Title: Message
Does anyone know of
a supported procedure to extend the schema in Windows 2003 SP1 FFL
AD?
This message contains confidential information and is intended only
for the individual or entity named.
Hi list,
the users are having this error event ID 1000 only with no event ID 1058 or 1030, it's only this error:
Windows cannot access the file gpt.ini for GPO The file must be present at the location . (). Group Policy processing aborted.
I checked the Sysvol folder and the permissions are
OS?
shereen naser wrote:
Hi list,
the users are having this error event ID
1000 only with no event ID 1058 or 1030, it's only this error:
"Windows cannot access the file gpt.ini
for GPO The file must be present at the location . (). Group
Policy processing aborted."
I
Title: Message
If you have a
web access to ITPro or a paper copy of these issues, you can refer to articles
of
September
2001 (Windows 2000 Magazine):Diving into the Active Directory
Schema
November
2001 (Windows 2000 Magazine):Extending the Active Directory
Schema
March 2004
I'm a little confused now; in your original post you mentioned that you had
a parent/child structure which implies more than a mere naming relationship,
I understood it to mean that you have 2 domains in a single forest ... how
many forests do you have and what are the names of the 2 domains (feel
Title: Message
I would recommend starting here
http://msdn.microsoft.com/library/default.asp?url=
Or buying either the book in the signature or Inside
Directory Second Edition by Sakari Kouti.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From:
I want to find out how many
workstations a local admin has been logging on. Can this be done
through any AD snap-in?
-Z.V.
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
Thanks for the feedback, Deji, Guido, joe et al.
The one piece of code I'm missing now is one that can determine a machine's IP
address. Any suggestions how that may be done (again, assume the machine is not
joined to a domain and is running PE).
I can then feed that address into the logic
To troubleshoot GPO processing:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/96405.asp
http://www.winguides.com/registry/display.php/1128/
You can pull it with WMI (not sure about the PE scenario)
http://windowssdk.msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_tasks__networking.asp
(watch the wrap)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
I had the chance to look at the actual problem today and
hereunder I will describe the problem and what I have tried to resolve
it:
Problem: The All Address Lists container has disappeared
from ESM, as well as the All Global Address Lists container.
From within Outlook it is as if you can
Should be able to get it with WshNetwork as well.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006 9:48 AM
To:
Hi,
The only way to revert your organization accessible is to run the command under Local
System privileges by passing this command in a command line window as
this:
c:\at time /interactive cmd.exe
Ex: c:\at 12:00 /interactive cmd.exe
So at 12:00, a command prompt
will appear with
"So at 12:00, a command prompt
will appear with Local System privileges ( type whiami to be sure)." it
is rather "type whoami to be sure".
:)
Yann
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Monday, 6 February 2006 16:05
To:
Thanks for your fast reply Yann!
Do you mean to run the command which resets the permissions
for the Authenticated users under local system
privileges?
Cheers,
Victor
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, 6 February 2006 16:30
To:
Title: Wireless and logon script
Can someone explain the mechanics of the logon for me, when the user is on a wireless connection? We have Cisco Wireless Access Points, and a Cisco ACS, but I haven't been involved with their setup. Basically the deal is when a user logs in to a wired LAN
AD Experts,
Thanks all for your input regarding the FRS issue listed below. We were able
to get a safer solution out from MS to fix SysVol inconsistencies.
Here it is:
1)Fix policies and scripts on the PDC, make sure everything is clean on the
PDC
2)Stop FRS service on all other DCs
3)Start
"why am i" is a more philosophical question I guess, which
cannot be answered by a CLI :)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 06 February 2006 15:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and
This
may sound silly (and in a way, it is), but try accessing them a little
differently.
Open
adsiedit.msc and drill down ONLY USING THE TREE IN THE LEFT PANE OF THE WINDOW.
Right-click
on All Address Lists IN THE LEFT PANE and open Properties and go
to the Security tab and see if
Creamer, Mark wrote:
Can someone explain the mechanics of the logon for me, when the user is
on a wireless connection? We have Cisco Wireless Access Points, and a
Cisco ACS, but I haven’t been involved with their setup. Basically the
deal is when a user logs in to a wired LAN connection, the
Title: Wireless and logon script
What O/S and Service Pack are you running and are you using
USB WLAN Cards?
