Hi all,
I just wanted some feedback on this project I'm working on from people
with real world knowledge.
We have AD in place with an OU structure. I've been asked to make a
plan to implement GPOs in this organization. I was thinking about
creating a GPO for each application we want to manage
Outlook 2003 (running on a user's desktop) fails to authenticate with Exchange 2003. After restarting Outlook, the user logon dialog comes up and, despite entering correct credentials, it cannot connect to Exchange.
My Exchange is failing to do the Kerberos authentication with Outlook
Hi,
Be careful with creating a GPO for each application. If you have a lot of
apps and let's say all computers get those apps, then those workstations will
go through each GPO and then you may have performance issues. It may be
better to consolidate several apps that have similar characteristics
Hi,
As far as I know, clients and
servers that can talk Kerberos will talk Kerberos. NTLM will only be used if the
client or the server cannot use Kerberos.
Are there other errors in the
event log? (MRXSmb messages...)
0x29 (KRB_AP_ERR_MODIFIED) "Message stream modified"
This indicates that
I've seen something similar with
SMS. What's your DNS scavenging set to in relation to your DHCP
lifecycle? I suspect that you have duplicate host names in your DNS table and
the Exchange server is selecting the wrong target's KDC key. I had exactly
the same issue with SMS server trying to
Return Receipt: Your "RE: [ActiveDir] Problem with SUS Group Policy" document:
I am going to use the small script that someone sent me in a vbs script
during the login processing.
Thanks
Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
-Original
I could follow method three couldn't I? I could remove Authenticated
Users and add in my Helpdesk Staff Security Group into the DDC GPO
Policy and then modify this default setting to enable them to add many
computers to the domain.
Someone please check my logic here. Thanks
Dude,
I love the marketing T-shirt for your new
GPO tool, how did you get that by?
Todd
I suppose the part that gets me is what would you use it for? I'm not
seeing the application of such a concept exactly.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 14, 2005 2:01 AM
To:
Yep, that's one way to do it. I myself would prefer to remove Authenticated
Users from the DDC GPO, create a group and assign that group permissions on
the OU where the accounts should remain and additionally (if needed)
redirect computer account creation to that one OU (as mentioned in
That is also a possibility, however I have multiple domains and
workstations exist in different OUs. If I was to go through the
process of creating an OU and delegating authority, why not just remove
authenticated users, add in the group I want into the DDC GPO and then
modify the quota so they
I guess one question I have in the realm of those apps is... How important
is a pretty GUI to you versus an app that works well and has good
performance? And do you really mean it? What I mean by that is when you look
at an app do you make any decisions about it because it is pretty before
Hello,
I'm studying a computer network using Active Directory to authenticate the
users.
I noticed that all the computers of the domain are listed in the directory,
and I wonder if this has something to do with authentication.
I did not find it on the Internet, I hope someone will be able to
Hello!
When I do a netstat -an
on my Exchange 2003 server I see a lot of connections on TCP 18053. All of our
email clients connect to this Exchange server and just about all of them appear
to have a connection via this port. No one seems to have any idea what that
traffic could be
Just FYI -
We redirected our default computer creation OU. The nice side
effect being that we can now apply policy to that OU (as opposed to the
built-in container, where you cannot).
Thanks...
-DaveC
Reuters America
-Original Message-
From: [EMAIL PROTECTED]
Could be that you have a statically mapped
port assignment for a particular service (NSPI Proxy, IS, SRS, etc.). Check
out the following article. You can then look for the corresponding registry
entries.
http://support.microsoft.com/kb/270836
Tony
From:
[EMAIL PROTECTED]
Domain-member computers are security principals in Windows networks, which
means they have names in Active Directory, and authenticate to Active Directory
when they boot up.
-gil
From: [EMAIL PROTECTED] on behalf of Grumpy Nounet
Sent: Mon 2/14/2005 8:24 AM
Grumpy Nounet wrote:
Hello,
I'm studying a computer network using Active Directory to authenticate
the users.
I noticed that all the computers of the domain are listed in the
directory, and I wonder if this has something to do with authentication.
I did not find it on the Internet, I hope
This forum may be a little hard for you to comprehend. Maybe you need to go
buy some Complete Idiot's Guide books.
Z.V.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grumpy Nounet
Sent: Monday, February 14, 2005 10:24 AM
To:
Tony,
Thanks for the quick response! It doesn't
appear that we have a static port assigned though.
Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI
48152
Tel 734.591.7324 Fax 734.632.6151
[EMAIL PROTECTED]
Couldn't have said it better myself.
FWIW, I've already polled a sufficient sample re: a Joeware preso; there's
plenty of interest. Even more important is the interests of those who have
never heard of joeware.
And corporate affiliation doesn't matter either.
But I'm not paying for a
Z.V.
That's not a helpful response and it's somewhat insulting. There's no
minimum level for questions on this list. Remember that nearly all of us
started out with little or no knowledge of AD.
Tony
ActiveDir List Owner
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Joe, can you confirm the app that's listening on that port?
