It's done on the client :-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserEnvDebugLevel = 65538 (Dword)
or the tool I mentioned will set it for you.
Alan Cuthbertson
- Original Message -
From: Umer Y. [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Grillenmeier, Guido wrote:
I'm very surprised to see that reghack still listed in a public KB - it
was to be taken out many months ago - this is obviously the last
resort to do and is very risky when used by the wrong type of people.
Yes, but it was useful for me some time ago :)
But You will not
999!!! Getting depressed just thinking about it
But I was thinking of maybe doing, 1 time settings thru a startup
script instead of GPO. Then again it would be hard then to check which
computers are 'compliant' and which are not.
Maybe SMS can help me doing that Still a lot of work
Eeehh, I meant an application per GPO not a setting per GPO ;-))
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Tuesday, February 15, 2005 08:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO design
Hi Bart,
The
Save it as .vbs and just run it by either double clicking it or typing
its name at a command prompt. If you're using Outlook then it's possible
that it will have removed all the line breaks - extra line breaks in
this message were removed will appear at the top - tell it to put the
line breaks
A couple of newbie questions, please bear with me...
Looking at the computer accounts in Act Dir Users
Comps, and within each Computer account folder, is
various computer accounts... I understand I can add or
remove computers, but shouldn't they appear
automatically when you connect a
[EMAIL PROTECTED] wrote:
A couple of newbie questions, please bear with me...
Looking at the computer accounts in Act Dir Users
Comps, and within each Computer account folder, is
various computer accounts... I understand I can add or
remove computers, but shouldn't they appear
automatically
When you add a computer to an AD domain, the default location for the
computer's account is the 'Computer' OU (unless the computer is a domain
controller). If you have OUs for computers to organize them (i.e.,
production workstations, office workstations), you need to add the
computer accounts to
Hi,
When you join a computer to the domain you need to provide credentials at
the client. If the computer account (with the same name as the computer you
want to join) was pre-created in some OU, then the computer will use that
account. If the account was NOT pre-created then a computer account
Ken, Jorge, thanks guys for great explanations :)
DDH
Hi,
When you join a computer to the domain you need to
provide credentials at
the client. If the computer account (with the same
name as the computer you
want to join) was pre-created in some OU, then the
computer will use that
I am having DNS issues.
When I type NSLOOKUP my default server comes up with the correct address.
Then I am getting
*** servername can't find NSLOOKUP: Non-existant domain.
I have two DNS servers: Primary and Secondary.
Windows 2k3.
Thanks in advance.
Rob
Thanks
the kind words Michael ... believe me, I also wish I had some of the functions
of say BASH available to me ... it's coming though.
--
Dean Wells
MSEtechnology
Email: dwells@msetechnology.com
http://msetechnology.com
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Oh. g
In that case, I've always liked Knoppix's ability to run from a CD. Sure I
can do that with other OS's but it is cool to be able to do that and have
some tools handy.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday,
How can I create a local user on all my XP workstation using GPOs?
Devon Harding
Windows Systems Engineer
Southern Wine Spirits - GSD
954-602-2469
Dean I have to agree with Michael
those batch files are pretty awesome, you did a handful of things I knew could
be done, and the rest I was certain wasn't legal in a batch file
Amazing
(ps yes I am still lurking, have had a
couple of huge projects in no way
Harding, Devon wrote:
How can I create a local user on all my XP workstation using GPOs?
You want to create local user or You want to add some users to local group?
If You want to create local user the only way I can figure out will be
to place some startup script in GPO which will create this
You can do it in a startup script which is fired when a machine is booted.
If your users have high enough privs on the machines you could do it in a
logon script.
joe
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday,
Za Vue wrote:
If the account is the same on all workstations then I rather use a short
batch or VB script.
Yes, but you have to ensure that at the time when You will run this
script or batch all workstations will be powered on - using startup
script You can do it asynchronously
--
Tomasz
Let's see exactly what you are looking at on your screen. Copy and paste
everything you see on the command line. Or, describe all the steps you took
before you got that error. For example, did that error come up as soon as you
type nslookup and press enter?
Sincerely,
Dèjì Akómöláfé, MCSE+M
Dean-
Have you been doing anything with Monad
yet?
Hunter
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, February 15, 2005 6:49 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Two little tools
...
Thanks
the kind words
Or...download and use Hyena. It is free for 30 days. Just select all the
computers at once, they have to be on, and create an account and assign it
to whatever group(s). You can even set and reset passwords.
-Z.V.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Can you provide more info like when the error occurs? Right after starting
NSLOOKUP or after to query for some FQDN?
