RE: [ActiveDir] Policy not applying and RSoP

2004-01-31 Thread Darren Mar-Elia
Bruce- I looked through your script that you had posted here previously (I'm assuming it's the same one you're having problems with). I didn't see anything that immediately popped out. One thing I would suggest is to modify the script to add some debugging info at key points, using the FileSystem

RE: [ActiveDir] RSoP

2004-03-01 Thread Darren Mar-Elia
Planning mode requires a service running on a DC that is only available in Win2k3--specifically the RSoP Provider service. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Monday, March 01, 2004 8:13 AM To: ActiveDir (E-mail) Subj

RE: [ActiveDir] RSoP

2004-03-01 Thread Darren Mar-Elia
PROTECTED]' Subject: RE: [ActiveDir] RSoP Do I will only be able to use the planning mode on 2003 machines? What about XP? I was running the RsoP from an XP machines against a 2003 Member server in a 2000 domain, can this not work? -Original Message- From: Darren Mar-Elia

RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

2004-03-01 Thread Darren Mar-Elia
Todd- You should be able to do what you want actually, without having to be at a DC. It's kind of kludgy, but just try typing the word "Administrators" (without quotes) into the dialog where you would normally browse for the group. This is perfectly acceptable and should be resolved to the SID of th

RE: [ActiveDir] Active Directory users and Terminal Server in NT4.0 domain

2004-03-03 Thread Darren Mar-Elia
If I follow your scenario, then it is entirely possible to get user group policy from a Win2k device within an NT 4 domain. I can't think of any good way to prevent them from getting that policy, other than using user or user group-based security filtering on that GPO to prevent these users from p

RE: [ActiveDir] Custom ADM

2004-03-09 Thread Darren Mar-Elia
Edward- I've never seen a way to delete a value using ADM files. In fact, I've never seen a way to rename a value, so I'd like to see how you do that if you could share it. Thanks Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Parker, Edward Sen

RE: [ActiveDir] Group Policy

2004-03-15 Thread Darren Mar-Elia
DCs get their Account Policy, and a couple of other security settings, from any GPO linked to the domain, not necessarily just the Default Domain Policy. If you have no domain-linked policy, then the DCs will just use the local policy they have by default, out of the box. A quick test with my VMWar

RE: [ActiveDir] Unable to modify GPO Policy

2004-03-15 Thread Darren Mar-Elia
Enterprise Admin should be able to do this. You might want to double check the permissions on the GPO in the child domain you're trying to edit. Make sure EAs really do have write perms on that GPO. You should be able to view and change GPO perms by either looking at the Properties on the GPO in th

RE: [ActiveDir] Group Policy

2004-03-15 Thread Darren Mar-Elia
--- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, March 15, 2004 11:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Group Policy DCs get their Account Policy, and a couple of other security settings, from any GPO linked to the domain, not necessarily

RE: [ActiveDir] Group Policy

2004-03-15 Thread Darren Mar-Elia
Yea, that's the right way to do it Joe. Guy, I'm kinda surprised you actually saw that behavior. I was under the impression that password complexity was one of those account policies that was completely ignored by DCs unless it's linked to a domain policy. -Original Message- From: [EMAIL

RE: [ActiveDir] Unable to modify GPO Policy

2004-03-16 Thread Darren Mar-Elia
here.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, March 15, 2004 2:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Unable to modify GPO Policy Enterprise Admin should be able to do this. You might want to double chec

RE: [ActiveDir] Upgrading W2K GPOs to XP GPOs (The KB Number would Help)

2004-03-17 Thread Darren Mar-Elia
Robert- I've seen this behavior too, and yes, manually adding the XP ADMs into a GPO is safe. However, because XP is supposed to support this automatically, you might want to check the following policy on your XP machine that you're using to edit those GPOs: User Configuration|Administrative Templ

