RE: [ActiveDir] Proxys and users, and ieak

2005-03-30 Thread Jorge de Almeida Pinto
Yes, you can configure different proxy servers for different users through GPOs. Two ways: (1) Put users that need the same proxy into the same OU. Create for each different proxy a new OU. Create for each different proxy config a new GPO with the proxy config and link that GPO accordingly

RE: [ActiveDir] AD/ Virus outbreak

2005-03-30 Thread Ruston, Neil
Quite honestly, you really shouldn't need to run AV software on DCs, there shouldn't be vectors for them to be infected. If they get infected, it usually means an Admin was careless - actually in every case of an infected DC I have investigated it has been an admin being careless. I disagree. All

[ActiveDir] Active directory inheritance checkbox on user object!

2005-03-30 Thread Wilhelmsen Jan
Hi! I have a problem regarding security on user objects. I have an OU called users and under this I have several other OUs which contain user objects. In 2 (out of 15) of these child OUs I have some problems with the user objects; the problem is that for some reason the user object don't

RE: [ActiveDir] Active directory inheritance checkbox on user object!

2005-03-30 Thread Jorge de Almeida Pinto
This happens when those user accounts are members of some protected groups. Permissions on and inheritance of permissions of protected groups are controlled by the AdminSDHolder object under the SYSTEM container. Every hour a process on the PDC Emulator checks the permissions settings of all

RE: [ActiveDir] LDAP search filter

2005-03-30 Thread Shawn Hayes
thanks, I was missing (it's on the first panel of the query editing). Shawn Mulnick, Al [EMAIL PROTECTED] 03/29/05 04:12PM The filter I used was (&(objectClass=User)(objectCategory=Person)) and I set the filter to the OU I wanted (it's on the first panel of the query editing). The query was

[ActiveDir] WINS topic

2005-03-30 Thread Pelle, Joe
I know there has been some debate in this group recently about WINS in AD but I wanted to get your feedback regarding an empty root domain: Do you need a WINS server in an empty root domain? If so, would pointing WINS back to the child domain WINS server be a bad idea? Other than AD

Re: [ActiveDir] Bridgehead in a single-server site

2005-03-30 Thread James Cate
Is an empty root with one domain under it still considered a multi-domain forest? What is the reasoning for the BHS being a GC? On Tue, 29 Mar 2005 11:48:37 -0500, Myrick, Todd (NIH/CC/DNA) [EMAIL PROTECTED] wrote: One more point to add and I will consider the matter closed. The BHS should

Re: [ActiveDir] WINS topic

2005-03-30 Thread ChuckGaff
You should consider having at least one WINS server in the empty root domain. You will need WINS for NetBIOS name resolution that is still required by many applications. Chuck Gafford Architect 2 Unisys Imagine It. Done.

RE: [ActiveDir] WINS topic

2005-03-30 Thread Mulnick, Al
I see no particular reason that WINS should care what domain it's in. WINS job is to do name resolution similar to the function of DNS. Neither really cares where it lives as long as it lives. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

Re: [ActiveDir] WINS topic

2005-03-30 Thread Mark Parris
But why? Say there are no applications in the root domain. It's just DC's -Original Message- From: [EMAIL PROTECTED] Date: Wed, 30 Mar 2005 08:27:35 To:ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] WINS topic You should consider having at least one WINS server in the empty root

RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread Mulnick, Al
They make perfect sense, Joe. Cheers, -ajm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, March 30, 2005 12:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Compelling arguments? Ah not really for hire. Well

Re: [ActiveDir] WINS topic

2005-03-30 Thread Sergio Fonseca
Hi, Our production environment has no WINS and works fine. On Wed, 30 Mar 2005 13:56:21 + GMT, Mark Parris [EMAIL PROTECTED] wrote: But why? Say there are no applications in the root domain. It's just DC's -Original Message- From: [EMAIL PROTECTED] Date: Wed, 30 Mar 2005

Re: [ActiveDir] WINS topic

2005-03-30 Thread Dennis Depp
I see no reason why WINS would be needed in an empty root domain. If you did decide to use WINS in this domain, I see no problem with using the WINS from a child domain. In our environment, we have three separate AD forests and only one set of WINS servers. Dennis On Wed, 30 Mar 2005 08:09:24

RE: [ActiveDir] WINS topic

2005-03-30 Thread Ruston, Neil
WINS, like DNS, is domain agnostic. You may host a DNS zone abc.com (corresponding to AD domain abc.com) on a UNIX server, which exists in some Kerberos realm, perhaps. Similarly, WINS may be hosted on a Windows NT server which is not part of any Windows domain. In answer to

