Don’t you ever sleep?
Jze!!! J
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
Yeah. What he said. ;)
Thanks Deji
Roger Seielstad
E-mail Geek
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, April 08, 2005 11:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SSL on OWA to change pas
That only applies to creating the computer account, which
has already been done in the scenario described.
Roger Seielstad
E-mail Geek
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Aragon
Sent: Friday, April 08, 2005 3:42 PM
To: ActiveDir@mail.
Via the ADU&C GUI, there's a permissions page when you
create the computer account which corresponds to which principals have access to
associate a machine with the account, I don't, however, know what the specific
permission name is for that setting.
Roger Seielstad
E-mail Geek
Actually, we do it with a number of our servers.
Is the DNS record a CNAME or an A record?
If it's a CNAME, is the target the FQDN of the box??
fs1 in cname fileserver1.domain.com
Or is it
fs1 in cname fileserver1
Unless it is the former, it won't work.
Alternately (but less ele
Do your clients have a dns suffix search order defined? Without it they
generally won't do host name to FQDN transitions for cnames.
Roger Seielstad
E-mail Geek
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Cothern Jeff D. Team EITC
That goes into a standard default.htm or index.htm page located on the
inetpub/wwwroot folder.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.
Hey Laura!
Yes - closest GPO will win in that scenario.
Roger Seielstad
E-mail Geek
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Hunter, Laura E.
> Sent: Friday, April 08, 2005 6:56 AM
> To: ActiveDir@mail.activedir.org
> Subject:
You are correct - it is kerberos delegation. I've never
done it, but it is well documented. Start here: http://msdn.microsoft.com/library/default.asp?url=
Roger Seielstad
E-mail Geek
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of sergio lera
Sent: Fr
IIRC, user settings in a GPO only apply to user accounts in the OU to which
the GPO applies - so if it's on a workstation-only GPO, it shouldn't affect
the users regardless of what machine they sign into
Security group filtering is probably the best way to pull this off for your
transition period.
There's an ASP command called response.redirect that will do it, as well as
a static HTML meta tag for redirects - should be able to search pretty
quickly for the specific syntax.
Roger Seielstad
E-mail Geek
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTEC
The mantra from day one has always been that password
policy is domain wide - that leads me to the conclusion that it can't be
blocked. I'm sure ~eric or one of the others with vast URLs of docs can point
to something that proves it, but that's how I've always known the case to
be.
-
I think if you set that to 1 it basically forces TCP rather than UDP as
well. We do that with the hosts on our production network.
Roger Seielstad
E-mail Geek
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Becker, Jim
> Sent: Thursday, A
I have exactly what you are looking for. But
describing and commenting it all is such a pain I don’t want to go
through the exercise again. I can share the code, but being a spaghetti coder,
I’m not sure you’d be able to decode it. I shared it with someone
(who shall remain nameless J) on t
Thanks for the responses. I spoke too
soon. Here is what I want to do: script a means for a generic domain user
(created only for this purpose) to join workgroup machines to a domain when
logged onto those machines as a local non-admin user.
Here's what I have done:
- created a user ca
On the WKGUID thing, that binding syntax is definitely not an ADSI
thing. It is supported by AD directly and works in other APIs as well.
That said, I'm not sure why there would have been a problem searching
the deleted objects container by the WKGUID. Perhaps the bind wasn't
done with a Domain
Had a customer encountered that before after fileserver hardware swap.
Take a look at this regkey, perhaps it's applicable to you too
http://support.microsoft.com/default.aspx?scid=kb;en-us;281308
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Se
Also check out computer account
permissions when you create them.
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
Ok so why do we not have this problem if you just do an install from cd
and then connect. We only have the problem when we start applying
policies and security.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, April 08, 20
Thanks David. That’s what I was looking for.
From: David Aragon [mailto:[EMAIL PROTECTED]
Sent: Friday, April 08, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Netdom to Join
Noah,
That depends on what you
have "Computer Configuration/Windows
Just checked the Mac and Windows.com web site and found this recent issue on
one of Apples updates for Panther:
http://www.macwindows.com/AD.html#032905
Apple 2005-003 Update causes AD binding problem
March 25, 2005
John Skinner reports that Apple Security Update 2005-003 for Mac OS X has cause
(Gotta love how many Exchange questions get fielded to this list, isn't
it?)