RE: [ActiveDir] Mirror OU structure to Test

2004-03-19 Thread Darren Mar-Elia
I'll add one more to the mix. Not sure it's much better than using a CSVDE dump, but the GPMC comes with two scripts that are designed to create a test domain that is a mirror of your production one. They are called: CreateXMLFromEnvironment.wsf (dump production) CreateEnvironmentFromXML.wsf (im

RE: [ActiveDir] Group Policy - Overview

2004-03-24 Thread Darren Mar-Elia
For everyone's reference, the spreadsheet of all ADM settings is here: http://www.microsoft.com/downloads/details.aspx?FamilyId=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, March 24, 2004

RE: [ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-24 Thread Darren Mar-Elia
Agreed. Not much downside to this as long as you're not putting policies on these other GPOs that conflict with any set in the DDC policy. Even in that case, you just have to manage the conflicts. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford

RE: [ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-24 Thread Darren Mar-Elia
it appears not to be "overrideable". Is this the expected behavior? If so, how could we accomplish this? TIA! Mike Thommes -----Original Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 12:14 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Linki

RE: [ActiveDir] Remote Desktop

2004-03-25 Thread Darren Mar-Elia
You can use this custom ADM to enable that little check box. I can't claim credit for it however. It was posted by a guy named Joe Elway from Ireland on the GPO forum I moderate. Pretty useful. ;;; CLASS MACHINE ;; ;;; CATEGORY

RE: [ActiveDir] Server Membership

2004-03-25 Thread Darren Mar-Elia
30 days is the default machine account password renewal interval--I believe--on Win2k and above. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Strand, Ted Sent: Thursday, March 25, 2004 8:45 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Server Member

RE: [ActiveDir] Remote Desktop

2004-03-25 Thread Darren Mar-Elia
reverse. "Darren Mar-Elia" <[EMAIL PROTECTED]> Sent by:

RE: [ActiveDir] Domian VS Local

2004-03-26 Thread Darren Mar-Elia
Actually, if you want to set local user account expiration date, this isn't a policy option, but rather an attribute on the local SAM account. You can set it using a script like this:
    Set usr = GetObject("WinNT://machinename/darren")
    usr.AccountExpirationDate = "06/06/2005"
    usr.SetInfo

RE: [ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-27 Thread Darren Mar-Elia
e". Is this the expected behavior? If so, how could we accomplish this? TIA! Mike Thommes -----Original Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 12:14 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Linking other GPO objects to Domain

RE: [ActiveDir] Linking other GPO objects to Domain Controllers

2004-03-28 Thread Darren Mar-Elia
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Sunday, March 28, 2004 12:45 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers Oh get over it Joe. Don't be such a weenie. Live life on the edge and use security

RE: [ActiveDir] DEC Chatter - Was something else...

2004-03-28 Thread Darren Mar-Elia
That would be cool. If I'm not mistaken, I think NDS has allowed a similar capability for years in that you can cleave off parts of a tree and replicate it to those servers that need it most. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sun

RE: [ActiveDir] Unable to modify GPO Policy

2004-03-30 Thread Darren Mar-Elia
D] On Behalf Of Darren Mar-Elia Sent: Monday, March 15, 2004 2:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Unable to modify GPO Policy Enterprise Admin should be able to do this. You might want to double check the permissions on the GPO in the child domain you're trying to edit. M

RE: [ActiveDir] Unable to modify GPO Policy

2004-03-30 Thread Darren Mar-Elia
t.com/fwlink/events.asp. Hope this helps. Thanks, Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Tuesday, March 30, 2004 3:06 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Unable to modify GPO Policy I think Tim has a good

RE: [ActiveDir] Testing other GPO's to DC's

2004-03-31 Thread Darren Mar-Elia
Yes, that's exactly it. Grant those specific DCs the Read and Apply Group Policy rights on the GPO. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala Sent: Wednesday, March 31, 2004 12:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Testing othe

RE: [ActiveDir] OT: Custom .ADM (Code Included)

2004-04-03 Thread Darren Mar-Elia
Michael- Anything is possible, so a DC reboot *might* help. A couple of questions. Where are you defining this policy? Is it on a GPO linked to someplace in AD or on the local GPO? If an AD-linked one, then have a look on the DC that the workstation is authenticating to (echo %logonserver% from the

