Kb 241789
It is a registry mod. You add a key called IgnoreGCFailures to the
HKLM\System\Current Control Set\LSA...
This is for 2000.
Kevin
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday, February 05, 2004 9:26 AM
To: '[E
I have seen Vintela in action. It is a fantastic solution. Very easy to
implement and your *nix users are authenticating to AD. Definitely take
a look at this.
Kevin
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Tuesday, February 03,
Sort of obscure reference and I haven’t
looked at this tool in a couple of years. To tell you the truth I don’t know
if I have ever seen anyone use it in production but Microsoft has a tool
called, Elevated Privileges Application Launcher (EPAL). The process is
documented to allow the adm
Title: RE: [ActiveDir] Background
http://www.sysinternals.com/ntw2k/source/regmon.shtml
here is the exact link to Regmon. Thanks Justin for making me rediscover this
tool it is fantastic, as are so many from sysinternals.
Kevin
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTE
Title: RE: [ActiveDir] Background
Go grab regmon from sysinternals. Run it
and change the background and it will capture what key/keys were modified.
Great tool, I haven’t used it in a while but am pretty confident it is
still available up there.
www.sysinternals.com
Kevin
“give
Command line or other it is not possible. WinNT and above are required
for membership in a domain whether it is NT or AD. Win98 can 'browse' in
the domain but it can not be a security principal.
Kevin Sullivan
-Original Message-
From: Chris Blair [mailto:[EMAIL PROTECTED]
Sent: Wednesday
I think Jackson brings up a great point. It is not necessarily related
just to self administration but really to anyone who has a role of 'data
administrator'. There needs to be a way to mandate data structures,
format, use of 'acceptable values' etc. Without these key components
along with very gra
It is still not totally clear Debbie, why
do you want to import computer/user names into a text file? Or do you want to
have a file with computer/user names that can be imported into the migration
product. List based migrations and project based migrations are very popular
and allow a lot o
Ordered it second hand... not a book I would give up it is a good quick
book to refer to. And who read it memorized it and sold it back already,
how exactly does that work ...
-Original Message-
From: Oliver Marshall [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 11:06 AM
To: [E
Not yet, I think it is a month out... Just my guess.
Kevin
-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 6:02 PM
To: [EMAIL PROTECTED]
Have come back to the list after a while away - the paper on AD
delegation
from MS looks to be of so
Congratulations Robbie, you have done, once again, a fantastic job. This
book is going to be a staple for advanced AD administrators. I have to
agree with Rick, I didn't quite realize the magnitude of what Robbie was
doing until I had the book in my hands (this afternoon!). Go get it.
Kevin
Title: [ActiveDir] Resetting Password
In addition to the script you can create a
taskpad combined with simple delegation and your teacher will only see what you
need them to see and have rights to what they need to have rights to. If W2k3
you can use ‘Saved Queries’ as the launch off point
Very, very jealous... It is a horrible sound.
-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 2:35 PM
To: '[EMAIL PROTECTED]'
Gil,
received one screamin rubber chicken... I love it! Great sound. My
fellow sysadmins
Look at kb 231747. You need to create a .zap file to push an EXE. Not as
much flexibility but it is a work around.
Kevin
-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 3:05 PM
To: ActiveDir (E-mail)
Hello Everyone,
I have a insta
RDP, RPC... man, I keep getting TLA confusion today.
-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 7:59 PM
To: [EMAIL PROTECTED]
Errr check your admin group, who is listed there. Either everyone that
is connecting to that box is an admin on that box or s
It is permissions on the RPC connection itself via the TS manager. (I
think that is where it is). The default is Domain Admins it sounds like
someone changed the default and allowed other users to access the Server
in Administration Mode. You should still only be allowed 2 remote
connections though
Chris,
GPOs are not applied to Groups, they are
applied to Users and Computers. So, the fact that there are two groups that the
user is a member of existing in two different OUs is really not relevant. All
that matters is, where the Users are located and where the systems
Marc,
It appears that you are asking about
enforcing business rules regardless of how a user is created and doing so in a
manner that can not be circumvented. Business rules in this sense would be don’t
give “Allow Terminal Server”, or validate naming conventions, or
mand
groups that can add workstations to the domain?