Jorge
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 15, 2005 14:45
To:
I'm on
the beta and have played with it ... but only briefly ... like what I see so
far.
--
Dean Wells
MSEtechnology
Email: dwells@msetechnology.com
http://msetechnology.com
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, February
A script is fine. Where can I find an example of one? Also, I want it
to terminate if the user already exists.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, February 15, 2005 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE:
Turns out that you're right. The
end-point mapper selected this port to communicate on.
FYI once Exchange is rebooted or
failed over the port can and probably will change (to anything over 1024 as
stated below).
Looked very odd to me that it picked such
a high ambiguous port but
Harding, Devon wrote:
A script is fine. Where can I find an example of one? Also, I want it
to terminate if the user already exists.
Go to Technet Script Center site,
http://www.microsoft.com/technet/scriptcenter/default.mspx
Download scriptomatic and start to play :)
--
Tomasz Onyszko [MVP]
Hi,
You could create a script that uses some list with computers, pings those
computer and creates a local user account with ADDUSERS.EXE (and if needed
in combination with CUSRMGR) or create a Vbscript that checks if the
computer is up and creates the account if it does not exist yet
Cheers
Okay, our environment is that all our clients are
running Windows XP SP2, and our servers are Windows 2003. The situation is
that our Accounting department uses Quickbooks, and about 70 of our employees
need to use an application that comes with Quickbooks called "QB Timer".
It's free for
Hello Everyone,
Does
anyone know of a tool or suite of tools that would be able to replace both Quest
ERDisk and Recovery Manager for AD? Thank you in advance for your help!
Tom
Did you check the permissions on the files that were
installed? Or there may be a file in the Windows or System32 directories
that they need permissions on?
Is anything logged that would give you an idea where it
hangs? What's Intuit have to say?
//SIGNED//
Jason,
use a monitoring tool like total uninstaller from http://www.martau.com
to identify where the software needs permission to write (registry AND
file system).
You should examine it twice. First during installation and later during
normal program run.
After identifying the permission
I'll stay off my soap box of how
frustrating it is that developers don't code properly for NT ... They've
only had 10 years ... and just let you know that I feel your pain.
On the plus side, I've very rarely
come up against an app I couldn't get to run as a regular user by fixing
file or registry
Are they willing to let you know what user rights are
required? I have found that applications that "require" admin or pu privileges
can usually be run if appropriate permissions are given to select registry
entries, directories, system files, etc and user rights. I have even run across
a
I
would speak with Intuit and ask if the app checks whether the user has 'power
user' privs or whether the user simply needs rights in certain areas of the
file
system and/or registry.
Depending on the answer given, determines the approach you then
take.
The
former = user
Hi All
You could add the following line into a startup script - that would apply
to every computer in the OU.
net user accountname accountpassword /add
This line will add that user to the local admin group
net localgroup Administrators /add accountname
Randy Barger wrote a nice
You guys gave some great suggestions to this tough question, and made
some good points. For what it's worth, mine is a bit less realistic - STOP purchasing software from a company that can't get this right (regardless of excuse or reason).
Perhaps the same can be said of applications that use
The following script is an example of adding and removing a domain
account (we use a domain group but you can work with individual users)
to/from a local account on a domain member computer. Apply the script to
the machine startup.
'adds DOMAIN GROUP to local admin group and removes it from
If I put this in a logon script, would the user logon on need local
admin permissions?
-Devon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, February 15, 2005 11:25 AM
To: ActiveDir@mail.activedir.org
Cc:
Hi Devon
Yes, only an admin or the local system can create other admins. Startup
scripts run in the context of local system while logon scripts run in the
context of the user logging on and will only do what that user's rights allow
for.
Regards;
James R. Day
Active Directory Core Team
Office of
We had
a similar problem here. Ours was an application that was designed for W98 and
our move to W2K3 and XP workstations killed the app. Half the problem with some
of those apps that require admin rights, has to do with the install location or
the default permissions
Hi Rob,
Why not install AD/DNS on both servers?
Steps you could take:
* Install W2K3 on both servers
* Configure each server with a unique IP address, a preferred DNS server
being the server itself and an alternate DNS server being the other server.
If WINS is needed configure each server with
Thanks so much Jorge.
I am finishing the last server now. I have the IP structure in place.
I will get DNS running on both servers.
Both DNS servers are going to have AD integrated zones?
What should the name of the zones be?
Should they be the same since they are on separated DNS servers?
Will AD
Sorry to barge in here, but wasn't the original issue simply due to the fact
that Rob tried to resolve name 'nslookup' whilst using nslookup?
Was a complete rebuild necessary?