We recently deployed a Wireless Infrastructure and had a
similar issue with Computer GPO's and Start Up scripts not being applied.
Turns out the GPO processing and Start up scripts
Hmm, this discussion is going the wrong way
;-))
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 6 February 2006 16:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange - ESM - "All Address Lists" and "All Global Address Lists"
Hello,
I don't check the whole kb you mentioned, but the at /interactive will just
give you the right that you have lost to perform the action described in the
KB.
Regards,
Yann TIROA
Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2 ème étage
Is there a limit to the amount of nesting which can be carried out on
Universal Security Groups?
We have a single domain (mix of Windows 2003 and 2000 servers) with
Exchange 2003 and a number of nested groups but we've just discovered a
problem - mail sent to some of the lists is not reaching all
Oh yes !
Just think about it, I would recommend you to check *ALL*
the ACLs through the organisation level in case
of
Here is a technet doc describing the default permissions Organization
Container, Address Lists Container, Addressing Container, and many more here
Good point. I will clarify things. If I navigate on the
left side to "CN=Configuration,CN=Services,CN=Microsoft
Exchange,CN=Domain,CN=AddressListContainer" from within Adsi Edit, I see
only two 'folders' on the left side:
- CN=Offline Address List
- CN=Recipient Update Services
I should see
Good.
So, can you right click on Address Lists Container in the left
pane and blow the permissions down? (Don't touch the right-side before
trying!)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Monday, February 06, 2006 11:58 AM
To:
No need to apologise, I blame spielberg anyway.
frank
"Ulf B. Simon-Weidner" [EMAIL PROTECTED] wrote:
Sorry - wasn't sure if it's your real name. If I'd choose a fake name for a community yours is in the top10 ;-)
Hope you don't mind.
Ulf
From: [EMAIL PROTECTED]
To right answer your question : Yes.
I use ESM instead of dsacls because I get use granting ACL with GUI :o)
Yann
From: [EMAIL PROTECTED] on behalf of Victor W.
Date: Mon. 06/02/2006 16:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange -
I have an issue whereby I have 3 dual role File Print Servers/DC's remaining in my org (cut down from 50+) where I can't separate these roles for another 6 months. My issue is that I have Server Ops staff who connect through to these FP DC's via Remote Desktop. They only have Server Operator
Title: Wireless and logon script
Chris, I'm not having success
finding that KB. Is that the right number?
Thanks!
mc
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006
11:16 AM
To: ActiveDir@mail.activedir.org
You could try giving them full control permissions over the RDP-Tcp connection object in tscc.msc (Terminal Services Configuration MMC).
Have you considered the other settings in there regarding idle session limits and such...??
Teo
On 2/6/06, Frank Abagnale [EMAIL PROTECTED] wrote:
I have an
Yes, I did that already but forgot to mention it. I did not
see any deny permissions. I gave Authenticated users read permission, as well as
the Everyone group.
When I look in another Exchange Organization I manage I
don't see that this is necessary, the Authenticated users and Everyone
group
Good point Dean - Yes, we use 802.1x for wireless access, and IPSec once the
clients are on the network for host level access.
I read the thread as using 802.1x for accessing the wired networks, which I
know several companies do. Microsoft does not use it for wired, for that we
rely on IPSec
Okay, so you start ESM with local system properties. Does that mean you have
to start ESM from that same command prompt window?
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, 6 February 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: RE :
We are using the server move as an opportunity to clean up the schema and
remove some attributes which are no longer needed. From everything I have
read, deleting them from an existing schema is difficult, so we wanted to
rebuild the schema from scratch on the new server, then copy the
Title: Wireless and logon script
Are there any errors in the app log? If so
what are they? You may want to enable userenv logging for more detailed
info. Two things come to mind. One thing is that you may want
to disable media sense. See 239924 How to disable Media Sensing for
TCP/IP in
Hello folks :)
Has someone got an idea about disabling the tsweb warning popup ?
I noticed that the popup warning only appears when:
- users connect via tsweb.
- users connect via the RDP client (mstsc.exe).
BUT, when users connect via the Remote Desktop Connection MMC (tsmmc.msc). the
Why not just keep them from doing it in the first
place or set a policy to end their disconnected session after x minutes?