Do you have other applications on the client that might be using that port
to connect?
What kind of traffic do you see destined for that port on the wire?
There's no set reason that port would be used out of the box that I'm aware
Sounds like this is the port that Exchange has chosen for
RPC traffic with the Outlook clients. Unless you make a registry change on the
server, Exchange will pick ports above 1024 (more or less randomly) for RPC
with clients. http://support.microsoft.com/kb/155831 has
a passing mention of
I was in a meeting
last week and the issue came up if it is possible to override the default domain
policy and set policies on each domain. I always understood that you couldn't do
this. But if you block inheritance and apply another policy on an OU, what
happens? Furthermore is supposed to
One of our admins restored a DC from a backup greater than 60 days old.
There are no newer backup copies. Replication is not working - Access
denied. Also, the restored DC cannot be dcpromo'd out. Rebuilding the
computer from scratch is not an option. Repadmin and nltest operations
are
Why is DCPROMO not an option?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, February 14, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] suggestions for tombstoned DC recovery?
One of our admins
In general, any GPO linked to the domain will have
conflicting settings overridden if a container (OU) down the tree sets block
inheritance. The DDP is no different. However, some policies, like account
policy, will not be affected by block inheritance on regular OUs since it
will be
Careful, Gil...if they keep you there in those conditions long enough
you'll start to identify with your captors and protect them (see Stockholm
Syndrome).
Joe,
you should be retained just for the entertainment value during breaks and such -
I learned stuff just listening to
I think I am missing something obvious. It looks like there
is an option to remote control a computer with Active Directory and it gives
the option of interacting with the user's session. I can never get it to interact
with the user's session; it always locks the user's screen and then gives me
If a bare metal machine rebuild is not an option, then why not change the
tombstone period to 60 days and then restore your DC again? [i.e. if your
restore is 80 days old, then set the tombstone value to 81]
Modify the tombstonelifetime attribute value in
Hi Jorge,
Great input.. But do I understand you correctly that performance is
dependent on the number of different GPOs instead of the settings done
by these GPOs?
rgds,
Bart
On Mon, 14 Feb 2005 10:47:43 +0100, Jorge de Almeida Pinto
[EMAIL PROTECTED] wrote:
Hi,
Be careful with creating a
Ben D. Kusa wrote:
I think I am missing something obvious. It looks like there is an option
to remote control a computer with Active Directory and it gives the
option of interacting with the user's session. I can never get it to
interact with the user's session; it always locks the user's screen and
Personally, instead of blocking the default domain policy I
would create separate policy objects with the settings that I wanted
filtered/blocked. But your "set policies on each domain" leads me to
believe that there are multiple domains in the forest involved here?
Domains by their nature
Well, I think faster than I type. What I meant to say is
"set policies on each OU". I'm pretty sure that changes the response a little
bit.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J
Contr InDyne/Enterprise IT
Sent: Monday, February 14, 2005 12:42 PM
To:
It's not that DCPROMO was not an option, it just didn't work - also
access denied.
Mike Thommes
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, February 14, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
I suggest having SUS or WUS in the business and creating one GP for
implementation of all patches and updates from MS at one go...
Other applications consolidate into one and publish.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bart Vandyck
Sent: 14
Is there any way to share a session without the user's intervention? Or
do you have to use third-party? It is the client side I am looking to
control; what I am looking for is a helpdesk remote control utility.
Thanks
Ben Kusa
Simpson Gumpertz Heger
-Original Message-
From: [EMAIL
Hi,
I have a typical issue with re-building a DC.
I am currently in the stage of re-creating an AD domain for DR documentation.
Have installed W2k server -- trying to restore from a backup tape from the
live system (whole C drive and the System state) -- make registry changes
for RPC and NTFRS
So...technically, after the restore, the dc doesn't really exist in the
organization anymore (well, it's been cleaned up) but likely has some
remnants from the restore. Is that correct?
What I'm getting at is that DCPROMO shouldn't work because that DC
technically doesn't exist. It's an island
I have not been able to find a way to sufficiently solve the
following problem: automatically changing computer names after imaging. I would
like to reassign computer names based on a company naming convention plus
variable. So a computer name would be something like dny01pd***,
with the
really depends on how many issues you'd want afterwards - if you have
another DC in your domain, why is it so critical to bring this one back?
Sounds like you have some Apps on it that you need to keep - but you
should be able to get rid of AD.
If so, the safest method is to demote it forcefully
You'll need a third party app to do *exactly* what you're asking. VNC does
it, and it's free. http://www.realvnc.com/
- Original Message -
From: Ben D. Kusa [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, February 14, 2005 12:34 PM
Subject: RE: [ActiveDir] remote
If DCPROMO won't work, even with the /FORCEREMOVAL flag, the following
MS KB Article has a reghack that will allow you to remove the domain
controller. We had to do this at a remote site in Europe, where the
technical guys had gone home for the day.