RE: [ActiveDir] AD Replication

2004-04-06 Thread Darren Mar-Elia
Chuck- Try granting the "Replication Synchronization" right on the domain object (domainDNS class) that you want the user to be able to replicate. Note that this provides the synchronization right for just that domain NC. You'll have to do the same thing to the schema and config objects to delegate

RE: [ActiveDir] MSI Deployable apps

2004-04-06 Thread Darren Mar-Elia
Craig- Pretty much any MSI can be deployed via Group Policy. The limiting factor will be whether you need to transform it for your environment and if it provides tools to create transforms so you don't have to do it manually. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EM

RE: [ActiveDir] Assigned software deployment via GPO

2004-04-06 Thread Darren Mar-Elia
Michael- Are you doing per-user assignment or per-machine? In general, if you do a per-user assignment, the application is only "advertised" for install on first use at logon, rather than fully installed. The exception to this is that software installation policy in W2K3 supports a new option on us

RE: [ActiveDir] Assigned software deployment via GPO

2004-04-06 Thread Darren Mar-Elia
Michael- SI uses the MSI product code (aka product id) to determine whether an application is installed already or not. I think that if you have an upgrade relationship between v.1 and v.2 and the Product codes are the same, then it will ignore the upgrade. There are a lot of options for troubles

RE: [ActiveDir] GPO Software install issues

2004-04-07 Thread Darren Mar-Elia
Russ- Error 1603 is likely an MSI error, which, according to the SDK, indicates the following:   The file [2][3] is being held in use by the following process: Name: [4], Id: [5], Window Title: '[6]'.   So it looks like maybe there is an open file conflict of some kind. Which log file did th

RE: [ActiveDir] SUS 2.0 Beta

2004-04-14 Thread Darren Mar-Elia
Yes, painfully, that is true. MS Marketing strikes again. I can just see the advertising: "Trust your network to a WUS" -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Hummert Sent: Wednesday, April 14, 2004 11:09 AM To: [EMAIL PROTECTED] S

RE: [ActiveDir] Importing IPSEC Policies into an OU

2004-04-15 Thread Darren Mar-Elia
Charles- When you say you're importing IPSEC, I assume this means you have an .inf file that you've created that you're importing into an OU-linked GPO? The ability to make changes to a GPO is governed by the permissions on the GPO object itself, which is not stored in the OU but rather under the Sys

RE: [ActiveDir] Importing IPSEC Policies into an OU

2004-04-15 Thread Darren Mar-Elia
ileges using the delegate administration feature. Is there a big difference between using the .ipsec file instead of the .inf file? Thanks, chuck Darren Mar-Elia wrote: > Charles- > When you say you're importing IPSEC, I assume this means you have an > .inf file that you've created tha

RE: [ActiveDir] OT: Registry change on multiple Workstations...

2004-04-16 Thread Darren Mar-Elia
Or, you could write a custom .adm and stick it into a GPO to distribute it. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vermeire Bart Sent: Friday, April 16, 2004 7:09 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Registry change on multiple Workstations... Hi Fr

RE: [ActiveDir] group policy roaming profiles

2004-04-21 Thread Darren Mar-Elia
First off, just for the sake of terminology, roaming profiles are different than folder redirection, and you can of course, have both in action. Folder Redirection means that parts of the profile (e.g. My Documents) is stored on the server, meaning that you have less of the profile that needs to ro

RE: [ActiveDir] LDAP stress tool for AD 2003

2004-05-09 Thread Darren Mar-Elia
There is a load test tool for AD, called ADTest. Check it out at: http://www.microsoft.com/downloads/details.aspx?FamilyID=4814fe3f-92ce-4871-b8a4-99f98b3f4338&DisplayLang=en -Original Message- From: [EMAIL PROTECTED] on behalf of Tony Murray Sent: Sun 5/9/2004 8

RE: [ActiveDir] Setting \winlogon\welcome by ADM

2004-05-09 Thread Darren Mar-Elia
oft\windows\currentversion\policies\system) or directly? Ronen -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, May 06, 2004 8:30 PM To: [EMAIL PROTECT

RE: [ActiveDir] GPO refresh for computer policy?