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: 16 July, 2003 18:20 PM
To: [EMAIL PROTECTED]
Hmmm, what error? When the computer joins
the domain?... I wonder if it is a permissions issue on the "join
domain" part
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: 16 July, 2003 18:20 PM
To: [EMAIL PROTECTED]
Hmmm, what error? When the computer joins the
domain?... I wonder if it is a permissions issue on the "join domain"
part. The user actually joining from the computer needs to have th
permission
over "Computer Objects" to "Add and Remove computer
objects"
The problem I am experiencing is that if
the computer account already exists in the OU the error received is
"access Denied"
Thanks in advance
Yusuf
From: Sullivan, Kevin
You don’t need to give them account operator
rights. You give them ‘specific’ delegated rights. There could be
some complex solutions that involve automating the process of looking through
the computers container and moving computer account to the appropriate
container (that
This should be pretty straight forward. Delegate
to the User the ability to create Computer objects in the OU then have the user
create the computer accounts. When the computer is joined to the domain it will
be associated with the pre-created account. Just give the computer
In Windows 2000 the Integrated zones are
in the domain naming context so this is correct. But in Windows server 2003 it
is in an application partition and you can choose replication partners
explicitly.
From: Victor Hugo
Naranjo [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19
Correct about servers but clients are really irrelevant with regards to
Native vs. Mixed mode.
-Original Message-
From: rick reynolds [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 9:29 AM
To: [EMAIL PROTECTED]
You need to run in mixed mode until the last nt4 server or client l
Title: Please Help
I think that Anwer is correct. He was able
to add the computer account to the domain using his credentials because that
action has to go to the PDC which obviously has the account. His local BDC can
not do that and can’t authenticate him because it doesn’t know
about him
My understanding is that it is 'not' supposed to log them off of the
machine. It keeps them from making any additional authenticated
connections on the network and 'logs off' any authenticated connection
that have already been made. If you want to 'log off' the users use the
'logoff.scr' (I think t
There are some modules in Perl that enable
this. They were brought to my attention by Robbie Allen, Robbie – “is
there anybody out there… is there any one at home…” (Pink
Floyd)…
I can dig up the specifics but if someone
else knows Perl well they may already know it.
Kevin
You can have only one Ex2000 organization per forest. Or are you talking
about Exchange 5.5?
Kevin
-Original Message-
From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 9:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD/Exchange Question
My company is getting
Title: OT RIS ISSUE:
There is a switch in the RISetup answer
file that can be set to have a partition created on the first hard drive. I did
a quick TechNet search and couldn’t find it. I will continue to look but
thought possibly someone may have the reference.
Kevin
-Original
Here is another issue that may come up when you start upgrading clients
to be aware of. If a w2k client authenticates to the NT 4 BDCs that will
work fine. The w2k client will use NTLM in the absence of AD for
authentication. But if the NT4 DC happens to be unavailable and the
client contacts a w2k
Always a good Guinness!
-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 27, 2003 7:06 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Mixed to Native
The worst part of the mixed to native mode conversion is picking which
refreshing beverage y
MB in either direction depending on the
DC).
Marc Zukerman
Senior Network Engineer
Greenwich Technology Partners
- Original Message -
From: Sullivan, Kevin
To: [EMAIL PROTECTED]
Sent: Wednesday,
March 26, 2003 10:17 AM
Subject: RE:
[Acti
Sorry, one more point of clarification
after reading my post…
A GC has the complete domain naming
context for the Domain which it directly represents. It also contains a partial
replica of the other domains in the forest…
-Original Message-
From: Marc Zukerma
Since you are one domain the sizes should
be the same. The GC contains the partial attribute set from all domains in the
forest. Since you only have one domain you don’t have anything additional
added. Also, yes the GC is a subset of all attributes for the domains which the
Note to self, "read whole post"...
