RE: [ActiveDir] Trusting Domain SIDs

2004-10-28 Thread joe
Ah ok, I wondered if that was the one that was being discussed, I didn't want to assume it was something that I knew. That one does work for sure in ADFIND I know. :o) joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian De

RE: [ActiveDir] install on logon, uninstall on logoff

2004-10-28 Thread Darren Mar-Elia
Yes, you can use that option for user-assigned software but then of course it presumes the user has indeed fallen out of scope, which means you either have to move the user or the GP scope. Probably not practical. Also, the uninstall for this is only done during foreground (i.e. user logon) pro

RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread joe
Oh that hurts my stomach laughing that hard... You could take that all over the place with innuendo... _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Thursday, October 28, 2004 7:03 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FW: Exchang

RE: [ActiveDir] Trusting Domain SIDs

2004-10-28 Thread joe
I query for specific oids. It's all in the ethereal trace :oP joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 28, 2004 6:40 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Trus

RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Passo, Larry
I've been expecting a schema virus for some time. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza Sent: Thursday, October 28, 2004 5:13 PM To: ActiveDir List Subject: Re: [ActiveDir] FW:

Re: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Rick Boza
OK, now you’re frightening me... On 10/28/04 7:03 PM, "Robert Rutherford" <[EMAIL PROTECTED]> wrote: *Rob snuggles up close to SBS2003 and puts his arm around her* *He whispers * 'It's OK... you may not be the most secure system but I still

RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Brian Desmond
>*He whispers * 'It's OK... you may not be the most secure system but I still think your kinda sexy' So are you saying SBS sleeps around? Thanks. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101

RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Gil Kirkpatrick
Ew. Too much information! That picture is going to be stuck in my head for the rest of the day. -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Thursday, October 28, 2004 4:03 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir]

RE: [ActiveDir] install on logon, uninstall on logoff

2004-10-28 Thread Brian Desmond
I never use user assigned SW. Is there an “Uninstall SW when it falls out of the scope of mgmt” checkbox for user assigned stuff? This tells a PC to uninstall the SW if the GPO no longer applies. Thanks. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v -

RE: [ActiveDir] Trusting Domain SIDs

2004-10-28 Thread Brian Desmond
trustedDomain. The attribute is securityIdentifier – syntax is SID. There is another documented attribute domainIdentifier. But it seems to be null on the 356 (give or take a few) incoming NT4/W2k/W2k3 trusts I have. I ended up just sending an adf

RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Robert Rutherford
*Rob snuggles up close to SBS2003 and puts his arm around her* *He whispers * 'It's OK... you may not be the most secure system but I still think your kinda sexy' From: [EMAIL PROTECTED] on behalf of joe Sent: Thu 28/10/2004 23:20 To: [EMAIL PROTECTED] Subj

RE: [ActiveDir] AD replication impact from inserting OU in the middle?

2004-10-28 Thread joe
Hmmm, interesting question. I think it would just have to send the new DNs around to everything. If you have any change in security in that new level that could cause some work for the DCs as well. I don't think I would be as concerned about replication as I would about hard coded DNs in non-linke

RE: [ActiveDir] Application Partition Replication

2004-10-28 Thread Myrick, Todd (NIH/CIT)
Thanks Dean, I figured as much. The explanation offered by the AD team was that MSFT said application partitions are replicated differently and have special requirements in 2K3. I think the reason we are having the issues is because 2003 AD is a

RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Michael B. Smith
You can use your own, Mr. HumorExpress! :-) M From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 28, 2004 6:17 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FW: Exchange 2003 on DC Humour! I wonder if I could slip that by as an MVP Community

RE: [ActiveDir] install on logon, uninstall on logoff

2004-10-28 Thread Darren Mar-Elia
A logoff script is likely the only way this is going to work. Mostly because there is nothing in policy processing that runs at logoff (other than a logoff script of course and that actually runs outside of policy processing). One thing you could do, if you don't really need to remove the wh