2004-05-14 Thread Darren Mar-Elia
Mike- It is true, but you can override that behavior through Admin. Template policy on a per-policy area basis to force GPO to process during every foreground and background refresh regardless of whether the GPO has changed. The exception to this is that security policy (including file security) is

RE: [ActiveDir] GPO troubles

2004-05-14 Thread Darren Mar-Elia
Russ- Not Configured essentially means 'do nothing', so to undo an enabled setting, you have to set the downstream GPO to Disabled. In your case, I'm assuming you're controlling the screensaver through User Configuration|Admin Templates. If that's the case, then your deny ACEs need to be on

RE: [ActiveDir] GPO troubles

2004-05-14 Thread Darren Mar-Elia
If you truly want to control a user policy based on the computer, then loopback is the right choice. You don't have to create a separate OU to do that. It makes it more obvious when you have machines controlled by loopback in a separate OU, but you can use security permissions to control it,

RE: [ActiveDir] GPO troubles

2004-05-14 Thread Darren Mar-Elia
Actually, now that I look at this, you may need to set the Screensaver policy in your loopback GPO to Disabled, if this GPO gets processed after the default domain GPO that sets this to enabled. Not sure now that I think about it, since loopback replace mode should do just that, but it's poss

RE: [ActiveDir] GPO troubles

2004-05-14 Thread Darren Mar-Elia
Good question. This stuff gets ugly quick. Just a quick test shows that if I either enable or disable that policy, then it's grayed out for the user, preventing them from changing it in either direction. The problem is that the first GPO to set this owns it, until another one comes along with

RE: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authentication.

2004-05-07 Thread Darren Mar-Elia
Todd- Not sure if this will get to your specific issue here, but Gil wrote a great article about the DC discovery process on Windows & .Net magazine here: http://www.winnetmag.com/Article/ArticleID/37935/37935.html From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd

RE: [ActiveDir] Setting \winlogon\welcome by ADM

2004-05-06 Thread Darren Mar-Elia
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Wednesday, May 05, 2004 8:20 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Setting \winlogon\welcome by ADM Hi- I think this might work. Give it a go. I made the assumption that you wanted %computername% to

RE: [ActiveDir] Setting \winlogon\welcome by ADM

2004-05-04 Thread Darren Mar-Elia
Hi- I think this might work. Give it a go. I made the assumption that you wanted %computername% to be resolved to the actual machinename. If not, then go ahead and remove the EXPANDABLETEXT keyword. CLASS MACHINE CATEGORY "set welcome" POLICY "Display Computer Name" KEYNAME "Software\Micr

RE: [ActiveDir] Updating GPO Templates

2004-05-05 Thread Darren Mar-Elia
Roger- The automatic updating of ADM templates should happen when you open the Win2K GPO from XP. The only thing that would stop that is if you explicitly told the XP box not to do it by setting the following policy: User Configuration|Admin Templates|System|

RE: [ActiveDir] Software GPO still not working

2004-04-29 Thread Darren Mar-Elia
Russ- Since error 1603 is pretty generic ("a fatal error occurred"), you might try enabling verbose MSI logging to see what the package is actually doing. If you haven't already done that, you can find it as an Admin Template policy under Computer Configuration|Admin Templates|Windows Compon

RE: [ActiveDir] GPO I think I figured it out

2004-04-29 Thread Darren Mar-Elia
Russ- There are two MSI properties that you can set to control Reinstall. Namely Reinstall and ReinstallMode. If you have a package editor, like Wise or Orca, you can set these properties in the package or you can create a transform to set these properties--using a transform would require re

RE: [ActiveDir] GPO troubles

2004-05-17 Thread Darren Mar-Elia
Russ- I think there is a solution for this. Effectively what you want to do is remove this Reg value completely when a user logs onto a particular machine. To do this, you could write a custom .ADM file to add to the loopback GPO that removes the registry values that this particular policy pu