Rebuilding an Exchange 2000 server, and received the following error
trying to install the post-SP3 roll-up:
"Setup has detected that the version of the service pack installed on
your system is lower that what is necessa
Noah,
That depends on what you have "Computer Configuration/Windows
Settings/Security Settings/Local Policies/User Rights Assignment/Add
workstations to Domain" set to allow.
We are a medium sized University and have authorized a group, comprised
of specified users from each of the 13 c
Instead of using the "DisableStrictNameChecking" key as explained in the
KB (which allows a machine to be contacted by _any_ name), I'd use the
following keys to configure the FileServer to listen to specific Alias
names:
OptionalNames (Multi-SZ) in
HKLM\SYSTEM\CurrentControlSet\Services\lanmanser
Careful Al, Do you really want to spin this discussion
up again? The last time this came up I had to create a new .pst just for
that thread ;-)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 08, 2005 9:13 AM
To: ActiveDir@mail.activedir.org
Sub
Hi –
What are the minimum credentials that a user needs to join a
computer to the domain when the computer account is already created? I am
trying to script netdom to do this and getting denied
if the user has less than administrative access.
Thanks.
-- nme
How much data is in the redirected folders? We've seen slower logins
with large amounts of redirected data.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, April 08, 2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: R
Not sure if you've seen/referenced this?
http://support.microsoft.com/default.aspx?scid=kb;en-us;281308
I used it on one of my servers here a while ago and seems OK.
-DaveC
Reuters CIO Infrastructure
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMA
There are 50 users or so doing folder redirection and only this one has
a problem.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Friday, April 08, 2005 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SLOWW Logons
Hi Jeff
This is because when I access a server it verifies that the server that I
am requesting matches the netbios name on the server itself. Aliases, A
records and WINS / LMHosts will not fix this in any configuration we have
tried. The access denied is server name does not match.
Regards;
J
On Apr 8, 2005 4:55 PM, Salandra, Justin A. <[EMAIL PROTECTED]> wrote:
> I am using folder redirection, but the folder it is redirecting to is in
> the same LAN as where they are logging into.
Are all the users doing folder redirection to the same server, or is
it just the users having this issue?
I am using folder redirection, but the folder it is redirecting to is in
the same LAN as where they are logging into.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, April 08, 2005 11:58 AM
To: ActiveDir@mail.activedir.org
S
I actually deleted the account and setup a
new one and the same problem occurred. I need to enable logging on useenv to
see what is happening, when I do I will report back.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent:
Ok for some reason 2003 and xp machines that are locked down with
policies are not working with an alias that was created within DNS for a
server.
To shorten the length of a server name for share purposes we created an
alias.
IE. Fileserver1 alias FS1.
If you go onto the machine and type
So then I can just add an additional
network name resource to the current cluster group? Is there any way to hide
the shares from users when accessing the cluster through the new network name? I
just don’t want any confusion with the users.
Dan
From: Brian Desmond [mailto
No, you can't do this. The disk resource has to be in one group so that it
fails over with that group. Why don't you just add the spooler service to the
existing file print group if you only have one lun available? You can add an
additional virtual name as well so users don't notice the changeov
I just wanted to look in the container. I wasn't searching for a specific object.
I was going by this MS kb article-
http://support.microsoft.com/default.aspx?scid=kb;en-us;q258310
Thanks
Gil Kirkpatrick wrote:
> I believe the WKGUID= format is only decoded by ADSI, not LDAP. You
> need to spe
I believe the WKGUID= format is only decoded by ADSI, not LDAP. You need
to specify the correct DN of the deleted object. Items in the deleted
objects container have DNs of the form CN=\0ADEL:f3c336a8-0652-47c9-8965-aa3ec83a998e,CN=Deleted
Objects,DC=,DC=com. The guid segment of the DN is the
objec
I am a relative novice when it comes to clustering so please
forgive me. Is it possible to have two different cluster groups use the same
disk resource? We currently have a cluster group that is handling file shares
and want to add to it a print spooler as our current print server is on the
Here's a guess on the mechanism behind your 'Extremely Weird Problem':
As you know, GPOs consist of two parts - the part stored in the SYSVOL, and the part
stored as an object in the domain naming context of AD. When a GPO affects
settings that are themselves attributes of o
It looks like Server Sensor was the culprit. Once we
disabled the service (issdaemon), group policies were applying properly and
staying to the settings we chose.