RE: [ActiveDir] Trusting Domain SIDs

2004-10-28 Thread joseph.e.kaplan
That’s a good approach, especially for those particular types. The problem is basically impossible to solve in general, but you can make some good guesses in some cases. Do you try to parse the abstract schema (CN=Aggregate,CN=Schema….) or re

RE: [ActiveDir] Application Partition Replication

2004-10-28 Thread joe
Yeah so basically for replication[1]... App partitions are different because they don't replicate into "the GC". Another arguable difference is that you explicitly pick which machines have the partition. I say that is arguable because you do pick whic

RE: [ActiveDir] Application Partition Replication

2004-10-28 Thread Eric Fleischman
I usually tackle such issues by first turning up KCC logging to 4 or 5 and seeing if that clues me in. If you don’t see it from that, send me the DS event log after turning KCC logging to 5 and running KCC once + ldif dump of your config NC. With those tw

RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread joe
Ack, you said SBS... I await the day that someone writes a bad virus that targets Domain Controllers. I figure that the SBS machines will be the first to get hit with something like that since there are so many vectors to the security bastion on that product. joe

RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread joe
Humour! I wonder if I could slip that by as an MVP Community KB... Do we need a passport to submit? Michael, what's your password ID and password... joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Thursday, October 28, 2004 5:43 PM To: [EMA

RE: [ActiveDir] groups vs attributes

2004-10-28 Thread joe
I don't know if I like this as a generic solution Gil. o Most people have issue enumerating/understanding ACLs to start with. o You can't really query it. o Only viable from Windows. o Resolving SIDS to names for all of the ACEs would be on the slow side. o No auto cleanup if someone were de

RE: [ActiveDir] groups vs attributes

2004-10-28 Thread joe
This thread went all over the place so I came back to the original post. Right off I am assuming LDAP based apps not running on MS Platform. If they are running on MS, have them look at the azman stuff. I would ask the developers specifically what are they doin

RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Michael B. Smith
Just because there is a passing similarity to Windows Server, SBS is really another product entirely. :-) :-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Thursday, October 28, 2004 5:24 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FW:

RE: [ActiveDir] script logic question

2004-10-28 Thread Creamer, Mark
Thanks Joe...that's surprisingly clear to me. Scary...I must be finally absorbing some wisdom. No more deer-in-the-headlights for me (well, maybe not as much) Thanks also to the other folks who commented on this issue, as always. Y'all are awesome Now on to the script editor. -Original Mes

RE: [ActiveDir] groups vs attributes

2004-10-28 Thread joe
I just wanted to point out on this post that user isn't an objectcategory, this would get changed to be objectcategory=person. For all intents and purposes for this specific filter, it would be just as efficient but could hurt you in other queries. joe From:

RE: [ActiveDir] Application Partition Replication

2004-10-28 Thread Dean Wells
As with the well-known 3 partitions, app. partitions, their connection objects and the resulting replica links are handled by the KCC, ISTG and DRA. Site structure is taken into account, in short they're treated the same as the domain NC with the possible

RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Robert Rutherford
I can buy a 2900i (with ISDN backup) for £155, so say $90 or so. An absolute bargain. I have used them and know of many others who have used them for years. Check the draytek website. I'm not completely bias as I'm big into Checkpoint and also know Watchguard and Sonicwall. The Drayteks are ju

RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Michael B. Smith
MeOW! I was asking for documentation for my customer file, thank you! :-) M From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 28, 2004 4:44 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FW: Exchange 2003 on DC Don't install Exchange on a Dom

RE: [ActiveDir] install on logon, uninstall on logoff

2004-10-28 Thread Michael B. Smith
Robbie and I chat just about every day. :-P   Robbie said that that was a section that Alistair wrote, but that as far as he knew, a logoff script was the only way to do it. I messed around with it a little bit and found that it's non-obvious, and somewhat slow, but it surely can be done.  