RE: [ActiveDir] Aelita enterprise manager

2004-05-18 Thread Darren Mar-Elia
I sent this off list but Al suggested I re-post for everyone's benefit: "We actually do have a new product, called Aelita Collaboration Services, that is designed to do secure synchronization of GAL and Free/Busy for intra and extra-net environments. It's pretty cool actually. In the spirit of eati

RE: [ActiveDir] LDAP filter

2004-05-20 Thread Darren Mar-Elia
Joe- My understanding is that they are indeed correcting the er..challenges with System.DirectoryServices in the 2.0 Framework. I can echo Gil's comments--today it uses COM Interop, as is evidenced by the COM Interop exceptions that I get when something pukes and I can also confirm anecdotal

RE: [ActiveDir] ridiculously OT

2004-05-21 Thread Darren Mar-Elia
Ha ha. Apparently Al is fond of CLMs (Career Limiting Moves). Tom you might perhaps suggest that any solution that goes through a third party's servers by definition means that you lose control over the data. Given that it's the officers of your company, that could represent a serious breach of con

RE: [ActiveDir] Anyone attending TechEd?

2004-05-22 Thread Darren Mar-Elia
And I'll be in the GPO cabana every day. I seem to have gotten an extraordinary number of 6pm-9pm shifts! I guess us non-Microsoft grunts get the less desirable slots :-). Definitely stop by and bring something from the dinner buffet.     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] O

RE: [ActiveDir] Weird AD GPO problem

2004-05-25 Thread Darren Mar-Elia
Christoph- Are you saying that the password policy is still applying to domain users or to user accounts on the local SAMs of your workstations? If the latter, when you bring the gpedit.msc on a client, what does the local GPO show for its password policy and where is it getting its effective

RE: [ActiveDir] task pads

2004-05-25 Thread Darren Mar-Elia
Rick- Another option to consider is to use security group filtering on that GPO instead of relying on moving machines around. In other words, permission the GPO so that only machines that are part of the "O2K3 Install" group will process the policy. Then, getting Office insta

RE: [ActiveDir] wierd request

2004-05-28 Thread Darren Mar-Elia
You can definitely do this with GPO. You could even try to change the shell from Explorer to Outlook, which would prevent any access to the Explorer. I haven't tried this with Outlook but have done it successfully with IE for web kiosks. You might want to check out the GPO scenarios that MS provid

RE: [ActiveDir] Group Policy at the Site Level With Remote VPN Users - Wrong Site Applied

2004-05-30 Thread Darren Mar-Elia
Jeff- It's hard to say what is going on here. Group Policy uses whatever site information is cached on the workstation to determine which site-linked GPOs to process. In other words, the issue is that when this machine connects to the corp. network, it is not following the normal site affinity p

RE: [ActiveDir] Moving Roaming profiles

2004-06-02 Thread Darren Mar-Elia
Malachi- My first question would be--why? DFS, esp. replicated DFS, doesn't seem to be a great solution for writeable data, since you could effectively have some files inadvertently overwritten on each replica. And, since roaming profiles essentially have some built-in redundancy by virtue of the f

RE: [ActiveDir] Scripts

2004-06-04 Thread Darren Mar-Elia
Christine- Check out the Scripting Center. It's a great starting point: http://www.microsoft.com/technet/community/scriptcenter/default.mspx From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Easton Sent: Friday, June 04, 2004 9:43 AM To: '[EMAIL PROTECTED]' Subject: [Act

RE: [ActiveDir] install software on OU

2004-06-06 Thread Darren Mar-Elia
Dan- There are some limitations on .zap files but that is probably your best bet if you don't want to repackage. If you go here: www.gpoguy.com/faqs.htm I have an FAQ on creating .zap files. Darren -Original Message- From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTE

