Oh get over it Joe. Don't be such a weenie. Live life on the edge and
use security group filtering on GPOs. It's good fun and good for you :-)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, March 27, 2004 6:47 PM
To: [EMAIL PROTECTED]
Seems that there was a little talk about
Longhorn. Was anything said about an interim version of Windows before
Longhorn? i.e. Windows 2005..6..7…
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, March 27, 2004
6:47 PM
To: [EMAIL PROTECTED]
Su
Nothing appeared in the event logs. I
was able to clear up the problem. Do know why this worked but here is
what I did:
Added the new Enterprise Admin to the
Remote Desktop tab in SYSTEM properties. Let him log in successfully, had
him log off, removed him from Remote Desktop tab, ha
Oh, I misunderstood you I think Joe. You mean when you update
msds-someotherattribute it does the userAccountControl for you as well
and vice-versa as well?
If so, yea, only DCs with a writable copy of the NC would need that
change you described as GCs that do not have a writeable copy of the NC
wo
> 1. Caching Domain Controllers - basically a DC that did
> 2. Multiple domain hosting from a single DC.
In combination, these would definitely be nice for larger environments that
have multiple Domains with cutting down on hardware costs. Although I
suppose individual DC's would need to be a b
You "actually" agree? Ye of little faith! :)
The hotfix and schema update thing you toss in would need to be
forest-wide (of course schema is implicitly, but fix would need to be as
well) as userAccountControl is part of the PAS. It is, IMHO, not a
solution to this problem. Say we need to get rid
Title: Server Membership
Also when you VPN in some VPN clients will
kick a pass reset as well. I forget what the process is (I’m so not a VPN
guy) but if memory serves me correctly it is only those that support an
interactive logon. Don’t quote me on that, and let me know if I should
get an
Unfortunately no, no way to test in an isolated way like that without
bringing at least the root with you and probably any other domains.
I guess you need to find out how important this is. If it is truly critical
to know this will work in a disaster you need to do one of two things.
1. Get the
Title: Message
Hmmm did you do a reply instead of a
forward?
Did Matt agree with your answers?
-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David
EyesSen
Cool and I actually agree.
The constructed causes all sorts of issues, breaks all sorts of legacy code,
especially anything that would search. So doing the additional method type
attribs that would update useraccountcontrol on the user's behalf should be
something that could work though obviously
Hey Michael, looks like you got an answer from Darren (though I dislike
processing GPOs based on group memberships). However, would it be ok to ask
WHY you would want to do this? Setting up DCs as one offs is usually a great
way to court a troubleshooting problem that is a pain in the butt to resol
This is very cool Darren, thanks for sharing.
-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, March 19, 2004
Title: Message
This really isn't an AD issue so the proper expertise may
not exist on this list. I would recommend going to the Microsoft Newsgroups and
asking the question. Specifically the IIS groups.
-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewa
You guys have come a long way and have addressed every issue I came up with.
Us Admins can't expect every product from every vendor to be perfect out of
the gate. We should expect though that vendors listen and help find
solutions (and make corrections) when we find issues. When I find vendors
th
I'm still trying to get over your desire to do a mass update to all of your
DCs at once. You are much braver than I am and much braver than many I have
spoken with. For the most part people consider DCs to be special and not to
be automatically patched en masse like that. The reason being if there
Title: Server Membership
30 days (w2K+) but you can actually go two password
change periods and the machine will be ok so 60 days. NT is 7 days (and 14
days). Outside of that you can do a reset of the password and the machine will
be ok again. Alternatively you can disable the functionality o
That almost sounds like a disk space or permissions
issue... I.E. it is trying to create the local profile, failing, and blowing the
user off. Anything in the event logs?
joe
-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
Title: Message
Alex has a forum you can use to get help, he is very
responsive. I like the product, he has done a good job with
it.
-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PR
I have a general comment for this and kind of curious what
people are doing in this area...
Most products check for availability of the server via
pinging and agents that scrape events and report availability of servers in
terms of whether the server returns a ping or not. This is obviously
If you have Sign Comm Always enabled you will not be able to talk to that
server with a downlevel client. You can disable that policy and in fact
anyone running legacy clients almost always does disable that if they can't
just kill all of the legacy clients in one fell swoop.