Marc
If it's still stored in your deleted container
Try using adrestore.exe
Adrestore "guid"
It should search and returns you the friendly DN under CN:
name\A0DEL:GUID
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group
In DNS, look at the _msdcs.CSG-IT.NET zone and see if you can find that
GUID in there.
Look in your Site and
Services and go to the server “VMDC”.
Look at the NTDS Settings for that server and see if you can find a connection
with that GUID.
In either case, if you find
that GUID, just
I've looked at the guid's of all the dc's in my forest and none match the guid
that shows up in the directory services error on the event log on my dc.
where the heck is it pulling that guid and how can i find out?
could it be a dc that was disconnected from the network for over 60 days and
tomb
I'm trying to look in the deleted objects container in my domain using ldp.
I've entered the OID control of 1.2.840.113556.1.4.417 and i think i've set
everything up correctly. But i keep getting this error-
ldap_search_ext_s(ld,
"",
2, "(objectclass=*)", NULL, 0, svrCtrls, ClntCtrls, 60
You can have your query do the sorting for you. I don't have the specific
attributes handy, but on computer objects you have major OS version and minor
OS version, so you can query for only XP machines.
http://www.microsoft.com/technet/scriptcenter/scripts/ad/computer/cptrvb16.mspx
may be help
How'd you try to edit it? And why do you let admins
have rights if you can't trust them?
http://msdn.microsoft.com/library/default.asp?url=
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
Sent: Friday, April 08, 2005 10:03 AM
To: ActiveDir@mail.activedir.org
Su
I just have to ask...
Are you using folder redirection on these accounts?
Can the home drive be wrong... like in oshkosh, and the user is in
timbuktu?
Any hints in event viewer?
John
"Salandra, Justin
Quick answer is yes. IPSec policies themselves are stored per domain,
but you can assign different ones to different GPOs.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Friday, April 08, 2005 9:56 AM
To: ActiveDir@mail.activedir.
I agree it is most likely anything else but DNS problem. If you are
able to, copy one of those accounts and log in with the new copy. Does the
problem follow the new account? Could you post back with your finding?
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir.
On Apr 8, 2005 10:38 AM, Dave A. Marquis <[EMAIL PROTECTED]> wrote:
> That's not right. I would look at the dns configuration. I had the same
> issue as a tech kept fat fingering the configs.
If other users can log in to the same workstation with no delay then I
would say that this is likely not a
On Apr 8, 2005 11:17 AM, Dave A. Marquis <[EMAIL PROTECTED]> wrote:
>
>
> Well we are a mostly Win XP shop here, so if I can grab all of the computer
> names and output to a .txt I can pick and choose the systems. Anyone have a
> pre-built script?
If you have your computer accounts located in de
Well we are a mostly Win XP shop here, so
if I can grab all of the computer names and output to a .txt I can pick and
choose the systems. Anyone have a pre-built script?
David A. Marquis
Computer Systems Administrator
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Be
On Apr 7, 2005 11:32 AM, Christine Allen <[EMAIL PROTECTED]> wrote:
> Thanks. The reason for this is we have domain level service accounts for
> SQL and Exchange, etc. We don't want those to change those passwords. How
> do you folks handle these? Thanks for all your help!
On those accounts yo
Tom,
Not sure how many DCs you have (I'm assuming it's not a 3 digit number)
If I'm understanding the prob correctly, you are suspecting to have a
stale records somewhere in ntds..
Why not you work out the other way round - grab a list of your current
DCs - resolve those GUID, and find out which of
Searching a GC, I get this-
dap_search_s(ld, "", 0,
"(objectclass=*)", NULL, 1, &msg)
Error: Search: No Such Object. <32>
Result <32>: 208D: NameErr: DSID-03100198, problem 2001 (NO_OBJECT), data
0, best match of:
''
Matched DNs:
Getting 0 entries:
So, I assume this object no l
Dave
Netdom query workstation or server would
be a good start for the ‘domain’
Or dsquery computer (also for the domain)
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For
adfind -gc -b "dc=domain,dc=com" -f
"(objectClass=computer)"
or you could do the same thing with ADSI, using "GC://"
instead of "LDAP://". Are you sure you don't want to do some additional
filtering? You may end up pulling a bunch of computer accounts that don't need
to get SP2 (is that XP
I'm replying to my own post.
I think this means this guid can't be found in AD?