I totally missed the computer config part.
-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO effect on Admin
That's a tough one. Computer policy
You can do it a few ways. One would be to assign the deny 'apply group
policy' for the given administrator... You do this on the ACL of the GPO
itself...
Kevin
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 9:02 AM
To: [EMAIL PROTECTE
Look at WinNetMag.com do a search for Replmon.
IIRC there are a lot of brief articles. It is really pretty easy to work with
just navigating…
-Original Message-
From: Daniel Chaveco
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003
10:36 AM
To: [EMAIL PROTECTED]
Subject:
Here is a sort of convoluted albeit possible solution to the issue. It
will be much easier to manage and design with the assistance of a
comprehensive management platform that enforces business rules and
manages access control.
The idea is to audit the contents of an OU specifically users. Evaluat
From: Sullivan,
Kevin [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 16, 2003 2:59
PM
To: [EMAIL PROTECTED]
If they are using W2k/XP
it should be fairly easy. Write the GPO and deploy to test client. Then use
Security Configuration and Ana
If they are using W2k/XP it should be
fairly easy. Write the GPO and deploy to test client. Then use Security
Configuration and Analysis to analyze the client and dump the config to a file.
You should be able to use the same tool to deploy to a local security policy. I
haven’t done this in
I would make sure that your clients are
pointing to the DNS server and the DNS server is updated with the appropriate
SRV records. Check DNS and let us know your settings.
Kevin
-Original Message-
From: bobo sy
[mailto:[EMAIL PROTECTED]
Sent: Sunday, March 09, 2003 3:53
PM
So just curious but who is going to DEC?
Kevin Sullivan
Aelita Software
[EMAIL PROTECTED]
Just changes are replicated during normal replication and within the
domain. Sites can cross domains remember so cross site replication will
have to do with what domains are playing, what DC from what domains are
across sites etc. Also, the only info replicated outside of the domain
is information
reating computer accounts? I do
not
want to prevent them from creating them, just prevent them from creating
them in the computers container.
Greg Felzer
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sullivan, Kevin
Sent: Wednesday, February 26,
You may want to look into changing the default msDS-MachineAccountQuota.
This setting allows any user to create 10 computer accounts by default.
You can change this via a script, LDP or ADSI edit. If you change the
default value to 0 then your delegation model will probably work but the
default beh
his is not the location, however is there a place I
can
look thru the RK online?
-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 03, 2003 12:08 PM
To: [EMAIL PROTECTED]
Subject:RE: [ActiveDir] Decrypt Files from a no longer exist
that these files were encrypted by accident by the user
by
checking the box encrypt contents while looking at the properties of the
folder. Where could I get the DRA from if the domain doesn't exist,
restore
the domain on a workstations?
-Original Message-
From: Sullivan, Kevin
If you can't find the cert that encrypted them or the cert for the Data
Recovery Agent (DRA) (usually the domain admin) you are out of luck.
The key to open the data is stored in the headers of the file and it is
locked up with the private key for the user who encrypted it and the
private key for
Definitely not the whole issue but in your code at the bottom 'Users' is
not OU=Users it is CN=Users... Also, when you say PDC, I have to assume
you are talking about PDC emulator and not a PDC but if you are looking
at an NT DC make sure you test your code with WinNT:// as well as
LDAP:// You will
Go to HKLM/System/CCS/Services/NTDS/Diagnostics and set the Replication
Events value to 5. Then force replication. This will log all kinds of
replication info into the NTDS log that may help you to troubleshoot. I
don't have any references to the specific error off hand but thought
this may be hel
Perfect rebut Rick. I totally agree. Execs hate the idle threat and from my experience
they usually take it as a challenge. There are so many positives to point to when
selling the idea of Win2k/2003 that using the fact the you may lose (perceived)
support doesn't carry much weight. I do a lot o
I recall the ability to add a value to the NTDS\Diagnostics
registry key on a DC to be able to log information pertaining to management of
objects in AD. Of course after I told someone about this I can’t seem to
find it anywhere. What I remember is it is a value that is not present by
defau
Hello Chris,
I have recently been playing with something similar to this. I used ADSI
to iterate through an OU and find the computer objects and then use WMI
to connect to those systems and query more specific info from the WMI
repository. I can try to dig up some chicken scratch I have laying
aro
I am guessing you have but just in case.
