[ActiveDir] Strange Issue This Morning
Win23 AD: From workstations in subnet A: I cannot map to server shares in subnet B. But if I log in to the DC-1 in subnet A I have no problem mapping to all shares on my subnets. And I can also see all admin shares on workstations. The same goes for subnet B when I log in to a workstation. I cannot see server shares in subnet A. I can log into DC-2 in subnet B and access all shares. Both DCs are DNS servers. Both servers replicate fine and no strange log. Internet access is fine. Firewalls have been turned off. WTF!! So in other words, only the domain controllers can see and map to all the nodes in the LAN. Ping fails from DC-1 subnet A to machines in subnet B. DCs have been restarted. No problem with user logon because both DCs are working properly and replicating fine. I am convinced it is a switch issue. -Z.V.

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
Re: [ActiveDir] Strange Issue This Morning
FQDN\path... There are other emails that went out to the rest of the campus after I sent mine to the listserv so I believe it is probably a routing issue. Z.V.

Al Mulnick wrote: When you say that they cannot see the shares, how are you checking? FQDN\path or Computer Browser or some variation of that?

On 1/12/07, Za Vue [EMAIL PROTECTED] wrote: Win23 AD: From workstations in subnet A: I cannot map to server shares in subnet B. But if I log in to the DC-1 in subnet A I have no problem mapping to all shares on my subnets. And I can also see all admin shares on workstations. The same goes for subnet B when I log in to a workstation. I cannot see server shares in subnet A. I can log into DC-2 in subnet B and access all shares. Both DCs are DNS servers. Both servers replicate fine and no strange log. Internet access is fine. Firewalls have been turned off. WTF!! So in other words, only the domain controllers can see and map to all the nodes in the LAN. Ping fails from DC-1 subnet A to machines in subnet B. DCs have been restarted. No problem with user logon because both DCs are working properly and replicating fine. I am convinced it is a switch issue. -Z.V.
Re: [ActiveDir] DFS-R replication through a firewall
We open port 135 for our subnets only. We made changes to registry to force high ports through a range and open those ports in firewall policy. -Z.V.

Almeida Pinto, Jorge de wrote: Hi Everyone, I assume everyone knows about: How to restrict FRS replication traffic to a specific static port http://support.microsoft.com/kb/319553 I was wondering about the configuration for DFS-R. Does anyone have experience with that working through a firewall? (instead of opening 135 and a range of high ports) Thanks! cheers, Jorge

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel : +31-(0)40-29.57.777 Mobile : +31-(0)6-26.26.62.80 E-mail : see sender address

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
Re: [ActiveDir] Vista GPO
Win23 AD Machines: ThinkCentre 8215. Vista Enterprise: So far my 4 test machines in my lab have been losing the CD/DVD Rom drives. Have to delete registry and restart machines each time. This is also occurring at home. Also half of my network printers do not work. No Vista print drivers on the server yet. Other than that, GPO is locking down the desktop pretty good. Control Panel items all removed, IE 7 is locked down, etc. -Z.V.

Rich Milburn wrote: Am I the only one who remembers the teeth-pulling necessary to get people to make the move to XP? Or to Win2K? Both of which were a fairly big leap. XP was seen as eye candy with very little benefit over Win2K (but with licensing and deployment and compatibility problems that could be avoided by staying on a perfectly good platform). I had to write up several papers on what was different and better in XP than in Win2K (not where I work now, just for the record...) I think in 2 years we're going to see a similar situation. The more IT types dig into Vista, and see solutions to problems that either have no solution in XP, or require workarounds and make-do's (is that a word?), the more people will start to see the point in upgrading. I think the same goes for Longhorn. So... this is just my opinion, but I think that one would be remiss in not digging into Vista now to see if there's more than just eye candy and extensive hardware requirements... So far, in my experience, I've been pretty surprised at the things that will run on Vista. Conversely, there are a few things we have that still do not work on XP. We use Win2K VMs for those handful of things.

--- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819
[ActiveDir] Vista GPO
Anyone know what and where the GPO plugin for Win2003 on the Vista DVD is called and located? -Z.V.
Re: [ActiveDir] Vista GPO
Sorry. Exactly what Ben wrote. Thanks.. -Z.V.

WATSON, BEN wrote: Maybe he may be referring to the location of any possible new ADM files included with Vista.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 10:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO

What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3, unless you mean the LDIF files that are in sources\adprep on the Vista CD?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Thursday, December 14, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Vista GPO

Anyone know what and where the GPO plugin for Win2003 on the Vista DVD is called and located? -Z.V.
Re: [ActiveDir] what is the meaning of OT in front of the subject
Off Topic? Ramon Linan wrote: Some of the subjects have that OT preceding the subject, what's that? Thanks
Re: [ActiveDir] Who keeps creating this folder files?!
Audit the folder. J B wrote: Argh! On one of our file servers, there is a "public" directory that allows any authenticated user to do anything within it (minus changing permissions). MP3 files and folders appear there every so often and are removed soon thereafter. Is there some way for me to tell who has created these folders and MP3 files? Every time I check, no one is currently accessing the files - which would be an easy way for me to know...
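
One way to carry out the "audit the folder" advice on a current Windows file server, as an added example that is not part of the original thread. The folder path is a placeholder, and `auditpol.exe` and event ID 4663 assume Windows Vista / Server 2008 or later; run it from an elevated session on the file server.

```powershell
# Added example. $Path is a placeholder for the local path behind the "public" share.
$Path = 'D:\Shares\Public'

# 1. Enable success auditing for the File System subcategory. Without this,
#    the audit entries set below never produce Security log events.
auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit entry (SACL) to the folder: record successful creates and
#    deletes by anyone, inherited by all subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $Path -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Read back who touched what. Event 4663 ("An attempt was made to access an
#    object") carries the account, the object path and the access mask.
function Get-FolderAuditEvent {
    param(
        [Parameter(Mandatory)] [string]   $Folder,
        [datetime] $Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the named <Data> elements of the event into a hashtable.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($data['ObjectName'] -like "$Folder\*") {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    Object     = $data['ObjectName']
                    # 0x2 = write/add file, 0x4 = append/add subfolder, 0x10000 = delete
                    AccessMask = $data['AccessMask']
                }
            }
        }
}

# Who created or deleted MP3 files in the last day?
Get-FolderAuditEvent -Folder $Path |
    Where-Object Object -like '*.mp3' |
    Sort-Object Time |
    Format-Table -AutoSize
```

Size the Security log to hold the retention period you need before enabling this on a busy share, since every matching create and delete writes an event.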
Re: [ActiveDir] Group Policy Problem
1) Log errors checked?
2) NTFS permissions on Sysvol checked?
3) DNS checked?
4) Go to a client and run GPRESULT.exe?
5) Ran DNSDiag.exe?
6) Other GPOs work?
-Z.V.

Lloyd Williams wrote: The problem I am having with group policies has the following two symptoms:
1) domain member computers are getting "windows cannot query for the list of group policy objects" in the event log
2) When I try and edit group policies I get either access denied, or cannot write to something like C:\WINDOWS\SYSVOL\sysvol\Domain Name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
It would seem the group policy contained in the {31B2F340-016D-11D2-945F-00C04FB984F9} folder is missing. There are several folders which are named similarly, i.e. {31B2F340-016D-11D2-945F-00C04FB984F9}_NTFRS_01ececf7, i.e. have NTFRS appended to them. I have tried to recreate the policy by running DCGPOFIX. It recreates the {31B2F340-016D-11D2-945F-00C04FB984F9} folder with the policy. But after a few seconds this folder gets an NTFRS appended to it and all the errors come back. It seems after recreating the group policy active directory just removes it. Has anyone experienced anything similar or have any suggestions? BTW I have about 4 DCs in the domain. Lloyd
[ActiveDir] Lenovo Battery Recall
Lenovo Thinkpad battery recall. Please see link.. http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovolndocid=BATT-LENOVO -Z.V.
[ActiveDir] FileSharing Issue
Got a strange issue this morning: Env: Windows 2003 AD Clients: All XP w/sp 2
1) Machine A maps fine to all local wkstn and servers on its domain (Domain A) (firewall service disabled)
2) Other machines (diff subnet but same domain) mapped fine to machine A
3) Machine A cannot map to server in another Domain B, different subnet
4) Other machines in Domain A maps fine to Domain B
5) \\servername prompts for normal windows credentials on Machine A but server does not accept them. No problem from other machines in the same subnet using same GPO
Anyone seen this? I thought it could be a winsock issue, but netdiag /test:winsock /v showed no problem with winsock. -Z.V.
Re: [ActiveDir] Seperate Administrator password policy
Come on.. You mean searching for a VBScript to check password length yields nothing on Google.com? Here is a start:

==
Dim User
Dim UserName
Dim UserDomain
UserDomain = "DomainToManage"
UserName = "UserName"
' Bind to the account through the ADSI WinNT provider
Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
' Response.Write is the ASP output call; under Windows Script Host use WScript.Echo
Response.Write User.PasswordMinimumLength
==

Perhaps username can be changed to domain admins and use GPO to apply to the admin group? Anyway, I am sure some can finish the rest. -Z.V.

NOTE: Make sure you have the latest scripting engines on the workstation you run this script from. Download the latest scripting engines here: Microsoft Scripting Home Page

Bahta, Nathaniel V CTR USAF NASIC/SCNA wrote: Yeah that's what me and my coworkers have been debating, what method to use to check password length. We are looking through perl modules to see if there are any that can actually do what we are talking about. So far no luck with it, but the search continues. Do you know of any module that does what we speak of?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe Sent: Thursday, August 31, 2006 7:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Seperate Administrator password policy

How are you guys checking password length after the fact? -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Katrin Wilhelm Sent: Thursday, August 31, 2006 6:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Seperate Administrator password policy

I agree to Za, But adjust the script so that it automatically locks the account should it not be 15 characters long then they have to change it. Just an idea from a newbie. Kat

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue Sent: Thursday, 31 August 2006 10:39 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Seperate Administrator password policy

Would it be easier just to ask them to use 15 characters?
Run a small script to check on the number of characters after the passwords have been changed. If under 15 then ask them to change it again. -Z.V.

Almeida Pinto, Jorge de wrote: third party software could be an option for example: http://www.anixis.com/products/ppe/default.htm jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA Sent: Thursday, August 31, 2006 14:15 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Seperate Administrator password policy

Just wanted to field this to see if it makes any sense to any of you guys. We are going to implement a mandatory 15 character password policy for all of our administrator accounts. The only way that makes sense is a subdomain with a separate password policy, since there is only one per domain. I also know that I have to edit the minPwdLength attribute and the uASCompat attribute to make this work on the subdomain. Can anyone think of another method of doing this? Thanks, Nate Bahta
Re: [ActiveDir] Auto Logon
Tried this and it did not work. I do not have time to worry about it for now. -Z.V

[EMAIL PROTECTED] wrote: I had this problem about a year ago. I got it working in the end by changing the logon name from "user" to "[EMAIL PROTECTED]" and it worked fine, give that a go and let us know what happens C.

Za Vue [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 29/08/2006 13:16 Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject [ActiveDir] Auto Logon

Domain: Windows 2003 Clients: Xp w/sp2 Problem: The autologon registry hack on 3 of my lab machines will not stay permanent. All machines restart each morning at 2:00 AM and they automatically log in to the domain. In the morning if I re-apply the auto logon registry hack the machines work fine the rest of the day, no matter how many reboots. Comments? Suggestions? Thanks, Z.V.
Re: [ActiveDir] Seperate Administrator password policy
Would it be easier just to ask them to use 15 characters? Run a small script to check on the number of characters after the passwords have been changed. If under 15 then ask them to change it again. -Z.V.

Almeida Pinto, Jorge de wrote: third party software could be an option for example: http://www.anixis.com/products/ppe/default.htm jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA Sent: Thursday, August 31, 2006 14:15 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Seperate Administrator password policy

Just wanted to field this to see if it makes any sense to any of you guys. We are going to implement a mandatory 15 character password policy for all of our administrator accounts. The only way that makes sense is a subdomain with a separate password policy, since there is only one per domain. I also know that I have to edit the minPwdLength attribute and the uASCompat attribute to make this work on the subdomain. Can anyone think of another method of doing this? Thanks, Nate Bahta
Re: [ActiveDir] Auto Logon
NO. These are the same identical machines using the same image and same GPO. Firewall settings are applied through GPO. The only difference with the building is that there is a mix of wiring so some machines can only connect at 10 megabits and some at 100 megabits. The switches are gigabit switches. (We are waiting on a new building so we are not upgrading any wiring and the current building will be demolished.) I disabled the reboot task for now. Maybe a reimage sometime in the near future will solve the problem. Thanks for the responses. -Z.V.

Gurvinder Trehan wrote: Is there any utility to block ports manually! Thanks Gurvinder Trehan
[ActiveDir] Auto Logon
Domain: Windows 2003 Clients: Xp w/sp2 Problem: The autologon registry hack on 3 of my lab machines will not stay permanent. All machines restart each morning at 2:00 AM and they automatically log in to the domain. In the morning if I re-apply the auto logon registry hack the machines work fine the rest of the day, no matter how many reboots. Comments? Suggestions? Thanks, Z.V.
Re: [ActiveDir] Auto Logon
GPO is being applied, but if the problem is caused by GPO then it would also affect all the lab machines and not just three. When the machine is at the logon screen I can look at the winlogon registry remotely and see that it has not been modified. I will try what Christopher Drewery suggested first. Z.V.

Kurt Falde wrote: Throw regmon on the box with a filter for that specific key to try to see when it is being overwritten. If it's every 90 min could be you have a GPO somewhere that's doing it for you. Run a RSOP using GPMC against the machine/user and check for the setting to see if a GPO is being applied to it. Kurt Falde

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Tuesday, August 29, 2006 8:17 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Auto Logon

Domain: Windows 2003 Clients: Xp w/sp2 Problem: The autologon registry hack on 3 of my lab machines will not stay permanent. All machines restart each morning at 2:00 AM and they automatically log in to the domain. In the morning if I re-apply the auto logon registry hack the machines work fine the rest of the day, no matter how many reboots. Comments? Suggestions? Thanks, Z.V.
[ActiveDir] User AutoEnrollment
Event Source: AutoEnrollment EventID: 15 Does anyone have a better definition of what this is? Half of my machines cannot find the domain this morning. Lots of eventid 15 showed up. I went into GPO and disabled autoenrollment in both computer and user settings. BAM! Everyone can log on again. -Z.V.
Re: [ActiveDir] Firewall block Group Policy
The article below works well. I push the registry to my machines via GPO. My ports used are 5001-5051. -Z.V.

Darren Mar-Elia wrote: Check out this article for restricting the range of dynamic ports used by RPC/DCOM. http://msdn.microsoft.com/library/default.asp?url= Darren

Darren Mar-Elia For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Wang Sent: Thursday, July 27, 2006 12:02 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Firewall block Group Policy

Hi, When user on VPN network, they can not apply Group Policy since there is a firewall between VPN network and Internal network. Now, I need to find out how many ports are required to allow clients to successfully apply group policy. Based on KB832017, "To successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM, ICMP, LDAP, SMB, and RPC protocols." Here is the list port information:

Application protocol   Protocol    Ports
DCOM                   TCP + UDP   random port number between 1024 - 65534
ICMP (ping)            ICMP        20
LDAP                   TCP         389
SMB                    TCP         445
RPC                    TCP         135, random port number between 1024 - 65534

It is not feasible to open up so many high ports (1024 - 65534). So do you have any recommendation for this issue? Thanks in advance! Andy
Re: [ActiveDir] Reset home page via GPO
My labs are set up that way. Users can add as many links as they care to, but at 3:00AM every morning the labs reboot and all their links will be gone except the links specified with GPO. -Z.V.

Larry Wahlers wrote: Hello, colleagues, Our HR department wants everybody's IE home page reset to our intranet home page. I presume the way to do this is via GPO, and apply it only to the users' OU. Are there any issues (other than political ones, of course) with doing this? (Just an aside: We're back to work following the worst power outage in St. Louis history. Over 500,000 people without power for several days, and nearly 200,000 still out. Very interesting week we just had.)
[ActiveDir] Computer Hang at Applying Computer Settings
I am not sure whether it was this forum or the other forum I am also on, but some of us were having problems with XP boxes hanging on "Applying Computer Settings". I believe this may be due to the size of UDP packets utilized by Kerberos. One can force Kerberos to go through TCP instead of UDP http://support.microsoft.com/?kbid=244474 . Or increase the packet size of UDP, http://technet2.microsoft.com/WindowsServer/en/Library/0d2ba911-c0ef-42c6-8264-e982c3cbd43d1033.mspx?mfr=true . -Z.V.
Re: [ActiveDir] Computer Hang at Applying Computer Settings
This happened on a lot of my computers, randomly. For the past few weeks everyone has been quiet. -Z.V.

Matt Hargraves wrote: That may or may not be the issue. Can the user login to any computer or is it just this one?

On 7/7/06, Za Vue [EMAIL PROTECTED] wrote: I am not sure whether it was this forum or the other forum I am also on, but some of us were having problems with XP boxes hanging on "Applying Computer Settings". I believe this may be due to the size of UDP packets utilized by Kerberos. One can force Kerberos to go through TCP instead of UDP http://support.microsoft.com/?kbid=244474 . Or increase the packet size of UDP, http://technet2.microsoft.com/WindowsServer/en/Library/0d2ba911-c0ef-42c6-8264-e982c3cbd43d1033.mspx?mfr=true . -Z.V.
Re: [ActiveDir] Group Policy question
Do they know more about GPO than you? Then give them the rights. Make their work easier..and probably yours. What are you afraid of? That someone will go wild on GPO and abuse your AD? Then turn on auditing. -Z.V.

Larry Wahlers wrote: Colleagues, Our Microcomputer Support group wants the ability to create Group Policy objects and apply them to various workstations. I've taken a few classes in AD, but I'm a tad shaky on how to give these folks just barely enough privs to create GPO's and only link them to the OU's I choose. It would seem that I should add the whole Micro group to the Group Policy Creator Owners group in the Users OU, but the description Members in this group can modify group policy for the domain scares me a bit. Unless, of course, it is *also* necessary to use the Delegate Control wizard on whatever OU's they need, thus limiting their power to link GPO's to only those OU's. All suggestions from you knowledgeable AD Admins gratefully accepted!
[ActiveDir] Drive Map Issue
Got a drive mapping issue maybe some of you can help. Environment: W3K AD Clients: ALL XP w/sp2 For some reason passwords cannot be remembered for persistent mapped drives to other servers not in my domain, connecting as a user on the remote servers. All drives will show as disconnected. If I click on a drive I am prompted for username/password. So I retype the username and password to reconnect. I have done and made sure:
1) Security Settings\Security Options\Network Access: Do not allow storage of credentials or .NET Passports for network authentication is set to disabled
2) Added the remote account and password into my local User Accounts-Advanced-Manage Passwords tab.
3) If I do net use o: \\server\share /user:username password it doesn't work...however
4) If I do net use o: \\server\share /user:username and type in the password when prompted everything is fine.
WTF! Any suggestion? -Z.V.
Re: [ActiveDir] Drive Map Issue
I am logging into the wkstn with a domain account and accessing a Windows 2003 standalone server. -Z.V.

Richard Kline wrote: So you are logging into the first machine with a local account and accessing the remote shares using the credentials of a domain account or a local account specific to the other machine? If so, then I believe that the password is not retained by design.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Wednesday, June 21, 2006 7:38 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Drive Map Issue

Got a drive mapping issue maybe some of you can help. Environment: W3K AD Clients: ALL XP w/sp2 For some reason passwords cannot be remembered for persistent mapped drives to other servers not in my domain, connecting as a user on the remote servers. All drives will show as disconnected. If I click on a drive I am prompted for username/password. So I retype the username and password to reconnect. I have done and made sure:
1) Security Settings\Security Options\Network Access: Do not allow storage of credentials or .NET Passports for network authentication is set to disabled
2) Added the remote account and password into my local User Accounts-Advanced-Manage Passwords tab.
3) If I do net use o: \\server\share /user:username password it doesn't work...however
4) If I do net use o: \\server\share /user:username and type in the password when prompted everything is fine.
WTF! Any suggestion? -Z.V.
Re: [ActiveDir] Drive Map Issue
It worked before the user got a new computer. Z.V.

Richard Kline wrote: So you are logging into the first machine with a local account and accessing the remote shares using the credentials of a domain account or a local account specific to the other machine? If so, then I believe that the password is not retained by design.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Wednesday, June 21, 2006 7:38 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Drive Map Issue

Got a drive mapping issue maybe some of you can help. Environment: W3K AD Clients: ALL XP w/sp2 For some reason passwords cannot be remembered for persistent mapped drives to other servers not in my domain, connecting as a user on the remote servers. All drives will show as disconnected. If I click on a drive I am prompted for username/password. So I retype the username and password to reconnect. I have done and made sure:
1) Security Settings\Security Options\Network Access: Do not allow storage of credentials or .NET Passports for network authentication is set to disabled
2) Added the remote account and password into my local User Accounts-Advanced-Manage Passwords tab.
3) If I do net use o: \\server\share /user:username password it doesn't work...however
4) If I do net use o: \\server\share /user:username and type in the password when prompted everything is fine.
WTF! Any suggestion? -Z.V.
Re: [ActiveDir]
Unsubscribe?

Atila Firmino wrote: Hi everybody, I'll be on vacation and I need to stop receiving messages from this list. How can I do that? Thanks Atila Firmino

This message is intended exclusively for its addressee and may contain information that is confidential and protected by a professional privilege or whose disclosure is prohibited by law. Unauthorized use of such information is prohibited and subject to applicable penalties.
[ActiveDir] UserName Psswd Script
I need to map to a windows standalone server from a domain machine with a different username and password other than the domain account. Anyone care to share a script? Thank you, Z.V.
Re: [ActiveDir] UserName Psswd Script
Solved my own problem.. Thank you..

Za Vue wrote:

I need to map to a windows standalone server from a domain machine with a different username and password other than the domain account. Anyone care to share a script? Thank you, Z.V.
[ActiveDir] DNS Question
Quick DNS question for you all.

DNS server - W23K
Domain - W23K

How do you add the URL http://www.test2.math.smith.edu to the domain Physics.Smith.edu in DNS? Use CNAME? If the URL was www.test2.physics.smith.edu then a simple host(A) would be fine.

Z.V.
Re: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server
How about netdom query fsmo

Z.V.

[EMAIL PROTECTED] wrote:

The thing is this: I will be demoting a domain controller which is also running DNS. I would like to know which other servers have specified this dc as their DNS server (in their tcp/ip settings I mean). Is there some way to check this, from the command line for example? Like for instance checking which fsmo roles are held by which dc's via ntdsutil.
Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1
Just curious..how does everyone handle RPC ports on your LAN? I reg. hacked all servers to use ports 5001-5099. The ports are then enabled with GPO and only specific subnets are allowed to come through. I know..I had to manually key in all 100 entries.

-Z.V.
Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1
If you have to open high ports then what are the reasons for having a firewall in the first place?

-Z.V.

Clay, Justin (ITS) wrote:

Darren,

RPC connects initially on 135 and then the DC tells the client to establish a new connection on one of the free high ports. They start at 1024 and move up from there, so if there are already 2 clients connected starting at 1024, then the next client would be told to connect to the DC on port 1026 and so on. At least that's my understanding of it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Friday, June 02, 2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

Good to know Justin. Exactly where were higher ports blocked? At the DCs? Did MS say what was expecting to use those higher ports? Presumably some RPC communication?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

Well everyone, it's fixed. It's something that even MS is a bit surprised at, although they say they have seen it before. Essentially, the last year since this forest has been deployed, high ports (1024-65535) have been blocked at the firewall but for whatever reason, everything seemed to work fine. Installing SP1 apparently changed something, or fixed something that finally made it a requirement to have those high ports open.

They opened 1024-65535 on our Checkpoint firewall and the login times instantly went from 4-8 minutes back down to the usual few seconds.

It sucks to have to learn about things like this by killing a production environment for 4 hours and burning some Premier Support hours, but at least we know what to look for when we upgrade some of our other domains to SP1!

Thanks to everyone for all the suggestions and help, it's always appreciated!

Also, to everyone else that was experiencing this issue, I'd be interested to know if a firewall or router ACL blocking high ports is the cause of the problem for you!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

Nope, I can get to them from the client PCs just fine. I was able to drill down into all of the policies that I tried.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

Any problems accessing \\domain\sysvol\domain\Policies ?

On 6/2/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote:

Hopefully the attachment comes through. The interesting part, and where most of the time delay is seen is here:

USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

I think a different thread mentioned that DNS was about 90% of the cause of this type of behavior. It's not the only one however.

What keeps rebooting? The DC? Or the workstations? If the workstations, not only ethereal but Darren's suggestion of logging is a good idea.

On 6/2/06, Za Vue [EMAIL PROTECTED] wrote:

Finally..someone is also experiencing this problem. My DCs are Windows 2003 SP1 also. It seems to hang every 3-4 reboots. My first thought was DNS DNS.. but NetDiag, Repl, DCDia
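The USERENV trace quoted in this thread shows about a minute passing before each failed GetUserNameEx call. The Python sketch below is an added example, not code from any poster: it parses that trace format, measures the gaps per thread and tallies the error codes (Win32 error 1753 is EPT_S_NOT_REGISTERED, an RPC endpoint-mapper error). The function names and the 30-second threshold are assumptions.

```python
import re
from collections import Counter

# Win32 error names (winerror.h) for the RPC failures relevant to this symptom.
WIN32_ERRORS = {1722: "RPC_S_SERVER_UNAVAILABLE", 1753: "EPT_S_NOT_REGISTERED"}

LINE_RE = re.compile(
    r"USERENV\((?P<thread>[0-9a-fA-F]+\.[0-9a-fA-F]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+"
    r"(?P<func>\w+):\s+(?P<msg>.*)"
)
FAIL_RE = re.compile(r"failed with (?:error )?(\d+)")
DAY_MS = 24 * 60 * 60 * 1000

# Trace lines as quoted in the thread (the format carries no date field).
SAMPLE_LOG = """\
USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.
"""


def parse_userenv(text):
    """Return one dict per recognisable trace line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m is None:
            continue
        ms = ((int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])) * 1000 + int(m["ms"])
        fail = FAIL_RE.search(m["msg"])
        entries.append({
            "thread": m["thread"].lower(),
            "ms": ms,
            "func": m["func"],
            "msg": m["msg"].strip(),
            "error": int(fail.group(1)) if fail else None,
        })
    return entries


def find_stalls(entries, threshold_ms=30_000):
    """Gaps of at least threshold_ms between consecutive lines of one thread."""
    last_seen = {}
    stalls = []
    for entry in entries:
        prev = last_seen.get(entry["thread"])
        if prev is not None:
            gap = entry["ms"] - prev["ms"]
            if gap < 0:  # no date in the log: assume one midnight rollover
                gap += DAY_MS
            if gap >= threshold_ms:
                stalls.append((gap, prev, entry))
        last_seen[entry["thread"]] = entry
    return stalls


def summarize(text, threshold_ms=30_000):
    """Count lines, stalls, total stalled time and error codes in a trace."""
    entries = parse_userenv(text)
    stalls = find_stalls(entries, threshold_ms)
    errors = Counter(e["error"] for e in entries if e["error"] is not None)
    return {
        "entries": len(entries),
        "stalls": len(stalls),
        "stalled_ms": sum(gap for gap, _, _ in stalls),
        "errors": dict(errors),
    }


if __name__ == "__main__":
    for gap, prev, cur in find_stalls(parse_userenv(SAMPLE_LOG)):
        # The line after the gap is the call that finally returned.
        print(f"{gap / 1000:7.3f}s before {cur['func']}: {cur['msg']}")
    report = summarize(SAMPLE_LOG)
    print(f"total stalled: {report['stalled_ms'] / 1000:.3f}s")
    for code, count in report["errors"].items():
        print(f"error {code} ({WIN32_ERRORS.get(code, 'unknown')}): {count} lines")
```

Each gap lands just under 64 seconds, so the four blocked calls account for the whole 254-second delay in the quoted trace.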
Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1
I know almost every admin would probably say it is DNS, but if nslookup, Dcdiag, NetDiag, DC replication, GPOs all work properly or show no error one should assume DNS is working properly. No problem accessing DFS shares. If you sit down on a machine and restart the machine 3-4 times in a row, it would hang at least once. That is my problem.

Yes.. I have a Portqry.exe batch file that checks the DC ports every time there is a problem. I have another Portqry script that checks other random ports that are not supposed to be open, just to make sure the firewall is working properly. There hasn't been a problem. I also run Sniffer Pro v.5. However, things have been quiet this past week so I will wait and see if anyone else calls in about it.

-Z.V.

Al Mulnick wrote:

For you it just started?

Are you familiar with tools such as portqry? I know you're familiar with packet sniffers. It might be good to have a look and at least rule out the personal firewalls, the network acls, network firewalls, and the other network issues that can be introduced outside your control.

Al

On 6/3/06, Za Vue [EMAIL PROTECTED] wrote:

This doesn't sound right. I have been running SP1 since it was released. This just started last month.

-Z.V.

Clay, Justin (ITS) wrote:

Well everyone, it's fixed. It's something that even MS is a bit surprised at, although they say they have seen it before. Essentially, the last year since this forest has been deployed, high ports (1024-65535) have been blocked at the firewall but for whatever reason, everything seemed to work fine. Installing SP1 apparently changed something, or fixed something that finally made it a requirement to have those high ports open.

They opened 1024-65535 on our Checkpoint firewall and the login times instantly went from 4-8 minutes back down to the usual few seconds.

It sucks to have to learn about things like this by killing a production environment for 4 hours and burning some Premier Support hours, but at least we know what to look for when we upgrade some of our other domains to SP1!

Thanks to everyone for all the suggestions and help, it's always appreciated!

Also, to everyone else that was experiencing this issue, I'd be interested to know if a firewall or router ACL blocking high ports is the cause of the problem for you!
Re: [ActiveDir] HIDE OU
Prying eyes of junior admins?

I managed my own AD environment and do not hide any OU or User and we are not trusted with our main campus AD, however, the undergraduate departments are part of the campus AD. It took a year to figure why no one can rename a computer. The computer has to disjoin the domain, rename, and then rejoin the domain, that is the only way. The main AD guys just said that is the way it is so live with it. I was asked by 2 departments to test it in my domain. I have no problem renaming computer accounts in AD. So we renamed a whole lab w/o any issue. They must have asked for Microsoft's help, and it turned out that the "Builtin" OU was hidden for security reasons. For what reason I didn't ask. Authenticated users need READ access to that OU. Why? Microsoft does not know.

So after they figured it out I wanted to see how they hide that OU. One way to modify (hide) OUs and Users is to use ldifde.exe. I tested and it did work. So there is my solution.

-Z.V.

Al Mulnick wrote:

I think that's a nice segue back to asking, "why?" What is it you need to accomplish that you would hide the OU and its objects?

On 6/1/06, Timo Ed [EMAIL PROTECTED] wrote:

be careful doing that... if you have users in that container and you do not give both the client machine and the user certain read props then policy will break, among other things. If you're just trying to hide from AD mmc's then you can set the ShowAdvanceViewOnly attrib which will hide the object unless the admin has enabled 'Advanced View'.

Rgds, Tim

On 6/2/06, Daniel Gilbert [EMAIL PROTECTED] wrote:

We created OU's and removed all users except for Domain Admins (of course we left the SYSTEM access). The OU never shows up for non-Domain Admins. Domain Admins have full access to the OU and can add as many objects as they want.

Dan
Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1
Finally..someone is also experiencing this problem. My DCs are Windows 2003 SP1 also. It seems to hang every 3-4 reboots. My first thought was DNS DNS.. but NetDiag, Repl, DCDiag, Nslookup all show no error. Nothing is reported in logs. It is not firewall. I have played with NetBIOS, changing Provider Order in Network Neighborhood-Advanced Settings..nada. This week has been quiet. If someone calls again I have ethereal setup and ready to capture. The thing about my environment is I do not manage the switches or router. I don't know if someone is messing with something.

-Z.V.

Clay, Justin (ITS) wrote:

Hello,

Last night we upgraded our 3 Win2K3 domain controllers to SP1. This morning, we're getting tons and tons of calls from users who report that their computer sits at "Applying computer settings" for a good 10 minutes, then another 10 or so minutes at "Applying your personalized settings".

After the upgrade we did start seeing DCOM errors in the System event log, which I've found many people online have experienced. I "fixed it" (or at least the DCOM errors went away) by granting Network Service the following rights:

Local Launch
Remote Launch
Local Activation
Remote Activation

In the Launch and Activation Permissions dialog on the Security tab of the netman component. However, even after the DCOM errors have gone away, we continue to see the same results on the clients.

Any ideas? I'm considering calling Premier Support, but I figured you guys would be better help than them.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1
Not over here. Log showed GPO applied successfully.

-Z.V

Al Mulnick wrote:

Any problems accessing \\domain\sysvol\domain\Policies ?

On 6/2/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote:

Hopefully the attachment comes through. The interesting part, and where most of the time delay is seen is here:

USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

I think a different thread mentioned that DNS was about 90% of the cause of this type of behavior. It's not the only one however.

What keeps rebooting? The DC? Or the workstations? If the workstations, not only ethereal but Darren's suggestion of logging is a good idea.

On 6/2/06, Za Vue [EMAIL PROTECTED] wrote:

Finally..someone is also experiencing this problem. My DCs are Windows 2003 SP1 also. It seems to hang every 3-4 reboots. My first thought was DNS DNS.. but NetDiag, Repl, DCDiag, Nslookup all show no error. Nothing is reported in logs. It is not firewall. I have played with NetBIOS, changing Provider Order in Network Neighborhood-Advanced Settings..nada. This week has been quiet. If someone calls again I have ethereal setup and ready to capture. The thing about my environment is I do not manage the switches or router. I don't know if someone is messing with something.

-Z.V.

Clay, Justin (ITS) wrote:

Hello,

Last night we upgraded our 3 Win2K3 domain controllers to SP1. This morning, we're getting tons and tons of calls from users who report that their computer sits at "Applying computer settings" for a good 10 minutes, then another 10 or so minutes at "Applying your personalized settings"

After the upgrade we did start seeing DCOM errors in the System event log, which I've found many people online have experienced. I "fixed it" (or at least the DCOM errors went away) by granting Network Service the following rights:

Local Launch
Remote Launch
Local Activation
Remote Activation

In the Launch and Activation Permissions dialog on the Security tab of the netman component. However, even after the DCOM errors have gone away, we continue to see the same results on the clients.

Any ideas? I'm considering calling Premier Support, but I figured you guys would be better help than them.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1
This doesn't sound right. I have been running SP1 since it was released. This just started last month.

-Z.V.

Clay, Justin (ITS) wrote:

Well everyone, it's fixed. It's something that even MS is a bit surprised at, although they say they have seen it before. Essentially, the last year since this forest has been deployed, high ports (1024-65535) have been blocked at the firewall but for whatever reason, everything seemed to work fine. Installing SP1 apparently changed something, or fixed something that finally made it a requirement to have those high ports open.

They opened 1024-65535 on our Checkpoint firewall and the login times instantly went from 4-8 minutes back down to the usual few seconds.

It sucks to have to learn about things like this by killing a production environment for 4 hours and burning some Premier Support hours, but at least we know what to look for when we upgrade some of our other domains to SP1!

Thanks to everyone for all the suggestions and help, it's always appreciated!

Also, to everyone else that was experiencing this issue, I'd be interested to know if a firewall or router ACL blocking high ports is the cause of the problem for you!
[ActiveDir] HIDE OU
I know it has been done and probably asked before..but how do you hide a particular user or OU in AD(W23K)? -Z.V.
[ActiveDir] Slow Boot Up
Morning everyone,

Recently all my wkstns are taking up to 5 minutes to log in after a restart. Stuck at Applying Computer Settings and Applying Security Settings. Only change to GPO is offline files options are all disabled. While from the desktop it takes up to 30 seconds to load and open up AD snap-in to add a user to a group. Doesn't matter if firewall is turned on or off. No weird logs on DC. DCDIAG and NetDiag showed no errors.

My FSMO roles are spread between two DCs in two separate subnets. Schema Master, Domain Naming Master, and GC are on the same DC. RID, Infras, and PDC are on the other DC. I thought about promoting another server to a DC.

Any thought or idea where to check and look?

-Z.V.
[ActiveDir] Machine Psswd Age
Anyone know how often machine passwords are renewed/reset in the domain? -Z.V.
Re: [ActiveDir] Naming conventions (quasi-OT)
All workstations are named according to building, room, and staff's initials. Chemistry Building Room 5 and user John Doe- CB-005JD

-Z.V.

Brian Desmond wrote:

{I,A}Unit#{W, L, M}#

I/A is specific to us, it differentiates subnet and function
Unit # is the location (four digit number)
W = Workstation
L = Laptop
M = Macintosh
# = 9 digit asset tag

If I need to figure out a user's PC name I just ask for the asset tag number and I can figure the rest out. This works for 95K machines in 750 facilities

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Cline
Sent: Wednesday, May 24, 2006 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Naming conventions (quasi-OT)

I'm curious to see how some of you (especially at the larger corporations) name your domain-joined computers.

At my company we've got about 110 computers in roughly , and for the longest time they've been named after the logon name of the user who primarily operates the PC. (Not a fan of that method myself.) However, when naming or renaming a PC there are cases (such as preparing a replacement PC for a user) where there's already one with the desired name. Our network admin has a horrible habit of putting random numbers at the end when he runs into this problem, rather than using ADUC to remove a ghost computer object (or renaming the existing one when a new one is being prepared for said user). Of course this constantly frustrates me as I can never correctly guess a user's PC name when trying to remote control it during a support call.

I've had several ideas in the past, the most favorable being naming them by location then department, then numbering them (for example, CHS-DISP-01 would represent the first dispatcher PC at our Charleston terminal), and automagically renaming the "My Computer" icon on the user's desktop at startup time to reflect the computer name. This way we'd never have to worry about renaming a computer when an employee is terminated, and when I've got a user on the phone I can simply ask them to read the computer name to me.

But I was curious to see how you guys go about naming your PCs and how you deal with problems similar to this.

--
Brian A. Cline
Internet Applications Developer
GP Trucking Company, Inc.
Direct: 803.936.8595
Toll Free: 800.922.1147 x8595
Re: [ActiveDir] Naming conventions (quasi-OT)
Of course labs and servers are different.

-Z.V.

Freddy HARTONO wrote:

I'm assuming with this every person has their own workstation? Or how would it be named for shared workstation..

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: Thursday, May 25, 2006 2:10 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Naming conventions (quasi-OT)

All workstations are named according to building, room, and staff's initials. Chemistry Building Room 5 and user John Doe- CB-005JD

-Z.V.

Brian Desmond wrote:

{I,A}Unit#{W, L, M}#

I/A is specific to us, it differentiates subnet and function
Unit # is the location (four digit number)
W = Workstation
L = Laptop
M = Macintosh
# = 9 digit asset tag

If I need to figure out a user's PC name I just ask for the asset tag number and I can figure the rest out. This works for 95K machines in 750 facilities

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Cline
Sent: Wednesday, May 24, 2006 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Naming conventions (quasi-OT)

I'm curious to see how some of you (especially at the larger corporations) name your domain-joined computers.

At my company we've got about 110 computers in roughly , and for the longest time they've been named after the logon name of the user who primarily operates the PC. (Not a fan of that method myself.) However, when naming or renaming a PC there are cases (such as preparing a replacement PC for a user) where there's already one with the desired name. Our network admin has a horrible habit of putting random numbers at the end when he runs into this problem, rather than using ADUC to remove a ghost computer object (or renaming the existing one when a new one is being prepared for said user). Of course this constantly frustrates me as I can never correctly guess a user's PC name when trying to remote control it during a support call.

I've had several ideas in the past, the most favorable being naming them by location then department, then numbering them (for example, CHS-DISP-01 would represent the first dispatcher PC at our Charleston terminal), and automagically renaming the "My Computer" icon on the user's desktop at startup time to reflect the computer name. This way we'd never have to worry about renaming a computer when an employee is terminated, and when I've got a user on the phone I can simply ask them to read the computer name to me.

But I was curious to see how you guys go about naming your PCs and how you deal with problems similar to this.

--
Brian A. Cline
Internet Applications Developer
GP Trucking Company, Inc.
Direct: 803.936.8595
Toll Free: 800.922.1147 x8595
Re: [ActiveDir] IIS 6
Correct. Using a host file only works for one website, which solved part of the problem. The other site will have to use another port. The main site is registered with the external DNS(BIND), but the other sites are registered with internal DNS(AD) server. No forwarding. When in production all sites will use port 80 on the same server and register with ext. DNS server.

-Z.V.

Ken Schaefer wrote:

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of James Eaton-Lee
: Subject: RE: [ActiveDir] IIS 6
:
: On Tue, 2006-05-23 at 10:59 +1000, Ken Schaefer wrote:
: : -Original Message-
: : From: [EMAIL PROTECTED] [mailto:ActiveDir-
: : [EMAIL PROTECTED] On Behalf Of Za Vue
: : Sent: Tuesday, 23 May 2006 10:54 AM
: : To: ActiveDir@mail.activedir.org
: : Subject: [ActiveDir] IIS 6
: :
: : I have a web server running IIS6 hosting 3 websites-using host
: : header.
: : How can I access the individual URL using IP?
: :
: : -Z.V.
:
: http://10.10.10.10/yourURL.htm
:
: If you wish to be able to access all three websites, you will either
: need to have three IP addresses -or- run the websites on three
: different ports (80, 81, 82 etc).
:
: Or he could edit the hosts file, and then since the host will be sent
: in the request to the webserver he'll be given content from the
: appropriate virtual host...

From my reading of the question, OP wanted to know how to access the sites by IP address. Editing your hosts file doesn't help you with that.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 See you there: Everything the web administrator needs to know about MOM 2005
[ActiveDir] IIS 6
I have a web server running IIS6 hosting 3 websites-using host header. How can I access the individual URL using IP? -Z.V.
Re: [ActiveDir] IIS 6
What if all 3 websites use the same name, index.html?

-Z.V.

Ken Schaefer wrote:

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Za Vue
: Sent: Tuesday, 23 May 2006 10:54 AM
: To: ActiveDir@mail.activedir.org
: Subject: [ActiveDir] IIS 6
:
: I have a web server running IIS6 hosting 3 websites-using host header.
: How can I access the individual URL using IP?
:
: -Z.V.

http://10.10.10.10/yourURL.htm

If you wish to be able to access all three websites, you will either need to have three IP addresses -or- run the websites on three different ports (80, 81, 82 etc). This is the reason we have HTTP Host Headers - to alleviate the need for lots of IP addresses and ports.

Cheers
Ken
Re: [ActiveDir] IIS 6
Ignore... I figured it out.

Z.V

Za Vue wrote:

What if all 3 websites use the same name, index.html?

-Z.V.

Ken Schaefer wrote:

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Za Vue
: Sent: Tuesday, 23 May 2006 10:54 AM
: To: ActiveDir@mail.activedir.org
: Subject: [ActiveDir] IIS 6
:
: I have a web server running IIS6 hosting 3 websites-using host header.
: How can I access the individual URL using IP?
:
: -Z.V.

http://10.10.10.10/yourURL.htm

If you wish to be able to access all three websites, you will either need to have three IP addresses -or- run the websites on three different ports (80, 81, 82 etc). This is the reason we have HTTP Host Headers - to alleviate the need for lots of IP addresses and ports.

Cheers
Ken
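The exchange above turns on the fact that a host-header site is selected by the Host header in the request, not by the address the client connected to. The following Python sketch is an added example, not from any poster and not IIS code: a toy host-header server on loopback plus a client that connects by IP and sets Host itself, which is what a hosts-file entry makes the browser do. The site names, bodies and the 400 answer for an unmatched host are constructed assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sites: all three serve /index.html on the same IP and port.
SITES = {
    "www.site-a.test": b"site A index.html",
    "www.site-b.test": b"site B index.html",
    "www.site-c.test": b"site C index.html",
}


class VHostHandler(BaseHTTPRequestHandler):
    """Pick the site from the Host header, as host-header hosting does."""

    def do_GET(self):
        # Strip an optional ":port" suffix and compare case-insensitively.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = SITES.get(host)
        if body is None or self.path != "/index.html":
            # No site is bound to this host name (for example a bare IP).
            status = 400 if body is None else 404
            body = b"no site for this request"
        else:
            status = 200
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Start the toy server on a free loopback port and return it."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_by_ip(ip, port, path="/index.html", host_header=None):
    """GET path from ip:port; optionally override the Host header."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    headers = {"Host": host_header} if host_header else {}
    try:
        # With no override, http.client sends "Host: <ip>:<port>".
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print("by IP only:", fetch_by_ip("127.0.0.1", port))
    for name in SITES:
        print(name, "->", fetch_by_ip("127.0.0.1", port, host_header=name))
    srv.shutdown()
```

The same path, /index.html, returns three different documents from one IP and port, and the bare-IP request matches none of them.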
[ActiveDir] GTP Disk
How does one undo a GTP partition/disk? -Z.V.
Re: [ActiveDir] Is there a way to force users to logon to domain?
I have over 100 randomly generated local admin passwords. If I forget the password and the account gets corrupted in AD then I just hack the local admin password. No one logs on locally period!

-Z.V.

Robert Rutherford wrote:

No, and I always find it a relief to have a local admin account in a failure situation.

Robert Rutherford
QuoStar Solutions Limited

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AdamT
Sent: 16 May 2006 16:26
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote:

Yeah, disregard what I said about just leaving Admins on the "allow logon locally" setting, that's my bad. I guess best thing to do would be delete all existing local user accounts.

Can you actually delete localhost\administrator on NT4/2K/XP workstations?
Re: [ActiveDir] Is there a way to force users to logon to domain?
Don't create local accounts. -Z.V. Joe Lagreca wrote: Is there a way to force users to logon to domain, or to disable logging into local computer accounts via GPO? Thanks.
[ActiveDir] Test Windows 23K Firewall
What is the best and fastest way to test Windows firewall? I want to see if a specific port is blocked when it is supposed to be open. -Z.V.
Re: [ActiveDir] OT: Vbscript to disconnect and reconnect persistent drive mappings
That is a lot of statements just to disconnect and connect network drives. Create a batch file and use "net use". Nothing more. -Z.V. Jacqui Hurst wrote: I am trying to write a quick and dirty script for a test lab which will disconnect and reconnect persistent drive mappings. The script is as follows:

    Set objDrvs = GetObject("winmgmts:").InstancesOf("Win32_NetworkConnection")
    For Each obj In objDrvs
        strDrive = obj.LocalName
        strDMapping = obj.RemoteName
        On Error Resume Next
        objWshNet.RemoveNetworkDrive strDrive, True, True 'Force removal
        If Err <> 0 Then 'Log Error
            Wscript.Echo "Error disconnecting" & strDrive
            Err.Clear
        End If
        objWshNet.MapNetworkDrive strDrive, strDMapping
        If Err <> 0 Then 'Log Error
            Wscript.Echo "Error remapping " & strDrive & "(" & strDMapping & ")"
            Err.Clear
        Else
            Wscript.Echo "Remapped " & strDrive & "(" & strDMapping & ")"
        End If
    Next

The script fails to disconnect any drive mapping and therefore fails to reconnect it. Can anyone advise me where I am going wrong? The ERR value is 424, does that make any sense to anyone? I want to run this on logon but I am just running it interactively at the moment. Cheers Jacqui
Re: [ActiveDir] ACtive directory Trusts and firewall configuration
You can start here: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx -Z.V. [EMAIL PROTECTED] wrote: Dear list! I'm in need of setting up a trust between two existing Active Directory domains and I have a few questions regarding this. The goal is that people can log on from either domain with their user credentials and that people can use resources in both domains. We also need the Exchange address books in both domains to replicate to each other, but that's maybe a different list. Domain A has 8 domain controllers where the operation master roles are spread on different servers; domain B has only 1 domain controller. We have configured a VPN between the networks so the communication is up and running. My questions are: What ports do I need to open in the firewall to achieve this? And do I have to open the trust from domain B to all of my DCs in domain A, or is it enough to open towards any DC or a specific DC? (Which server roles does it need?) Many thanks in advance. Med vennlig hilsen / Best regards Jan Wilhelmsen IT-Technician Bilia Personbil as kernveien 115 0510, Oslo Norway Tel: +47 22882546 Mob:+47 95928392 Fax: +47 22970387 Mail: [EMAIL PROTECTED] MSN: [EMAIL PROTECTED] Gmail: [EMAIL PROTECTED]
Re: [ActiveDir] Problems with remote acess
Uninstall Terminal Service and enable Remote Desktop. [EMAIL PROTECTED] wrote: I am trying to access a computer running Windows 2003 via Remote Access. Remote connection is enabled in remote access. It worked till some days ago. Now when I try to access it I receive this message: "The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection." I tried to disable and enable remote access again with no success. What may be wrong? Adrio Ferreira Ramos Superintendência de Tecnologia da Informação Depto. de Operações e Infra-estrutura - CII [EMAIL PROTECTED] 11 - 3388-8193
Re: [ActiveDir] Automatically generated replication links
The links will regenerate, if DNS is working properly. -Z.V. Rimmerman, Russ wrote: If you promote a new domain controller and it doesn't automatically generate the right replication links, is it safe or recommended to delete the link it generated and manually create the replication link? Or if you delete it will it try to automatically generate it again?
Re: [ActiveDir] AD printer Auditing and logging
Not sure what you are doing, but my System logs show who printed what file, how large, date, time, name of file printed, number of pages. Event #10 on the system log. -Z.V. Jason Yaremchuk wrote: Hi everyone. Wondering if anyone has found a nice way to audit print jobs for AD published printers? I have a large group of users and must keep track of what jobs are printed by whom. I couldn't find any built-in options (I may have missed them) and I looked at a bunch of 3rd party software to monitor and log print jobs. I am using windows 2003 RC2 and was really surprised that of all the print management MS added there was no auditing. What is everyone else doing for print job auditing? Is third party the only way? Thanks in advance, Jason
Re: [ActiveDir] AD printer Auditing and logging
Look at http://www.czsolution.com/print_management/czprs.htm. Jason Yaremchuk wrote: Sorry, should have mentioned this I guess. I work for a school district, we have many onsite tech support people that are just glorified teachers with minimal computer knowledge. They want to be able to see what student printed a 40 page job and stuff like that. The system log will not cut it in terms of user comprehension. I am trying to give them something where they can simply view all jobs, and the source user. I know it seems trivial but it is what I have been asked to provide. Jason From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue Sent: Thursday, March 02, 2006 11:50 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AD printer Auditing and logging Not sure what you are doing, but my System logs show who printed what file, how large, date, time, name of file printed, number of pages. Event #10 on the system log. -Z.V. Jason Yaremchuk wrote: Hi everyone. Wondering if anyone has found a nice way to audit print jobs for AD published printers? I have a large group of users and must keep track of what jobs are printed by whom. I couldn't find any built-in options (I may have missed them) and I looked at a bunch of 3rd party software to monitor and log print jobs. I am using windows 2003 RC2 and was really surprised that of all the print management MS added there was no auditing. What is everyone else doing for print job auditing? Is third party the only way? Thanks in advance, Jason
Re: [ActiveDir] MAC Address
Look at the wireless card itself. Ping it and ARP it. GetMac, ipconfig /all, etc. etc. -Z.V. Todd Hofert wrote: I have a client PC that does not list the MAC Address for its wireless NIC anywhere in the OS. Is there a way to query that info from the card via command prompt or some other method? Thanks Todd
Re: [ActiveDir] MAC Address
For remote machines I use Hyena. Right click on the machine, properties, and choose network and there it is. Todd Hofert wrote: I have a client PC that does not list the MAC Address for its wireless NIC anywhere in the OS. Is there a way to query that info from the card via command prompt or some other method? Thanks Todd
Re: [ActiveDir] OT: Tracking File Deletes
Enable AUDITING on the folder and when someone deletes a file/folder you will get something similar to the below.

    Event Type: Success Audit
    Event Source: Security
    Event Category: Object Access
    Event ID: 560
    Date: 2/8/2006
    Time: 12:24:41 PM
    User: DOmain\username
    Computer: Domain
    Description: Object Open:
        Object Server: Security
        Object Type: File
        Object Name: C:\Software\NetDiag.log
        Handle ID: 348
        Operation ID: {0,15535362}
        Process ID: 4
        Image File Name:
        Primary User Name: THEO2$
        Primary Domain: Domain
        Primary Logon ID: (0x0,0x3E7)
        Client User Name: username
        Client Domain: Domain
        Client Logon ID: (0x0,0xEB26BD)
        Accesses: DELETE ReadAttributes
        Privileges: -
        Restricted Sid Count: 0
        Access Mask: 0x10080
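The check this post describes, as an added example that is not part of the original message: a Python sketch that reads Security-log records exported as text, lists every Event ID 560 whose Accesses include DELETE, and marks it confirmed when an Event ID 564 (Object Deleted) with the same Process ID and Handle ID follows. The export layout, the sample records and the function names are assumptions constructed for illustration; only the 560 field names come from the post.

```python
import re

# Constructed sample export: one record per blank-line-separated block, one
# "Field: value" per line, further Accesses entries on indented lines. The 560
# field names follow the event quoted in the post; the records are made up.
SAMPLE_EXPORT = r"""
Event ID: 560
Date: 2/8/2006
Time: 12:24:41 PM
Object Type: File
Object Name: C:\Software\NetDiag.log
Handle ID: 348
Process ID: 4
Client User Name: username
Client Domain: Domain
Accesses: DELETE
    ReadAttributes

Event ID: 564
Date: 2/8/2006
Time: 12:24:41 PM
Handle ID: 348
Process ID: 4

Event ID: 560
Date: 2/8/2006
Time: 12:25:02 PM
Object Type: File
Object Name: C:\Software\readme.txt
Handle ID: 352
Process ID: 4
Client User Name: username
Client Domain: Domain
Accesses: READ_CONTROL
    ReadData (or ListDirectory)
    ReadAttributes

Event ID: 560
Date: 2/8/2006
Time: 12:31:10 PM
Object Type: File
Object Name: C:\Software\setup.ini
Handle ID: 360
Process ID: 4
Client User Name: otheruser
Client Domain: Domain
Accesses: DELETE
    ReadAttributes
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_records(text):
    """Split the export into records; each field maps to a list of values."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, last = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and last:
                rec[last].append(line.strip())  # continuation of previous field
                continue
            m = FIELD_RE.match(line)
            if m:
                last = m.group(1).strip()
                value = m.group(2).strip()
                rec[last] = [value] if value else []
        records.append(rec)
    return records


def first(rec, key):
    """First value of a field, or an empty string when the field is absent."""
    values = rec.get(key, [])
    return values[0] if values else ""


def find_deletes(records):
    """Return 560 opens that requested DELETE, flagged when a 564 confirms them."""
    pending = {}   # (process id, handle id) -> finding still awaiting a 564
    findings = []
    for rec in records:
        key = (first(rec, "Process ID"), first(rec, "Handle ID"))
        event_id = first(rec, "Event ID")
        if event_id == "560" and "DELETE" in rec.get("Accesses", []):
            finding = {
                "time": first(rec, "Date") + " " + first(rec, "Time"),
                "user": first(rec, "Client Domain") + "\\" + first(rec, "Client User Name"),
                "object": first(rec, "Object Name"),
                "confirmed": False,  # DELETE access was only requested so far
            }
            pending[key] = finding   # a reused handle replaces the older entry
            findings.append(finding)
        elif event_id == "564" and key in pending:
            pending.pop(key)["confirmed"] = True
    return findings


if __name__ == "__main__":
    for f in find_deletes(parse_records(SAMPLE_EXPORT)):
        state = "deleted" if f["confirmed"] else "DELETE requested only"
        print(f["time"], f["user"], f["object"], state)
```

A 560 with DELETE in Accesses shows that the handle was opened with delete rights; the 564 match is what ties it to an actual deletion.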
Re: [ActiveDir] Hi All-Please Help
I see some flaming to come. :-D -Z.V. Dan Tesch wrote: Cisco has discussion forums on their own site, I have received some answers there before - http://forum.cisco.com/eforum/servlet/NetProf?page=main Hi All My name is Marwa, I am from Egypt. Actually, I am looking for Cisco Discussion Forums. I did a search on Google, I could not find anything. I want to have a discussion list like this list for Active Directory but for Cisco as well. Please, if there is anyone who knows it, send me the URL. Hope the best Thanks Best Regards, Marwa,
[ActiveDir] LDAP Error
Okay you guys. On one of my DC I keep getting an LDAP error when I run netdiag /test:LDAP. I get the error "[FATAL] Cannot do negotiate authenticated ldap_bin to 'dc.domain.edu': Invalid Credentials" The domain account and password was recently changed. In the System Log: Event Type: Warning Event Source: Kerberos Event Category: None Event ID: 14 Date: 2/7/2006 Time: 11:50:58 AM User: N/A Computer: DC Description: There were password errors using the Credential Manager. To remedy, launch the Stored User Names and Passwords control panel applet, and reenter the password for the credential domain\adminaccount. (adminaccount is old admin) Where is the "Stored User Names and Passwords" applet? -Z.V.
Re: [ActiveDir] LDAP Error
Found it... Problem solved.. Za Vue wrote: Okay you guys. On one of my DC I keep getting an LDAP error when I run netdiag /test:LDAP. I get the error "[FATAL] Cannot do negotiate authenticated ldap_bin to 'dc.domain.edu': Invalid Credentials" The domain account and password was recently changed. In the System Log: Event Type: Warning Event Source: Kerberos Event Category: None Event ID: 14 Date: 2/7/2006 Time: 11:50:58 AM User: N/A Computer: DC Description: There were password errors using the Credential Manager. To remedy, launch the Stored User Names and Passwords control panel applet, and reenter the password for the credential domain\adminaccount. (adminaccount is old admin) Where is the "Stored User Names and Passwords" applet? -Z.V.
Re: [ActiveDir] event id 1000 only
OS? shereen naser wrote: Hi list, the users are having this error event ID 1000 only with no event ID 1058 or 1030, its only this error: "Windows cannot access the file gpt.ini for GPO The file must be present at the location . (). Group Policy processing aborted." I checked the Sysvol folder and the permissions are correct, what else could cause this message? thank
[ActiveDir] View User's Logs
I want to find out how many workstations a local admin has been logging on to. Can this be done through any AD snap-in? -Z.V.
Re: [ActiveDir] IIS 6 Urgent Help
Thanks Ken. -Z.V. Ken Schaefer wrote: You have entered the command incorrectly. From the screenshot you have entered ISSuba (there is a missing I). The actual command you need to run is: rundll %windir%\system32\iissuba.dll, RegisterIISSUBA Cheers Ken F
[ActiveDir] IIS 6 Urgent Help
I am trying to enable subauthentication in IIS 6. There are some copyrighted contents that usernames and passwords are required to view. Digest Authentication is through AD accounts. When I run rundll32 systemroot\system32\issuba,RegisterIISSUBA I get the attached error. Environment: W23K AD Server: W23K Web Edt. Hopefully someone can help. Thanks.. Z.V. attachment: IIS.JPG
Re: [ActiveDir] Reset Local Admin Passwords
It is hard to keep track of 1000 local machines and their administrator accounts and passwords. I go with the idea of keeping them the same. Just run scripts to change them regularly and have strong passwords. I like to script everything. You mean you want to have 1000 different admin accounts and passwords stored on a spreadsheet? What if the SID corrupts, then what? You have to open the file, browse over the names and passwords, etc. and log in locally and rejoin the domain. They are just workstations. So if one or two got hacked.. you re-image them. User files and folders are stored on a server, right? Turn off file sharing to the clients, they don't need file sharing turned on. If you need to remotely access (Hyena, Dameware, etc) manage the workstations then enable the firewall, but only allow access to the clients from a single workstation IP, your machine or multiple IPs. This should be done thru GPO. Block out the 65000+ ports and allow only ports you need... Kerberos, AD Replication (forced), DNS, etc. -Z.V. Okay, just to offer a counterpoint to your underlying plan - you do realise that by using a single local admin password across your enterprise, if even -one- of those workstations gets the admin password compromised, the attacker who did so now has local admin rights to every workstation on your network? With apologies to Jesper Johannsen[1], it's one of those How to get your network hacked in 10 easy steps things - if I've just compromised the local admin password of WorkstationA, what do you think is going to be the very first password I try when I move on to try and compromise WorkstationB? [1] And additional apologies for the fact that I'm sure I just spelled his name wrong. -- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Re: [ActiveDir] IE and group policy
What is wrong with upgrading IE to version 6 on all machines? It can also be done with GPO. Z.V. shereen naser wrote: I have a group policy that adds specific links to the favorites for all the users, users who log in to specific computers do not see the favorites that they should see, if I upgrade those machines from IE5 to IE6 the group policy is applied and the users can see the favorites, why does that happen? and do I have to upgrade all the IE5 machines in this case or there is a work around? thank you
Re: [ActiveDir] Problem accessing Shared resource
I also have a share issue that is annoying, but I learned to live with it. VBScript maps a drive properly, but I cannot access "some folders". The error, "The specified server cannot perform the requested operation." However, on the same workstation, if I do \\servname\share then I can access everything fine. All permissions are propagated from parent folder, have double checked. The shares are on a member server. Server: All Windows 2003 w/sp1 Clients: All XP w/sp2 McNicholas, Joe wrote: Take a look at: Q281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name http://support.microsoft.com/default.aspx?scid=kb;en-us;281308 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: 30 January 2006 12:09 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem accessing Shared resource Hi everyone. I'm having a problem with Windows 2003, and I need your help. We have a shared resource in a Windows 2003 server, we created a DNS Alias to access it. Ex: resource.mydomina.com.br When my users try to access it, they are prompted with a screen to enter user name and password. All security rights are correct.. We had that problem installing Service Pack 1, before running Security Configuration Wizard. But in that server it is not installed. The most strange of all is that when we try to access from another computer it works. I don't know what to do.. adriao
Re: [ActiveDir] Problem accessing Shared resource
Just did a search and found KB896427 that may solve my problem. -Z.V. Za Vue wrote: I also have a share issue that is annoying, but I learned to live with it. VBScript maps a drive properly, but I cannot access "some folders". The error, "The specified server cannot perform the requested operation." However, on the same workstation, if I do \\servname\share then I can access everything fine. All permissions are propagated from parent folder, have double checked. The shares are on a member server. Server: All Windows 2003 w/sp1 Clients: All XP w/sp2 McNicholas, Joe wrote: Take a look at: Q281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name http://support.microsoft.com/default.aspx?scid=kb;en-us;281308 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: 30 January 2006 12:09 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem accessing Shared resource Hi everyone. I'm having a problem with Windows 2003, and I need your help. We have a shared resource in a Windows 2003 server, we created a DNS Alias to access it. Ex: resource.mydomina.com.br When my users try to access it, they are prompted with a screen to enter user name and password. All security rights are correct.. We had that problem installing Service Pack 1, before running Security Configuration Wizard. But in that server it is not installed. The most strange of all is that when we try to access from another computer it works. I don't know what to do.. adriao
Re: [ActiveDir] Outlook Exchange
1) File--Import/Export
2) Export to a file
3) Choose .pst
4) Choose folder
5) Browse to where you want to store the .pst file
6) Click finish

If this is not what you wanted then please rephrase your question. -Z.V. Subject: RE: [ActiveDir] Outlook Exchange NOBODY??? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of patrick Sent: Thursday, January 12, 2006 10:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Outlook Exchange Could someone please expand on how to setup a PST and how to get it to download to the pst so as not to stay on the email server? Thanks
Re: [ActiveDir] Windows update out of control??? [signed]
Sounds like a GPO lock down, permissions, or corrupted .CPL. -Z.V. Chris Neves [c] wrote: I was wondering if anyone else has lost control of the auto-updating feature of windows xp? When I go into the control panel of almost all of my window xp pro computer the auto-update settings are grayed out and unable to change them. Did this feature come down in a windows update or is it some dormant setting that was for some reason activated? Any help on this? It's driving me bonkers! Chris Neves Assistant Technology Coordinator Glendive Public Schools (406) 377-5265 ext 198 What is so wrong with reinventing the wheel? What about inventing fire over and over?
Re: [ActiveDir] Schedueled Tasks script in GPO
Gpupdate /force on wkstn and DC run with no error? -Z.V. Harding, Devon wrote: The script works with the non-privileged user logged in. Just not through the GPO. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia Sent: Monday, January 09, 2006 11:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Schedueled Tasks script in GPO Does the user running the job have the privileges to create and modify AT jobs? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon Sent: Monday, January 09, 2006 8:25 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Schedueled Tasks script in GPO When I run this script manually, it works and deletes system created At jobs. But when I place this in a logon script in GPO, it doesn't run. Any reason why?

    On Error Resume Next
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colScheduledTasks = objWMIService.ExecQuery _
        ("Select * from Win32_ScheduledJob")
    For Each objTask in colScheduledTasks
        intJobID = objTask.JobID
        Set objInstance = objWMIService.Get _
            ("Win32_ScheduledJob.JobID=" & intJobID)
        objInstance.Delete
    Next

Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469
Re: [ActiveDir] OT: Patch Management
Pretty much all patch management applications require a server. -Z.V. Pohlschneider, Chris wrote: Does anyone have recommendations for patch management software that could be installed on a desktop type system to manage a network with 120 nodes for updates and patches. I was looking at WSUS, but the requirements are that you need a server OS, plus the minimum requirements were pretty stout. Thanks in advance for recommendations!! Chris Pohlschneider Network Administrator Cenveo-Sidney 937-497-2136 [EMAIL PROTECTED]
Re: [ActiveDir] OT: Patch Management
We tested on wkstations and servers and decided it was not worth the hefty price. My opinion is that it is too slow, tested on a dual CPU P4 system. (Personally I think the GUI is ugly) We ran into firewall issues as well. I have a dedicated W23K server for WSUS, no problem. Microsoft workstations, Microsoft servers, why not make everything Microsoft? Makes life easier in my environment. Now if I can only get rid of those damn Macs. Z.V. Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: Shavlik runs from my Desktop. Za Vue wrote: Pretty much all patch management applications require a server. -Z.V. Pohlschneider, Chris wrote: Does anyone have recommendations for patch management software that could be installed on a desktop type system to manage a network with 120 nodes for updates and patches. I was looking at WSUS, but the requirements are that you need a server OS, plus the minimum requirements were pretty stout. Thanks in advance for recommendations!! Chris Pohlschneider Network Administrator Cenveo-Sidney 937-497-2136 [EMAIL PROTECTED]
Re: [ActiveDir] Windows 2003 Server
Impressive long signature. lol -Z. V. Lord, Joe wrote: Try stopping the print services first Joseph H. Lord Jr. Principal Network Administrator MCT; MOUS, CCNA, A+; MCP, MCSE, MCP+I (NT4); MCP, MCSE, MCSA (W2K); EIT / Shared Services / Cardinal Health 1515 Ivac Way Creedmoor, NC 27522 919-528-5200 Main, 5234 VM, 5237 Fax
[ActiveDir] Cannot Rename Workstation
I have an admin from across the campus that cannot rename a workstation in W23 AD. He is an admin of the OU. The only way to rename is to disjoin AD and rejoin with a new name. I am thinking that it could be a delegation issue. Thoughts and help.. -Z.V.
[ActiveDir] IIS6 Coldfusion MX 7
Sorry if this is not AD related, but I am having a hard time trying to get ColdFusion MX 7 running on a W23K Srv Web Edt. IIS6 is running fine. The CFMX7 ODBC services won't install. -Z.V.
Re: [ActiveDir] IIS6 Coldfusion MX 7
After over 20 times of removing and reinstalling, I think I got it working again. Will do some testing. Thanks for those that replied. -Za Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: Error messages? Log files? Events? Za Vue wrote: Sorry if this is not AD related, but I am having a hard time trying to get ColdFusion MX 7 running on a W23K Srv Web Edt. IIS6 is running fine. The CFMX7 ODBC services won't install. -Z.V.
Re: [ActiveDir] DHCP(ot)
Sounds like a squabble between Unix and Windows gurus. Who wants to control what service. If you will not be responsible for it then let them do. -Za Tom Kern wrote: Thanks. I think it has something to do with the "Network Group" wanting to have more control and central management over "Network Services" while the "Windows Group" manages "Windows" related stuff. They seem to make an artificial distinction (to me) between "Windows" stuff and "Network Infra" stuff. Also, they probably will make the argument that having this centrally managed in this manner will be more secure and manageable. In addition, they wrongly think that because Bluecat has an embedded linux kernel and thus fewer "moving parts", it's somehow more secure. At least that's my interpretation. To counter, I think DHCP is so integrated with DDNS and thus AD, that you shouldn't make that separation in this case. Also, I don't think less moving parts makes something automatically more secure. But that's just my uninformed opinion. Any other more informed ideas would be great. Thanks again On 12/19/05, Al Mulnick [EMAIL PROTECTED] wrote: I can honestly second that suggestion as the best advice. There are few technical reasons to make somebody want to purchase a third party DHCP server. I've seen some organizations spend big money (better than .5 million USD) on DNS solutions for no relevant technical reason, so I would not be surprised to see somebody want a third party DHCP solution for similar reasons. There are a few features that third-party DHCP vendors can implement that might be required by your company. I'd be surprised though to hear that your company suddenly has that set of requirements. Other reasons not to change? Added complexity that translates into added return to service times in the event of outages. Often solutions like this come with added learning and added processes that you otherwise wouldn't need/want. Lots of hidden costs in that sense. hope this helps, al On 12/19/05, Coleman, Hunter [EMAIL PROTECTED] wrote: Ask your company what problem they hope to solve, or what added functionality they hope to get, by going with a 3rd party product. Then ask them if that problem/functionality is worth the purchase and implementation cost. From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Monday, December 19, 2005 8:08 AM To: activedirectory Subject: [ActiveDir] DHCP(ot) My company wants to use 3rd party dhcp product like Bluecat's Adonis 500 or 1000 instead of Windows DHCP. Is there really any compelling reason to dump or not dump Windows DHCP? We are running a Win2k3 Forest FFL Win2k3 with all our clients Win2k pro at the moment and Exchange 2k3. We do have a lot of Solaris servers running Sybase and other backend network services as well. I'm just wondering what the pros or cons are of moving away from Windows DHCP in this area. I think the pros of WIN DHCP is it's free and the ability to prevent rogue DHCP servers (if they're running win2k and above, of course). I think most DHCP servers can do DDNS these days on behalf of the client so that's probably not an issue. Most can also give clients additional info in the scope options like dns ip, domain name, etc. So, I was wondering if I'm missing anything. Also, has anyone used Bluecat's DHCP product in their network? Thanks a lot
[ActiveDir] OS 10.4 and W23k Ad
Anyone have problems with Mac OS 10.4 binding to Windows 2003 AD? Once you bind the damn thing successfully and unbind it you cannot re-bind it again. I have about 10 of these Mac-Crap machines. No problem with OS 10.3 and below. I like to shove all these machines up Apple's azz..or my management. -Z.V.
Re: [ActiveDir] OS 10.4 and W23k Ad
I am running 10.4.3. -Z.V.
Kevin Gent wrote: upgrade to 10.4.3
- Original Message - From: Za Vue [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, December 16, 2005 2:13 PM Subject: [ActiveDir] OS 10.4 and W23k Ad
Re: [ActiveDir] OS 10.4 and W23k Ad
This computer is unable to access the domain controller for an unknown reason. Why can we all just get along? -Z.V.
Kevin Gent wrote: upgrade to 10.4.3
- Original Message - From: Za Vue [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, December 16, 2005 2:13 PM Subject: [ActiveDir] OS 10.4 and W23k Ad
Anyone have problems with Mac OS 10.4 binding to Windows 2003 AD? Once you bind the damn thing successfully and unbind it you cannot re-bind it again. I have about 10 of these Mac-Crap machines. No problem with OS 10.3 and below. I like to shove all these machines up Apple's azz..or my management. -Z.V.
Re: [ActiveDir] Win32Shutdown Method Win2003
I use PsShutdown.exe from www.systeminternals.com (free). Create a single batch file and run it. Here is my batch script to reboot all servers at once.
c:\tools\shutdown -r \\server1 (-r restart the machine)
c:\tools\shutdown -r \\server2
c:\tools\shutdown -r \\server3
c:\tools\shutdown -r \\server4
c:\tools\shutdown -r \\server5
c:\tools\shutdown -r \\server6
etc. etc.
PsShutdown.exe is just renamed to shutdown.exe. -Z.V.
Alain Lissoir wrote: Have you tried your script as a plain admin on server? I wonder if it is not a question of privileges ... Try to add to your script the following before connecting to the Root\CIMv2 namespace. Then retry ...
Set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
objWMILocator.Security_.Privileges.AddAsString "SeShutdownPrivilege", True
Set objWMIServices = objWMILocator.ConnectServer(strComputerName, cWMINameSpace, strUserID, strPassword)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon Sent: Wednesday, December 14, 2005 5:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Win32Shutdown Method Win2003
This script is part of another script that upon logon, checks certain registry values, then if the values are not set, the script then sets the value and logs off the current user. Like I said before, it works on Windows XP but not servers. Why?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Shaff Sent: Tuesday, December 13, 2005 7:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Win32Shutdown Method Win2003
The shutdown command works. Give that a shot. S
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon Sent: Tuesday, December 13, 2005 2:34 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Win32Shutdown Method Win2003
I'm using the following script to logoff a workstation. It works fine on XP workstations but does not seem to work on Windows 2000/2003 servers. Any Ideas?
Set objSystemSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")
For Each objSystem In objSystemSet
    objSystem.Win32Shutdown 0
Next
Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469
Re: [ActiveDir] Reducing number of Global Catalogs
Below is a quote from the WindowsITPro magazine. If you have just one domain, Microsoft recommends that you make all the domain controllers (DCs) GC servers so that your network won't incur any extra space usage or processing. In essence, the infrastructure Flexible Single Master Operation (FSMO) role still checks the GC for many operations. By making all DCs GC servers, you can spread the FSMO's request load to all DCs and prevent one DC from asking another DC for information that the first DC already has. Although the FSMO can't typically reside on a GC, you won't encounter any problems as long as only one domain exists because the FSMO won't need to keep track of any external domain objects. -Z.V.
Re: [ActiveDir] Reducing number of Global Catalogs
Who wrote it?
John Savill
John Savill is Director of Technical Infrastructure for Geniant. He is a CISSP, a Security and Messaging MCSE on Windows Server 2003, a six-time MVP, and a Krav Maga instructor. He is also the author of Windows Server 2003 Active Directory Design and Implementation from Packt Publishing (http://www.packtpub.com/book/active_directory). Email address: [EMAIL PROTECTED]
joe wrote: Wow who wrote that article in the magazine? That is pretty bad. The end result is the same though as stated by everyone so far. If you have a single domain there is only slight overhead if you make all DCs into GCs. The only overhead I can really think of is that you will have more global catalog DNS records and all DCs are listening on an extra 1-2 ports... That is easily outweighed by the gain of having lots of GC availability. Not sure what space usage you would incur by NOT doing it as indicated by the article. The whole IM role thing is pretty oddly described as well.
Re: [ActiveDir] W2K W2K3 environment.
Perhaps hiring an experienced MCSE contractor will help. Replication and other issues with AD almost always start with DNS. You are talking about redoing the whole AD structure and losing accounts and passwords? How large is the company? How will you implement Windows 2003 differently than you did Windows 2000? The languages on the workstations will not be an issue.
Jitendra Kalyankar wrote: Here is scenario that is currently being played in my company. We have W2K AD in place, we are not using GPOs except one or two. Now suddenly they (read managers) realized that we need to implement GPO extensively. There are issues with current AD infrastructure like replication is not proper, DNS etc. And other thing is my company has at least 12 different languages that we have to support on Windows XP OS. Now there are two groups in company one is saying go for fixing the existing infrastructure and second is saying go for W2K3 since the W2K is almost non-existent. My question to list is what would you suggest in this situation. Any insights, inputs are more than welcome. Also I will keep posted about the decision we (read managers) make, we are having a meeting with Microsoft for this but just as heads up I need to understand obvious pitfalls if any. -- Sincerely, Jitendra Kalyankar
Re: [ActiveDir] W2K W2K3 environment.
It was never done right from the start that is why you are having problems. Sounds like the IT team lacks AD knowledge. First thing you need to worry about is DNS before anything else. When DNS is working properly things will fall into place a lot more smoothly. Z.V.
Jitendra Kalyankar wrote: Company is large and distributed across the globe in around 66 countries. Here is other thing, I just joined the team about say 3 months back and found out many things that need urgent attention to state a few, first was replication which right now is fixed. Not perfect but working okay for the time being. Second is DNS which is a *nix based DNS. What will be the solution for this problem, I can setup a Windows DNS and/or I can put a Read-Only Windows DNS inside each big site. The list of problems can go on and on. Anyways I have same opinion that we need to fix the current infrastructure first, but making sure that my reasoning is correct. Sincerely, J
On 12/14/05, Mike Williams [EMAIL PROTECTED] wrote: We went through that a while back. If your current environment is not running properly group policies won't apply correctly. They will be hit and miss as to which workstations they apply to. AD problems usually track back to DNS problems. Fix your current problems first.. Mike
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jitendra Kalyankar Sent: Wednesday, December 14, 2005 10:39 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] W2K W2K3 environment.
Here is scenario that is currently being played in my company. We have W2K AD in place, we are not using GPOs except one or two. Now suddenly they (read managers) realized that we need to implement GPO extensively. There are issues with current AD infrastructure like replication is not proper, DNS etc. And other thing is my company has at least 12 different languages that we have to support on Windows XP OS. Now there are two groups in company one is saying go for fixing the existing infrastructure and second is saying go for W2K3 since the W2K is almost non-existent. My question to list is what would you suggest in this situation. Any insights, inputs are more than welcome. Also I will keep posted about the decision we (read managers) make, we are having a meeting with Microsoft for this but just as heads up I need to understand obvious pitfalls if any. -- Sincerely, Jitendra Kalyankar
Re: [ActiveDir] Home directories issue
A couple years ago we had a similar problem but it was with NT4.0 clients only. I use \\srvname\profiles\%username%. Never have a problem. -Z.V.
Condra, Jerry W Mr HP wrote: Home directories issue
Hoping someone has seen this problem before. Users are mapping home folders using AD profile tab which maps X: to \\servername\home\joe.user . Occasionally, upon logon, users will map to \\servername\home and not all the way to their own home directory. I've seen several blogs and the same problem posted elsewhere but no cause or solution. Thanks Jerry
Re: [ActiveDir] I need an auditing and control solution [and yes I'll even fork money out for this]
Depends on how many folders you are talking about. NTFS can be applied to folders. My users can only open the folders, can't move folders, can't delete folders, can't rename folders, can't create folders, etc. They can modify files inside their prospective folders. -Z.V.
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: Problem -- the 'fatal finger syndrome'
I have a collaborative firm. There are certain folders that everyone in the office [well with very few exceptions anyway] need to get into. Due to mouse's and dexterity over the years individuals have been the root cause of my fatal finger syndrome a condition where one person clicks on a folder and accidentally slides it under a neighbor. These days we don't freak, we just look around and find the slid folders and move them back. So the other day, under a certain folder, client folders beginning with the letters co through zz end up ...not slid...not moved, but gone, deleted. Now between the shadow file copy that the system does, the robocopy batch file [yes I actually wrote a small bat file, Joe would be so proud] to pull off copies of that one drive to a spare hard drive, and nightly backups, I have enough paths to ensure that I've got multiple ways to get to that data so that it was minor to push the data back but it's obvious to me I need way better control over the fatal finger syndrome. I'm stuck in the position of ...that I can't [as far as all that I've ever been able to find] unable to set permissions in such a way to allow for creating folders, but not sliding folders nor deleting them. I'm going to review adjusting 'object access' for those series of folders and look into a 'dump to storage' of an auditing software since I know this will increase my already noisy security log files.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/50fdb7bc-7dae-4dcd-8591-382aeff2ea79.mspx
I'm testing out whacking off/disabling cut and paste and seeing if that freaks anyone out in the office [I believe the disabling of cut and paste in IE will also affect the Windows explorer?] Stupid questions...
1. Any other ideas or suggestions from the AD gurus to minimize this 'fatal finger syndrome' that I'm fighting
2. To better track the issue? Flag it? Control it? Stop it? Besides hitting people upside the head?
I've got the recovery process/procedures so that I can restore data, but I'd like it either stopped or identified as it happens.
Re: [ActiveDir] I need an auditing and control solution [and yes I'll even fork money out for this]
So give them permission to create folder, but not delete them. I have a department share that is seen by 300 users. They can create as many folders as they want, but they don't have access to delete them. -Z.V.
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: I need them to be able to create new folders on a regular basis under two main folders. [new clients you know] Litigation clients --- name of each partner [yes they are management so one has to propose reasonable solutions] client subfolders Due to our collaborative needs they need to get into each other partner folders and not just their own and always be able to create new folders.
Za Vue wrote: Depends on how many folders you are talking about. NTFS can be applied to folders. My users can only open the folders, can't move folders, can't delete folders, can't rename folders, can't create folders, etc. They can modify files inside their prospective folders. -Z.V.
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: Problem -- the 'fatal finger syndrome'
I have a collaborative firm. There are certain folders that everyone in the office [well with very few exceptions anyway] need to get into. Due to mouse's and dexterity over the years individuals have been the root cause of my fatal finger syndrome a condition where one person clicks on a folder and accidentally slides it under a neighbor. These days we don't freak, we just look around and find the slid folders and move them back. So the other day, under a certain folder, client folders beginning with the letters co through zz end up ...not slid...not moved, but gone, deleted. Now between the shadow file copy that the system does, the robocopy batch file [yes I actually wrote a small bat file, Joe would be so proud] to pull off copies of that one drive to a spare hard drive, and nightly backups, I have enough paths to ensure that I've got multiple ways to get to that data so that it was minor to push the data back but it's obvious to me I need way better control over the fatal finger syndrome. I'm stuck in the position of ...that I can't [as far as all that I've ever been able to find] unable to set permissions in such a way to allow for creating folders, but not sliding folders nor deleting them. I'm going to review adjusting 'object access' for those series of folders and look into a 'dump to storage' of an auditing software since I know this will increase my already noisy security log files.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/50fdb7bc-7dae-4dcd-8591-382aeff2ea79.mspx
I'm testing out whacking off/disabling cut and paste and seeing if that freaks anyone out in the office [I believe the disabling of cut and paste in IE will also affect the Windows explorer?] Stupid questions...
1. Any other ideas or suggestions from the AD gurus to minimize this 'fatal finger syndrome' that I'm fighting
2. To better track the issue? Flag it? Control it? Stop it? Besides hitting people upside the head?
I've got the recovery process/procedures so that I can restore data, but I'd like it either stopped or identified as it happens.
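The permission set discussed in this thread (users can browse, create folders and edit files, but cannot delete, rename or move folders), written out as an added PowerShell example that is not from any poster. The demo path under %TEMP% and the built-in Users group standing in for the staff group are assumptions; run it elevated on an NTFS volume.

```powershell
# Added example, not from the thread. $Root and $Group are assumptions standing in
# for the real share root and the real staff group.
$Root   = Join-Path $env:TEMP 'ClientShareDemo'
$Group  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users
$Admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
$System = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # Local System

New-Item -ItemType Directory -Path $Root -Force | Out-Null

function New-AllowRule($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

$acl = Get-Acl -Path $Root
# Stop inheriting from the parent and drop the inherited ACEs (broad grants usually
# arrive that way), then clear any explicit ACEs left on the demo folder.
$acl.SetAccessRuleProtection($true, $false)
foreach ($r in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
    [void]$acl.RemoveAccessRule($r)
}

# Administrators and SYSTEM keep full control of everything below the root.
$acl.AddAccessRule((New-AllowRule $Admins 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
$acl.AddAccessRule((New-AllowRule $System 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))

# Folders (this folder and all subfolders): browse, create subfolders, add files.
# Neither Delete nor DeleteSubdirectoriesAndFiles is granted, so a folder cannot be
# deleted, renamed, or dragged under a neighbour (a move needs Delete on the source).
$acl.AddAccessRule((New-AllowRule $Group 'ReadAndExecute, CreateDirectories, CreateFiles' 'ContainerInherit' 'None'))

# Files only (inherit-only, so it never applies to a folder itself): Modify.
# Modify includes deleting a file, which editors that save through temp files need.
$acl.AddAccessRule((New-AllowRule $Group 'Modify' 'ObjectInherit' 'InheritOnly'))

Set-Acl -Path $Root -AclObject $acl

# Check: no Allow ACE that applies to the folder itself gives the group a delete right.
function Test-NoFolderDelete([string]$Path, $Identity) {
    $blocked = [int][System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $onThisFolder = -not ([int]$r.PropagationFlags -band 2)    # 2 = InheritOnly
        if ($r.IdentityReference.Value -eq $Identity.Value -and
            $r.AccessControlType -eq 'Allow' -and
            $onThisFolder -and
            ([int]$r.FileSystemRights -band $blocked)) { return $false }
    }
    return $true
}

# A folder created afterwards inherits the same restriction.
$sub = New-Item -ItemType Directory -Path (Join-Path $Root 'NewClient') -Force
foreach ($p in $Root, $sub.FullName) {
    '{0}: folder delete withheld from group = {1}' -f $p, (Test-NoFolderDelete $p $Group)
}
```

Whoever creates a folder becomes its owner, and an owner can always change that folder's permissions, so object-access auditing on the share is still worth having alongside this.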
Re: [ActiveDir] Help with VB script to map printers
Below is an example in my environment:
If IsMember("GROUPNAME") Then
    MapDrive "G:", "\\SERVER\SHARE$"    ' I hide all my user shares
    MapDrive "P:", "\\SERVER\SHARE-2$"
    gDrive = "G:\"
    pDrive = "P:\"
    oShell.NameSpace(gDrive).Self.Name = " RENAME Share"    ' Rename the hidden share
    oShell.NameSpace(pDrive).Self.Name = "RENAME Share"
    Prn.AddWindowsPrinterConnection "\\Server\PrinterName"    ' Map the group to a network printer
    Prn.SetDefaultPrinter "\\Server\PrinterName"    ' Set the default printer for a group/OU
End If
** Let me know if someone wants the full script. -Z.V.
Active Directory wrote: RE: [ActiveDir] Help with VBScript to map printers
If you are using that exact script. Line eight asks for UNCpath3 Line 3 & 4 specify UNCpath2 change UNCpath2 on line 4 to UNCpath3 hth Rick
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger Sent: Wednesday, December 07, 2005 1:10 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Help with VBScript to map printers
Hi I am trying to modify a VBS found on the Internet to map multiple printers. This will be run for every user in an OU. I keep getting the following error for line 8: 8007007B - The filename, directory name or volume syntax is incorrect I have played around with the syntax but think I am missing something very basic here. Any thoughts? I got this from: http://www.computerperformance.co.uk/ezine/ezine16.htm#Example%203:%20Mapping%20Multiple%20Printers
' Poached from Guy Thomas February 2004.
' **
Dim multiPrinter, UNCpath1, UNCpath2, UNCpath3
UNCpath1 = "\\server.abc.private\HP Color LaserJet 3500"
UNCpath2 = "\\server.abc.private\HP LaserJet 3300"
UNCpath2 = "\\server.abc.private\HP LaserJet 5000"
Set multiPrinter = CreateObject("WScript.Network")
multiPrinter.AddWindowsPrinterConnection UNCpath1
multiPrinter.AddWindowsPrinterConnection UNCpath2
multiPrinter.AddWindowsPrinterConnection UNCpath3
' WScript.Echo "Your printer is mapped from : " & UNCpath1 & _
' "and from : " & UNCpath2
WScript.Quit
' End of VBScript
[ActiveDir] [Fwd: ColdFusion Administrators!]
Anyone seen the error below before? Can someone assist me here?
Server: Windows 2003
CF: Version 7.0
*** Server Error
Either the Macromedia application server is unreachable or it does not have a mapping to process this request.
[ActiveDir] Track User Disk Space
Someone dumped 2 GB of data on a file server since two days ago. This is unlikely and not normal in my environment. What is the best way to find out other than comparing folder by folder? -Z.V.
Re: [ActiveDir] removing computer problem
1) DNS DNS
2) Try ADSI tool
Roseta radfar wrote: Hello, I have a domain and several computers in that. Two or three of the computers have been disconnected from domain without being removed from AD first. Now I can not remove it from AD. It gives me this error: The DSA object can not be deleted. What is the way to remove these computers from AD? Thanks in advance roseta
Re: [ActiveDir] Limiting User Logon to Specific Machines
I agree that GPO is the route to take. There is too much work keying in what workstations an account can log into. I placed all lab machines and lab accounts into a single OU and apply GPO.
ASB wrote: One option is to deny Logon access to this account via User Rights on machines outside the lab. Configure with GPO. -ASB FAST, CHEAP, SECURE: Pick Any TWO http://www.ultratech-llc.com/KB/
On 11/3/05, David Aragon [EMAIL PROTECTED] wrote: Background: We are a fair sized university. Before any students can use any of the computing resources on campus they have to demonstrate a level of knowledge or take a class (3 hours a week for 16 weeks) on basic computing skills (this class also covers how to use the various pieces of software available to them in the regular computing labs across campus). The lab we use consists of about 250 workstations. There are usually three full classes run each semester. To simplify things, we have created a communal user for use within the lab. This carries with it certain security risks we are trying to minimize. One thing we wanted to do was to limit the use of this communal user to the systems within the lab. That is, we don't want this user object to be able to log on to any other system within the university (1 domain, 1 site, approx 8000 systems across 18 OU's).
Problem: The "Log On To" setting in the user object seems to be limited to 64 NetBIOS names and 1024 bytes of information. Does anyone have any ideas? I'm sure I've just overlooked something basic. Thank you in advance for your comments and suggestions.
David Aragon
Re: [ActiveDir] Restricted Groups question
Just tell everyone to log in using the default Administrator account and leave the password blank. Tell the users to change it later. What company is this?
Is there any way to add Authenticated Users built-in group to the local administrator group on every PC using restricted groups GPO? Basically I want an easy way to make sure all users are local admins on their PCs without creating a custom group. Should I just use xxx\domain users instead?
Re: [ActiveDir] LastLogon timestamp
I used 3rd party software Hyena.
Rimmerman, Russ wrote: What's the easiest way to find out the last logon time of a user account? And if you have 50 domain controllers, would you have to query each one for it, or is this replicated some how? We're in a native win2k domain with mostly win2k3 DCs. Thanks
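On the question of whether every domain controller has to be queried: the lastLogon attribute is kept separately on each DC and is not replicated, so the account's real last logon is the newest value found across all of them. An added PowerShell example, not from the thread; the DC names and values in the sample are constructed, and the live query assumes the ActiveDirectory module.

```powershell
# Added example, not from the thread. Each DC keeps its own lastLogon for an account.
# The value is a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means no logon was
# ever validated by that DC.

# Live collection: assumes the ActiveDirectory module (RSAT) and a reachable domain.
function Get-PerDcLastLogon([string]$SamAccountName) {
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties lastLogon -ErrorAction Stop
            [pscustomobject]@{ DC = $dc.HostName; LastLogon = [long]$u.lastLogon }
        } catch {
            # Keep unreachable DCs in the result: the answer is incomplete without them.
            [pscustomobject]@{ DC = $dc.HostName; LastLogon = $null }
        }
    }
}

# Reduce the per-DC records to one answer and say which DCs could not be asked.
function Resolve-LastLogon([object[]]$Records) {
    $answered = @($Records | Where-Object { $null -ne $_.LastLogon })
    $newest   = $answered | Sort-Object LastLogon -Descending | Select-Object -First 1
    $hasLogon = ($null -ne $newest) -and ($newest.LastLogon -gt 0)
    [pscustomobject]@{
        LastLogonUtc  = if ($hasLogon) { [DateTime]::FromFileTimeUtc($newest.LastLogon) } else { $null }
        SeenOn        = if ($hasLogon) { $newest.DC } else { $null }
        DCsAnswered   = $answered.Count
        DCsUnanswered = @($Records | Where-Object { $null -eq $_.LastLogon } | ForEach-Object { $_.DC })
    }
}

# Constructed sample standing in for Get-PerDcLastLogon output (runs without a domain).
$sample = @(
    [pscustomobject]@{ DC = 'dc01.example.test'; LastLogon = 127737216000000000 }
    [pscustomobject]@{ DC = 'dc02.example.test'; LastLogon = 127742400000000000 }
    [pscustomobject]@{ DC = 'dc03.example.test'; LastLogon = 0 }       # never logged on here
    [pscustomobject]@{ DC = 'dc04.example.test'; LastLogon = $null }   # DC did not answer
)

Resolve-LastLogon $sample | Format-List
```

A non-empty DCsUnanswered list means the reported time is only a lower bound, which matters before disabling an account as stale.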
Re: [ActiveDir] salary(OT)
What you say, the employer might be on this forum. -z.v.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Wednesday, October 12, 2005 9:37 PM To: activedirectory Subject: [ActiveDir] salary(OT)
well, I've been consulting for 2 months full time for a company and now they want to make me an offer to work for them (yeah, I'm amazed too..) At first it was a head/senior AD position but now they want to throw in Exchange in the mix. they used to outsource all their windows infrastructure and during my tenure there, they took it back so they have no AD/Exchange people. This is a 3000 user financial corp in Manhattan. my question is, what kind of salary would one expect for a such a position, taking into account the business and location and size. thanks