That way the others will be able to logon after the disconnected
session is terminated in x minutes. If you are running 2003 there are
a few policy options that you can
Frank,
Below is a
link to MS Outlook plugin that when configured, will automatically archive
folders to a network share at regular intervals, making it easy to keep all of
your Outlook folders safely backed up.
On
my lab (which is stock) Exchange servers, there are checkboxes checked for both
Everyone and for Authenticated Users. They are both
special but basically give read and list
contents.
Did
you go into Advanced and ensure that Allow inheritable
is checked?
If
so, I'm out of ideas and
If objects disappear inside ESM, often the right to read the object or the
right to read the permission of the object has been lost, mangled, whatever.
You CAN expose this object using ADSIEDIT, by browsing to the config
partition,services,exchange,orgname, which then exposes the top level
Title: Wireless and logon script
What about disabling fastlogon. Just a
thought.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines
Sent: Monday, February 06, 2006 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Wireless and logon
Yes.
1)go to start - execute and type cmd.exe
2) Then will have to type this command at your_local_time + 1mn
/interactive cmd.exe (without quote).
Example: if your local time is 20:05, then you will type at 20:06 /interactive
cmd.exe
This will open another instance of cmd.exe 1 mn
Slav Pigo... I'm going to massacre his name so I won't even say it
(and you think Dr. J's name is bad you haven't seen Slav's last name)
Slav pointed out a weakness in 802.1x wired deployments that can leave
that network open for attacks. Thus the recommendation is to carefully
review
Thanks that works would be nice if
it worked with the /T switch, but nothing a little scripting can't fix.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 02, 2006
10:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
Title: Message
Hi David,
depends on what you mean - either there's a supported way
on how to extend the schema (pretty sure implementing the schema extensions via
LDIF is supported), however if you are talking about designing the extensions it
depends on your needs if anyone is able to
Don't you just love Microsoft..
Personal
folder files are unsupported over a LAN or over a WAN link
http://support.microsoft.com/?kbid=297019
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Navroz Shariff
Sent: 06 February 2006 19:28
To:
I am going to try that, nice one.
I am still puzzled why I cannot run forestprep. Can anybody tell me what I
have to do to be able to run forestprep without any errors?
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, 6 February 2006 20:53
To:
That's interesting...I have been doing exactly what
the article states one can't.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Monday, February 06, 2006 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles
Don't you
Title: RE: [ActiveDir] OT: Change Tracking Database
Correct me if I'm wrong but doesn't SharePoint require a manual entry by
a live person to record information? Wouldn't the idea of a change
management software be to automate the process of recording the change
so that no change is
"can't" and "unsupported" are two different
things
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Navroz Shariff
Sent: Monday, February 06, 2006 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Roaming Profiles
That's interesting...I have been doing
"Unsupported" is different, in many ways, from "Does not
work"
Unsupported in Microsoft speak means, if you call us
because it doesn't work, we won't help you fix it unless you pay us lots of
money.
/aaron
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Navroz
I think MS is consistent here. PST are not supposed to be
used over a lan, they corrupt very easily. The Outlook plug in backs up your
local PST's to a network drive, so you are not using them over the network, just
copying them over the network.
From: [EMAIL PROTECTED]
Victor,
I will dare that your problem with /forestprep will be solved until you grant
the right accesses for authenticated users.
The user able to launch the setup.exe /forestprep must be member of enterprise
and schema admin *AND* also member of authenticated users, But, authenticated
users
There's a difference between doing it and having Microsoft support it.
Navroz Shariff wrote:
That's interesting...I have been doing exactly what the article states
one can't.
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL
Title: RE: [ActiveDir] OT: Change Tracking Database
The manual entry is what I was looking
for, though the automated process you mention is interesting as well.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Monday, February 06, 2006
9:10 AM
To:
Problem is can your tracking software 'talk' to that router?
Change management to me is still a process where someone 'signs off' and
approves..i.e. someone in management.
Not to mention there's many places in AD that things change and it's not
tracked why something did it or if it does
I suppose so. I thought you also wanted to create a replica in the sense that password last set, password history, password, etc would also come over?
I don't know of anything that can take you from one directory to another and retain such information, although for some of that you likely could
Going into Advanced on which folder exactly? ? CN=Address Lists
Container?
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, 6 February 2006 22:38
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Exchange - ESM - All Address Lists and All
Cannot find my notes on this one.
What is the command line to restart
DNS services without rebooting the DC?
Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
Fax: (312) 762-9275
The contents contain privileged and/or confidential information intended
Net stop dns
Net start dns
Cheers,
Katrin Wilhelm (MCSA)
CVGT Employment
Training Specialists
Australia
E-mail: [EMAIL PROTECTED]
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 7 February 2006
10:30 AM
To:
net stop dns
net start dns
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Restart
Cannot find my notes on this
one. What is the command line to
restart DNS
I love it when it's so simple it's difficult...
Thanks!
Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
Fax: (312) 762-9275
The contents contain privileged and/or confidential information intended
for the named recipient of this email. ETSI (Employee
If you want a single command line...
net stop dns & net start dns
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006 6:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Restart
Cannot find my notes on this
one.
If you want a single command line which only starts if it
stopped correctly ...
net stop dns && net start dns
;-)
(sorry - couldn't resist)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, February 07, 2006 12:57 AM
To:
...
since we're getting silly -
net stop dns && net start dns || echo Well bugger, it didn't work
:-[
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday,
I would agree that it looks like your permissions at some
level have been dorked up, possibly someone added a handy dandy Everyone Deny
FC.
You shouldn't have to use localsystem to bail this out, by
default the owner of the structure there should be Enterprise Admins I believe
and that
Deleting from the schema isn't difficult, it is completely unsupported. You
just don't even want to think about it. I don't like having to say that
because I think it should be allowed if all of the up front work was done
but that is where we currently are.
You can generate an LDIF file and tell
Title: Message
I agree, there is no way to register for MAPIIDs you are
completely on your own with them. I recall one large company that was fit
to be tied over that and the response from MS was "sorry
dudes".
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Yeah I was a little surprised on that myself. Oh well,
at least it is in there at all. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Monday, February 06, 2006 3:11
No limits that I am aware of, I swear I have tested in the past to 4 or 5
layers and seen it work. I know I definitely tested three layers as I have
done that several times to mimic various environments.
I would
A. Make sure all groups/users in question are mail-enabled.
B. Make sure that
That info isn't maintained in AD. If you have auditing
enabled you might be able to pull it out of the event logs on the DCs. Might be
better to just slap a logon script on your admins and have it record the logons
somewhere. Of course that won't catch net user /user and runas.
joe
--
No there is no limit on the nesting of groups, however, there is a limit
for the amount at Kerberos token size may be. Consider that if you are
a member of a group which is a member of 10 groups which is a member of
two groups each. You look at your account and see that you are only a
member
That wouldn't impact mail delivery for DLs though. No tokens are involved,
it is strictly LDAP lookup (or pulled from cache if the info is already
there).
Definitely something to keep in mind otherwise though.
joe
--
O'Reilly Active Directory Third Edition -
Title: Delegating attribute in property Set (Personal Information set)
Hi all,
I'm trying to delegate the Office field shown in aduc - which actually maps to physicalDeliveryOfficeName field in AD.
However via the gui this option seems to be hidden and seems like it's part of a Personal
Title: Delegating attribute in property Set (Personal Information set)
Probably a DSSEC.DAT related issue ... google the filename for
instructions.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Title: Delegating attribute in property Set (Personal Information set)
http://support.microsoft.com/?kbid=294952
Look at the info on dssec.dat
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
The operating system stops responding when you run Windows Server 2003
SP1 in a VMware environment:
http://support.microsoft.com/?kbid=910048
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you prepare the latest version of the WinPE CD with the Add-ons (inc.
WSH, ADSI and WMI), then you have the Win32_NetworkConfigurationSetting
class.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, February 06, 2006 5:36 PM
To:
It does. Use wscript.shell and call ipconfig -n 1 |find /1 reply and parse
the output. Works fine.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, February 06, 2006 5:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script
Joe,
What would be the point of B?
Deji
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, February 06, 2006 5:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Nesting groups
No limits that I am aware of, I swear I have
I forgot that Chad has demos of those Sharepoint templates:
Home - Layton Flower WSS Demos:
http://sharepoint.laytonflower.com/default.aspx
Home - Help Desk Dashboard - Basic:
http://sharepoint.laytonflower.com/helpdesk_basic/default.aspx
--
Letting your vendors set your risk analysis
Interesting read, but doesn't really state under what circumstances it
fails... Obviously it doesn't fail on all..
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
-Original
84 matches