Have you looked for recommendations from the Branch Office Guide?
http://www.microsoft.com/technet/treeview/default.asp?url="/technet/prodtechnol/ad/windows2000/deploy/adguide/DEFAULT.asp
I have found it pretty helpful. I am
i
LDAP://cn=users,dc=ntdev3,dc-KEMET,dc=com
Users is not an OU…
-Original Message-
From: Jones, Rick J.(Desktop
Engineering) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 13, 2002
2:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Move
Users script
You can n
Also if they are legacy (9x) clients make
sure they have the DSClient setup. This will allow them to change PW at any DC.
Without it they need to be talking to the PDC emulator.
Kevin
-Original Message-
From: cflesher
[mailto:[EMAIL PROTECTED]]
Sent: Friday,
Sorry for the way off topic but I seem to receive some
responses before I get the original posts. Hours apart. Also sometimes when I
post I don’t see the post for a few hours. Is anyone else experiencing
this and any suggestions?
Thanks
Sent at 1:20 PM 11/8/02
How about this...
Option Explicit
Dim objUser
Dim objAccountDisabled
Set objUser = GetObject("LDAP://CN=User,DC=Domain,DC=MSFT")
If objUser.AccountDisabled = True Then
objAccountDisabled = "Yes"
Else
objAccountDisabled = "No"
End If
WScript.Echo objAccountDisabled
http://www.microsoft.com/biztalk/
-Original Message-
From: Salandra, Justin A. [mailto:jasalandra@;chcsnet.org]
Sent: Tuesday, November 05, 2002 4:08 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Biztalk
What is Biztalk used for? My CIO asked me to look at it and I have
never
used it b
On the Scripting Center at Microsoft.com
(http://www.microsoft.com/technet/scriptcenter). There are a bunch of
useful scripts to look at. First look at resolving password age and add
some logic to that that says as the PW ages so much flip the flag for
user must change password at next logon. Apply
don't know what different means here).
I will try to get more information and post it next week.
-Original Message-
From: Sullivan, Kevin
Sent: Friday, October 25, 2002 10:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2
This is fully supported by Microsoft.
-O
SIDHistory update process since the published Microsoft API's are not
being utilized?
-Original Message-
From: Sullivan, Kevin [mailto:KSullivan@;aelita.com]
Sent: Friday, October 25, 2002 2:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2
Not all that interesting but what I
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
"Any sufficiently advanced technology
is indistinguishable from magic."
--- Arthur C. Clarke
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of
>
Nope...
-Original Message-
From: Salandra, Justin A. [mailto:jasalandra@;chcsnet.org]
Sent: Friday, October 25, 2002 11:36 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADMT v2
Is it free?
-Original Message-
From: Sullivan, Kevin [mailto:KSullivan@;aelita.
for the migration?
-Original Message-
From: Sullivan, Kevin [mailto:KSullivan@;aelita.com]
Sent: Friday, October 25, 2002 6:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADMT v2
Aelita Domain Migration Wizard... (For one)
-Original Message-
From: Salandra, Justin A
Aelita Domain Migration Wizard... (For one)
-Original Message-
From: Salandra, Justin A. [mailto:jasalandra@;chcsnet.org]
Sent: Friday, October 25, 2002 9:24 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ADMT v2
Is there any migration tool that doesn't require the target be in nati
I am not totally sure what your goal is here. But some things to think
about...
1. Off Line files (of course occasionally they will need access to the
network.
2. Write a script that does a file copy and call it from a logon script.
3. Create a .msi file with SMS Installer or WISE or WinInstall LE
Wes,
There are as many issues with an in-place upgrade as there are benefits.
