RE: [ActiveDir] AD Restore Question

2005-04-14 Thread Grillenmeier, Guido
it sort of depends on your scenario - just to restore a broken DC, you're fine. To recover deleted objects, you're also mostly fine, as long as these don't have links to the unavailable domains (e.g. group-membership). To recover the whole domain (i.e. from scratch), you won't get very far

RE: [ActiveDir] User Alias Authentication in AD

2005-04-15 Thread Grillenmeier, Guido
I agree with Guido but would flip it around and make the short name the sAMAccountName... Domain\mkshirsa And [EMAIL PROTECTED] The astute will understand why joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent

RE: [ActiveDir] 1000 groups

2005-04-15 Thread Grillenmeier, Guido
Regular multivalue attributes still have a limitation on size. In 2K that is approximately ~850 members and in K3 that is approximately ~1300 members. I'd call these "entries" instead of members to avoid confusion... Not sure if it was mentioned in another part of this thread, but it

RE: [ActiveDir] 1000 groups

2005-04-15 Thread Grillenmeier, Guido
had me worried just the same when reading DL and thinking Distribution Lists ;-)) one thing that I don't understand is, why doesn't the token only store the _RIDs_ of the DLGs - why are they stored with the full SID??? Makes no sense to me, as they are able to use the RID for GGs and UGs - and

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Grillenmeier, Guido
It's also worth pointing out that you have to distinguish heavily between the OS version and the DIT size to expect. Other cleanup tasks can also strongly impact DIT size. At HP our Win2000 GCs had an average DIT size of 18GB - we then disabled the Distributed Link Tracking service on all DCs

RE: [ActiveDir] DC location queries

2005-04-15 Thread Grillenmeier, Guido
that default first site would only be used when promoting new DCs to a domain if that DC has an IP address that's not defined for any subnet/site. Naturally, I would fire anyone who even tries to promote a DC without doing the necessary prep-work..., so you should

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Grillenmeier, Guido
the DNS data into the DNS app partition? Thanks! Francis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: 15 avril 2005 04:00 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] NTDS.dit size It's also worth to point out

RE: [ActiveDir] Exchange and AD

2005-04-18 Thread Grillenmeier, Guido
is this your first Exchange 200x server in the org? if not, do others have the same problem? Did you actually check the ACLs on the MS Exchange container in the configuration NC (e.g. via ADSI edit)? I've had an occurrence, where these were corrupt. /Guido From: [EMAIL PROTECTED]

RE: [ActiveDir] forest /domain prep for win2k to win 2003 upgrade

2005-04-18 Thread Grillenmeier, Guido
2003's forestprep requires network connectivity. So you'd at least need to connect your "interims" DC to another separate network. Though I am all for a well planned routine that allows an easy fall-back in case of any issues, your sister company's environment doesn't really sound like

RE: [ActiveDir] forest /domain prep for win2k to win 2003 upgrade

2005-04-19 Thread Grillenmeier, Guido
neither is better or worse: it's important to correctly adjust the LdapDisplayName of the Secretary and the labeledURI attributes in the schema (as added by E2k during setup) so as not to conflict with the new additions of the Win2003 schema, which also adds (the RFC compliant version) of

RE: [ActiveDir] AdminSDHolder and Default button

2005-04-19 Thread Grillenmeier, Guido
I can confirm what Jorge expects below - yes, all explicit permissions are removed and then the default from whatever is defined in the schema is set. You can script the resetting of permissions back to the default using the DSACLS.exe or ACLDiag.exe tools (I can't remember if only one of them or

RE: [ActiveDir] Installing DNS in Child Domain

2005-04-19 Thread Grillenmeier, Guido
hey Dean - I see you're on a DNS trip today ;-)) 10 posts on this thread by Dean - must be a record... aren't we forgetting that this is a test-environment? I'd just blow away the child's DNS subzone in the root DC's DNS config and then create a delegation for the child.test.com zone for the

RE: [ActiveDir] Native Mode Switch

2005-04-22 Thread Grillenmeier, Guido
Hey Nicolas - how is life in South Africa? I see Jorge has basically touched all aspects of why you'd want to prepare for a forest DR, if you really want to undo the switch to native mode of a Win2k domain. He's even given you a usable workaround to test just that business critical SNA

RE: [ActiveDir] Windows 2003 setings

2005-04-22 Thread Grillenmeier, Guido
to check prep ADPREP /FORESTPREP cn=forest name cn=Configuration cn=ForestUpdates cn=windows2003update ADPREP /DOMAINPREP cn=domain name cn=SYSTEM cn=DomainUpdates cn=Windows2003Update to

RE: [ActiveDir] Windows 2003 setings

2005-04-22 Thread Grillenmeier, Guido
domainFunctionality: 0; 1 forestFunctionality: 0; 1 domainControllerFunctionality: 2; Grillenmeier, Guido wrote: to check prep ADPREP /FORESTPREP cn=forest name cn=Configuration cn=ForestUpdates cn=windows2003update ADPREP /DOMAINPREP cn

RE: [ActiveDir] Recommended DNS settings in 3 domain forest

2005-04-25 Thread Grillenmeier, Guido
you don't mention OS version - I'm assuming you will or have implemented Win2k3. In this case the island-problem (which used to be an issue in a Win2k AD's root domain) is no longer an issue and you're fine to go ahead with your option 3. I would also recommend setting up the _msdcs subzone of the

RE: [ActiveDir] Recommended DNS settings in 3 domain forest

2005-04-25 Thread Grillenmeier, Guido
from 2003 Guido. What's the recommendation in that case? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, April 25, 2005 4:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain

RE: [ActiveDir] Recommended DNS settings in 3 domain forest

2005-04-26 Thread Grillenmeier, Guido
] On Behalf Of Grillenmeier, Guido Sent: Tuesday, April 26, 2005 1:31 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest ah - that changes the picture option 3 is still valid for child DCs (DCs point to themselves + another DC of the same domain

RE: [ActiveDir] Segregating and delegating _msdcs

2005-04-27 Thread Grillenmeier, Guido
technically, this approach is quite feasible - however, it's usually done the other way around. Many companies do this so that they can safely enable DDNS on the _MSDCS zones (as AD integrated zone) allowing automatic service record, DC Domain GUID

RE: [ActiveDir] Scripting DC cleanup?

2005-04-27 Thread Grillenmeier, Guido
yeah right;-) however, I'm quite happy about the additions in SP1 - even though this should have been called R2 and the planned R2 would then be R3... ;-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Dienstag, 22. März 2005 02:55 To: Send -

RE: [ActiveDir] More than 1 user having 'managed by' for a group?

2005-04-27 Thread Grillenmeier, Guido
nope, all it does (which is quite nice) is to Allow Write Members for the respective security Principal Object on the Group object. If the manager (or manager group) changes, the permissions are adjusted appropriately - however, as I understand, you have to adjust them via ADUC again (i.e. it's

RE: [ActiveDir] [OnTopic] Active Directory Property Set Madness

2005-05-11 Thread Grillenmeier, Guido
Hey joe - what a post - took forever to read but it was quite entertaining as I've been through similar thoughts myself. However, I didn't specifically ask for support from PSS. When you asked for the support for removing attributes from property sets, I doubt that the PSS folks really

RE: [ActiveDir] [OnTopic] Active Directory Property Set Madness

2005-05-12 Thread Grillenmeier, Guido
name resolution. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Wednesday, May 11, 2005 5:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set Madness Hey joe - what a post

RE: [ActiveDir] Audit Collection Services

2005-05-13 Thread Grillenmeier, Guido
ACS is very independent from R2 - it may be released within the same timeframe, but doesn't rely on any technology introduced in R2. /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet Sent: Freitag, 13. Mai 2005 17:39 To:

RE: [ActiveDir] Sticky group membership

2005-05-14 Thread Grillenmeier, Guido
nope, the refresh (10 hours by default) will not re-enumerate an account's group-memberships - it will only check if the account still exists, is enabled and hasn't expired and will refresh the ticket granting ticket (TGT) of the respective kerberos realm. Actually, there's a nice little feature

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-23 Thread Grillenmeier, Guido
oh, gee, I'm too late - but I had a great weekend ;-)) I'd have to say (and all the posts show themselves) that there is no single right or wrong answer to lag sites. It's one building block to mastering AD DR and may very well apply more for larger companies than for smaller ones (it's

RE: [ActiveDir] mstsc /console switch for non admins

2005-06-13 Thread Grillenmeier, Guido
Hey Rick - sorry to hear - but from how I know you, this has simply made it easier for you to move on to a new company, something you'll have wanted to do for a while now and never did due to the complications involved. I am very positive, that you won't need to worry about finding

RE: [ActiveDir] DL Expansion Troubleshooting

2005-06-15 Thread Grillenmeier, Guido
did you compare the members of the respective groups in AD on your 3 GCs? You could potentially have an inconsistency between the DCs. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Donnerstag, 16. Juni 2005 02:19 To:

RE: [ActiveDir] GPO configuration

2005-06-15 Thread Grillenmeier, Guido
You could prevent users from logging on in the first place - this will ensure they can't close any window. The only issue is that they can't open any either ;-)) Just curious - why would you want to achieve this in the first place? /Guido -Original Message- From: [EMAIL PROTECTED]

[ActiveDir] Migration between domains with same NetBios name

2005-06-15 Thread Grillenmeier, Guido
Here is a nice one - I've done quite a few migrations with all kinds of scenarios, so I hardly ask questions around this topic. But when migrating from one NT4 domain to an AD domain which both have the same NetBios names, various issues and potential conflicts come to mind and I wonder

RE: [ActiveDir] Migration between domains with same NetBios name

2005-06-16 Thread Grillenmeier, Guido
Thanks Eric, renaming the source NT4 domain was on the list of my options and I know that it works as I've done it before in a larger test-environment. However, I expect many more headaches in a production environment as it's difficult to analyse all the dependencies to existing apps, e.g.

RE: [ActiveDir] Add computers to domain

2005-06-16 Thread Grillenmeier, Guido
the OU permissions prevail over the "add workstations to domain" user right which is defined in the default DC policy. So you don't need to change anything for your NONDAs. However, the mentioned policy grants auth. users the right to join machines to a domain (up to 10 by default) =I

RE: [ActiveDir] Migration between domains with same NetBios name

2005-06-16 Thread Grillenmeier, Guido
I'm pretty much fearful of exactly the same things - in the meantime it's clear that any change to the source is not allowed and the customer is really keen on doing everything at once over a long weekend and is willing to risk "some extra troubleshooting" for the benefit of keeping both

RE: [ActiveDir] Migration between domains with same NetBios name

2005-06-16 Thread Grillenmeier, Guido
Hey Jorge, thanks for your thoughts - you missed that I'm not going to register the AD DCs in WINS, so that's not an issue. Having them in the same subnet is what I'm slightly worried about and need to check if it's even possible. Messing with the old domain name is not an option

RE: [ActiveDir] Move Contacts

2005-06-16 Thread Grillenmeier, Guido
yep, group memberships will remain intact in your case. /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline Sent: Donnerstag, 16. Juni 2005 18:30 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Move Contacts I want to move some mail

RE: [ActiveDir] Virtual Domain Controllers

2005-06-16 Thread Grillenmeier, Guido
you're not off-base - you should certainly handle access to the VMs as critical as a physical machine and educate your admins. I'm not sure if you can completely turn it off if your admins also have admin-access on the host (which is likely the case for the DAs). You could potentially run the

RE: [ActiveDir] Migration between domains with same NetBios name

2005-06-16 Thread Grillenmeier, Guido
... good thinking, although there's still enough work around the apps involved. But this might just be my favorite option until now. Cheers, Guido -Original Message- From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED] Sent: Donnerstag, 16. Juni 2005 22:55 To: Grillenmeier, Guido; '[EMAIL

RE: [ActiveDir] Migration between domains with same NetBios name

2005-06-16 Thread Grillenmeier, Guido
Thanks Jose, good to know that you've already done it in a larger environment. Thanks for the feedback. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Donnerstag, 16. Juni 2005 22:33 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir]

RE: [ActiveDir] Migration between domains with same NetBios name

2005-06-16 Thread Grillenmeier, Guido
realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido Sent: Thu 6/16/2005 1:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Migration between domains with same NetBios name

RE: [ActiveDir] Migration between domains with same NetBios name

2005-06-17 Thread Grillenmeier, Guido
Thanks Dj - time to check rendom out a little more /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Freitag, 17. Juni 2005 15:20 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Migration between domains with same

RE: [ActiveDir] ADMT and Error 7422

2005-06-20 Thread Grillenmeier, Guido
that would then be a move operation (which ADMT does support and I've used it successfully). the special character (ö = o-Umlaut) could be the culprit, but it should be easy for you to figure it out - just rename the account appropriately (is the umlaut in the

RE: [ActiveDir] dfs replica list storage?

2005-06-20 Thread Grillenmeier, Guido
Hello Darren - the data is stored differently for the DFS root replicas (i.e. the list of servers hosting a DFS root) and replicas of a link target (i.e. the list of servers hosting the shared data which is being replicated by some means, by default via FRS). For the first you'll find an

RE: [ActiveDir] ADMT and Error 7422

2005-06-21 Thread Grillenmeier, Guido
can you post the exact movetree command syntax you used? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Haaker, Chris Sent: Dienstag, 21. Juni 2005 19:14 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADMT and Error 7422 So I have

RE: [ActiveDir] GPO configuration

2005-06-21 Thread Grillenmeier, Guido
that's what I call a surprise ;-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III Sent: Dienstag, 21. Juni 2005 16:03 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GPO configuration Took me a while, but here it is: User

RE: [ActiveDir] ADMT and Error 7422

2005-06-21 Thread Grillenmeier, Guido
hmm - I thought it wasn't an issue to pass a user account to be moved, but after checking again, it looks like movetree will only work with OUs. as your ou=cincinnati obviously contains objects that can't be moved successfully (e.g. global groups) and that you

RE: [ActiveDir][OT] File copy with security intact

2005-06-25 Thread Grillenmeier, Guido
with all of the options mentioned (incl. FSMT and RoboCopy) you have to be aware of the limitations of copying ACLs from source to target, which basically depends on how you've ACLed the data on your servers: If you've used Server-Local groups, the tools won't do the work for you to re-create

RE: [ActiveDir] Delegation to Child Domain Failing

2005-06-25 Thread Grillenmeier, Guido
can you explain your issue a little more? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Donnerstag, 23. Juni 2005 22:42 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegation to Child Domain Failing

RE: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread Grillenmeier, Guido
If Domain B is an AD domain and at least native mode, then create a Domain Local Group in Domain B and add the Domain Admins of Domain A to that group. Then add the Domain Local Group from Domain B to the local Admins group on the servers you wish to be administered (basically all servers) - you

RE: [ActiveDir] Creating share object in an OU

2005-06-27 Thread Grillenmeier, Guido
the concept is similar to that of printer objects in AD: you don't create printer queues in an OU (or as child-objects of servers) - instead you create a reference to an existing printer queue on a server - this reference is stored in a printer object; basically Active _Directory_ can act

RE: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread Grillenmeier, Guido
Rick - you should have taken the time to read the other posts ;-) He wants to grant admin access to memberservers, which you won't achieve by adding the domain A users to domain B's administrator group... /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

RE: RE: [ActiveDir] Domain Admins Group Membership

2005-06-27 Thread Grillenmeier, Guido
. However, I wasn't going to post a follow-up just to call attention to myself. Thanks for your help, Guido! You blew THAT plan! ;o) Rick From: Grillenmeier, Guido [EMAIL PROTECTED] Date: 2005/06/27 Mon PM 05:40:11 EDT To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain Admins

RE: [ActiveDir] ADUC Group Viewing

2005-06-30 Thread Grillenmeier, Guido
depends on which group-type you're using - and which OS... if you're connected to a GC, the Universal Group (UG) memberships should be visible on the User - however, you'll never see the Domain Local Group membership of a user if the group is in a different domain. rgd. UGs - although the

RE: [ActiveDir] Allow non domain-admin to modify login scripts

2005-06-30 Thread Grillenmeier, Guido
I tend to not agree fully with the elevation of priv thoughts mentioned in this thread. It really depends on your delegation model and doing it right in the first place = of course you don't grant all your "OU-Level"-Admins the rights to change all scripts in NetLogon - instead you'd create a

RE: [ActiveDir] Allow non domain-admin to modify login scripts

2005-07-01 Thread Grillenmeier, Guido
agreed on most statements, especially on the GPOs, which doesn't only apply to the admin accounts, but also the workstations they use. These should at least be in a different, tightly controlled OU. If the desire is to let some sub admins do these mods, I really prefer the shifting the

RE: [ActiveDir] OT - Script to check if reg entry present

2005-07-01 Thread Grillenmeier, Guido
same as adding users - you always update the group, not the object you put into the group. So just replace the user DNs with the computer's DNs in this sample: http://www.microsoft.com/technet/scriptcenter/scripts/ad/groups/adgpvb03.mspx /Guido -Original Message- From: [EMAIL

RE: [ActiveDir] OT - Script to check if reg entry present

2005-07-04 Thread Grillenmeier, Guido
objTextFile.Close -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Friday, July 01, 2005 3:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - Script to check if reg entry present same as adding users - you always

RE: [ActiveDir] GC

2005-07-05 Thread Grillenmeier, Guido
sounds like typical Outlook client issues to me - not really a GC or a Network problem. afaik, Outlook 2k/XP was basically not smart enough to failover to another GC when the one it selected goes down. It does receive a list from the Exchange Server, but it requires a restart to connect to

RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-11 Thread Grillenmeier, Guido
realize that this search-flag can't be applied to all attributes (e.g. linked attributes such as member/memberOf) = as such you will always require a combination of actions to successfully recover users to a previous state.

RE: [ActiveDir] Sysprep Win2k3 Servers...maybe a DC?

2005-07-11 Thread Grillenmeier, Guido
works fine - done it many times - that's what sysprep is for (no matter what the future role of machine is supposed to be - even a DC) even works nice with sysprepped VMware images ;-) /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana Sent: Samstag, 9.

RE: [ActiveDir] Sysprep Win2k3 Servers...maybe a DC?

2005-07-11 Thread Grillenmeier, Guido
wait until you have to handle many virtual servers - even DCs... /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf Sent: Samstag, 9. Juli 2005 09:55 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Sysprep Win2k3 Servers...maybe

RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

2005-07-11 Thread Grillenmeier, Guido
Chuck - what exactly are you trying to achieve/monitor? AD itself doesn't provide a real event-driven model for notification of changes to objects, but for single object monitoring you can get quite far with WMI event queries (which in the background read the instance of an object and then

RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-11 Thread Grillenmeier, Guido
thanks for the useful information, Eric. You've only mentioned sidHistory - does the same apply for the password? /Gudo From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Montag, 11. Juli

RE: [ActiveDir] DSQUERY DSGET provide inconsistent results - help

2005-07-11 Thread Grillenmeier, Guido
it's a global group, which can't have accounts from other domains as a member. I very much doubt you have an issue with DSQUERY - more likely some DC that's out of sync = which DC is DSQUERY connecting to? Are you getting different results from different DCs or the same one? I'd say it's

RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-12 Thread Grillenmeier, Guido
thanks Eriic for lending me that i - I've just added another one to your name so you won't have to miss out on one in your next mail ;-) ok - I've just checked myself as well - keeping the password was more like wishful

RE: [ActiveDir] ADMT Group SID History

2005-07-12 Thread Grillenmeier, Guido
yep, sounds just like the source-domain's SIDs are being filtered when the resource is still in the source domain (external.dev). Realize that you only need to disable SID filtering on the trust in the source domain - you should leave it enabled on the target domain. /Guido -Original

RE: [ActiveDir] ADMT Group SID History

2005-07-13 Thread Grillenmeier, Guido
filtering apply to nt40 to w2k3 Native AD migration? john -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Tuesday, July 12, 2005 2:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADMT Group SID History yep, sound just

RE: [ActiveDir] Default Domain

2005-07-19 Thread Grillenmeier, Guido
should work just like setting any other registry key on the client. The question is, if you really need it/want it. Most computer migration tools can set that value during the migration of the PC from source to target. But you might very well not want to change this value at the time of the

RE: [ActiveDir] Default Domain

2005-07-19 Thread Grillenmeier, Guido
2003 Network and Technology Services Manager Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Tuesday, July 19, 2005 5:51 PM To: ActiveDir

RE: [ActiveDir] Logon script with Admin rights

2005-07-19 Thread Grillenmeier, Guido
well, I could think of many more drawbacks using this option... don't get me wrong - psexec is cool. But I don't really see it as an option to deploy software to many clients of which usually a certain percentage is remotely connected or offline. So you'd have to build your own little framework

RE: [ActiveDir] Message Not Delivered - TONY - WHERE ARE YOU ?

2005-07-20 Thread Grillenmeier, Guido
I love NDRs of NDRs... /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Mittwoch, 20. Juli 2005 07:42 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Message Not Delivered

RE: [ActiveDir] Active Directory/Windows Architecture Enterprise Architects

2005-07-20 Thread Grillenmeier, Guido
is 14.500 HP folks enough for you? I'd actually kindly ask you not to post such requests on this list - that's not what it's meant for and I'm sure Tony would not be too pleased if this repeats. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon CooperSent:

RE: [ActiveDir] An administrator's view on Auditing of AD....

2005-07-21 Thread Grillenmeier, Guido
I fully second Eric's approach to auditing - this way you'll soon realize that although AD auditing is a critical piece in the equation, it won't answer things such as who deleted specific critical data on memberServerX etc. As such I see auditing to be a much bigger topic than just for AD - but

RE: [ActiveDir] Hiding an OU

2005-07-22 Thread Grillenmeier, Guido
if you're fine with other users seeing the existence of OUX, then there's no need to leverage DSHEURISTICS and the list object mode. but I'd suggest to change the def. sec. descriptor for OUs by removing Auth. Users from it - this way you'll be on the safe side that stuff in new OUs won't be

RE: [ActiveDir] target principal name

2005-07-22 Thread Grillenmeier, Guido
not a good idea to restore a DC to new HW - I'd always prefer to demote the old one (if possible, otherwise do a metadata cleanup) - then promote the new one (could even use promote from media option if replication is an issue). it is possible that your new machine was not synced in time

RE: [ActiveDir] Netlogon

2005-07-24 Thread Grillenmeier, Guido
your main problem could be outside of DNS, but a simple requirement for an SBS DC in a mixed domain with other DCs = the SBS DC MUST be the PDC and hold all the FSMO roles of the domain/forest. So first thing you should do is to concentrate on getting those roles transferred across to the SBS

RE: [ActiveDir] Hiding an OU

2005-07-24 Thread Grillenmeier, Guido
. users/everyone not being able to see those you also had to remove the explicit perms for auth. users/everyone on those objects Cheers, #JORGE# From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido Sent: Fri 7/22/2005 11:46 PM To: ActiveDir@mail.activedir.org

RE: [ActiveDir] Need AD Query Suggestion Please

2005-07-24 Thread Grillenmeier, Guido
oh come on joe - you can do better than that - this should be a simple additional option in adfind ;-) actually works nicely and I could already come up with various other use-cases. Thanks, Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

RE: [ActiveDir] Disaster Recovery Training

2005-07-25 Thread Grillenmeier, Guido
thanks for the advertising Jorge - and I didn't even promise you any goodies :-) Mark, you might also want to have a look at John Craddock and Sally Storey's offering for a 1 day 400-level AD Disaster Recovery seminar: http://www.kimberry.co.uk/dotnetlectures/addr.aspx John and Sally are well

RE: [ActiveDir] 2003 sp1 security agent

2005-07-28 Thread Grillenmeier, Guido
The one recommendation to make is that for DCs it's ok to use SCW to disable extra services you may not use on these machines (e.g. Error Reporting Service, Application Experience Lookup Service etc. ), however, you should not enable the Windows FW on DCs. If you do need to protect access to your

RE: [ActiveDir] turn off replication to a DC in same site

2005-07-31 Thread Grillenmeier, Guido
Steve, you actually don't have to be a Cisco expert for this one - this is rather unrelated to the underlying network technology used: AD supports super-netting for the configuration of subnets to define site-boundaries. Say you have a class C network that holds the majority of your clients and

RE: [ActiveDir] turn off replication to a DC in same site

2005-07-31 Thread Grillenmeier, Guido
Warning 1: YOU MUST MUST MUST still let DCs replicate, _in both directions_, _on a regular basis_. The regularity of the basis is based on the fact that AD replication must always happen end-to-end in the forest within a tombstone lifetime or you end up with lingering objects. It can be very

RE: [ActiveDir] Multiple Domain Trees in a Single Forest

2005-07-31 Thread Grillenmeier, Guido
I'd actually have to say that this is a battle worth fighting because people would try to see something in AD which they shouldn't = a separate tree should certainly not be used simply to put an organisational structure in place which is negative to the business in the long run. Neither

RE: [ActiveDir] Replicating AD

2005-08-02 Thread Grillenmeier, Guido
the ldifde command can do the job for you /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda Sent: Dienstag, 2. August 2005 18:48 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Replicating AD I'm trying to setup a test AD that's

RE: [ActiveDir] Biggest AD Gripes

2005-08-03 Thread Grillenmeier, Guido
actually that's not the case Carlos - even after all DCs are upgraded to R2, SYSVOL is still using the legacy FRS replication mechanism. This won't change before Longhorn. so it should stay on the list of gripes ;-) /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Biggest AD Gripes

2005-08-03 Thread Grillenmeier, Guido
o in addition to the staged delete process as described below, I'd like to be able to force the full deletion of objects before the tombstone lifetime has expired. o better handling of cross-domain links during restore operations - goes along with the staged delete approach: allow linked

RE: [ActiveDir] W23K DC

2005-08-03 Thread Grillenmeier, Guido
Question 1: what did you do just prior to the first time it acted this way? Answer: nothing Question 2: what did you do before you did nothing? ;-) e.g. what did you do while trying to get the FW running on a DC? Fact is that you shouldn't use it on a DC. I doubt that's different for a 3rd

RE: [ActiveDir] copy or migrating local to domain accounts

2005-08-03 Thread Grillenmeier, Guido
there is an easier way, although you might not be able to leverage it, depending on your situation. 1. you could promote the server to be the DC of a new temp-forest (will take the local SAM and make "normal" AD accounts and groups out of it) 2. then create a trust to your target forest and

RE: [ActiveDir] Limitlogin for users

2005-08-06 Thread Grillenmeier, Guido
because some of the users are abusing their privileges The usefulness of LimitLogon for your scenario sort of depends on what the users are doing that you consider abuse. LimitLogon is mainly meant to hinder your users to use more concurrent logon-sessions than you'd like them to use - so if

RE: [ActiveDir] Virtual Domain Controllers

2005-08-06 Thread Grillenmeier, Guido
Since it's a single domain server I just take ghost snapshots of the domain and then backup the files not really a useful approach to backup a DC. Might be ok for FS and other roles, but DCs are not really cool with snapshotting and being "rolled back in

RE: [ActiveDir] R2 Functionality - (Was Biggest AD Gripes)

2005-08-06 Thread Grillenmeier, Guido
in until LH Server. However, THOSE are really going to be worth waiting for. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Wednesday, August 03, 2005 10:57 AM To: ActiveDir@mail.activedir.org Subject: RE

RE: [ActiveDir] Virtual Domain Controllers

2005-08-07 Thread Grillenmeier, Guido
hehe - single DC - must have overread that - I would have called that to be a problem in itself ;-) But then again it's only for 10 users and likely ok. As such, I even doubt that SID reissue is much of a problem as this environment is likely rather static

RE: [ActiveDir] AD migration

2005-08-08 Thread Grillenmeier, Guido
Hey Tom - sounds like fun. The phrase they are cut off from the root domain physically combined with both dns zones are in the root and they don't have any dns locally sounds a bit unrealistic - this should naturally cause numerous replication issues; basically nothing should work (even normal

RE: [ActiveDir] 2 quick favors

2005-08-10 Thread Grillenmeier, Guido
the environment i work in is all win2k pro/server so GPMC is out. Are you saying you don't even have a single WinXP box in this environment? If you have one, you could still install GPMC on the XP client - this will work fine against a win2k AD. Then execute the GetReportsForAllGPOs.wsf

RE: [ActiveDir] Setting the default UPN when migrating accounts using ADMT

2005-08-10 Thread Grillenmeier, Guido
afaik that's a non-configurable option in ADMT - same for v3 (release date is slipping every time I mention the last one I know - so I won't mention it hoping it will stay ;-) However, I've been using the v3 Beta quite successfully for a while and didn't have a stability issue or any other

RE: [ActiveDir] Not inheritting permissions

2005-08-11 Thread Grillenmeier, Guido
looks like you've manually added a permission at the OU level and didn't supply the scope for it = on your OU go to Properties - Security - Advanced, find your permission and then choose to apply the permission to "this object and all child objects". This won't be required for permissions
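A way to spot that misconfiguration without clicking through every OU, as an added example that is not part of the original post: it lists the explicit (non-inherited) ACEs on an OU together with the scope each one applies to. An ACE whose InheritanceType is None covers the OU object itself only, which is the symptom described in the post. It assumes the RSAT ActiveDirectory module; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the original post): show explicit OU ACEs and whether
# each one actually flows down to child objects.
Import-Module ActiveDirectory

function Get-OuExplicitAces {
    param([Parameter(Mandatory)][string]$OuDn)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference,
                      AccessControlType,
                      ActiveDirectoryRights,
                      @{n='Scope'; e={
                          switch ($_.InheritanceType) {
                              'None'            { 'This object only (will NOT reach child objects)' }
                              'All'             { 'This object and all child objects' }
                              'Descendents'     { 'Child objects only' }
                              'SelfAndChildren' { 'This object and immediate children' }
                              'Children'        { 'Immediate children only' }
                          }
                      }},
                      @{n='ObjectType'; e={
                          # An empty GUID means the right applies to all attributes/classes,
                          # otherwise it is limited to one schema GUID.
                          if ($_.ObjectType -eq [guid]::Empty) { '(all)' } else { $_.ObjectType }
                      }}
}

# Placeholder OU; replace with the OU you delegated on.
Get-OuExplicitAces -OuDn 'OU=Sales,DC=corp,DC=example' | Format-Table -AutoSize
```

Any row whose Scope reads "This object only" is the one the post is talking about: the ACE exists, but users and groups inside the OU never see it. The same InheritanceType values are what you set on an ActiveDirectoryAccessRule if you fix the ACE from script instead of the GUI.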

RE: [ActiveDir] Not inheritting permissions

2005-08-11 Thread Grillenmeier, Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Thursday, August 11, 2005 9:32 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Not inheritting permissions looks like you've manually added a permission at the OU level

RE: [ActiveDir] Schema Updates

2005-08-11 Thread Grillenmeier, Guido
correct From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, 11 August 2005 21:59 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Schema Updates Hi, I am having some problems updating the schema for Avaya Unified

RE: [ActiveDir] A bad bad thing...Manual push of AD?

2005-08-11 Thread Grillenmeier, Guido
it'll try - but as the version of the tombstone object will then be lower than that of the auth. restored object, the local change on the deleted object itself will simply be disregarded and the object + attributes restored (read: they will be overwritten by the auth. restored object which have a
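The version comparison described above can be checked directly, as an added example that is not part of the original post: it pulls the per-attribute replication metadata of one object from the DC where the authoritative restore was done and from another DC, and reports which side wins when replication reconciles them. The rule is the one AD uses for conflicts: higher version wins, a tie goes to the later originating change time, and only then to the originating DSA. The script assumes the RSAT ActiveDirectory module; object DN and DC names are placeholders.

```powershell
# Added example (not from the original post): compare attribute versions of an
# object on two DCs after an authoritative restore. ntdsutil raises the version
# of restored attributes by a large increment (100,000 per day since the backup by
# default, tunable with the verinc option), which is why the restore wins over the
# tombstone's delete.
Import-Module ActiveDirectory

function Compare-AttributeVersions {
    param(
        [Parameter(Mandatory)][string]$ObjectDn,
        [Parameter(Mandatory)][string]$RestoredDc,   # DC where 'authoritative restore' was run
        [Parameter(Mandatory)][string]$OtherDc
    )
    # -IncludeDeletedObjects lets this work while the other DC still holds the tombstone.
    $a = Get-ADReplicationAttributeMetadata -Object $ObjectDn -Server $RestoredDc -IncludeDeletedObjects
    $b = Get-ADReplicationAttributeMetadata -Object $ObjectDn -Server $OtherDc   -IncludeDeletedObjects

    $byName = @{}
    foreach ($m in $b) { $byName[$m.AttributeName] = $m }

    foreach ($m in $a) {
        $o = $byName[$m.AttributeName]
        if (-not $o) { continue }   # attribute only stamped on one side; nothing to compare
        $winner = if     ($m.Version -gt $o.Version) { $RestoredDc }
                  elseif ($m.Version -lt $o.Version) { $OtherDc }
                  elseif ($m.LastOriginatingChangeTime -gt $o.LastOriginatingChangeTime) { $RestoredDc }
                  elseif ($m.LastOriginatingChangeTime -lt $o.LastOriginatingChangeTime) { $OtherDc }
                  else { 'tie (same originating change)' }
        [pscustomobject]@{
            Attribute         = $m.AttributeName
            "$RestoredDc Ver" = $m.Version
            "$OtherDc Ver"    = $o.Version
            Winner            = $winner
        }
    }
}

# Placeholders; point them at the restored object and two DCs in the same domain.
Compare-AttributeVersions -ObjectDn 'CN=jdoe,OU=Sales,DC=corp,DC=example' -RestoredDc 'DC01' -OtherDc 'DC02' |
    Format-Table -AutoSize
```

Right after the restore, before replication has converged, isDeleted on the non-restored DC will show a low version and the restored DC's attributes will show the bumped version, so the Winner column should name the restored DC for every attribute that matters. If it does not, the restore was not marked authoritative for that object and the tombstone will win.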

RE: [ActiveDir] Limitlogin for users

2005-08-11 Thread Grillenmeier, Guido
-- A good plan today is better than a perfect plan tomorrow. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Grillenmeier, Guido Sent: Saturday, August 06, 2005 3:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Limitlogin for users

RE: [ActiveDir] A bad bad thing...Manual push of AD?

2005-08-11 Thread Grillenmeier, Guido
gee Brett - so Jorge and I are no one... ;-) you have to forgive Rick - he's just never had to restore an object ;-)) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Friday, 12 August 2005 01:22 To: ActiveDir@mail.activedir.org