Dan-
You can certainly script this with netdom. If you want to use sysprep, you
could set the company name to be that dny01pd, and then sysprep will populate
the rest with random crap.
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
Is it safe to assume that RIS is not an
option?
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, February 14, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automate Computer Name Changes
Dan-
You can certainly
script
I have seen a similar thing while using Ntbackup during our DR drills.
The first restore goes along and doesn't really complete (no log file
pops up and no warning - ntbackup simply stops and exits somewhere in
the AD portion of the restore). You reboot the server and you login
with local admin
Where do I enable detailed reporting? At the server, or at the client?
How do I do it?
Thanks for the help.
Anyone else has any further ideas?
Thanks.
From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Question: AD Group Policy
Hi Ben
Try using Remote Assistance. There are two ways to use it. First, the user
requests assistance, in which case the user must send a request file to the
helpdesk (either via email, MSN, or put a file on the network and access
it). The second way is to let the helpdesk initiate - at which
If you're using WinXP, you
should use Remote Assistance instead of using Remote Desktop
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rmassist.mspx
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/remoteassist/intro.mspx
Cheers
jorge
From: [EMAIL PROTECTED]
Yep. Let's say you have some apps that ALL users get and you have a lot of
apps. In that case I think it is better to create one GPO with those
default available apps instead of creating a GPO for each app. This
depends on how many apps you have and want to distribute with AD
Cheers
Jorge
-Original
I would prefer not to use RIS as there are
a lot of customizations that I make to the OS, many of which cannot be done
with unattended installation via RIS (or, at least, I do not know of any way).
Dan
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael
I'd be interested in the
customizations you're unable to make using RIS.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, February 14, 2005
3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automate
Computer Name Changes
I'm very surprised to see that reghack still listed in a public KB - it
was to be taken out many months ago - this is obviously the last
resort to do and is very risky when used by the wrong type of people.
/Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
You may want to do a bit of research into RIS Dan, more
specifically the [Components] portion if that is the type of customization you
are referring to.
Here is a URL that I keep handy:
http://tinyurl.com/3p8g9
As for any registry changes, that can be scripted fairly
easily.
Software
I agree with Guido that the FORCEREMOVAL option is the safest one besides
reinstalling a DC. However, I understand that some apps don't like (or are not
supported) when the DC they're installed on is demoted and again promoted (e.g.
Exchange).
There is another way to accept replication with a DC that has been
I'm not gonna do software distribution or patches with GPO. We have
started an SMS 2003 upgrade project for that..
I think only basic software will be managed: Windows XP, IE 6, Office
XP 2003,...
thanks,
Bart
On Mon, 14 Feb 2005 22:16:57 +0100, Jorge de Almeida Pinto
[EMAIL PROTECTED]
Neil quickly observed that the script wasn't written to deal with W2K ... for those
interested, I've enclosed a version that is.
Dean
--Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Ouch, I'm actually bleeding...
On the MI in March. It definitely isn't fun. But if you get on a plane, you
tend to want to end up someplace which is considerably better. :o)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent:
Wow, I can't believe they actually still have that hack officially
documented. I recall when someone asked Kwan about it at last year's spring
DEC he about tripped over his own tongue and nearly fell off the podium
trying to spit out how unsupported that was but he understood the reasoning
behind
Thanks David. I didn't think of it from the Entertainment
standpoint. :o)
I am usually just trying to keep myself entertained.
Seriously though, glad you found my jabbering
useful/interesting/entertaining. The idea that my presence alone was helpful or
useful to the point
Heck I like those Idiot books. Those are generally very well written. I
think I still have a copy of some Idiot's guide to AD laying about and have
been known to open it and look things up even after I wrote my first AD
program.
-Original Message-
From: [EMAIL PROTECTED]
Well for part of this Guido wouldn't be bad for... He would just have to get
rid of that five o'clock shadow.
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, February 14, 2005 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE:
Ahh... but I just said that it was cool - not useful. I'm impressed by the
simple fact that it runs.
You might say from a purely technical aspect it's cool. Utilitarian - maybe
not so much.
Many times, it's just the Wow factor, and nothing else.
-rtk
-Original Message-
From: [EMAIL
Twenty years ago I could write /bin/sh scripts in svr3, but
Windows batch files - I never really "got" them.
People like you who can produce these types of things in
cmd/batch are quite admirable.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean
You haven't met Dean face to face,
have you? VBG
Just kidding, Dean
-rtk
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, February 14, 2005
8:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Two
I don't know a lot about scripting or VBS. But can I take the below
lines of text starting at CONST, paste that into Notepad and save
it as .vbs? Does that work, or do I need to use some VBS program?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
That's enough. Windows knows what program to use to execute them.
To run from a command line - cscript myscript.vbs :)
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
From: [EMAIL PROTECTED] on behalf of
Hi Bart,
The *main* performance hit is caused by the actual settings set in a GPO,
*not* the number of GPOs. However, besides performance, manageability is an
important thing to consider when you're designing your GPO structure.
A limit you have to take into account is the maximum number of GPOs
71 matches