Apologise if you guys took this off line and decided to go the rebuild route.
neil
-Original Message-
From:
Yes Neil, I just decided to start from a fresh load. Still bringing up the
servers now. I'm new to AD and am looking for advice guidance as necessary. I
thought I had all configurations set correctly, but I couldn't find where I
went wrong. I thought I missed something somewhere so I
I'll leave you in Jorge's capable hands :)
I'll chip in only if I feel the need.
neil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 15 February 2005 18:00
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] DNS
Is this for a production or test environment?
If it is for a test environment it doesn't need to be that fancy and you can
use the answers below otherwise it is not that easy for me to determine how
to install and configure
See inline answers
Cheers
Jorge
-Original Message-
From: [EMAIL
Hi,
You're right. I don't understand it also. I think the nslookup issue was a
misconfiguration of DNS or something like that. I didn't decide or recommend
it to rebuild it. I think a rebuild wouldn't be necessary also, but as he
had already started rebuilding I gave him some hints/tips how to
Thanks stuart...I got this resolved by running the re-store again...
However I have another issue here...I wanted this to be a single DC
domain...but my domain owner is DC2 which we do not want to build... Can
someone help me with the proper commands...
I am checking on the ntdsutil -- roles
Hmm...when I copy my batch file to the startup scripts folder and assign
the GPO, it doesn't seem to run. What could be causing this?
-Devon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, February 15, 2005 12:02 PM
To:
Correct...
You will need to do metadata cleanup to remove DC2 and will need to seize
the appropriate FSMO roles. Search the AD list archive at
http://www.mail-archive.com/activedir@mail.activedir.org/ for previous
threads on this topic and restores in general.
Some papers to read are (watch for
I am not sure if this is off topic or not, but I need to resolve the
problem quickly and can't figure it out.
All of the sudden, my user account can access a whole bunch of shares
that I shouldn't be allowed to get into. I have checked all the groups
and nested groups that I can, and there seems
I have a user account that I deleted in AD. When I try to add another
user with that same SMTP address, it stated that the address already
exists. When I do a search for that address in AD, I get no results.
How can I remove this SMTP address from AD?
Devon Harding
Windows Systems Engineer
How can I verify that my DNS server is configured correctly?
Rob
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Now this is getting interesting. If I log into any other machine with
the same user, I do not have access to those shares.
The machine in question is the same machine I do my admin work from, but
always use runas. I have tried disconnecting the mounted drives,
rebooting, dismounting again. How
How quickly did you try to reuse that SMTP address? I've seen that when
I delete a mailbox or contact and immediately try to apply the address
to another object.
Might be worth verifying that the address is gone:
Adfind -gc -b dc=domain,dc=com -s subtree -f proxyaddresses=*youraddress* name
About 10mins. When I do a normal AD search for that SMTP address, it
does not return any results. That adfind command didn't find any
results either.
-Devon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, February 15,
Ok, I found the address using adfind -gc -b -f
proxyaddresses=smtp:[EMAIL PROTECTED], but now how do I remove it from
AD?
-Devon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, February 15, 2005 3:21 PM
To:
Ok, now I'm getting somewhere. Correct me if I'm wrong. Would this be
the correct command to find and remove that account that the SMTP
address is associated with?
Adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] | admod -del
-Devon
-Original Message-
From: [EMAIL PROTECTED]
Can't say on the adfind/admod pairing...I'm waiting for the DEC session
on JoeWare in a couple of weeks :-)
What object got returned by adfind? Is it something you can get to with
ADUC? If so, Exchange Tasks-Remove all Exchange Attributes may be the
cleanest way to make sure that all of the right
Looks like I at some point today must have allowed the machine to
remember a connection I made to the file server with the admin account.
I resolved it by going to \control panel\users\advanced\manage passwords
and deleted the entry.
I just don't know what I would have been doing, that I would
Resend and Update, list blocked because I responded from wrong account
Almost, -del or -rm would delete the entire user object... But you need to
use -dsq on adfind to output the quoted DN.
adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | admod -del
Also if you want to just
That user account WAS deleted from AD but for some reason, the orphaned
object was still retained, so it wouldn't be a problem if I removed the
entire object.
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 15, 2005 3:42 PM
To: Harding, Devon;
I really appreciate everyone's input on my
situation.
I did get it to work, in short, because of
everyone's help here. Thanks!
Here's what I did:
I contacted Intuit (maker of Quickbooks) and wasted
55 minutes on hold and another 10 minutes on hold after a rep answered the call
only to
When I try to remove the object, I get this:
C:\ Adfind -gc -b -f proxyaddresses=smtp:[EMAIL PROTECTED] -dsq | admod
-del
AdMod V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
DN Count: 1
Using server: server.domain.com
Deleting specified objects...