RE: [ActiveDir] OT:Exchange MU

2004-10-28 Thread Mulnick, Al
I'd say in this case, at least failures (logon events) but success would be handy as well I'm guessing. Be sure you leave enough room for the event log and you set it to wrap vs. shutting down etc. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ker

RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Salandra, Justin A.
Fortigate goes for $1500, how much does the Draytek Vigor 2600i go for? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, October 28, 2004 4:55 PM To: [EMAIL PROTECTED] Subject: RE: [Ac

RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread Ken Cornetet
Um, SBS users don't have a choice... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 28, 2004 3:44 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FW: Exchange 2003 on DC Don't install Exch

RE: [ActiveDir] Which is better

2004-10-28 Thread Passo, Larry
Not actually, Digital Signatures, Digital Envelopes, and Kerberos all use what Asymmetric Cryptography (aka Public/Private Keys). But the techniques are used for different purposes. The term "AD Kerberos" is meaningless. AD is the database that contains the actual usernames and passwords (amo

[ActiveDir] Auto LinkIDs - Bad vendors stop making up your own linkids...

2004-10-28 Thread joe
Hey, I wanted to post a link to this great blog by ~Eric concerning Auto-LinkIDs. VENDORS [1] TAKE NOTE OF THIS BLOG ENTRY http://blogs.msdn.com/efleis/archive/2004/10/12/241219.aspx Basically ~Eric is the first on the block to document functionality built into Windows AD 2003 and AD/AM to

RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Kern, Tom
i have a Watchguard firebox X -Original Message- From: Robert Rutherford [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Thursday, October 28, 2004 4:40 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote DSL link Wel

RE: [ActiveDir] ad partition rights

2004-10-28 Thread joe
Yep. Sakari and Mika did a good job with that book and the first version. I think permissions are chapter 4... I recall reading the first edition and stopping cold on that chapter for a good month or two and then started telling everyone they needed to read that book.   Don't feel bad for no

RE: [ActiveDir] FW: KDC Errors--Help

2004-10-28 Thread joe
ldp is a pain... Too easy to blow the various options as they are in all sorts of different places. Try this adfind -gc -b "" -f "&(objectcategory=computer)(servicePrincipalName=MSSQLSvc/ourserver.ourdomain.org:1523)" servicePrincipalName That will dump all objects (and SPNs) with that

RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Salandra, Justin A.
How much does the Draytek Vigor2600i cost? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Thursday, October 28, 2004 4:25 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote DSL l

RE: [ActiveDir] install on logon, uninstall on logoff

2004-10-28 Thread joe
Did you get an answer on this one Michael? We can hunt Robbie down for an answer if not. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Tuesday, September 07, 2004 10:09 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] install on logon, uninstall on

RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Kern, Tom
how much does it go for? -Original Message- From: Robert Rutherford [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Thursday, October 28, 2004 4:25 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote DSL link Whats go

RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Salandra, Justin A.
These devices don’t have a ISDN backup built in, but offer a VPN solution that also scans at the gateway for viruses, allows you to put into place NIDS and NIPS and also acts as a firewall. All this for $1,500. Not bad -Original Message- Fro

RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Salandra, Justin A.
Fortinet and Fortigate is the way to go -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, October 28, 2004 4:17 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote DSL link t

RE: [ActiveDir] FW: Exchange 2003 on DC

2004-10-28 Thread joe
Don't install Exchange on a Domain Controller, even you Michael B. Smith Article ID : 994678345 Last Review : October 28, 2004 Revision : 1.0 This article was previously published under Q994678345 SYMPTOMS In a Windows 2000 domain so

RE: [ActiveDir] OT:Exchange MU

2004-10-28 Thread Kern, Tom
i'm running exchange in native mode. AD in mixed. i still have an NT dc laying around and haven't gotten around to testing all apps in native mode. what should i audit? thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, October 28, 2004 4:23 PM To: '[EM

RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Robert Rutherford
Well you will have to protect the RRAS box with a firewall? Do you have one? The Drayteks are also firewalls... you could build a tunnel between a cisco and the Draytek very easily. From: [EMAIL PROTECTED] on behalf of Kern, Tom Sent: Thu 28/10/2004 21:16 To: [

[ActiveDir] Application Partition Replication

2004-10-28 Thread Myrick, Todd (NIH/CIT)
We started seeing strange problems with our Directory replication recently when bringing up new Windows 2003 DC in our Hub and Spoke Site design. Our network has a lot of firewalls, domains, and business units, and we have managed to coordinate most of

RE: [ActiveDir] Problems Adding Computers to AD

2004-10-28 Thread joe
Yeah the issue I saw was specific to disjoint namespaces and the new functionality in K3 AD that was verifying the domain names of the hosts. I would be curious though, just for test, not for final solution if you went back to the created object and gave the group you mention FC of the computer o

RE: [ActiveDir] ad partition rights

2004-10-28 Thread Kern, Tom
thanks. i almost lost hope on this one... So far the best thing i've read about AD security/rights was Inside Active Directory, 2nd ed. -Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Thursday, October 28, 2004 3:37 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDi

RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Robert Rutherford
Whats good about the Fortigate? I havent heard of them. I'm asking because Im genuinely interested. The beauty of the Draytek Vigor boxes is that they have ISDN backup builtin on a few of the boxes. Which is very useful when using ADSL. From: [EMAIL PROTECTE

RE: [ActiveDir] Trusting Domain SIDs

2004-10-28 Thread joe
> Hey Joe Richards, how does ADFind know which binary attributes are SIDs? I know Dmitri has some > kind of hard-coded lookup table for ldp.exe to handle special conversions of some numeric and binary data, > but it is hard to solve the problem

RE: [ActiveDir] Which is better

2004-10-28 Thread Salandra, Justin A.
Ok, and from what I can figure, both utilize AD Kerberos to sign or encrypt the data right? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry Sent: Thursday, October 28, 2004 3:58 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Which is bette

RE: [ActiveDir] OT:Exchange MU

2004-10-28 Thread Mulnick, Al
The indication is that it's either a permissions or performance error. I don't know your environment, so I have to ask. Is audit logging enabled for the security events? Also, any particular reason you're running in mixed mode AD vs. Native for the Exchange domain? Al -Original Message---

[ActiveDir] Only show policy settings that can be fully managed

2004-10-28 Thread support
Hi All, Since moving to XP I get really peeved that whenever I edit a Policy that has non Policy settings in the Administrative Template area I must go to "View/Filtering' and unclick "Only show policy settings that can be fully managed" I found a Policy under "System/Group Policy" to "Enforce sh

RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Kern, Tom
the site doesn't want to spend any money and they have no local IT support. we are in NYC and they are in Florida. we use a cisco vpn concentrator but that would involve installing client sw and since XP already has it built in, I figured this would be the

[ActiveDir] Which is better

2004-10-28 Thread Salandra, Justin A.
Digitally sign communications Or Digitally encrypt secure channel data Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir

RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Salandra, Justin A.
Take a look at Fortinet’s device called Fortigate. I use it and it is great for a VPN connection over DSL Lines! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Thursday, October 28, 20

RE: [ActiveDir] OT:Exchange MU

2004-10-28 Thread Kern, Tom
no entries on any dc. thats why this error is driving me nuts. every dc is fine with no errors. on exchange,that is the only error logged. but, its gotta be affecting mail. it doesn't sound good -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, October 28,

RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Salandra, Justin A.
Take a look at Fortinet’s device called Fortigate. I use it and it is great for a VPN connection over DSL Lines! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Thursday, October 28, 20