However, my DC keeps logging errors that it can't replicate with it. This has
been going on for days. My DC must be getting the guid from somewhere, but
where?
any help would be great.
thanks
Kern, Tom wrote:
> Eve
I answered you on the Microsoft public
newsgroup where you posted the same thing.
Like I said, I think you need Kerberos
delegation for sure, but you may also need protocol transition in order to get
a Kerberos ticket in the first place. This implies 2003 server and 2003 native
mode AD
On Apr 7, 2005 11:52 AM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Set the time source on your Root PDC with net time /setsntp:SERVERNAME
>
> On all other DC's do not set a time source with net time /setsntp:
>
> By not setting a time source the DC's should all default to the Forest Root
> P
Try searching the GC. The object may not be in that domain (hence the
referral).
Joe K.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, April 08, 2005 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GUID resolut
That's not right. I would look at the dns configuration. I had the same
issue as a tech kept fat fingering the configs.
Dave
David A. Marquis
Computer Systems Administrator
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday
Hello All,
Does anyone know a script that will gather
all computer accounts in a forest? I want to build a list of computer names so
I can make a script to send the Win SP2 package to the file system, but not
install it.
Dave
This e-mail message, including all attachments,
I did and it did not :)
Q 3 remains unanswered as does the question regarding how to ascertain which site
is/was the default site.
I'll carry on digging and testing.
neil
MVP - DS
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Did you follow the link James provided? I think that doc should answer
all 3 qs.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worri
I want to prevent a collection of administrative users from deleting certain objects/containers etc now I could set up some more acl's on these objects or I suppose that I could wander off and buy a product off the shelf to offer that protection. But looking at it some of these products do so
Morning all,
I'm getting conflicting references on this question from Google, but I
imagine someone here can answer definitively in about 5 seconds:
Am I able to assign a single common IPSec policy to a domain GPO, but
also have separate IPSec configurations for OUs lower in the AD
infrastructure
Even with the brackets and guid=, i get this error now-
ldap_search_s(ld, "", 1,
"(objectclass=*)", NULL, 1, &msg)
Error: Search: Referral. <10>
Result <10>: 202B: RefErr: DSID-03100698, data 0, 2 access points
ref 1: 'gc.ms-dcs.CSG-IT.NET:3268'
ref 2: 'gc._msdcs.CSG-IT.NET:
That's a lot of coffee
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Salandra, Justin
A.
Sent: 08 April 2005 14:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons
My user takes over 30 minutes to logon
-Original Message-
My user takes over 30 minutes to logon
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ryan
Sent: Friday, April 08, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SLOWW Logons
i have the SAME issue. i decided screw it it takes
Isn’t it supposed to work with hardware for 11a, b and g
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 07, 2005 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 802.11i
Yes, it came
i have the SAME issue. i decided screw it it takes about a full minute to
log on to the domain. i believe it has something to do with the DNS when the
server was first setup. i just go get a cup of coffee after i logon and when
i get back it's up and running fine..
- Original Message -
F
Absolutely...
I personally just find OU's easier to manage than groups.
Must be the graphical representation..
John
"Beelders, Ivor"
<[EMAIL PROT
Filtering GPO's can be done in the same OU. Plan which GPO should link
to which machines before configuring anything. Create groups and add
machines to these groups. Under the security tab of the GPO, allow the
said group to APPLY the GPO. Doing so would allow you to link the GPO to
the OU but onl
Hi Jeff
Probably the easiest way to do this, at least in my world, is with separate
OU's and loopbacks.
We faced a similar problem with laptops. We couldn't tell who a laptop
"user" was, as they could log into a desktop anytime, but we wanted to
apply settings to laptop users. So we have an
I think I need Kerberos delegation to pass the security context from the web server to the AD server...has anybody done this? Can u help me?
Thanks a lot!
Roger Seielstad <[EMAIL PROTECTED]> wrote:
Taking a wag at it - you're dealing with an impersonation issue. Take a look at the fourth questio
Thanks James.
You've responded to scenario 2 only (I believe) - can you offer any comment on
the other 2 scenarios?
A simple yes/no will suffice :) If no, can you point me to an article that
explains the correct behaviour?
Thanks,
neil
MVP - DS
-Original Message-
From: [EMAIL PROTECTED]
Is it only about CAL?
What about per device licensing?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Danny
Sent: Wednesday, April 06, 2005 11:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange CALs
On Apr 6, 2005 3:07 PM, Dan DeStefa
79 matches