We actually have disb
DEC was indeed cool. I am not under NDA for it that I
am aware of. In fact I would expect Gil would like to hear people chattering
about the conference as it will drive more people to it. And again, I don't do
many conferences but this one is exceptionally good in terms of anything I have
be
Why in all the zillion lists I am on do people on this list turn that
notification on? Really curious, thinking I might be off my boat
somehow?
Thanks,
jlc
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archi
Guido and Joe,
First of all, thank you for all your advice and help.
You guys are absolutely right, we should have never gotten a domain if they didn't
trust us with Enterprise admin rights over the forest. I assume they can't shake the
Win NT view of domains yet.
However this was a management
They need WP (Write Property) on the member attribute of the group.
Assuming the following
OU: GroupTestOU
Delegated Admin Group: joe\TestOU-GroupTestOU-GrpAdmin
You can use the following DSACLS command on the OU to delegate the ability
to change membership to all groups within the OU.
dsa
In addition to all the great questions and suggestions so far I would ask,
if only one person is trying to do something does it work ok or is it ALWAYS
slow no matter what?
If it gets slower and slower with more people you could be dealing with a
variety of network issues with a start being the fi
Check out accexp on www.joeware.net on the free c++ win32 tools
page
[Sat 03/27/2004
17:35:28.94]F:\DEV\cpp\AccExp>accexp
AccExp V01.01.00cpp Joe Richards ([EMAIL PROTECTED])
August 2002
Usage: AccExp user date [/s
machine]
user User ID to
view/modify
date
Title: [ActiveDir] disaster recovery
Excellent post.
I just wanted to jump in and reemphasize that
point.
Restoring a single domain of a forest in an isolated
environment and expecting it to work is unrealistic. I agree with Guido in that
you never should have been given admin rights int
Hmm. Can a non-perl person understand the perl code...
Depends on the non-perl person I guess. That perl that makes up that script is
not the easiest to convert to vbscript. If vbscript would have been easy to do
this in, I probably would have gone that way, overall though I have to say that
Hey Tom.
Something I have discussed on this list previously and was a topic for one
of the presentations at DEC by Intel is the idea of using Virtual Server or
VMWare for Virtual DCs. Then you can pick up the virtual disk image and take
it anywhere...
For example, always have a Virtual DC (for ev
While I (personally, speaking in a position of no power over this) tend
to agree that userAccountControl should be many attributes (IMHO anyway
for Joe's reason as well as others not cited in this thread), the
concept of having it as a constructed attribute (I assume that's what
you mean when you s
Cute solution to an MS Generated issue. Yes, MS, you shouldn't have put
everything into useraccountcontrol attribute like that... That should have
been a generated attribute (or something else if you still needed it there)
I think and the real info stuffed into other locations so it could be
delega
Howdy all, reviving this chain for a moment...
Someone contacted me on this via email when I came back from DEC so I
whipped up the joeware tool to do the address to subnet/site name mapping...
You can find it on the joeware site with all of the other free tools on the
Free Win32 C++ Tools page. I
Mike,
I haven't tested this out, but I suppose that one could do as you suggest
and run a script similar to the following:
Dim User
Dim UserName
Dim UserDomain
Dim AccountExpirationDate
UserDomain = "Target_User_Domain"
UserName = "Target_User_Name"
Set User = GetObject("WinNT://" & UserDomain
Hi Rick,
Thanks for the feedback! That's exactly what I thought would happen but I needed
an expert's view! I was thinking instead I could achieve roughly the same effect by
giving the group read/write access over the User Account property named
"AccountExpires" and set it to the current ti
"BTW, if you
didn't go to the Directory Experts Conference, you missed a good time. NetPro
did a good job and there was a lot of good discussions. Plus some of the stuff
Stuart was talking about was pretty darn cool. "
Firstly, just rub it
in. Secondly, are you under NDA? Cut loose
Mike,
The property that you're looking to delegate is the 'Write
userAccountControl'. However, that does open up an interesting can of
worms. The userAccountControl property, as you may well know, is a series
of flags that control a number of aspects of the user account - enable (flag
val
Thanks for the reply..your answer I was I was thinking was best
method.
Nathan
Nathan Casey
Network Analyst
WGS-ISD County of Sonoma
[EMAIL PROTECTED]
(707) 565-3519
>>> [EMAIL PROTECTED] 03/26/04 07:09PM >>>
Simple answer: It is by
design. In windows 2003, if you have a DNS zone, the DCP