RE: [ActiveDir] WINS topic

2005-03-30 Thread Beelders, Ivor
Joe, Your initial posting stated that your root domain is empty. I assume that there are no applications or users in the domain beside the admin users, i.e. service administrators. I also assume that you're using W2K or later to administer this domain. If this is the case,

RE: [ActiveDir] WINS topic

2005-03-30 Thread Pelle, Joe
Your assumptions are correct thanks to all who posted. I am going to try and stop the WINS service and see if that breaks anything. Otherwise I can just point it back to the child WINS server. Joe Pelle Senior Infrastructure Architect Information Technology Valassis

Re: [ActiveDir] Accounts disappearing from AD

2005-03-30 Thread Steve Patrick
Just a note - you can find where the object was deleted from in 2k or 2k3 by looking at the metadata via repadmin /showmeta on the deleted object. You can pass it the objectGuid had via looking at the deleted object. If you had auditing cranked up for AD then you should be able to hit

[ActiveDir] Delegating ability to read/write account expiration

2005-03-30 Thread Olegario, Alan
Is it possible? I tried giving the Read/Write expirationTime perms, but that doesn't appear to be working. Thanks.

RE: [ActiveDir] WINS topic

2005-03-30 Thread Mulnick, Al
I would argue that WINS is required when setting up some applications. SMS and Exchange come to mind. Using the child WINS servers is more than enough for what you're talking about. I wouldn't take them away completely, but rather just use the existing. I do that now and don't usually

RE: [ActiveDir] Delegating ability to read/write account expiration

2005-03-30 Thread Olegario, Alan
Actually, found it. There's an actual accountExpires perm that I must've blown by. Thanks anyways. From: Olegario, Alan Sent: Wednesday, March 30, 2005 11:37 AM To: ActiveDir@mail.activedir.org Subject: Delegating ability to read/write account expiration Is it possible? I

RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread Isenhour, Joseph
Not only is being able to register it important, but also that DNS resolves to the correct SPN. Let's say you have a SQL server that is a member of the us.widget.net domain; however, in DNS it is registered as sql1.sea.widget.net. If you look in AD it's likely

RE: [ActiveDir] Storing dates in AD

2005-03-30 Thread Isenhour, Joseph
I really appreciate all of the opinions on this. I've been playing around with these different types in my sandbox. I've used VBS, C#, VB.NET, and pretty much all of the languages that we hack programmers use :) The generalized date type worked really well. From

RE: [ActiveDir] Storing dates in AD

2005-03-30 Thread joseph.e.kaplan
My observation is that MS uses integer8 when they are representing OS data that is manipulated as FILETIME in normal Windows routines. I'm guessing that the SAM functions use FILETIME internally, so it was natural to store them natively in AD this way for

RE: [ActiveDir] AD Site Confusion

2005-03-30 Thread Fugleberg, David A
A common thing to do in a 'hub and spoke' network is to configure the DCs in 'spoke' sites to NOT register domain-wide SRV records. That way, if the DC in a spoke site goes down, the client will discover domain-wide SRV records for only DCs in the hub site. This prevents the client from

RE: [ActiveDir] AD Site Confusion

2005-03-30 Thread Mulnick, Al
Always good advice. You can read some details and the registry keys about it here (for 2000 in this case): http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/adplan/adpch02.mspx I would have to say to the original poster's question that the

RE: [ActiveDir] Storing dates in AD

2005-03-30 Thread joe
I am not sure it is limited to SAM, I think it may be when it is likely they will be doing comparisons and modifying by a delta or finding a delta. I could be wrong though. What kind of conversation on strings are you looking for? Generally use case insensitive

RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread joe
SQL Server has all sorts of dorked up issues with SPNs, you have to always check them anyway. Someone was on crack that worked out that functionality for SQL Server, I have had my share of arguments with PSS over that. Instead of trying to do things through the

RE: [ActiveDir] AD Site Confusion

2005-03-30 Thread joe
The latter could be optimized when a client asks for the global list of all DCs for the domain (= all DCs that have registered the domain specific resource records) the list is ordered, compared to the clients site, from the lowest I am not sure I like that idea, it mucks with how DNS

RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread Isenhour, Joseph
True, I've had the same experience with SQL and Kerberos. On the bright side the issues forced all of our server admins to understand Kerberos and engage my team to make sure that it's working properly. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread Isenhour, Joseph
This is a bit off the topic of the thread, but since we are talking about using BIND DNS with AD I'll go ahead and ask. Has anyone figured out a good way of delegating the update DNS right to your DCs? At my company the DNS admins are on a completely different