RE: [ActiveDir] Win2k group

2004-06-10 Thread Darren Mar-Elia
Addusers.exe from the resource kit will dump from one local machine and import into another. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant) Sent: Thursday, June 10, 2004 10:10 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Wi

RE: [ActiveDir] Roaming Profile Permissions

2004-06-11 Thread Darren Mar-Elia
You can take ownership of those files and change the permissions to include your account, as long as you don't remove the user's ACE or the localSystem ACE, without affecting their behavior. The only caveat here is described in http://support.microsoft.com/default.aspx?scid=kb;en-us;327462

RE: [ActiveDir] AD, GPO and Technet

2004-06-18 Thread Darren Mar-Elia
Daniel- What is the command you're typing? I'm not sure, but TechNet may not support an admin install. You may just need to copy the install bits from the CD to a share and call the setup msi from the GPO. Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECT

RE: [ActiveDir] AD, GPO and Technet

2004-06-18 Thread Darren Mar-Elia
tware Settings Right click on Software Installations and select New > Package Browse to the location of the TN.MSI file Click Ok Have the user logoff and logon and the install should happen -----Original Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Friday,

RE: [ActiveDir] AD, GPO and Technet

2004-06-21 Thread Darren Mar-Elia
ere is any applications/utilities that we/they are needing I can do a 'mass' installation with little administration. When I reboot my computer, Technet does not install. What else could I be missing? -Original Message----- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]S

RE: [ActiveDir] AD, GPO and Technet

2004-06-21 Thread Darren Mar-Elia
Ok Reboot the client machine and watch the product install I did the above and rebooted my computer, but it didn't install. So, what am I leaving out? -Original Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Monday, June 21, 2004 12:52 PM To: [EMAIL PROTECTED]

RE: [ActiveDir] AD, GPO and Technet

2004-06-21 Thread Darren Mar-Elia
click on Software Installations and select New > Package Browse to the location of the TN.MSI file Click Ok Reboot the client machine and watch the product install I did the above and rebooted my computer, but it didn't install. So, what am I leaving out? -

RE: [ActiveDir] GPO - File and Printer Sharing.

2004-06-22 Thread Darren Mar-Elia
Rick- No way that I know of to do this from GPO. The challenge is that it's a bunch of binary reg keys that get messed with when you turn this on or off--per connection. I did a quick look through netsh and didn't see any commands there, but I may have mi

RE: [ActiveDir] GPO - File and Printer Sharing.

2004-06-22 Thread Darren Mar-Elia
esI've mentioned it to them several times. I seem to remember you could do this with NT, and a system policy. John "Darren Mar-Elia" <[EMAIL PROTECTED]

RE: [ActiveDir] Roaming Profiles and Exchange

2004-06-23 Thread Darren Mar-Elia
Jack- You have a perfectly valid point and yet, millions of people live and die by PSTs, even in large corporations that "should know better". The reasons vary from inadequate central storage for Exchange to just plain old user preference. Hell, even I keep emails forever in P

RE: [ActiveDir] Application Log Event Errors

2004-06-24 Thread Darren Mar-Elia
Edwin- Where exactly are those errors appearing? On the DC or the clients that are processing GPO? Also, what version of DC are you running and what version of client?   The dfsutil /purgemupcache will work on Server 2003 DCs only. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behal

RE: [ActiveDir] AD diagnostic tools

2004-06-28 Thread Darren Mar-Elia
And at the risk of shameless self-promotion, there's Quest's Spotlight on Active Directory... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland Sent: Monday, June 28, 2004 12:55 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] AD diag

RE: [ActiveDir] Outlook clients Roaming profile

2004-06-30 Thread Darren Mar-Elia
Manjeet- The normal way to set up a roaming profile is to simply assign a profile path within the user's AD account. For example, you might enter \\server\profiles\%username% on at that AD attribute and then when the user logs off a workstation, their profile is copied up to that server and share u

RE: [ActiveDir] GPO question concerning LOCAL GPO

2004-07-01 Thread Darren Mar-Elia
A user-driven script is not likely to work. These policies are set in HKCU but the keys involved are permissioned away from normal users by default--to prevent a normal user from undoing a policy. There are a couple of ways you could skin this. If you want to pay money, Full Armor has a tool

