16 November 2006 14:35
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Is it 2000 or 2003?
  
   I got curious about this and decided to dcpromo my vm image of windows
   2003 R2.
  
   After the AD installation (which sits at Windows 2000 for domain 
   type) I raised the functionality for the domain and forest.
  
   The result for domain type was windows 2000.
  
   I am not sure it is supposed to be different.
  
   Anybody out there who can say their install says something else?
  
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
   Bradley, CPA aka Ebitz - SBS Rocks [MVP]
   Sent: Wednesday, November 15, 2006 3:15 PM
   To: ActiveDir@mail.activedir.org
   Subject: Re: [ActiveDir] Is it 2000 or 2003?
  
   Were these clean installs or inplace?
  
   Bart Van den Wyngaert wrote:
   Well I also have a strange thing... It concerns 2 SBS 2003 systems.
   Some months ago I raised both domain and forest
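
The checks described in the quoted replies above (msDS-Behavior-Version first, then nTMixedDomain at level 0, then the ADAM capability OID at level 2), as an added example that is not code from any poster or from AdFind. The function names and the sample forest are constructed; treating an absent msDS-Behavior-Version as 0, and flagging a domain level below the forest level as inconsistent, are assumptions of this example.

```python
"""Classify directory and functional level from the attributes named in the thread."""

# OID the thread gives for LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID.
ADAM_OID = "1.2.840.113556.1.4.1851"

# msDS-Behavior-Version meanings as listed in the thread's manual check.
LEVELS = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
}


def _as_int(raw):
    """LDAP values arrive as strings or one-item lists; absent counts as 0 (assumption)."""
    if raw is None or raw == []:
        return 0
    if isinstance(raw, (list, tuple)):
        raw = raw[0]
    return int(raw)


def level_name(raw):
    level = _as_int(raw)
    return LEVELS.get(level, "unrecognised level %d" % level)


def describe_directory(behavior_version, nt_mixed_domain, supported_capabilities=()):
    """Apply the checks in the order the thread gives them."""
    level = _as_int(behavior_version)
    if level == 0:
        # Level 0 does not say whether the domain is mixed or native.
        if nt_mixed_domain is None:
            raise ValueError("nTMixedDomain is needed when the level is 0")
        mode = "mixed" if _as_int(nt_mixed_domain) == 1 else "native"
        return "Windows 2000 %s mode" % mode
    if level == 2 and ADAM_OID in set(supported_capabilities):
        return "ADAM"
    return level_name(level)


def forest_report(forest_behavior, domains, supported_capabilities=()):
    """Summarise FFL and every DFL; list domains whose level is below the forest's."""
    ffl = _as_int(forest_behavior)
    report = {"forest": level_name(ffl), "domains": {}, "below_forest_level": []}
    for name, attrs in sorted(domains.items()):
        dfl = attrs.get("msDS-Behavior-Version")
        report["domains"][name] = describe_directory(
            dfl, attrs.get("nTMixedDomain"), supported_capabilities)
        if _as_int(dfl) < ffl:
            report["below_forest_level"].append(name)
    return report


# Constructed sample: values as they would be read from the crossRef objects
# under CN=Partitions and from each domain NC head.
SAMPLE_FOREST_LEVEL = "2"
SAMPLE_DOMAINS = {
    "corp.example": {"msDS-Behavior-Version": ["2"], "nTMixedDomain": ["0"]},
    "lab.corp.example": {"nTMixedDomain": ["1"]},  # attribute absent
}

if __name__ == "__main__":
    print(forest_report(SAMPLE_FOREST_LEVEL, SAMPLE_DOMAINS))
```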

RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Laura A. Robinson
You can leave the IP the same. If the demotion fails or goes awry in some
respect, you may have to do some metadata cleanup in addition to the DNS
cleanup (which I'm guessing is what Deji meant by AD/DNS/Sites, but just
in case...). Given the, um, quirkiness of this environment, I suspect you
may have a difficult demotion ahead. I assume you've done metadata cleanup
before? If not, feel free to post, or just spend a lot of time typing ? at
the ntdsutil prompts. I know there's a really good how-to out there
somewhere on using NTDSUTIL for this purpose, but to be honest, I'm pooped
and I have to be up early to talk NAP with one customer and convince another
that Volume License Activation isn't Evil Empire Voodoo designed to suck all
of the money out of their bank accounts. Otherwise, I'd dig it up for you.
Then again, I may be thinking of something I wrote, in which case it'll be
hard to find by searching the Internet. ;-) Seriously, though, if you can't
find anything helpful, I'm sure any number of people on this list have
either great links or great documents they wrote on using NTDSUTIL for
metadata cleanup.
 
Laura
 


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Friday, November 17, 2006 2:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


Thanks Deji.

I understand.

I will re-examine the event log in the morning and plan for a demotion over
the weekend.

besides removing the reference from AD/DNS/Sites, is there something else i
should do or look to remove the reference ? 

Also, should i change the IP address ? This i really don't want to do if i
really don't have to... ?

Thanks.


On 11/16/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

I believe I recommended this early on in the thread. Sometimes, it's easier
(wiser) to not fight the fire. Demote, clean it out of AD/DNS/Sites. If you
have the luxury, wipe and reinstall the box, otherwise, just do a rename of
the box. Renaming it is strongly recommended unless you have scripts and
applications into which you have hard-coded the name. 
 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon 

   _  

From: hboogz
Sent: Thu 11/16/2006 7:35 PM 

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!



AD sites.

3 one including the DR-site.

regarding the question about demoting then promoting...if i have to go that
route, should i keep the same server name ?


On 11/16/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

I apologize if I keep asking questions you've already answered, but how many
sites are involved here?
 
Of course, by the time this hits the list, any replication that hasn't yet
occurred probably will have. :-)
 
Laura


   _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!



**Update***

i changed the user account control attribute using the following direction:

Did you follow: 
When using adsiedit: 
* Connect to the domain NC 
* Navigate to the Domain Controllers OU 
* Right click on the DC for which you want to change the 
UserAccountControl value and select properties 
* Goto the UserAccountControl attribute 
* You should see a value (from what you have described): 536576 
* Change that value to: 532480 

i then followed the instructions found here: Re: access denied

http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

i did this from the phmaindc1 server 

net stop kdc

clear ticket cache

reset machine pwd

open sites and services and forced replication with phprint -- which
succeeded

opened replmon and synchronized with phprint1. 

net start kdc

ran: repadmin /showreps.

replication to phprint1 came up as successful

however, i still get an error to the child domain indicating access denied.

should i wait for AD replication for this to work ? 










-- 
HBooGz:\ 




-- 
HBooGz:\ 



 


RE: [ActiveDir] Strange DC behaviour and error

2006-11-16 Thread Laura A. Robinson
Indeed you have! ;-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 8:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange DC behaviour and error


lol.

i did laura -- i think I've poured my life out in that thread.

=)


On 11/16/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Then answer my questions! ;-)
 
Laura


 snip 

however, i have another thread whereby Kerberos is just killing me.












-- 
HBooGz:\ 



 


RE: [ActiveDir] OT: M$

2006-11-13 Thread Laura A. Robinson



Clearly there are differing opinions about whether it's merely "slang" or
whether it's an inappropriate slur. Simpler just not to use it, don't you
think? I mean, I don't refer to the USAF as the "useless air farce" and
expect its members to think that's funny.

I don't take offense when people refer to Microsoft as "borg" or talk about
"drinking the Kool-Aid"; in fact, I have been known to reference both
myself. However, I remember the origin of "M$" (unlike, I suspect, some of
those who use the phrase and think it's funny), and I think it's ignorant
and inappropriate for people to use it on a Microsoft-centric list.

Laura

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
  Sent: Monday, November 13, 2006 5:48 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$

  You have to be able to laugh at yourself. M$ is a tongue in cheek
  expression and certainly a corporation like Microsoft can laugh at itself
  when M$ is used as slang in its reference. That's why we nickname really
  big guys tiny.


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro
  Sent: Sunday, November 12, 2006 10:27 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: M$

  being conciliatory is laudable, but I think you're missing the point. It's
  not whether anybody is offended or not -- the question is why does someone
  come into a peaceful gathering casting offense. Especially when it's not
  necessary. If someone deliberately spits on the dinner table, do you say
  'oh, well, he didn't hit any plate, let's just forget it' ? or even worse,
  'he hit someone else's plate -- no worries.'

  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Friday, November 10, 2006 9:08 AM
  Subject: RE: [ActiveDir] OT: M$

  I highly doubt that any MS employee takes offence at what is surely as
  tongue in cheek expression.

  Let's not get _too_ PC please :/

  neil

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
  Sent: Thursday, November 09, 2006 6:14 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: M$

  Just out of curiosity, what makes people think it's appropriate to refer
  to Microsoft as "M$" on an MS-focused mailing list whose participants
  include Microsoft employees, Microsoft contractors, Microsoft MVPs and
  various other people who may have a relatively positive view of Microsoft?

  Laura


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
  Sent: Thursday, November 09, 2006 10:16 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?

  This is the link to M$ to start with...very good info

  http://msdn.microsoft.com/library/default.asp?url="">

  --
  Sincerely,
  J

  On 11/9/06, Stu Packett [EMAIL PROTECTED] wrote:

  Hello everyone. After reading through a lot of the posts on this mailing
  list, I realize I could make my job easier if I knew how to script. I have
  no experience in scripting, but would like to know what books do you
  recommend as a beginner's book on scripting? Also, I don't really know the
  difference between WSH and VBScript, so if anyone could explain that, I'd
  appreciate that. After browsing through Amazon, I saw several books on WSH
  and VBScript, but don't know where I should focus on. I'm also open to
  computer based training (CBT) videos if any exist. Thanks in advance.
RE: [ActiveDir] OT: M$

2006-11-13 Thread Laura A. Robinson



There's a reason for the "OT" portion of the subject line, you know. ;-)

Laura


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
  Sent: Monday, November 13, 2006 6:42 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$

  Can we kill this thread now, please?

  Rob
  Robert Rutherford
  QuoStar Solutions Limited

  T: +44 (0) 8456 440 331
  F: +44 (0) 8456 440 332
  M: +44 (0) 7974 249 494
  E: [EMAIL PROTECTED]
  W: www.quostar.com


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
  Sent: 13 November 2006 11:31
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$

  Clearly there are differing opinions about whether it's merely "slang" or
  whether it's an inappropriate slur. Simpler just not to use it, don't you
  think? I mean, I don't refer to the USAF as the "useless air farce" and
  expect its members to think that's funny.

  I don't take offense when people refer to Microsoft as "borg" or talk
  about "drinking the Kool-Aid"; in fact, I have been known to reference
  both myself. However, I remember the origin of "M$" (unlike, I suspect,
  some of those who use the phrase and think it's funny), and I think it's
  ignorant and inappropriate for people to use it on a Microsoft-centric
  list.

  Laura


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
  Sent: Monday, November 13, 2006 5:48 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$

  You have to be able to laugh at yourself. M$ is a tongue in cheek
  expression and certainly a corporation like Microsoft can laugh at itself
  when M$ is used as slang in its reference. That's why we nickname really
  big guys tiny.


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro
  Sent: Sunday, November 12, 2006 10:27 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: M$

  being conciliatory is laudable, but I think you're missing the point. It's
  not whether anybody is offended or not -- the question is why does someone
  come into a peaceful gathering casting offense. Especially when it's not
  necessary. If someone deliberately spits on the dinner table, do you say
  'oh, well, he didn't hit any plate, let's just forget it' ? or even worse,
  'he hit someone else's plate -- no worries.'

  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Friday, November 10, 2006 9:08 AM
  Subject: RE: [ActiveDir] OT: M$

  I highly doubt that any MS employee takes offence at what is surely as
  tongue in cheek expression.

  Let's not get _too_ PC please :/

  neil

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
  Sent: Thursday, November 09, 2006 6:14 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: M$

  Just out of curiosity, what makes people think it's appropriate to refer
  to Microsoft as "M$" on an MS-focused mailing list whose participants
  include Microsoft employees, Microsoft contractors, Microsoft MVPs and
  various other people who may have a relatively positive view of Microsoft?

  Laura


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
  Sent: Thursday, November 09, 2006 10:16 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?

  This is the link to M$ to start with...very good info

  http://msdn.microsoft.com/library/default.asp?url="">

  --
  Sincerely,
  J

  On 11/9/06, Stu Packett [EMAIL PROTECTED] wrote:

  Hello everyone. After reading through a lot of the posts on this mailing
  list, I realize I could make my job easier if I knew how to script. I have
  no experience in scripting, but would like to know what books do you
  recommend as a beginner's book on scripting? Also, I don't really know the
  difference between WSH and VBScript, so if anyone could explain that, I'd
  appreciate that. After browsing through Amazon, I saw several
  

RE: [ActiveDir] OT: M$

2006-11-13 Thread Laura A. Robinson



Exactly. M$ just isn't funny. Borg, kool-aid, those are funny. M$ isn't.
Go figure.


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
  Sent: Monday, November 13, 2006 7:46 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$

  Useless Air Farce would not be found funny because it's just that, not
  funny. Funnier is US Chair Force. That's funny, and people here laugh at
  it all the time.


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
  Sent: Monday, November 13, 2006 7:32 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$

  ;oP

  Rob
  Robert Rutherford
  QuoStar Solutions Limited

  T: +44 (0) 8456 440 331
  F: +44 (0) 8456 440 332
  M: +44 (0) 7974 249 494
  E: [EMAIL PROTECTED]
  W: www.quostar.com


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
  Sent: 13 November 2006 12:16
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$

  There's a reason for the "OT" portion of the subject line, you know. ;-)

  Laura


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
  Sent: Monday, November 13, 2006 6:42 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$

  Can we kill this thread now, please?

  Rob
  Robert Rutherford
  QuoStar Solutions Limited

  T: +44 (0) 8456 440 331
  F: +44 (0) 8456 440 332
  M: +44 (0) 7974 249 494
  E: [EMAIL PROTECTED]
  W: www.quostar.com


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
  Sent: 13 November 2006 11:31
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$

  Clearly there are differing opinions about whether it's merely "slang" or
  whether it's an inappropriate slur. Simpler just not to use it, don't you
  think? I mean, I don't refer to the USAF as the "useless air farce" and
  expect its members to think that's funny.

  I don't take offense when people refer to Microsoft as "borg" or talk
  about "drinking the Kool-Aid"; in fact, I have been known to reference
  both myself. However, I remember the origin of "M$" (unlike, I suspect,
  some of those who use the phrase and think it's funny), and I think it's
  ignorant and inappropriate for people to use it on a Microsoft-centric
  list.

  Laura


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
  Sent: Monday, November 13, 2006 5:48 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$

  You have to be able to laugh at yourself. M$ is a tongue in cheek
  expression and certainly a corporation like Microsoft can laugh at itself
  when M$ is used as slang in its reference. That's why we nickname really
  big guys tiny.


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro
  Sent: Sunday, November 12, 2006 10:27 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: M$

  being conciliatory is laudable, but I think you're missing the point. It's
  not whether anybody is offended or not -- the question is why does someone
  come into a peaceful gathering casting offense. Especially when it's not
  necessary. If someone deliberately spits on the dinner table, do you say
  'oh, well, he didn't hit any plate, let's just forget it' ? or even worse,
  'he hit someone else's plate -- no worries.'

  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Friday, November 10, 2006 9:08 AM
  Subject: RE: [ActiveDir] OT: M$

  I highly doubt that any MS employee takes offence at what is surely as
  tongue in cheek expression.

  Let's not get _too_ PC please :/

  neil

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
  Sent: Thursday, November 09, 2006 6:14 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: M$

  Just out of curiosity, what makes people think it's appropriate to refer
  to Microsoft as "M$" on an MS-focused mailing list whose
   

RE: [ActiveDir] OT: M$

2006-11-13 Thread Laura A. Robinson



Disclaimer #1: "You" in the below refers to a generic "you", not a 
specific person.
Disclaimer #2: My opinions are in no way intended to represent those of 
my employer. They're my own, and they were my opinions long before I became a 
Microsoft employee.
That 
said...

You 
know what I find amazing here? It has been clearly expressed that there *are* 
people who find the term irritating (and I assure you, I'm not the only one; I'm 
just the only one who states it publicly), yet you're still arguing that because 
*you* think it's funny, it's therefore okay to use it. Please explain this logic 
to me. Ifyou meet somebody who asks you not to call him "Tiny" because he 
hates the nickname, do you make a point to call him "Tiny"? If you do, then you 
have some serious personal issues. If you don't do that, then why do you think 
it's okay to continue to justify using a name on a Microsoft-centric list that 
is populated by Microsoft-centric people that you've been told *is* offensive to 
some of those people? 

This 
isn't about political correctness and it isn't about different senses of humor. 
It's about somebody having stated flat-out that the "M$" term is offensive to 
her (and, again, to a lot more people than you realize) and you continuing to 
assert that it's just fine for you to use it. Some people might consider that 
incredibly childish and ignorant. Did it never occur to you simply to not use or 
defend the use ofthe term, regardless of whether you think I'm 
oversensitive about it? It certainly occurred to the person who originally 
posted it to stop using the term, and he didn't have to have an argument that 
boils down to "I think it's funny, so you need to just get over it" before 
stating that he wouldn't continue to use the term. I found that very adult of 
him. I don't, however, find it particularly adult to continue to defend the use 
of a tasteless, inaccurate, slighting moniker because *you* think it's 
"funny".

Most 
Microsoft employees are not nearly as well-paid as the public seems to think, 
and yet, the VAST majority of them contribute their own time and money to 
charitable organizations. I can give you statistics if you like; Microsoft is 
actually first in terms of per-capita employee philanthropy. The insistence upon 
referring to the company as "M$" displays a tremendous amount of ignorance and 
rudeness to those employees, IMO.

Laura


  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
  Sent: Monday, November 13, 2006 8:44 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$
  
  Exactly, is exactly right. You can't impose your own 
  humor preferences on someone because you consider it unfunny. You just 
  don't laugh. You can't stop bad jokes, because someone, somewhere is 
  laughing at them. Just not you.
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
  Sent: Monday, November 13, 2006 8:20 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$
  
  Exactly. M$ just isn't funny. Borg, kool-aid, those are funny. M$ 
  isn't. Go figure.
  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, November 13, 2006 7:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Useless Air Farce would not be found funny because it's 
just that, not funny. Funnier is US Chair Force. That's funny, 
and people here laugh at it all the time.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Monday, November 13, 2006 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$


;oP


Rob
Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 13 November 2006 12:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

There's a reason for the "OT" portion of the subject line, you know. ;-)



Laura

  
  
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
  Sent: Monday, November 13, 2006 6:42 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$

  Can we kill this thread now, please?

  Rob
  Robert Rutherford
  QuoStar Solutions Limited

  T: +44 (0) 8456 440 331
  F: +44 (0) 8456 440 332
  M: +44 (0) 7974 249 494
  E: [EMAIL PROTECTED]
  W: www.quostar.com
   
  

RE: [ActiveDir] OT: M$

2006-11-10 Thread Laura A. Robinson



You may doubt it, but I don't. It's a moniker that implies (aside from childishness 
on the part of the person who uses it) that Microsoft is a company that is all 
about corporate greed. That's an unfair characterization and IMO, is insulting 
to the 75%+ of Microsoft employees who spend a lot of their own time and money 
in philanthropic pursuits. It's also dismissive of the actual motivation of most 
Microsoft employees who I know, which is to produce software that makes 
businesses and people more equipped to do what they need to do.

This is just my personal opinion and is in no way intended to represent the views of 
my employer, which, as it happens, is Microsoft.

So yes, there are Microsoft employees who find it offensive.

Laura

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, November 10, 2006 12:08 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$
  
  I highly doubt that any MS employee takes offence at what is surely a 
  tongue in cheek expression.
  
  Let's not get _too_ PC please :/
  
  neil
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 09, 2006 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: M$

Just out of curiosity, what makes people think 
it's appropriate to refer to Microsoft as "M$" on an MS-focused mailing 
list whose participants include Microsoft employees, Microsoft contractors, 
Microsoft MVPs and various other people who may have a relatively 
positive view of Microsoft?

Laura

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
  Sent: Thursday, November 09, 2006 10:16 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?
  
  This is the link to M$ to start with...very good info
  
  http://msdn.microsoft.com/library/default.asp?url=
  
  --
  Sincerely,
  J

  On 11/9/06, Stu Packett [EMAIL PROTECTED] wrote: 

  Hello everyone. After reading through a lot of the posts on this mailing 
  list, I realize I could make my job easier if I knew how to 
  script. I have no experience in scripting, but would like to know 
  what books do you recommend as a beginner's book on scripting? 
  Also, I don't really know the difference between WSH and VBScript, so if 
  anyone could explain that, I'd appreciate that. After browsing 
  through Amazon, I saw several books on WSH and VBScript, but don't know 
  where I should focus on. I'm also open to computer based training 
  (CBT) videos if any exist. Thanks in advance. 
  



RE: [ActiveDir] OT: M$

2006-11-10 Thread Laura A. Robinson
That's the secret share we use for the man. It's where we keep the
collective intelligence that allows us to represent our single self as
multiple entities. 

Laura 
I am Dsylexia of Borg. Your a$$ will be laminated.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 William Lefkovics
 Sent: Friday, November 10, 2006 3:36 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: M$
 
 What does all this have to do with the hidden administrative 
 share on the M: drive?
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Laura E. Hunter
 Sent: Thursday, November 09, 2006 6:17 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: M$
 
 You're not a fake employee, I've seen you.  :-)  BrettSh, too.
 
 It's that Stuart Kwan guy whose existence I'm doubting.
 
 
 (Come on, was that enough to inspire the rarity that is a 
 Stuart Kwan ActiveDir post?  Please? PLEASE?!?!?!?!?!?!?!?!?!?!?  ;-))
 
 On 11/9/06, Eric Fleischman [EMAIL PROTECTED] wrote:
 
 
 
  Not that I really care if people say M$ or not, but I thought I'd 
  comment on one thing, in the name of full disclosure..
 
  My participation on this list has __nothing__ to do with money. I 
  don't get compensated on any level for this. Heck, I don't even work 
  on AD anymore, so this is like 2 degrees of separation away from 
  anything that MS compensates me for.
 
  So, is MS out to make $? Sure.
 
  Is AD part of that money-making strategy? Sure.
 
  Does that have anything to do with MS employee participation on this 
  list? I don't think so. Others (at least those that I can recall 
  posting here as I type this mail) on this list fall in to the same 
  boat. A couple of them don't work on AD anymore either.
 
  Why do I hang out here? I do it because I care about customers and 
  about AD/ADAM. It has nothing to do with my salary.
 
  It's also why I still blog about AD, answer newsgroup questions, 
  answer internal questions (DLs, PSS, MCS, other PGs, etc.), handle 
  direct emails from a myriad of non-MS people (some I know, some are 
  totally out of the blue), fix code for people that ask for help, etc.
  I don't get paid for any of this.
 
  ~Eric
 
  Borg #145719302
 
  Insert conspiracy theory here about how this whole mail is a lie and 
  the man actually wrote it on behalf of the fake employee that goes 
  by Eric Fleischman
 
 
 
 
 
 
  
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



RE: [ActiveDir] OT: M$

2006-11-10 Thread Laura A. Robinson



There's no anger or distress on my end (and I doubt there's any on 
anybody else's part, either). I'm simply pointing out that yes, there are 
Microsoft employees who don't find the slur amusing. No emotional investment, I 
assure you. :-)

Laura

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, November 10, 2006 5:24 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: M$
  
  it's friday, can't we all just get along?
  