The option to create a pristine AD and move everything over allows you a
lot of flexibility in cleaning up your old NT environment and making
sure you don't migrate any junk that you should get rid of anyway. So
with you
I have worked quite a bit with MSDSS. It
is really pretty straight forward. I have also done a few larger Netware 5.1 -> AD migrations where we used MSDSS and then used Aelita’s (my company) Domain Migration Wizard to
manage the enterprise project.
Any specific questions
about MSDSS?
It's all 0s and 1s, right? Configuring your VPN for FQDN or IP should
ultimately be the same thing because the name resolves to IP which makes
the connection.
Am I right or am I missing something about VPNs?
Kevin
-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Se
Chuck
-Original Message-
From: Sullivan, Kevin
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 03, 2002 4:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:
Unable to browse across the subnets/gateways
What are the subnets? And
what is the gateway config.
Also, When you say browse
d
What are the subnets? And what is the
gateway config.
Also, When you
say browse do you mean Network neighborhood? If so play with the LMHosts file to
see if you can force resolution if you can it is probably a WINS issue. Are the
servers WINS clients? Do the registration
my $DSBind = $DSO->OpenDSObject("LDAP://".$adc."/".$adspath,
$admact,
$passwd,
ADS_SECURE_AUTHENTICATION);
$DSBind->{'ms-DS-MachineAccountQuota'} = $newval;
$DSBind->SetInfo();
I tried to post the swynk script and it didn't send. From past
experience it will probably show up in a while. Anyway, I couldn't get
the script that Tony mentioned to run. Can someone put their eyes on the
script and let me know if you see any problems or lines that I may need
to edit.
Thanks,
Title: Joining computers to a domain?
The
ms-ds-machineAccountQuota (I believe) is a per domain
setting. It allows any user in the domain to create 10 computer accounts in AD.
I also think this is possibly restricted to the default computer container but am not sure. This really helps for
I can think of ways to run cleanup scripts on a schedule to do this. The
Universal Group is designated via a specific bit value or some other
designation. The script could look for that designation and look at the
creator/owner of the object and check against an authorized list. If the
creator/own
Try this...
Open ADUC and on the left hand pane right-click on the OU that you want
these admins to see... choose new window from here... Go to the windows
menu and choose the original window... Close that window... save the
.msc file out and apply NTFS permissions on the .msc file.
Alternativel
My apologies, please disregard my last message to this thread.
-Original Message-
From: Sullivan, Kevin
Sent: Wednesday, September 18, 2002 10:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Network Infrastructure cause AD Security Fowl
Ups?
I am having a brain cramp at the moment
Sorry about the formatting... I am adding _ to designate a line break.
-Original Message-
From: Sullivan, Kevin
Sent: Wednesday, September 18, 2002 10:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Networkdrive-mapping @ logon
This is a pretty simple example so you could enhance
I am having a brain cramp at the moment. I am trying to send you an
example script but it is being rejected by the
[EMAIL PROTECTED]
How do I send script examples? I know it can be done.
-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 06,
PROTECTED]
Subject: RE: [ActiveDir]
Networkdrive-mapping @ logon
I would like to have one posted
The only thing I can is doing this from a
DOS-prompt L
-Original Message-
From: Sullivan, Kevin
[mailto:[EMAIL PROTECTED]]
Sent: woensdag 18 september 2002
14:22
To: [EMAIL PROTECTED
You can use a startup script and use
VBScript to map the drives. You can pretty much call on any command like ‘route’.
In the group policy for the container
select startup script under computer configuration and point to the VBScript or
JScript that you want to use. I will look for
exam
Not possible. W2k cannot be a BDC can only be a DC in an AD forest.
Secondly it will not become the PDC of the NT4 domain unless you upgrade
the NT 4 PDC.
Upgrade the PDC first and then you can use W2k DCs as well as NT 4 BDCs.
Your domain will be in 'Mixed Mode' in order to support this
configur