RE: [ActiveDir] Question on Auditing GPO Changes

2004-07-07 Thread Darren Mar-Elia
David- It depends upon what you are really interested in seeing. There is no good way, out-of-the-box, to audit what change was actually made to a particular GPO setting in either Win2K or Win2k3. If you just want to see that "somebody" made "some" change to a GPO, then you can use DS auditing to l

RE: [ActiveDir] GPO

2004-07-12 Thread Darren Mar-Elia
Actually, you don't want to do this on the local security policy because then it will only apply to that DC. On the Default Domain Controllers Policy, check what you have under: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lo

RE: [ActiveDir] DC GPO not applying event log settings

2004-07-21 Thread Darren Mar-Elia
You might want to enable verbose security policy logging to see if it shows something. Here's the info on enabling it: http://support.microsoft.com/default.aspx?scid=kb;en-us;245422 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf

RE: [ActiveDir] Apply GP to computer account or user account?

2004-07-26 Thread Darren Mar-Elia
Jared- You can, but the GPO just has to be linked appropriately. For example, if you have two OUs--one containing users and one containing computers, you can link that one GPO to both. Or, if those two OUs share a parent OU, then you link it to that parent OU. And, of course, you can always link the GPO

RE: [ActiveDir] Group Policy and Event ID: 1054

2004-07-28 Thread Darren Mar-Elia
Brenda- Make sure your DCs are properly registering their SRV records. For GPOs, you're specifically looking for an ldap locator record like this:    _ldap._tcp.._sites.dc._msdcs..com   Also make sure your clients have the correct DNS references--i.e. they are consistent and pointing to reliab

RE: [ActiveDir] Group Policy and Event ID: 1054

2004-08-10 Thread Darren Mar-Elia
Brenda- Have you tried enabling this policy on your XP boxes? Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Wilkins Sent: Tuesday, August 10,

RE: [ActiveDir] Group Policy and Event ID: 1054

2004-08-10 Thread Darren Mar-Elia
Right. Strike one. Ok, I've actually had this same problem on my test laptop. Essentially computer foreground GPO processing never works because the Wireless NIC isn't activated by the time the system does its thing. User processing works ok however, and computer background processing works o

RE: [ActiveDir] Computer Configuration GP applying to W2K but not WinXP

2005-05-10 Thread Darren Mar-Elia
Brenda- Is Fast Logon Optimization enabled (on by default) on the XP machines? Does the situation change after the 2nd or 3rd reboot (i.e. the computer policy is finally delivered on XP)? From: [EMAIL PROTECTED] on behalf of Brenda Casey Sent: Tue 5/10/2005 9:14

RE: [ActiveDir] Computer Configuration GP applying to W2K but not WinXP

2005-05-10 Thread Darren Mar-Elia
Yes, this is expected because Fast Logon Optimization is enabled, which essentially says don't wait for the network before presenting the logon screen. This screws with certain policy. Try enabling the following policy on those XP machines:   Computer Configuration\Administrative Templates\S

RE: [ActiveDir] GPO to Control Local Administrators Group on Workstations

2005-05-26 Thread Darren Mar-Elia
The only caveat I think I would put on that is that that is not the behavior I remember in the Win2K days. So if your clients are Win2K you might want to test that. Or maybe someone can confirm on Win2K? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aar

RE: [ActiveDir] GPO oddity

2005-06-01 Thread Darren Mar-Elia
More specifically, when you choose Enforced for a given GPO, it is moved to the bottom of the list of GPOs that a given user or computer will process. This means that it is processed last and, by virtue of that, overrides any conflicting settings processed earlier. It doesn't prevent downstream

RE: [ActiveDir] outlook cached mode

2005-06-13 Thread Darren Mar-Elia
That's probably a good approach. The Outlook cached mode setting is stored per email account and is part of the binary blob that is the user's Outlook profile in the registry, so it would be tough to put that in an ADM. As an aside, the ineptitude of the Office product team in continuing to only