DN: cn=doe\,
That means your default GC has the object in its database but your default
DC for that domain doesn't see it.
You can tell which DCs are involved by doing this
adfind -gc -b -s base dnshostname
adfind -h domain.com -b -s base dnshostname
If the object is in your default domain you can
Envision my utopia: all apps, in order to get a Designed for XP logo, need to meet some requirements:
1. Come with an MSI installer or have one that's easily extractable from an EXE.
2. Come with an .ADM file for configuring options.
3. Run under a non-privileged user account.
cough
job security
/cough
Yes that would make application deployments much easier
:-)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Tuesday, February 15, 2005 4:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using GPO to install an
That's exactly the case, except its not in the child domain
(child1.domain.com) but it exists everywhere else, (domain.com,
child2.domain.com, child3.domain.com)
When I try the admod command, it tries to contact the child domain
(child1.domain.com) that is the owner of the account, but does not
Dave-
Hallelujah! I'm with you here. Can we start some kind of
movement? I'm thinking a web site like dontwritestupidwindowsapps.org? Maybe
hold some rallies outside of offending software company's headquarters where we
burn their shrinkwrap? I'm serious. This used to bug the holy heck out
In my
experience, a lot of developers DON'T KNOW in detail what their apps do and what
permissions are required on what resources. They develop with Admin
accounts and make their service accounts Admins unless they're forced
otherwise. That's a sure way to keep security problems out of
How long ago was this account deleted?
If it has been longer than the tombstone period, you have a lingering object
and you need to start worrying about what other bad things are going on.
If it has been recently, you need to chase your replication and determine
where the update stopped at.
There should be one more
requirement:
4. The vendor
promptly tests all service packs and security updates, publishes the results of
their testing plus any end user feedback on their web site, and
aggressively pursues correction of any incompatibilities discovered by
themselves or their
This has been since last week. (about 5 days). Is there any way to force
the delete to the other GC's?
-Devon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, February 15, 2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE:
I like the sound of that. :-)
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Salisbury
Sent: Tuesday, February 15, 2005
4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using GPO
to install an MSI package
There should be one more
I heard mention of bginfo in an email
a while back from someone. Nice little program. But little
issue. Doesn't work in our environment for the user due to security
rights. Is there a way to run the bginfo as a service or as a system
account?
Thanks
Jeff
Hi Rick,
Thanks - btw - this reghack works also if you have specific backgrounds per
machine as in the HOLs or MOCs - just put the screenshots for every computer
in a specific directory (let's use the example c:\imgs), name them as the
computername, then set the Wallpaper-Regkey as
And to further close the loop, we have installed this fix
on our problematic Exchange servers and it has cleared up the problem completely
with no ill effects. We are getting ~1,000,000 less events/day in our security
logs :-)
If I remember correctly what ~Eric told me on the
IIRC you only need to specify write rights on the
bginfo.bmp file. But it's been a while.
Gruesse -
Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps":http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
Geoff,
Not sure if this will work for you but...we customise
our settings and create the required let's say %Whatever%.bgi file. We then
"install" BGINFO on all workstation and server builds:
BginfoInstall.cmd
@echo off
ECHO.
ECHO Copying BGInfo Files...
mkdir "%systemdrive%\Program
This was definitely a help. I
modified the bginfoinstall.cmd to add these lines
Echo %systemroot%\bginfo.bmp
echo y| cacls %systemroot%\bginfo.bmp /e /g users:w
I removed the regedit line and did away
with the .reg file and instead thru a GPO that is being used for other things
So I guess I'm outta luck with this one huh? Anyone have any other ideas?
From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 2/15/2005 4:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove orphaned account
How long ago was this account
You need to figure out where the break is. Look at the GC that you expect it
at and chase back through the replication connections to determine how the
change should get there from the domain. There has to be a break somewhere.
joe
-Original Message-
From: [EMAIL PROTECTED]
Since you are just starting out with AD and DNS, let me encourage you to get
familiar with the MS DNS Center:
http://www.microsoft.com/Windows2000/technologies/communications/dns/default.asp
Spend a day with the White Paper here:
Ignore me. Came in late to the conversation and far better brains than
me are looking at it :) :) :)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 16 February 2005 07:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
So. the other option is to take a little bit of your time
and do some investigation.
Go grab Regmon and Filemon from Sysinternals (both free)
and watch what the app is trying to access. Chances are it's doing something in
%systemroot%\system32 or in the registry that is generally not