RE: [ActiveDir] Which is better

2004-10-28 Thread Passo, Larry
You also have to look at what each method doesn't do. 1. Digital signature Proves the message was sent by you Allows anyone to read the message 2. Digital envelope Only the desired recipient can read the message Doesn't prove the message was from you A truly secur

RE: [ActiveDir] Running DCs in Virtual Server 2005 - whitepaper

2004-10-28 Thread joe
I was chatting with ~Eric about this doc last night, if anyone finds any issues with it, pop them on the list here so we can get it all fed back up the chain. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Thursday, October 28, 2004 3:55 PM T

RE: [ActiveDir] Error with group policy

2004-10-28 Thread laide adepoju
hello guys, can someone tell me how i can unsubscribe now. Can't cope anymore.Mails getting too much Do you Yahoo!? Yahoo! Mail Address AutoComplete - You start. We finish.

RE: [ActiveDir] Remote DSL link

2004-10-28 Thread Robert Rutherford
An ADSL line should easily cover this amount of users. I have run remote sites of 15 odd users on ADSL running in a normal WAN capacity (without TS). I have also run ADSL with 10+ users and TS with no real problems. You must of course take into account that ADSL lines dont typically come with a

RE: [ActiveDir] Problems Adding Computers to AD

2004-10-28 Thread Jacob Walker
Actually, we don't have a disjointed namespace. They are specifying a group to which their userid is a member. Then, they go to the PC to change its domain. From: "joe" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] To: <[EMAIL PROTECTED]> Subject: RE: [ActiveDir] Problems Adding Computers t

[ActiveDir] Running DCs in Virtual Server 2005 - whitepaper

2004-10-28 Thread Grillenmeier, Guido
FYI - interesting Whitepaper: http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en   this is the first step to "branch office DC" running on a multi-purpose server: "With strict adherence to requirements described in this paper, domain c

RE: [ActiveDir] OT:Exchange MU

2004-10-28 Thread Mulnick, Al
So at this point your permissions are properly set and the DC is responding as quickly as it needs to for the requests. Are you getting any entries on the DC's during the MU attempt? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thurs

RE: [ActiveDir] script logic question

2004-10-28 Thread joe
I would Generate a list of all users in the list. Depending on how you do this it could be a map, a hash, a dictionary, blah blah woof woof. Whatever... It is an associative array that has for its key, the userid. This list should be generated by recursing up through any nesting as well assumi

RE: [ActiveDir] OT:Exchange MU

2004-10-28 Thread Kern, Tom
No. Thats why i emailed here. thanks -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Thursday, October 28, 2004 3:44 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT:Exchange MU And neither of these applied? http://www.microsoft.com/technet/support/ee/result.a

RE: [ActiveDir] OT:Exchange MU

2004-10-28 Thread Mulnick, Al
And neither of these applied? http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=MSExchangeMU&EvtID=1033&ProdName=Exchange&LCID=1033&ProdVer=6.5.6940.0 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, October 28, 20

RE: [ActiveDir] ad partition rights

2004-10-28 Thread joe
Another old post with no response.   Permissions in AD are a great big it depends. It depends on schema mods. It depends on what has been applied. It depends on what DCs you work against. For instance... Anything that leverages a built in account will find different Admins of different domain

RE: [ActiveDir] Problems Adding Computers to AD

2004-10-28 Thread joe
Do you have a disjoint namespace? When they create the objects, what do they specify for who can join? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker Sent: Thursday, October 28, 2004 1:18 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir]

[ActiveDir] OT:Exchange MU

2004-10-28 Thread Kern, Tom
Hi, I tried googling and posting this error on the exchange mailing list, but no luck, so I'm posting here. My apologies in advance. I'm running win2ksp4 AD in mixed mode with Exchange2k sp3. Lately i've been getting event id 1033 logged constantly on my exchange server from metabase update. It