RE: [ActiveDir] LDAP performance

2005-06-13 Thread Darren Mar-Elia
You might also want to fire up Server Performance Advisor on the box and collect some perf stats on the queries. You should be able to see where time is being spent and what kinds of resources are being consumed. Darren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTE

RE: [ActiveDir] LDAP performance

2005-06-14 Thread Darren Mar-Elia
Or if you like the graphical approach: http://www.sysinternals.com/Utilities/TcpView.html From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Tuesday, June 14, 2005 10:38 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP

RE: [ActiveDir] GPO configuration

2005-06-15 Thread Darren Mar-Elia
I've not seen one. I think that would be pretty hard to pull off unless you can remove the hot keys and window buttons. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III Sent: Wednesday, June 15, 2005 1:47 PM To: ActiveDir@mail.activedi

RE: [ActiveDir] Unexpected WINS registering behavior

2005-06-16 Thread Darren Mar-Elia
It's been a long time since I've thought about WINS (thankfully) but in the "old days" this was somewhat expected behavior. If a client happened to contact its primary WINS server and it couldn't answer a request, for whatever reason, it would temporarily use the secondary as its primary. This is des

RE: [ActiveDir] WiFi clients and Domain policy

2005-06-19 Thread Darren Mar-Elia
This typically has to do with the timing of the wireless connection starting after computer policy has started processing. There are a number of registry tweaks that I've had varying degrees of luck with on this problem over time, but the one that most reliably seems to help is described here: http:

[ActiveDir] dfs replica list storage?

2005-06-20 Thread Darren Mar-Elia
. In other words, what does a client query, exactly, to get its referral list for DFS?   Darren   Darren Mar-Elia CTO, Windows Management Microsoft MVP, Windows Server-Group Policy Quest Software +1 (415) 342-4185 [EMAIL PROTECTED] http://www.quest.com   Quick recovery from everyday disasters

RE: [ActiveDir] dfs replica list storage?

2005-06-20 Thread Darren Mar-Elia
e site-specific storage areas. In other words, what does a client query, exactly, to get its referral list for DFS?   Darren   Darren Mar-Elia CTO, Windows Management Microsoft MVP, Windows Server-Group Policy Quest Software +1 (415) 342-4185 [EMAIL PROTECTED] http://www.quest.com   Quick r

RE: [ActiveDir] Lock down server not in a domain using GPO

2005-06-21 Thread Darren Mar-Elia
Actually, you can't set the "Apply Group Policy" permission on the local GPO, since it's only file system based. You can only set the permissions available within NTFS (on %windir%\system32\grouppolicy). I think the special account approach is probably your best bet. BTW, not that it helps muc

RE: [ActiveDir] GPO configuration

2005-06-21 Thread Darren Mar-Elia
n't close any window. The only issue is that they can't > open any either ;-)) > > Just curious - why would you want to achieve this in the first place? > > /Guido > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dar

RE: [ActiveDir] Lock down server not in a domain using GPO

2005-06-21 Thread Darren Mar-Elia
Just a caveat on this KB article. It becomes problematic if you have to make periodic changes to the local GP as you have to go through this lengthy process described in the KB each time. The article assumes that the local GP is not changing and relies on the fact that GPs that aren't changed do

RE: [ActiveDir] Increase ICMP packet size on a PIX - GPO related

2005-06-24 Thread Darren Mar-Elia
This is one of those chicken and egg problems. When ICMP slow link detection fails (i.e. no response is received to the ping request), no GP processing occurs at all, so you can't disable slow detection through GP. So you can't deliver the reg changes to disable slow link detection through GP. Fun.

RE: [ActiveDir] Open Another User's Registry File

2005-06-27 Thread Darren Mar-Elia
You can also script this using reg.exe. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robinson, Chuck Sent: Monday, June 27, 2005 6:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Open Another User's Registry File Open Regedit, set your focus to HKLM, use Lo