RE: [ActiveDir] Which is better

2004-10-28 Thread Brian Desmond
Well what are you trying to achieve? Digitally sign just ensures to the receiving party that the packet has not been tampered with. Digitally encrypt ensures that nobody in between can read the contents of the packet. Thanks. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org

RE: [ActiveDir] Which is better

2004-10-28 Thread Joe Pochedley
Depends on what your objective is? Digital signing ensures that the hosts who are communicating are really who they claim to be. It doesn't keep anyone in the middle from intercepting and reading the communications however. Encryption makes it much more difficult to decipher the packets as they

[ActiveDir] Which is better

2004-10-28 Thread Salandra, Justin A.
Digitally sign communications Or Digitally encrypt secure channel data Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir

RE: [ActiveDir] Changing domain case?

2004-10-28 Thread Harding, Devon
This is EXACTLY what happened.   Someone did a dcpromo and typed the domain in all CAPS.   I’m gonna try this on a test domain and see what happens.   -Devon   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday

RE: [ActiveDir] Problems Adding Computers to AD

2004-10-28 Thread Jacob Walker
Thank you, Joe. We are implementing Windows Server 2003 AD. Here are the permissions we have assigned. Any clue as to what critical permission could be missing? This object and all child objects: Create Computer Objects Computer Objects: List Contents Read All Properties Write All Properties

RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

2004-10-28 Thread Robert Rutherford
The MS popup blocker is not a bad free tool for the smaller guy, but as Z.V. says it's a big target and they will always find ways around it. If you are an Enterprise and cash is not too much of an issue then you could look at something like WebSense Enterprise. This works on a number of fronts -

RE: [ActiveDir] Schema Update Testing Procedure

2004-10-28 Thread joe
To add on to Al's great answer... Did all of the attribute you expect to get added get added with all of the values you expected? In the past I have found it worth pulling off a piece of production to do these tests. You promo up a DC for every domain of the production forest. You then segregate

[ActiveDir] Remote DSL link

2004-10-28 Thread Kern, Tom
I have 10 users in a remote site. We want to connect them to our domain via a dsl link and Windows RRAS. They are all windows XP sp1 clients. Typically they use Termservices in APP mode to access Quick Books server and Outlook for email. Is this an ok config for ADSL? Or in general? can they ju

RE: [ActiveDir] Contract rates

2004-10-28 Thread joe
I would say it depends on what you can get out of the customer that you are willing to do the work for.   More importantly, do they have a complete AD design and you are just pointing and clicking? Do you have to come up with the whole design? Do you have to come up with the requirements? DR

RE: [ActiveDir] Changing domain case?

2004-10-28 Thread joe
I doubt anyone has really played with it. I expect from the example below it would possibly be dnsRoot that would be the culprit. I just changed the case of it on one of my test domains and it allowed it. Don't know if I broke anything, but ADUC still shows the old version of the name. Could

Re: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

2004-10-28 Thread Mark Orlando
Figures. On Oct 27, 2004, at 7:57 PM, Za Vue wrote: Just wanted to mention that someone has already found a way to get around Microsoft's pop-up blockers. -Z.V. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT Sent

RE: [ActiveDir] Password policies

2004-10-28 Thread joe
Another possible alternative is PSYNCH from MTEC. http://www.psynch.com/ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, October 27, 2004 6:46 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Password policies We had the same needs an

RE: [ActiveDir] Problems Adding Computers to AD

2004-10-28 Thread joe
I have seen that with Windows Server 2003 AD if there aren't enough permissions delegated to the person/group actually doing the join in a disjointed namespace environment. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Walker Sent: Thursday

RE: [ActiveDir] Suggestions on group deployment

2004-10-28 Thread joe
This is an old post but I didn't see any responses   o  I wouldn't recommend ACLing the share, ACL the folder under the share. Just leave the share open for everyone FC and lock down at the folder/file level for less issues in troubleshooting.   o Don't do FC, do CHANGE and READ perms. GC

RE: [ActiveDir] Problems Adding Computers to AD

2004-10-28 Thread Jacob Walker
Thanks, but nothing there really seems to help. It's strange. When we look at the computer account in the domain, it also ends up disabling it. -Original Message- From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 27, 2004 7:37 AM To: [EMAIL PROTECTED] Subje

RE: [ActiveDir] Delegation of group membership changes to add users and not to add other groups

2004-10-28 Thread Lucia Washaya
Return Receipt Your RE: [ActiveDir] Delegation of group membership changes to document add users and not to add other groups :

RE: [ActiveDir] Delegates

2004-10-28 Thread Steve Shaff
That would make sense.  I thought the permissions may have been the issue.  Thanks for confirming that.   S From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 28, 2004 7:20 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Delegates   O

RE: [ActiveDir] Delegation of group membership changes to add users and not to add other groups

2004-10-28 Thread joe
Yep. I considered that as A. I guess it should have been said as Third Party / Internally developed provisioning tool. Any time I think of a third party tool I figure I will see what I could write myself first. Usually you can write something that is more specific to your environment faster than yo

RE: [ActiveDir] Delegation of group membership changes to add users and not to add other groups

2004-10-28 Thread Tony Murray
Another option would be to provide a web tool that proxies the group membership management. The account that the tool runs under would have the necessary delegated permissions to manage the group membership, but the members of the TK_ChangeGroupMembership group would not. The tool could authen

RE: [ActiveDir] Delegates

2004-10-28 Thread joe
Ok under the category of duh, sorry. I didn't read the full post...   Under Security - this person has full control Full Control means a user has all permissions over an object. For some reason MS did the Send As functionality as a permission (instead of an attribute say like public delegat

RE: [ActiveDir] Delegation of group membership changes to add users and not to add other groups

2004-10-28 Thread joe
A is definitely the best answer in terms of a guarantee. C is the most fun. :o) For a quick workaround I would combine B with C. A script that checks groups for nested groups and then if it finds them clean

RE: [ActiveDir] Delegates

2004-10-28 Thread joe
They could also have FC over the user object directly or through a group... joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, October 28, 2004 9:50 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Delegates Sounds like the user has too ma

RE: [ActiveDir] Odd trust behavior

2004-10-28 Thread joe
I would start with nltest /sc_query:nt4domainname Run on various 2k3 DCs. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, October 27, 2004 3:01 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Odd trust behavior We've

RE: [ActiveDir] Delegates

2004-10-28 Thread Mulnick, Al
Sounds like the user has too many rights for example the 'Send As' rights along with the send on behalf of.      Can you verify the behavior with some test accounts and just follow this to grant send on behalf of rights and nothing else? http://support.microsoft.com/?kbid=327000   Al From:

RE: [ActiveDir] Litlte OT: AD and exchange.

2004-10-28 Thread Mulnick, Al
Dual hating? Pay particular attention to the way permissions are handled on folders. Should work, but that will be the one to watch most likely. Good luck, Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Wednesday, October 27, 2004 6:

OT: RE: [ActiveDir] What attribute determines the Schema Master Role?

2004-10-28 Thread Mulnick, Al
That would make a great slogan right now in the US, wouldn't it? "Buy our product and there'll be a rubber chicken in every data center." or something like that. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, Octob

RE: [ActiveDir] Odd trust behavior

2004-10-28 Thread Mulnick, Al
Cool. I'd be interested to hear the results and why you can't get the connections you need. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, October 27, 2004 10:31 PM To: [EMAIL PROTECTED]; '[EMAIL PROTECTED]' Subje

RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

2004-10-28 Thread Justin_Leney
Return Receipt Your RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide document :

RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide

2004-10-28 Thread Lucia Washaya
Return Receipt Your RE: [ActiveDir] Stopping Pop-Ups and Spyware Enterprise wide document :
