
Active Directory 0701

Re: Easy one - identify an icon in AD.

Re: Error 1419 in directory service log

RE: Error msg 1030 & 1058 every 5 minutes on all 3 servers

Re: Error while trying to demote a domain controller

Re: Firewall settings for DC

Re: Forest Trust Issue

Re: Free Registry Cleaners

Re: Funny strings for operatingSystem attribute(when LDIFDE)

Re: Global Catalog and RID Master

Re: Group policy not processing properly

Re: Group Policy Object

Re: Group policy refreshes in 15 or 90+ minutes?

Re: Group Policy Reporting

Re: HELP PLEASE forward internal IP to DMZ ip

Re: How to Determine Which Service in LSASS.EXE Binds to Port X?

Re: How to disable screen savers on servers

 

 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Easy one - identify an icon in AD.

Date: 09/26/2007 14:32:07

 

 

Hello Adam N.,

 

What kind of file is it? My browser is not able to open it. And if it is

a FOLDER, just give the complete path with it.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> Could someone please identify this folder for me?

>

> http://baumshelter.net/new2.html

>

 

 

 



 

 

 

From: Adam N. <AdamN@discussions.microsoft.com>

To: none

Subject: Re: Easy one - identify an icon in AD.

Date: 09/26/2007 14:42:01

 

 

oops sorry, here is a link...

 

http://www.baumshelter.net/img/clip.JPG

 

"Meinolf Weber" wrote:

 

> Hello Adam N.,

>

> What kind of file is it. My browser is not able to open it? And if it is

> a FOLDER, just give the complete path with it.

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

>

> > Could someone please identify this folder for me?

> >

> > http://baumshelter.net/new2.html

> >

>

>

>

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Easy one - identify an icon in AD.

Date: 09/26/2007 14:52:51

 

 

Hello,

 

that may be in DSADMIN.DLL

 

 

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"Adam N." <AdamN@discussions.microsoft.com> wrote in message

news:47595087-B478-4349-BE37-2437FB7A5750@microsoft.com...

> oops sorry, here is a link...

>

> http://www.baumshelter.net/img/clip.JPG

>

> "Meinolf Weber" wrote:

>

>> Hello Adam N.,

>>

>> What kind of file is it. My browser is not able to open it? And if it is

>> a FOLDER, just give the complete path with it.

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers

>> no rights.

>>

>> > Could someone please identify this folder for me?

>> >

>> > http://baumshelter.net/new2.html

>> >

>>

>>

>>

 

 

 



 

 

 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Easy one - identify an icon in AD.

Date: 09/26/2007 14:56:39

 

 

Hello Adam N.,

 

This is the icon for an Organizational Unit.

 

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> oops sorry, here is a link...

>

> http://www.baumshelter.net/img/clip.JPG

>

> "Meinolf Weber" wrote:

>

>> Hello Adam N.,

>>

>> What kind of file is it. My browser is not able to open it? And if it

>> is a FOLDER, just give the complete path with it.

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers

>> no rights.

>>> Could someone please identify this folder for me?

>>>

>>> http://baumshelter.net/new2.html

>>>

 

 

 



 

 

 

From: Adam N. <AdamN@discussions.microsoft.com>

To: none

Subject: Re: Easy one - identify an icon in AD.

Date: 09/26/2007 15:01:04

 

 

huh? the arrow in the picture is pointing to a folder,

I just want to know what that folder is called and what it is for, it has a

specific icon on the front of the folder, so I know it's not just a folder.

 

Thanks...

 

"Mathieu CHATEAU" wrote:

 

> Hello,

>

> that may be in DSADMIN.DLL

>

>

> --

> Cordialement,

> Mathieu CHATEAU

> http://lordoftheping.blogspot.com

>

>

> "Adam N." <AdamN@discussions.microsoft.com> wrote in message

> news:47595087-B478-4349-BE37-2437FB7A5750@microsoft.com...

> > oops sorry, here is a link...

> >

> > http://www.baumshelter.net/img/clip.JPG

> >

> > "Meinolf Weber" wrote:

> >

> >> Hello Adam N.,

> >>

> >> What kind of file is it. My browser is not able to open it? And if it is

> >> a FOLDER, just give the complete path with it.

> >>

> >> Best regards

> >>

> >> Meinolf Weber

> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> >> confers

> >> no rights.

> >>

> >> > Could someone please identify this folder for me?

> >> >

> >> > http://baumshelter.net/new2.html

> >> >

> >>

> >>

> >>

>

>

 

 

 



 

 

 

From: Adam N. <AdamN@discussions.microsoft.com>

To: none

Subject: Re: Easy one - identify an icon in AD.

Date: 09/26/2007 15:04:01

 

 

That's what I was after, thanks so much. I thought that's what that was, but I

have been working on a different network for some time (Novell).

 

I have a second question now that I know what that is but I had to first

identify that folder,

 

Thanks again.

 

"Meinolf Weber" wrote:

 

> Hello Adam N.,

>

> This is the icon for an Organizational Unit.

>

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

>

> > oops sorry, here is a link...

> >

> > http://www.baumshelter.net/img/clip.JPG

> >

> > "Meinolf Weber" wrote:

> >

> >> Hello Adam N.,

> >>

> >> What kind of file is it. My browser is not able to open it? And if it

> >> is a FOLDER, just give the complete path with it.

> >>

> >> Best regards

> >>

> >> Meinolf Weber

> >> Disclaimer: This posting is provided "AS IS" with no warranties, and

> >> confers

> >> no rights.

> >>> Could someone please identify this folder for me?

> >>>

> >>> http://baumshelter.net/new2.html

> >>>

>

>

>

 

 

 



 

 

 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Easy one - identify an icon in AD.

Date: 09/26/2007 15:07:02

 

 

Hello Adam N.,

 

Organizational units (also called OUs) are a type of directory object into

which you can place users, groups, computers, printers, shared folders, and

other organizational units within a single domain. An organizational unit

(represented as a folder in the Active Directory Users and Computers interface)

lets you logically organize and store objects in the domain. If you have

multiple domains, each domain can implement its own organizational unit hierarchy.

 

You use organizational units primarily to delegate administrative authority

over sets of users, groups, and resources. For example, you might create

an organizational unit to contain all user accounts for your entire company.

After creating organizational units to delegate administration, apply Group

Policy settings to the organizational units to define desktop configurations

for users and computers. Because you use organizational units to delegate

administration, the structure you create will probably reflect your administrative

model more than your business organization.

 

 

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> oops sorry, here is a link...

>

> http://www.baumshelter.net/img/clip.JPG

>

> "Meinolf Weber" wrote:

>

>> Hello Adam N.,

>>

>> What kind of file is it. My browser is not able to open it? And if it

>> is a FOLDER, just give the complete path with it.

>>

>> Best regards

>>

>> Meinolf Weber

>> Disclaimer: This posting is provided "AS IS" with no warranties, and

>> confers

>> no rights.

>>> Could someone please identify this folder for me?

>>>

>>> http://baumshelter.net/new2.html

>>>

 

 

 



 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Easy one - identify an icon in AD.

Date: 09/26/2007 15:08:02

 

 

Hi

What is the purpose of this question?

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"Adam N." <AdamN@discussions.microsoft.com> wrote in message

news:238FE87C-48C0-40F7-B043-307C07498FC0@microsoft.com...

> Could someone please identify this folder for me?

>

> http://baumshelter.net/new2.html

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Error 1419 in directory service log

Date: 09/27/2007 14:48:55

 

 

Hello,

 

Do you have more than one DC? If you have two, you may make the other one a global

catalog too. If you have more than two, you may make two of them global catalogs, and

give the last one the infrastructure operations master role.

 

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"Sofi" <Sofi@discussions.microsoft.com> wrote in message

news:F8D4F029-4DF1-4D87-A88E-7939FFB59BDD@microsoft.com...

>I am getting the folllowing error in the Directory Service log.

>

> The local domain controller is both a global catalog and the

> infrastructure

> operations master. These two roles are not compatible.

>

> If another domain controller exists in the domain, it should be made the

> infrastructure operations master. The following domain controller is a

> good

> candidate for this role.

>

> Domain controller:

> CN=NTDS

> Settings,CN=EXCHANGE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cat5,DC=local

>

> If all domain controllers in this domain are global catalogs, then there

> are

> no infrastructure update tasks to complete, and this message might be

> ignored.

>

> Thankful for any input.

> Sofia

 

 

 



 

 

 

From: Sofi <Sofi@discussions.microsoft.com>

To: none

Subject: Re: Error 1419 in directory service log

Date: 09/27/2007 14:56:00

 

 

Thank you!

Just one stupid question, how do I do that?

 

Thanks again.

Sofia

 

"Mathieu CHATEAU" wrote:

 

> Hello,

>

> do you have more than one DC ? If you have 2, you may make the other Global

> catalog too. If you have more than two, you may put 2 global catalog, and

> give the last one the infrastructure operation master

>

> --

> Cordialement,

> Mathieu CHATEAU

> http://lordoftheping.blogspot.com

>

>

> "Sofi" <Sofi@discussions.microsoft.com> wrote in message

> news:F8D4F029-4DF1-4D87-A88E-7939FFB59BDD@microsoft.com...

> >I am getting the folllowing error in the Directory Service log.

> >

> > The local domain controller is both a global catalog and the

> > infrastructure

> > operations master. These two roles are not compatible.

> >

> > If another domain controller exists in the domain, it should be made the

> > infrastructure operations master. The following domain controller is a

> > good

> > candidate for this role.

> >

> > Domain controller:

> > CN=NTDS

> > Settings,CN=EXCHANGE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cat5,DC=local

> >

> > If all domain controllers in this domain are global catalogs, then there

> > are

> > no infrastructure update tasks to complete, and this message might be

> > ignored.

> >

> > Thankful for any input.

> > Sofia

>

>

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Error 1419 in directory service log

Date: 09/27/2007 14:58:37

 

 

Global catalog stuff:

 

How to create or move a global catalog in Windows Server 2003, Windows 2000,

or Small Business Server 2000

http://support.microsoft.com/kb/313994/en-us

 

 

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"Sofi" <Sofi@discussions.microsoft.com> wrote in message

news:C0FCFEA9-E649-48A0-96D4-17AAFC251732@microsoft.com...

> Thank you!

> Just one stupid question, how  do I do that?

>

> Thanks again.

> Sofia

>

> "Mathieu CHATEAU" wrote:

>

>> Hello,

>>

>> do you have more than one DC ? If you have 2, you may make the other

>> Global

>> catalog too. If you have more than two, you may put 2 global catalog, and

>> give the last one the infrastructure operation master

>>

>> --

>> Cordialement,

>> Mathieu CHATEAU

>> http://lordoftheping.blogspot.com

>>

>>

>> "Sofi" <Sofi@discussions.microsoft.com> wrote in message

>> news:F8D4F029-4DF1-4D87-A88E-7939FFB59BDD@microsoft.com...

>> >I am getting the folllowing error in the Directory Service log.

>> >

>> > The local domain controller is both a global catalog and the

>> > infrastructure

>> > operations master. These two roles are not compatible.

>> >

>> > If another domain controller exists in the domain, it should be made

>> > the

>> > infrastructure operations master. The following domain controller is a

>> > good

>> > candidate for this role.

>> >

>> > Domain controller:

>> > CN=NTDS

>> > Settings,CN=EXCHANGE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cat5,DC=local

>> >

>> > If all domain controllers in this domain are global catalogs, then

>> > there

>> > are

>> > no infrastructure update tasks to complete, and this message might be

>> > ignored.

>> >

>> > Thankful for any input.

>> > Sofia

>>

>>

 

 

 



 

 

 

From: Technical <Technical@discussions.microsoft.com>

To: none

Subject: RE: Error msg 1030 & 1058 every 5 minutes on all 3 servers

Date: 09/27/2007 13:21:01

 

 

Can u paste the complete description for both these errors pls

 

Deepak

 

"Sofi" wrote:

 

> Hi,

>

> I am experienceing the 1030 and 1058 in my event logs every 5 minutes. I

> have done some research on technet and tried the following

>

> *887303

> I did not run the dcgpofix.exe.yet, tried but gave me a warning on the fifle

> version and the schema.

>

> Network has 3 servers all running 2003.

> Also, I cannot open the rsop.msc. Gives me error that I do not have the

> right permisssons.....

>

> All this started happening after someone re-installed a DC using the same

> name, do not know if that has a relation but just put it out there.

>

> If someone has any idea I would greatly apprecialte it.

>

> THANK YOU!

> Sofia

 

 

 



 

 

 

From: Sofi <Sofi@discussions.microsoft.com>

To: none

Subject: RE: Error msg 1030 & 1058 every 5 minutes on all 3 servers

Date: 09/27/2007 13:35:03

 

 

1030 - Windows cannot query for the list of Group Policy objects. Check the

event log for possible messages previously logged by the policy engine that

describes the reason for this.

 

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

 

1058 - Windows cannot access the file gpt.ini for GPO

CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=cat5,DC=local.

The file must be present at the location

<\\cat5.local\sysvol\cat5.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.

(Configuration information could not be read from the domain controller,

either because the machine is unavailable, or access has been denied. ).

Group Policy processing aborted.

 

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

"Technical" wrote:

 

> Can u paste the complete description for both these errors pls

>

> Deepak

>

> "Sofi" wrote:

>

> > Hi,

> >

> > I am experienceing the 1030 and 1058 in my event logs every 5 minutes. I

> > have done some research on technet and tried the following

> >

> > *887303

> > I did not run the dcgpofix.exe.yet, tried but gave me a warning on the fifle

> > version and the schema.

> >

> > Network has 3 servers all running 2003.

> > Also, I cannot open the rsop.msc. Gives me error that I do not have the

> > right permisssons.....

> >

> > All this started happening after someone re-installed a DC using the same

> > name, do not know if that has a relation but just put it out there.

> >

> > If someone has any idea I would greatly apprecialte it.

> >

> > THANK YOU!

> > Sofia

 

 

 



 

 

 

From: Sofi <Sofi@discussions.microsoft.com>

To: none

Subject: RE: Error msg 1030 & 1058 every 5 minutes on all 3 servers

Date: 09/27/2007 13:43:03

 

 

I am also getting 1419 in the Directory services log:

 

"The local domain controller is both a global catalog and the infrastructure

operations master. These two roles are not compatible.

If another domain controller exists in the domain, it should be made the

infrastructure operations master. The following domain controller is a good

candidate for this role.

Domain controller:

CN=NTDS Settings,CN=EXCHANGE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cat5,DC=local

If all domain controllers in this domain are global catalogs, then there are

no infrastructure update tasks to complete, and this message might be ignored.

 

 

"Technical" wrote:

 

> Can u paste the complete description for both these errors pls

>

> Deepak

>

> "Sofi" wrote:

>

> > Hi,

> >

> > I am experienceing the 1030 and 1058 in my event logs every 5 minutes. I

> > have done some research on technet and tried the following

> >

> > *887303

> > I did not run the dcgpofix.exe.yet, tried but gave me a warning on the fifle

> > version and the schema.

> >

> > Network has 3 servers all running 2003.

> > Also, I cannot open the rsop.msc. Gives me error that I do not have the

> > right permisssons.....

> >

> > All this started happening after someone re-installed a DC using the same

> > name, do not know if that has a relation but just put it out there.

> >

> > If someone has any idea I would greatly apprecialte it.

> >

> > THANK YOU!

> > Sofia

 

 

 



 

 

 

From: Ashok Komaragiri <AshokKomaragiri@discussions.microsoft.com>

To: none

Subject: Re: Error while trying to demote a domain controller

Date: 09/25/2007 16:02:34

 

 

Thanx Mathieu for the response, but the problem is resolved. Wanted to share

the solution with you:

 

I forgot to mention in my earlier post that though the server was connected

to the internet, I was not able to browse through any sites. When I try to

open IE and browse through any site it would show me a page not found error.

 

I was under the impression that because I was not able to open AD on the

server, the internet wasn't working properly, but it was the other way round.

Because there was a problem with the internet connection on the server, I was

not able to open AD, and the problem with the internet connection was because

of Virtual Memory. The server had enough space on both the hard disks, but

for some reason VM was reporting with a no storage space error in the Event

logs.

 

When we changed the VM settings to use E:\ (the 2nd HDD) instead of C:\, the

internet started working and I could successfully open AD.

 

Anywayz, I Thank you again for your time and advice.

 

- Ashok

 

 

 



 

 

 

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>

To: none

Subject: Re: Firewall settings for DC

Date: 09/26/2007 14:18:22

 

 

Check out an article I have on this

 

http://www.pbbergs.com/windows/articles/FirewallReplication.html

 

--

Paul Bergson

MVP - Directory Services

MCT, MCSE, MCSA, Security+, BS CSci

2003, 2000 (Early Achiever), NT

 

http://www.pbbergs.com

 

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"Kenneth Porter" <shiva.blacklist@sewingwitch.com> wrote in message

news:Xns99B778A555E32shivasewingwitchcom@207.46.248.16...

> What exceptions should be present on a DC?

>

> I just set up a new Win 2003 R2 x64 server and made it the first DC for my

> new AD domain. I then attempted to join my old workgroup Win 2003 server

> to

> the new domain, and kept getting refused. On a hunch I dropped the

> firewall

> on the new server and the join went through without difficulties.

>

> So it looks like the "Manage My Server" application doesn't add LDAP to

> the

> firewall exceptions list. (I believe it also failed to add DNS, and I

> solved that earlier with an explicit exception.)

>

> I don't want to leave the firewall off, so what holes should I punch in it

> to provide AD services? I now know I need holes for DNS, LDAP, and

> probably

> WINS. Any others?

 

 

 



 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Firewall settings for DC

Date: 09/26/2007 15:06:10

 

 

Hi

Adding to Paul's response, here's more info:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=c2ef3846-43f0-4caf-9767-a9166368434e

http://technet.microsoft.com/en-us/library/Bb727063.aspx

 

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"Kenneth Porter" <shiva.blacklist@sewingwitch.com> wrote in message

news:Xns99B778A555E32shivasewingwitchcom@207.46.248.16...

> What exceptions should be present on a DC?

>

> I just set up a new Win 2003 R2 x64 server and made it the first DC for my

> new AD domain. I then attempted to join my old workgroup Win 2003 server

> to

> the new domain, and kept getting refused. On a hunch I dropped the

> firewall

> on the new server and the join went through without difficulties.

>

> So it looks like the "Manage My Server" application doesn't add LDAP to

> the

> firewall exceptions list. (I believe it also failed to add DNS, and I

> solved that earlier with an explicit exception.)

>

> I don't want to leave the firewall off, so what holes should I punch in it

> to provide AD services? I now know I need holes for DNS, LDAP, and

> probably

> WINS. Any others?

 

 

 



 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Forest Trust Issue

Date: 09/26/2007 12:12:37

 

 

Hi

Could be a DNS issue.

Can both forests resolve each other's existing DNS FQDNs for the domains?

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"Tim Chin" <donotemail> wrote in message

news:%23DzSq3EAIHA.3848@TK2MSFTNGP05.phx.gbl...

>I just recently switch out our external trusts between forests with a

>forest trust as all domain controllers, domain functional levels, and

>forest functional levels are at 2003 now.  The following day, users that

>remote in couldn't cross forest boundaries with their credentials.  It

>prompted them for username/password (which it would only accept in

>domain\user fashion, not UPN -- I believe).  However, anyone inside the

>network could do all of this just fine without windows asking for

>authentication.

>

> Is this a port issue?  From my understanding, forest trusts allow or only

> use Kerberos.  Do I have to have port 88 allowed from every client to

> every dc that is affected by the forest trust?  Currently, users from

> domain A can only contact domain A's dcs on the normal authentication

> ports.  They cannot contact domain B's, C's, D's, etc., etc. dcs.  Note:

> Resources sit all over the place.  In other words, a user from domain A

> will access resources in all trusted domains.

>

> Any help is appreciated.

> Tim

>

 

 

 



 

 

 

From: Tim Chin <donotemail>

To: none

Subject: Re: Forest Trust Issue

Date: 09/26/2007 12:20:30

 

 

Jorge,

 

Yes.  The DCs can all resolve each other as they all use the same DNS

servers and basically sit in the same rack / same subnets.  It's only when

clients remote in that they can't access resources across forests.  For

example, if a user logs into a client here at the office, everything works

fine.  Our remote access appliance does address/port filtering for users

that remote in.  I will attempt to get the logs (if there are any) from the

remote access appliance, but was curious if anyone saw any issues with the

setup that I had outlined with a forest trust vs. external trusts.

 

Tim

 

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:eHp6qBGAIHA.5868@TK2MSFTNGP05.phx.gbl...

> Hi

> Could be a DNS issue.

> Can both Forests solve each other existing DNS FQDN for the domains?

> --

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

 

 

 



 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Forest Trust Issue

Date: 09/26/2007 12:34:22

 

 

I have some forest trusts and they work well. Did you check whether you have any

FW restriction that might prevent authentication or connectivity?

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"Tim Chin" <donotemail> wrote in message

news:uvk0tGGAIHA.1208@TK2MSFTNGP03.phx.gbl...

> Jorge,

>

> Yes.  The DCs can all resolve each other as they all use the same DNS

> servers and basically sit in the same rack / same subnets.  It's only when

> clients remote in that they can't access resources across forests.  For

> example, if a user logs into a client here at the office, everything works

> fine.  Our remote access appliance does address/port filtering for users

> that remote in.  I will attempt to get the logs (if there are any) from

> the remote access appliance, but was curious if anyone saw any issues with

> the setup that I had outlined with a forest trust vs. external trusts.

>

> Tim

>

> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

> news:eHp6qBGAIHA.5868@TK2MSFTNGP05.phx.gbl...

>> Hi

>> Could be a DNS issue.

>> Can both Forests solve each other existing DNS FQDN for the domains?

>> --

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>

>

 

 

 



 

 

 

From: Shenan Stanley <newshelper@gmail.com>

To: none

Subject: Re: Free Registry Cleaners

Date: 09/27/2007 12:46:40

 

 

tdr911turbo@gmail.com wrote:

> Optimize registry for free http://w1nd0w5fr33t1ps.bl0g5p0t.c0m/

 

Or don't spam...

Either would be good.

 


--

Shenan Stanley

     MS-MVP

--

How To Ask Questions The Smart Way

http://www.catb.org/~esr/faqs/smart-questions.html

 

 


 

 

 



 

 

 

From: VanguardLH <VanguardLH@mail.invalid>

To: none

Subject: Re: Free Registry Cleaners

Date: 09/27/2007 15:38:34

 

 

<tdr911turbo@gmail.com> wrote in message

news:1190914430.544546.78400@g4g2000hsf.googlegroups.com...

> Optimize registry for free http://windowsfreetips.blogspot.com/

>

 

 

Chinese Google Grouping spammers stoking their blogs in public are not

trusted.  Keep your crap.

 

 

 



 

 

 

From: PA Bear <PABearMVP@gmail.com>

To: none

Subject: Re: Free Registry Cleaners

Date: 09/27/2007 16:52:12

 

 

SPAM

 

Should I use a Registry cleaner?

http://aumha.net/viewtopic.php?t=28099

--

~Robear Dyer (PA Bear)

MS MVP-Windows (IE, OE, Security, Shell/User)

AumHa VSOP & Admin http://aumha.net

DTS-L http://dts-l.org/

 

 

 



 

 

 

From: Lee Flight <lef@le.ac.uk-nospam>

To: none

Subject: Re: Funny strings for operatingSystem attribute(when LDIFDE)

Date: 09/28/2007 05:49:30

 

 

Hi

 

the "::" after the attribute name tells you that the value is Base64

encoded.

See RFC2849 for more details on LDIF, google for a Base64 decoder.

 

I think you are seeing this for Vista machines, as Microsoft stores

"Vista" with a trademark symbol (TM) or (R) as superscript.

 

Lee Flight

 

"elibbis" <elibbis.2xm03g@DoNotSpam.com> wrote in message

news:elibbis.2xm03g@DoNotSpam.com...

>

> I used LDIFDE to export AD computer objects attributes. Of interest is

> "OperatingSystem". For some computer objects,  the "OperatingSystem"

> value is a long string of funny characters. Like this:

>

> Eg1

> operatingSystem:: V2luZG93cyBWaXN0YeKEoiBVbHRpbWF0ZSBFZGl0aW9u

> operatingSystemVersion: 6.0 (5308)

>

> Eg2

> operatingSystem:: V2luZG93cyBWaXN0YeKEoiBCdXNpbmVzcw==

> operatingSystemVersion: 6.0 (6000)

>

> Could anyone enlighten what could the funny string be ? It seems like

> from Vista machines.  But why is this funny string ? Or is it from

> stale computer accounts ?

>

> Thanks in advance

>

>

> --

> elibbis

> ------------------------------------------------------------------------

> elibbis's Profile: http://forums.techarena.in/member.php?userid=27586

> View this thread: http://forums.techarena.in/showthread.php?t=825403

>

> http://forums.techarena.in

>
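
The "::" marker described in the reply above, as an added example that is not part of the original thread: a small RFC 2849 reader in Python that unfolds continuation lines, decodes "::" values and names the non-ASCII characters that forced the encoding. The DNs in the sample are constructed; the two operatingSystem values are the ones quoted in the question.

```python
import base64
import unicodedata

# Constructed sample in RFC 2849 layout. The DNs are made up; the two
# operatingSystem values are the ones quoted in the question, and the second
# is folded across two lines to exercise continuation handling.
SAMPLE_LDIF = """\
version: 1
# constructed export for the example
dn: CN=PC01,CN=Computers,DC=example,DC=test
operatingSystem:: V2luZG93cyBWaXN0YeKEoiBVbHRpbWF0ZSBFZGl0aW9u
operatingSystemVersion: 6.0 (5308)

dn: CN=PC02,CN=Computers,DC=example,DC=test
operatingSystem:: V2luZG93cyBWaXN0YeKEoiBC
 dXNpbmVzcw==
operatingSystemVersion: 6.0 (6000)
"""


def unfold(text):
    """Join folded lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1] != "":
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def decode_value(b64_text):
    """Decode a '::' value. Text attributes are UTF-8; binary ones stay as bytes."""
    raw = base64.b64decode(b64_text, validate=True)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw


def parse_ldif(text):
    """Return a list of entries, each a dict mapping attribute name to a list of values."""
    entries, current = [], {}
    for line in unfold(text):
        if line == "":                      # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):            # comment line
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an attribute line: %r" % line)
        if attr == "version" and not current:
            continue
        if rest.startswith(":"):            # attr:: base64 value
            value = decode_value(rest[1:].strip())
        elif rest.startswith("<"):          # attr:< URL reference, kept as-is, never fetched
            value = rest.strip()
        else:                               # attr: plain value
            value = rest.lstrip(" ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def non_ascii_chars(value):
    """List (code point, Unicode name) for each character outside 7-bit ASCII."""
    return [("U+%04X" % ord(c), unicodedata.name(c, "UNNAMED"))
            for c in value if ord(c) > 127]


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        os_name = entry["operatingSystem"][0]
        print(entry["dn"][0], "->", os_name, non_ascii_chars(os_name))
```

RFC 2849 requires base64 for any value that contains non-ASCII, NUL, CR or LF, or that begins with a space, colon or "<", so decode an export before searching or filtering on attribute values.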

 

 

 



 

 

 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Global Catalog and RID Master

Date: 09/26/2007 08:44:10

 

 

Hello Carlos,

 

No problem in single domain. Also you should configure both servers as DNS

servers with active directory integrated zones.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> Hello to everybody,

>

> I´ve got two domain controllers, SRV1 is the GC SRV2 is the FSMO.

>

> I think that if my GC fails nobody will´be able to log on to the

> domain.

>

> Could i set SRV1 and SRV2 as Global Catalos and SRV2 as FSMO.

>

> Hope you could help me.

>

> Many Thanks

>

> Regards

>

> Carlos Sabelli

>

 

 

 



 

 

 

From: Carlos <Carlos@discussions.microsoft.com>

To: none

Subject: Re: Global Catalog and RID Master

Date: 09/26/2007 10:04:07

 

 

Many thanks Meinolf

--

Carlos Sabelli

 

 

"Meinolf Weber" wrote:

 

> Hello Carlos,

>

> No problem in single domain. Also you should configure both servers as DNS

> servers with active directory integrated zones.

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and confers

> no rights.

>

> > Hello to everybody,

> >

> > I´ve got two domain controllers, SRV1 is the GC SRV2 is the FSMO.

> >

> > I think that if my GC fails nobody will´be able to log on to the

> > domain.

> >

> > Could i set SRV1 and SRV2 as Global Catalos and SRV2 as FSMO.

> >

> > Hope you could help me.

> >

> > Many Thanks

> >

> > Regards

> >

> > Carlos Sabelli

> >

>

>

>

 

 

 



 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Global Catalog and RID Master

Date: 09/26/2007 12:22:47

 

 

Hi

In a single domain environment ALL DCs have the GC information, so the

"Cost" of having a GC is null, because the information already exists in all

DCs.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"Carlos" <Carlos@discussions.microsoft.com> wrote in message

news:2285352E-BCC8-4656-800D-E084630237CC@microsoft.com...

> Hello to everybody,

>

> I've got two domain controllers, SRV1 is the GC SRV2 is the FSMO.

>

> I think that if my GC fails nobody will be able to log on to the domain.

>

> Could I set SRV1 and SRV2 as Global Catalogs and SRV2 as FSMO.

>

> Hope you could help me.

>

> Many Thanks

>

> Regards

>

> Carlos Sabelli

>

 

 

 



 

 

 

From: rockemhard@gmail.com

To: none

Subject: Re: Global Catalog and RID Master

Date: 09/26/2007 12:30:33

 

 

On Sep 26, 9:44 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:

> Hello Carlos,

>

> No problem in single domain. Also you should configure both servers as DNS

> servers with active directory integrated zones.

 

Hello Meinolf,

 

Could you explain this a little more.  Documentation that I have seen

suggests that the FSMO roles are placed separately from a DC that

contains a GC to allow for proper comparisons of AD objects against

the GC.  Now you mention in a single domain... this is something that

I haven't seen mentioned so perhaps this is the case where this is an

acceptable practice?

 

 

 



 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Global Catalog and RID Master

Date: 09/26/2007 12:38:23

 

 

The IM is responsible for updating cross-domain object references each DC in

the Domain, to do that it needs to check for changes on an available GC,

then compares its information with the information that the GC has, if any

changes, then updates its local information, and updates cross-domain object

references each DC in the Domain.

 

The problem is that if the IM is also a GC, when it is going to check for

changes it asks for a GC and because the IM is also a GC it "thinks" that it

has all information updated and there's no need to update the DCs on its

domain, causing other DCs to end up with nonupdated information, remember

DCs in a domain only know everything about their domain, because the domain

partition is replicated between them. Example:

 

2 Domains:

 

- Domain1

 

- Domain2

 

- You create a Universal Security group on Domain1, and add to it a user from

Domain2.

 

- All GCs in the forest know that UNG on domain1 has a user from Domain2, and

all DCs in the Domain1 also know that, but DCs (non-GCs) in Domain2 don't

know anything about it, the IM in their domain is responsible for updating

that information and replicating it to the DCs in their domain.

 

So in conclusion:

 

- If you have only 1 Domain you don't have cross-domain object references,

so there isn't a job for the IM.

 

- If you have only 1 DC in a domain, it doesn't matter if it is a GC or not

because that DC holds all roles for its domain, and it doesn't need to

update any other DC in its domain, so in this scenario it doesn't matter if it

is a GC or not.

--

I hope that the information above helps you.

Have a Nice day.

 

 

Jorge Silva

MCSE, MVP Directory Services

<rockemhard@gmail.com> wrote in message

news:1190827833.101625.255870@22g2000hsm.googlegroups.com...

> On Sep 26, 9:44 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:

>> Hello Carlos,

>>

>> No problem in single domain. Also you should configure both servers as

>> DNS

>> servers with active directory integrated zones.

>

> Hello Meinolf,

>

> Could you explain this a little more.  Documentation that I have seen

> suggests that the FSMO roles are placed separately from a DC that

> contains a GC to allow for proper comparisons of AD objects against

> the GC.  Now you mention in a single domain... this is something that

> I haven't seen mentioned so perhaps this is the case where this is an

> acceptable practice?

>

 

 

 



 

 

 

From: Meinolf Weber <meiweb(nospam)@gmx.de>

To: none

Subject: Re: Global Catalog and RID Master

Date: 09/26/2007 13:52:09

 

 

Hello Jorge,

 

Thanks for taking over, the only thing i could provide is this article:

http://support.microsoft.com/kb/223346

 

And in this article the part "General recommendations for FSMO placement"

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

 

> The IM is responsible for updating cross-domain object references each

> DC in the Domain, to do that it needs to check for changes on an

> available GC, then compares its information with the information that

> the GC has, if any changes, then updates its local information, and

> updates cross-domain object references each DC in the Domain.

>

> The problem is that if the IM is also a GC, when it is going to check for

> changes it asks for a GC and because the IM is also a GC it "thinks"

> that it has all information updated and there's no need to update the

> DCs on its domain, causing other DCs to end up with nonupdated

> information, remember DCs in a domain only know everything about their

> domain, because the domain partition is replicated between them.

> Example:

>

> 2 Domains:

>

> - Domain1

>

> - Domain2

>

> - You create a Universal Security group on Domain1, and add to it a user

> from Domain2.

>

> - All GCs in the forest know that UNG on domain1 has a user from

> Domain2, and all DCs in the Domain1 also know that, but DCs (non-GCs)

> in Domain2 don't know anything about it, the IM in their domain is

> responsible for updating that information and replicating it to the DCs in

> their domain.

>

> So in conclusion:

>

> - If you have only 1 Domain you don't have cross-domain object

> references, so there isn't a job for the IM.

>

> - If you have only 1 DC in a domain, it doesn't matter if it is a GC or

> not because that DC holds all roles for its domain, and it doesn't

> need to update any other DC in its domain, so in this scenario it doesn't

> matter if it is a GC or not.

>

> Jorge Silva

> MCSE, MVP Directory Services

> <rockemhard@gmail.com> wrote in message

> news:1190827833.101625.255870@22g2000hsm.googlegroups.com...

>> On Sep 26, 9:44 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:

>>

>>> Hello Carlos,

>>>

>>> No problem in single domain. Also you should configure both servers

>>> as

>>> DNS

>>> servers with active directory integrated zones.

>> Hello Meinolf,

>>

>> Could you explain this a little more.  Documentation that I have seen

>> suggests that the FSMO roles are placed separately from a DC that

>> contains a GC to allow for proper comparisons of AD objects against

>> the GC.  Now you mention in a single domain... this is something that

>> I haven't seen mentioned so perhaps this is the case where this is an

>> acceptable practice?

>>

 

 

 



 

 

 

From: SaltyBalllz <SaltyBalllz.2xlrrj@DoNotSpam.com>

To: none

Subject: Re: Group policy not processing properly

Date: 09/27/2007 23:01:22

 

 

Hi AT,

I have a network with the exact same issue you're having.

1 domain forest - Server 2003

5 DC's in 5 different cities

All the Client PC's are running Windows XP SP2.

The GPO is applied to the OU's

Everything works correctly at the FSMO location, but at some of the

remote locations it is hit and miss.  On some machines GP works

correctly and others it does not.  If you run a report it will tell you

everything is processed correctly but it has not.  Everyone has the same

rights and are in the same OU.  I am also thinking this is due to a slow

connection.

 

Have you found a solution as of yet?

SaltyBalllz

 

 

--

SaltyBalllz

------------------------------------------------------------------------

SaltyBalllz's Profile: http://forums.techarena.in/member.php?userid=31898

View this thread: http://forums.techarena.in/showthread.php?t=587703

 

http://forums.techarena.in

 

 

 



 

 

 

From: David <david.fike@gmail.com>

To: none

Subject: Re: Group Policy Object

Date: 09/26/2007 09:09:47

 

 

Jeff - I don't believe there is a built-in GPO to support this. My

company is still working through an NDS to AD migration, and this is

one of the things still controlled by NDS scripts. I suppose you could

setup a Scheduled Task to execute "shutdown.exe" on workstations at a

specific time, but this would be difficult if you had a large number

of workstations to set it up on. Sorry I wasn't much help - if I come

across anything else I'll let you know!

 

 

 



 

 

 

From: Chris M <nobody@nowhere.special>

To: none

Subject: Re: Group Policy Object

Date: 09/26/2007 09:14:32

 

 

Jeff Belorit wrote:

> Hello, I was wondering if there is an GPO template for shutting down

> computers at a specific time at night.  My company is trying to enforce the

> users to shutdown when they go home and of course the users do not shutdown.

> It would be nice if this can be done from Group Policy.

 

Hi Jeff,

 

As David has said, there's nothing natively that I'm aware of in Group

Policy that supports scheduled shutdowns.

 

However, (again as David said) you can schedule a task to run

shutdown.exe at a certain time.

 

What you can do is combine the two - create a GPO that has a startup

script which uses the 'at' command to schedule a daily shutdown. This

means that the machines won't pick up the scheduled task until they get

rebooted, but given enough time all of the machines that you apply the

GPO to should be restarted and therefore will add the scheduled task.

 

I did this in an infrastructure of about 1,000 client machines and it

worked like a charm.

 

Make sure that your users are well informed before you implement this -

users have a nasty habit of leaving unsaved work on their desktop when

they leave to go home. If you run shutdown.exe with the -f switch then

this will cause users to lose unsaved work.

 

Cheers,

 

Chris.

 

 

 



 

 

 

From: Jorge Silva <jorgesilva_pt@hotmail.com>

To: none

Subject: Re: Group Policy Object

Date: 09/26/2007 12:32:20

 

 

Hi

Also have a look at psshutdown from MS sysinternals.

 

--

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

"Jeff Belorit" <jbelorit@mbi-inc.com> wrote in message

news:e%23NvnrDAIHA.4164@TK2MSFTNGP06.phx.gbl...

> Hello, I was wondering if there is an GPO template for shutting down

> computers at a specific time at night.  My company is trying to enforce

> the users to shutdown when they go home and of course the users do not

> shutdown. It would be nice if this can be done from Group Policy.

>

> Thanks

>

 

 

 



 

 

 

From: Mathieu CHATEAU <gollum123@free.fr>

To: none

Subject: Re: Group policy refreshes in 15 or 90+ minutes?

Date: 09/27/2007 01:19:56

 

 

Hello,

 

Determining When Group Policy Changes are Applied

http://technet2.microsoft.com/windowsserver/en/library/a8d4a748-f3b7-4a93-b9f3-f0dbad68f6ae1033.mspx?mfr=true

 

 

--

Regards,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"Mr. Magoo" <MrMagoo@discussions.microsoft.com> wrote in message

news:4B15E92E-AC3C-4F46-82B5-EE8B921DDD67@microsoft.com...

> My computer account was on a OU=CertainOu. I moved my computer account to

> another OU.

>

> I waited 18 minutes. I did gpresult and I observed that timestamp

> "Last time Group Policy was applied: 9/26/2007 at 12:55:29 PM "

> My previous gpresult.exe showed such timestamp was updated in about 15

> minutes.

>

> Then I noticed that my computer account was shown in the correct and

> current

> container. However, group policies was not inherited according. Basically

> the

> group policies shown below are the ones inherited from the container prior

> to

> my moving operation. Can you clarify which portion of the policy gets

> updated

> in 90 minutes? Why does the time stamps (shown by gpresult) are displayed

> as

> updated every 15 minutes?

>

> C:\>gpresult

>

>

>

> Microsoft (R) Windows (R) XP Operating System Group Policy Result tool

> v2.0

>

> Copyright (C) Microsoft Corp. 1981-2001

>

>

>

> Created On 9/26/2007 at 12:56:46 PM

>

>

>

>

>

> RSOP results for mydomain\myself on machine : Logging Mode

>

> -----------------------------------------------------------------------------

>

>

>

> OS Type:                     Microsoft Windows XP Professional

>

> OS Configuration:            Member Workstation

>

> OS Version:                  5.1.2600

>

> Domain Name:                 MYCOMPANY

>

> Domain Type:                 Windows 2000

>

> Site Name:                   misrenton

>

> Roaming Profile:

>

> Local Profile:               C:\Documents and Settings\myself

>

> Connected over a slow link?: Yes

>

>

>

>

>

> COMPUTER SETTINGS

>

> ------------------

>

>    CN=MYDUMBMACHINE,OU=YOUR,OU=OURS,OU=THEIRS,OU=HIS,OU=HERS and C

>

> omputers,DC=my,DC=company,DC=com

>

>    Last time Group Policy was applied: 9/26/2007 at 12:55:29 PM

>

>    Group Policy was applied from:      Mycompany.yes.com

>

>    Group Policy slow link threshold:   500 kbps

>

>

>

>    Applied Group Policy Objects

>

>    -----------------------------

>

>        GPO1

>        Mypolic2

>        VPN-Site-Settings

>

>

>

>    The following GPOs were not applied because they were filtered out

>

>    -------------------------------------------------------------------

>

>         Vista Wireless Policy

>

>            Filtering:  Disabled (GPO)

> (...)

>

 

 

 



 

 

 

From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>

To: none

Subject: Re: Group Policy Reporting

Date: 09/26/2007 00:30:30

 

 

Howdie!

 

Avil wrote:

> I have a Windows 2000 active directory domain. I need to generate a report

> listing all the group policy settings. How can I achieve this?

 

From a Windows XP workstation, you should be able to run the Group

Policy Management Console, which gives you the ability to create reports.

 

Based on the VBS samples shipped with GPMC, you should be able to come

up with something like that.

 

cheers,

 

Florian

--

Microsoft MVP - Windows Server - Group Policy.

eMail: prename [at] frickelsoft [dot] net.

blog: http://www.frickelsoft.net/blog.

 

 

 



 

 

 

From: Avil <Avil@discussions.microsoft.com>

To: none

Subject: Re: Group Policy Reporting

Date: 09/26/2007 00:52:02

 

 

Is it the RSOP tool? Kindly explain.

Thank You

 

"Florian Frommherz [MVP]" wrote:

 

> Howdie!

>

> Avil wrote:

> > I have a Windows 2000 active directory domain. I need to generate a report

> > listing all the group policy settings. How can I achieve this?

>

>  From a Windows XP workstation, you should be able to run the Group

> Policy Management Console, which gives you the ability to create reports.

>

> Based on the VBS samples shipped with GPMC, you should be able to come

> up with something like that.

>

> cheers,

>

> Florian

> --

> Microsoft MVP - Windows Server - Group Policy.

> eMail: prename [at] frickelsoft [dot] net.

> blog: http://www.frickelsoft.net/blog.

>

 

 

 



 

 

 

From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>

To: none

Subject: Re: Group Policy Reporting

Date: 09/26/2007 02:06:49

 

 

Howdie!

 

Avil wrote:

> Is it the RSOP tool? Kindly explain.

 

RSOP is a tool to see the effective policies on a machine. Is this, what

you want?

 

I thought you were searching for a method to report all policies with

their settings configured.

 

In GPMC, you click a policy and view "Settings", which generates a HTML

report of the policy's configured settings. That's a way to start. GPMC

ships some VB scripts which I think you can use to extend in order to

automate this process to generate an over-all-GP-settings-report.

 

cheers,

 

Florian

--

Microsoft MVP - Windows Server - Group Policy.

eMail: prename [at] frickelsoft [dot] net.

blog: http://www.frickelsoft.net/blog.

 

 

 



 

 

 

From: Avil <Avil@discussions.microsoft.com>

To: none

Subject: Re: Group Policy Reporting

Date: 09/26/2007 02:30:00

 

 

I am looking for all the active directory group policy settings that are

configured in domain. Could you please teach me on using GPMC. How do I open

that tool on XP machine.

 

Thanks

 

"Florian Frommherz [MVP]" wrote:

 

> Howdie!

>

> Avil wrote:

> > Is it the RSOP tool? Kindly explain.

>

> RSOP is a tool to see the effective policies on a machine. Is this, what

> you want?

>

> I thought you were searching for a method to report all policies with

> their settings configured.

>

> In GPMC, you click a policy and view "Settings", which generates a HTML

> report of the policy's configured settings. That's a way to start. GPMC

> ships some VB scripts which I think you can use to extend in order to

> automate this process to generate an over-all-GP-settings-report.

>

> cheers,

>

> Florian

> --

> Microsoft MVP - Windows Server - Group Policy.

> eMail: prename [at] frickelsoft [dot] net.

> blog: http://www.frickelsoft.net/blog.

>

 

 

 



 

 

 

From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>

To: none

Subject: Re: Group Policy Reporting

Date: 09/26/2007 02:36:37

 

 

Howdie!

 

Avil wrote:

> I am looking for all the active directory group policy settings that are

> configured in domain. Could you please teach me on using GPMC. How do I open

> that tool on XP machine.

 

Download and install the Group Policy Management Console:

http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

 

You can open the GPMC by using "gpmc.msc" (without parentheses on

Start->Run) - you can then browse to your domain. You should see the

domain as well as your Organizational Units. Below every OU, you can see

the GPOs linked to that OU. After selecting a GPO, you can see a

"Settings" tab on the right pane of the GPMC. This is a generated HTML

report which displays all settings configured within that GPO.

 

cheers,

 

Florian

--

Microsoft MVP - Windows Server - Group Policy.

eMail: prename [at] frickelsoft [dot] net.

blog: http://www.frickelsoft.net/blog.

 

 

 



 

 

 

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>

To: none

Subject: Re: HELP PLEASE forward internal IP to DMZ ip

Date: 09/27/2007 06:48:12

 

 

If you are using the dns name, then you shouldn't have to do anything.  Just

change the ip address of the name and clients need to clear their dns cache

or wait for the TTL to expire.

 

--

Paul Bergson

MVP - Directory Services

MCT, MCSE, MCSA, Security+, BS CSci

2003, 2000 (Early Achiever), NT

 

http://www.pbbergs.com

 

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"tay" <fackinace@googlemail.com> wrote in message

news:1190893050.922763.192140@50g2000hsm.googlegroups.com...

> Hi we are just about to move our ftp server to a dmz.

> At the moment the ip is 192.168.1.66

> In the dmz it will be 10.0.0.66

> Now if possible i dont want to go around 200 machines to change the ip

> so were wondering can a forwarder be used or the likes?

>

> Cheers for any help.

>

> Ian

>

 

 

 



 

 

 

From: tay <fackinace@googlemail.com>

To: none

Subject: Re: HELP PLEASE forward internal IP to DMZ ip

Date: 09/27/2007 07:58:28

 

 

Hmm the thing is cuteftp connects using the ip address of 192.168.1.66

and not the name which needs to change to 10.0.0.66.

Ian

 

 

 



 

 

 

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>

To: none

Subject: Re: HELP PLEASE forward internal IP to DMZ ip

Date: 09/27/2007 08:44:37

 

 

May need to script the change and run at logon time

 

--

Paul Bergson

MVP - Directory Services

MCT, MCSE, MCSA, Security+, BS CSci

2003, 2000 (Early Achiever), NT

 

http://www.pbbergs.com

 

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"tay" <fackinace@googlemail.com> wrote in message

news:1190897908.118811.182310@g4g2000hsf.googlegroups.com...

> Hmm the thing is cuteftp connects using the ip address of 192.168.1.66

> and not the name which needs to change to 10.0.0.66.

> Ian

>

 

 

 



 

 

 

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>

To: none

Subject: Re: How to Determine Which Service in LSASS.EXE Binds to Port X?

Date: 09/27/2007 06:52:03

 

 

Check out an article I have on AD and Firewalls.  In it is an explanation on

how to modify the high ports pool for RPC.  I have made ours in a much

smaller pool.

 

http://www.pbbergs.com/windows/articles/FirewallReplication.html

 

--

Paul Bergson

MVP - Directory Services

MCT, MCSE, MCSA, Security+, BS CSci

2003, 2000 (Early Achiever), NT

 

http://www.pbbergs.com

 

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"Will" <westes-usc@noemail.nospam> wrote in message

news:OuedndYnuZZX9WbbnZ2dnUVZ_vyinZ2d@giganews.com...

> The process that runs LSASS.exe runs many security related services for

> domain controllers, including kerberos, netlogon, etc.   In examining the

> LSASS process with Process Explorer, I'm seeing many ports other than the

> well-known ones being opened for access through RPC.   How can I determine

> which specific services are binding to each of the ports?     Isn't there

> an RPC mapping tool I can run on a server that will clearly identify the

> actual service that has bound to each of the RPC assigned ports like 1026?

>

> The reason I am asking this is that I have a domain controller that is

> being contacted on TCP port 1026 by only one member server in the domain.

> Process Explorer establishes that LSASS owns this port, and I assume it is

> an RPC assigned port number that could change from one boot to the next. I

> want to clearly identify what the service bound to that port is and try to

> understand why only one member server is contacting that service.

>

> The activity is currently being blocked by a firewall.   We have all of

> the critical RPC services (e.g., NETLOGON, AD replication, etc) bound to

> fixed ports and those ports are exposed through the firewall.

>

> --

> Will

>

 

 

 



 

 

 

From: Will <westes-usc@noemail.nospam>

To: none

Subject: Re: How to Determine Which Service in LSASS.EXE Binds to Port X?

Date: 09/27/2007 18:25:34

 

 

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

news:%23F4ITzPAIHA.968@TK2MSFTNGP03.phx.gbl...

> Check out an article I have on AD and Firewalls.  In it is an explanation

> on how to modify the high ports pool for RPC.  I have made ours in a much

> smaller pool.

>

> http://www.pbbergs.com/windows/articles/FirewallReplication.html

 

I'm very familiar with all of the issues on the above page, and I would like

to add a few thoughts:

 

1) You need to also add the NETLOGON service as a fixed port.   This is

perhaps the single most used service among the dynamic range RPC services,

and you do so by creating a DWORD with the port value at the registry

location:

 

    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DCTcpipPort

 

2) In our experience, once you give fixed ports to NTFRS, NTDS and NETLOGON,

you NO LONGER NEED VARIABLE RPC PORTS (what you assign to 10002 to 10200 in

your example).     We have small forests, so maybe there are load balancing

considerations I don't know about, but dcdiag /v reports no errors between

controllers with just those three fixed ports and we completely lock out the

variable RPC ports.   But we have been running this way for at least a year

now with no errors popping up in dcdiag /v or the eventviewer logs.   If we

have overlooked some legitimate RPCs I would very much like to document

those and read further about them.

 

To wax poetic a bit, any firewall design for a domain controller that uses

dynamic ports is from my point of view not much better than having no

firewall.     The rootkit viruses will either modify system directly or

modify behavior of a well-known system service EXE like LSASS.   It's

nothing for them to just open up another RPC, and then they have you.   By

locking all known services to fixed ports, your system can be compromised,

and it can try to open up additional ports, but no one can contact those

ports, thus greatly limiting one path to gain access to the box from another

computer.

 

All the above is just response to the URL you provided in your response.

My original question was how to identify (by name and function) the specific

RPC service running under a specific process.   The utility in your link

above PortQryUI and PortQry do not do that.   Like Process Explorer, PortQry

simply establishes the fact that process X has open port Y.   In my case

that process is LSASS and the port is 1026.    What I need is a tool like an

"RPC Query" that will actually use port 135 to enumerate all of the active

RPC services on a box and the ports they run on.    Then I can cross

reference the RPC service by name to port 1026 and research that service

further.   Such a tool must be possible to write because otherwise how could

any EXE contact the RPC mapper port 135 and enumerate services on the box?

 

--

Will

 

 

 

> "Will" <westes-usc@noemail.nospam> wrote in message

> news:OuedndYnuZZX9WbbnZ2dnUVZ_vyinZ2d@giganews.com...

>> The process that runs LSASS.exe runs many security related services for

>> domain controllers, including kerberos, netlogon, etc.   In examining the

>> LSASS process with Process Explorer, I'm seeing many ports other than the

>> well-known ones being opened for access through RPC.   How can I

>> determine which specific services are binding to each of the ports?

>> Isn't there an RPC mapping tool I can run on a server that will clearly

>> identify the actual service that has bound to each of the RPC assigned

>> ports like 1026?

>>

>> The reason I am asking this is that I have a domain controller that is

>> being contacted on TCP port 1026 by only one member server in the domain.

>> Process Explorer establishes that LSASS owns this port, and I assume it

>> is an RPC assigned port number that could change from one boot to the

>> next. I want to clearly identify what the service bound to that port is

>> and try to understand why only one member server is contacting that

>> service.

>>

>> The activity is currently being blocked by a firewall.   We have all of

>> the critical RPC services (e.g., NETLOGON, AD replication, etc) bound to

>> fixed ports and those ports are exposed through the firewall.

>>

>> --

>> Will

>>

>

>
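The cross-reference asked for at the end of the post above (which named RPC interfaces sit behind a port such as 1026, and which TCP endpoints fall outside the fixed ports opened for NTFRS, NTDS and NETLOGON) can be done by reading the endpoint mapper's registrations. This Python example is added here and is not from the thread; the dump layout, the host name, ports 50001-50003, the 1027 entry and the dump contents are constructed assumptions, while the interface UUIDs in the lookup table are the well-known ones for the named protocols.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

# Well-known interface UUIDs of RPC services hosted on a domain controller.
WELL_KNOWN = {
    "12345678-1234-abcd-ef00-01234567cffb": "netlogon (MS-NRPC)",
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2": "drsuapi (AD replication)",
    "f5cc59b4-4264-101a-8c59-08002b2f8426": "frsrpc (File Replication Service)",
    "12345778-1234-abcd-ef00-0123456789ab": "lsarpc (LSA remote protocol)",
    "12345778-1234-abcd-ef00-0123456789ac": "samr (SAM remote protocol)",
}

# Constructed sample dump (assumed layout: a "UUID:" line with an optional
# annotation, followed by one or more "protseq:host[endpoint]" binding lines).
# Only port 1026 comes from the thread; everything else is made up.
SAMPLE_DUMP = r"""UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:dc01.example.test[50001]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_ip_tcp:dc01.example.test[50002]

UUID: f5cc59b4-4264-101a-8c59-08002b2f8426 NtFrs Service
ncacn_ip_tcp:dc01.example.test[50003]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_np:\\DC01[\PIPE\lsass]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_ip_tcp:dc01.example.test[1026]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:dc01.example.test[1026]

UUID: 00000000-0000-0000-0000-000000000001 Constructed Example Interface
ncacn_ip_tcp:dc01.example.test[1027]

Total endpoints found: 7
"""

UUID_RE = re.compile(r"^UUID:\s*([0-9a-fA-F-]{36})\s*(.*)$")
BINDING_RE = re.compile(r"^(nca\w+):([^\[]*)\[(.*)\]\s*$")


class Endpoint(NamedTuple):
    uuid: str
    annotation: str
    protseq: str   # ncacn_ip_tcp, ncacn_np, ncalrpc, ...
    host: str
    endpoint: str  # TCP port, named pipe or LPC port name

    @property
    def tcp_port(self) -> Optional[int]:
        """Port number for TCP bindings, None for pipes and local endpoints."""
        if self.protseq == "ncacn_ip_tcp" and self.endpoint.isdigit():
            return int(self.endpoint)
        return None

    @property
    def name(self) -> str:
        """Best available label: lookup table, then annotation, then a marker."""
        return WELL_KNOWN.get(self.uuid) or self.annotation or "unknown interface"


def parse_endpoint_dump(text: str) -> List[Endpoint]:
    """Turn the dump into Endpoint records; bindings with no UUID are skipped."""
    endpoints: List[Endpoint] = []
    current: Optional[Tuple[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = UUID_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2).strip())
            continue
        m = BINDING_RE.match(line)
        if m and current:
            endpoints.append(Endpoint(current[0], current[1], *m.groups()))
    return endpoints


def interfaces_on_port(endpoints: Iterable[Endpoint], port: int) -> List[Tuple[str, str]]:
    """Distinct (uuid, name) pairs registered on one TCP port."""
    return sorted({(e.uuid, e.name) for e in endpoints if e.tcp_port == port})


def unpinned_tcp_ports(endpoints: Iterable[Endpoint], allowed: Set[int]) -> Dict[int, List[str]]:
    """TCP ports with registrations that the firewall allowlist does not cover."""
    found: Dict[int, Set[str]] = {}
    for e in endpoints:
        port = e.tcp_port
        if port is not None and port not in allowed:
            found.setdefault(port, set()).add(e.name)
    return {p: sorted(names) for p, names in sorted(found.items())}


if __name__ == "__main__":
    eps = parse_endpoint_dump(SAMPLE_DUMP)
    for uuid, name in interfaces_on_port(eps, 1026):
        print(f"1026/tcp -> {uuid}  {name}")
    print(unpinned_tcp_ports(eps, {135, 50001, 50002, 50003}))
```

Any port reported by `unpinned_tcp_ports` is one a member server could be trying to reach while the firewall drops it, which is the situation described for port 1026.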

 

 

 



 

 

 

From: Andy C <acracchiolo@fluidmaster.com>

To: none

Subject: Re: How to Determine Which Service in LSASS.EXE Binds to Port X?

Date: 09/27/2007 19:51:30

 

 

Not to go off topic but I am just curious as to the benefit to you of

placing everything behind the firewall.

Is it for security purposes or for logging purposes or some other cool

reason that I don't know?

 

-Andy

 

"Will" <westes-usc@noemail.nospam> wrote in message

news:ncqdndHffdlypmHbnZ2dnUVZ_gadnZ2d@giganews.com...

> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

> news:%23F4ITzPAIHA.968@TK2MSFTNGP03.phx.gbl...

>> Check out an article I have on AD and Firewalls.  In it is an explanation

>> on how to modify the high ports pool for RPC.  I have made ours in a much

>> smaller pool.

>>

>> http://www.pbbergs.com/windows/articles/FirewallReplication.html

>

> I'm very familiar with all of the issues on the above page, and I would

> like to add a few thoughts:

>

> 1) You need to also add the NETLOGON service as a fixed port.   This is

> perhaps the single most used service among the dynamic range RPC services,

> and you do so by creating a DWORD with the port value at the registry

> location:

>

>    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DCTcpipPort

>

> 2) In our experience, once you give fixed ports to NTFRS, NTDS and

> NETLOGON, you NO LONGER NEED VARIABLE RPC PORTS (what you assign to 10002

> to 10200 in your example).     We have small forests, so maybe there are

> load balancing considerations I don't know about, but dcdiag /v reports no

> errors between controllers with just those three fixed ports and we

> completely lock out the variable RPC ports.   But we have been running

> this way for at least a year now with no errors popping up in dcdiag /v or

> the eventviewer logs.   If we have overlooked some legitimate RPCs I would

> very much like to document those and read further about them.

>

> To wax poetic a bit, any firewall design for a domain controller that uses

> dynamic ports is from my point of view not much better than having no

> firewall.     The rootkit viruses will either modify system directly or

> modify behavior of a well-known system service EXE like LSASS.   It's

> nothing for them to just open up another RPC, and then they have you.   By

> locking all known services to fixed ports, your system can be compromised,

> and it can try to open up additional ports, but no one can contact those

> ports, thus greatly limiting one path to gain access to the box from

> another computer.

>

> All the above is just response to the URL you provided in your response.

> My original question was how to identify (by name and function) the

> specific RPC service running under a specific process.   The utility in

> your link above PortQryUI and PortQry do not do that.   Like Process

> Explorer, PortQry simply establishes the fact that process X has open port

> Y.   In my case that process is LSASS and the port is 1026.    What I need

> is a tool like an "RPC Query" that will actually use port 135 to enumerate

> all of the active RPC services on a box and the ports they run on.    Then

> I can cross reference the RPC service by name to port 1026 and research

> that service further.   Such a tool must be possible to write because

> otherwise how could any EXE contact the RPC mapper port 135 and enumerate

> services on the box?

>

> --

> Will

>

>

>

>> "Will" <westes-usc@noemail.nospam> wrote in message

>> news:OuedndYnuZZX9WbbnZ2dnUVZ_vyinZ2d@giganews.com...

>>> The process that runs LSASS.exe runs many security related services for

>>> domain controllers, including kerberos, netlogon, etc.   In examining

>>> the LSASS process with Process Explorer, I'm seeing many ports other

>>> than the well-known ones being opened for access through RPC.   How can

>>> I determine which specific services are binding to each of the ports?

>>> Isn't there an RPC mapping tool I can run on a server that will clearly

>>> identify the actual service that has bound to each of the RPC assigned

>>> ports like 1026?

>>>

>>> The reason I am asking this is that I have a domain controller that is

>>> being contacted on TCP port 1026 by only one member server in the

>>> domain. Process Explorer establishes that LSASS owns this port, and I

>>> assume it is an RPC assigned port number that could change from one boot

>>> to the next. I want to clearly identify what the service bound to that

>>> port is and try to understand why only one member server is contacting

>>> that service.

>>>

>>> The activity is currently being blocked by a firewall.   We have all of

>>> the critical RPC services (e.g., NETLOGON, AD replication, etc) bound to

>>> fixed ports and those ports are exposed through the firewall.

>>>

>>> --

>>> Will

>>>

>>

>>

>

>

 

 

 


From: Will <westes-usc@noemail.nospam>

To: none

Subject: Re: How to Determine Which Service in LSASS.EXE Binds to Port X?

Date: 09/27/2007 21:54:33

 

 

"Andy C" <acracchiolo@fluidmaster.com> wrote in message

news:eyBL2mWAIHA.4656@TK2MSFTNGP04.phx.gbl...

> Not to go off topic but I am just curious as to the benefit to you of

> placing everything behind the firewall.

> Is it for security purposes or for logging purposes or some other cool

> reason that I don't know?

 

It is for security only.   Our entire Windows 2000 network was hit by a

rootkit virus, and once you have gone through that kind of nightmare you do

a lot of thinking about what kinds of network designs make it structurally

very difficult for a trojan application to operate or to spread.   All of

those Windows 2000 computers were unrecoverable and had to be rebuilt.   As

a small company, it took us years to recover from that, and in fact some of

the machines are still being rebuilt as time allows.   As part of the

rebuilding effort, I did a lot of thinking about how current network designs

contribute to this awful worldwide epidemic of trojans and rootkits.

 

Fundamentally, ethernet with TCP was never built from the start for

security.    Consider the ARP protocol for example.   ARP sits below TCP and

any Microsoft security layers, and it's the basic protocol that allows

computers on the same subnet to find each other.    Unfortunately, it also

lets any authorized software running on your computer essentially sit back

and let the network tell it what targets of interest exist on the network.

The Trojan then can start probing each of the IPs that are broadcast to be

of interest.

 

From the standpoint of Microsoft Networking, consider what the sniffer trace

of a network looks like when you don't turn off NetBIOS over TCP.   There

are a huge number of broadcasts that identify for any listener on the network

targets of interest.   The protocols that use ports 137, 138, and 139 are

all ancient stuff, with huge security holes.

 

To address those kinds of concerns, we have gotten to the point where we put

every key server on its own dedicated subnet behind a firewall.    That

stops the ARP problem dead, because no other machine can see the ARPs since

only the firewall and the server share the same subnet together.    While we

turn off NetBIOS over TCP on both clients and servers, having dedicated

subnets lets us enforce that policy strictly and block ports 137, 138, and

139 right at the firewall, so even a misconfigured machine cannot use

unsecure protocols.    Every port in and every port out to every server is

controlled.   So even if the hacker was root on some of these servers, and

they could infect them with rootkits, there would be little of profit in

doing so.    Any ports the rootkit opens up cannot be reached.   Any

outgoing connections to unauthorized ports or HTTP sites are blocked.

 

I'm sure that parts of our network are still hacked.    But we are setting

the bar higher and higher, and at some point the controls will be such that

infestations just won't be able to spread, will be detectable quickly, and

will have limited ability to do damage even on the infected machines.

Unfortunately, getting to that nirvana takes a level of knowledge,

experience, experimentation, and just plain time that I don't believe most

users (or management) would tolerate.

 

A domain controller is the brain of the network, and once it is compromised

the battle is largely over and you can no longer trust authentication or any

of the services the domain controller is delivering.    So for us we decided

early on that we were going to go to war with the domain controllers and

understand top to bottom the services they were delivering, and which of

those needed to be presented for an Active Directory network to function

correctly.    The advantage to limiting the domain controller to just fixed

ports is that it can then be secured by a firewall.   Someone who

compromises the domain controller and runs a service that opens additional

ports on the domain controller won't be able to use them.   The ports might

be listening, but the firewall prevents them from being reached.   Because

no other computer sits on the domain controller's subnet, there is no path

to the domain controller that does not enforce the security policy

implemented by the firewall.

 

Having lived with this basic design for about a year, it has proven to not

only be extremely reliable, but has had the added benefit of speeding up the

network considerably.   I don't understand why this is yet, but perhaps

putting everything on dedicated subnets just cuts down the level of

broadcast traffic so much that retransmissions and latency on each subnet go

way down.   Our internal firewall now has about 30 subnets on it.    It was

a huge amount of work to set it up, but it's not very hard to maintain as

long as you document the network with diagrams, and organize the ruleset

correctly.

 

--

Will

 

 

> "Will" <westes-usc@noemail.nospam> wrote in message

> news:ncqdndHffdlypmHbnZ2dnUVZ_gadnZ2d@giganews.com...

>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

>> news:%23F4ITzPAIHA.968@TK2MSFTNGP03.phx.gbl...

>>> Check out an article I have on AD and Firewalls.  In it is an

>>> explanation on how to modify the high ports pool for RPC.  I have made

>>> ours in a much smaller pool.

>>>

>>> http://www.pbbergs.com/windows/articles/FirewallReplication.html

>>

>> I'm very familiar with all of the issues on the above page, and I would

>> like to add a few thoughts:

>>

>> 1) You need to also add the NETLOGON service as a fixed port.   This is

>> perhaps the single most used service among the dynamic range RPC

>> services, and you do so by creating a DWORD with the port value at the

>> registry location:

>>

>>    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DCTcpipPort

>>

>> 2) In our experience, once you give fixed ports to NTFRS, NTDS and

>> NETLOGON, you NO LONGER NEED VARIABLE RPC PORTS (what you assign to 10002

>> to 10200 in your example).     We have small forests, so maybe there are

>> load balancing considerations I don't know about, but dcdiag /v reports

>> no errors between controllers with just those three fixed ports and we

>> completely lock out the variable RPC ports.   But we have been running

>> this way for at least a year now with no errors popping up in dcdiag /v

>> or the eventviewer logs.   If we have overlooked some legitimate RPCs I

>> would very much like to document those and read further about them.

>>

>> To wax poetic a bit, any firewall design for a domain controller that

>> uses dynamic ports is from my point of view not much better than having

>> no firewall.     The rootkit viruses will either modify system directly

>> or modify behavior of a well-known system service EXE like LSASS.   It's

>> nothing for them to just open up another RPC, and then they have you.

>> By locking all known services to fixed ports, your system can be

>> compromised, and it can try to open up additional ports, but no one can

>> contact those ports, thus greatly limiting one path to gain access to the

>> box from another computer.

>>

>> All the above is just response to the URL you provided in your response.

>> My original question was how to identify (by name and function) the

>> specific RPC service running under a specific process.   The utility in

>> your link above PortQryUI and PortQry do not do that.   Like Process

>> Explorer, PortQry simply establishes the fact that process X has open

>> port Y.   In my case that process is LSASS and the port is 1026.    What

>> I need is a tool like an "RPC Query" that will actually use port 135 to

>> enumerate all of the active RPC services on a box and the ports they run

>> on.    Then I can cross reference the RPC service by name to port 1026

>> and research that service further.   Such a tool must be possible to

>> write because otherwise how could any EXE contact the RPC mapper port 135

>> and enumerate services on the box?

>>

>> --

>> Will

>>

>>

>>

>>> "Will" <westes-usc@noemail.nospam> wrote in message

>>> news:OuedndYnuZZX9WbbnZ2dnUVZ_vyinZ2d@giganews.com...

>>>> The process that runs LSASS.exe runs many security related services for

>>>> domain controllers, including kerberos, netlogon, etc.   In examining

>>>> the LSASS process with Process Explorer, I'm seeing many ports other

>>>> than the well-known ones being opened for access through RPC.   How can

>>>> I determine which specific services are binding to each of the ports?

>>>> Isn't there an RPC mapping tool I can run on a server that will clearly

>>>> identify the actual service that has bound to each of the RPC assigned

>>>> ports like 1026?

>>>>

>>>> The reason I am asking this is that I have a domain controller that is

>>>> being contacted on TCP port 1026 by only one member server in the

>>>> domain. Process Explorer establishes that LSASS owns this port, and I

>>>> assume it is an RPC assigned port number that could change from one

>>>> boot to the next. I want to clearly identify what the service bound to

>>>> that port is and try to understand why only one member server is

>>>> contacting that service.

>>>>

>>>> The activity is currently being blocked by a firewall.   We have all of

>>>> the critical RPC services (e.g., NETLOGON, AD replication, etc) bound

>>>> to fixed ports and those ports are exposed through the firewall.

>>>>

>>>> --

>>>> Will

 

 

 


From: Will <westes-usc@noemail.nospam>

To: none

Subject: Re: How to Determine Which Service in LSASS.EXE Binds to Port X?

Date: 09/27/2007 23:05:31

 

 

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

news:%23F4ITzPAIHA.968@TK2MSFTNGP03.phx.gbl...

> Check out an article I have on AD and Firewalls.  In it is an explanation

> on how to modify the high ports pool for RPC.  I have made ours in a much

> smaller pool.

>

> http://www.pbbergs.com/windows/articles/FirewallReplication.html

 

The program I needed was RPCINFO.   The service that was running on port

1026 was NT Directory NSP Interface.   That is apparently some kind of peer

to peer protocol networking service (first time I ever knew about it).

What Windows 2000 application would be trying to use that?

 

--

Will

 

 

> http://www.pbbergs.com

>

> Please no e-mails, any questions should be posted in the NewsGroup

> This posting is provided "AS IS" with no warranties, and confers no

> rights.

>

> "Will" <westes-usc@noemail.nospam> wrote in message

> news:OuedndYnuZZX9WbbnZ2dnUVZ_vyinZ2d@giganews.com...

>> The process that runs LSASS.exe runs many security related services for

>> domain controllers, including kerberos, netlogon, etc.   In examining the

>> LSASS process with Process Explorer, I'm seeing many ports other than the

>> well-known ones being opened for access through RPC.   How can I

>> determine which specific services are binding to each of the ports?

>> Isn't there an RPC mapping tool I can run on a server that will clearly

>> identify the actual service that has bound to each of the RPC assigned

>> ports like 1026?

>>

>> The reason I am asking this is that I have a domain controller that is

>> being contacted on TCP port 1026 by only one member server in the domain.

>> Process Explorer establishes that LSASS owns this port, and I assume it

>> is an RPC assigned port number that could change from one boot to the

>> next. I want to clearly identify what the service bound to that port is

>> and try to understand why only one member server is contacting that

>> service.

>>

>> The activity is currently being blocked by a firewall.   We have all of

>> the critical RPC services (e.g., NETLOGON, AD replication, etc) bound to

>> fixed ports and those ports are exposed through the firewall.
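
The cross-reference this thread is after (endpoint-mapper entries by name against a port such as 1026, and against the ports the firewall exposes), as an added example that is not part of the original posts. The listing is constructed sample text in an assumed "UUID line, then binding line" layout; the UUIDs, the address and the three fixed port numbers are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of an endpoint-mapper listing (not captured from a real host).
# Assumed layout: "UUID: <uuid> <annotation>" followed by "<protseq>:<host>[<endpoint>]".
SAMPLE_DUMP = r"""
UUID: 00000000-0000-0000-0000-000000000001 NTDS replication (constructed)
ncacn_ip_tcp:192.0.2.10[50001]
UUID: 00000000-0000-0000-0000-000000000002 NETLOGON (constructed)
ncacn_ip_tcp:192.0.2.10[50002]
UUID: 00000000-0000-0000-0000-000000000003 NTFRS (constructed)
ncacn_ip_tcp:192.0.2.10[50003]
UUID: 00000000-0000-0000-0000-000000000004 NT Directory NSP Interface
ncacn_ip_tcp:192.0.2.10[1026]
UUID: 00000000-0000-0000-0000-000000000005
ncacn_ip_tcp:192.0.2.10[1026]
UUID: 00000000-0000-0000-0000-000000000004 NT Directory NSP Interface
ncacn_np:\\DC1[\pipe\lsass]
UUID: 00000000-0000-0000-0000-000000000006 local only (constructed)
ncalrpc:[LRPC-constructed]
"""

UUID_RE = re.compile(r"^UUID:\s*([0-9a-fA-F-]{36})\s*(.*)$")
BIND_RE = re.compile(r"^(\w+):([^\[]*)\[(.*)\]$")

def parse_endpoints(dump):
    """Return {tcp_port: [(uuid, annotation), ...]} for ncacn_ip_tcp bindings only."""
    by_port = defaultdict(list)
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = UUID_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2).strip() or "(no annotation)")
            continue
        b = BIND_RE.match(line)
        if not (b and current):
            continue
        protseq, _host, endpoint = b.groups()
        # Named pipes and local RPC are not TCP listeners, so a firewall
        # port rule never sees them; only numeric TCP endpoints are kept.
        if protseq == "ncacn_ip_tcp" and endpoint.isdigit():
            if current not in by_port[int(endpoint)]:
                by_port[int(endpoint)].append(current)
        current = None
    return dict(by_port)

def services_on_port(dump, port):
    """Names of every interface registered on one TCP port (several can share it)."""
    return [name for _uuid, name in parse_endpoints(dump).get(port, [])]

def outside_firewall_policy(dump, allowed_ports):
    """Interfaces registered on TCP ports the firewall rule set does not expose."""
    return {p: s for p, s in parse_endpoints(dump).items() if p not in allowed_ports}

if __name__ == "__main__":
    print(services_on_port(SAMPLE_DUMP, 1026))
    print(outside_firewall_policy(SAMPLE_DUMP, {50001, 50002, 50003}))
```

One process can register several interfaces on the same dynamic port, so the lookup returns a list rather than a single name.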

 

 

 


From: Al Mulnick <amulnick_No_SPAM@ncDOTrr.com>

To: none

Subject: Re: How to disable screen savers on servers

Date: 09/27/2007 14:22:51

 

 

Using a loopback policy and the server names (in a group), you should be

able to achieve this.

 

Al

 

"Anne Butera" <AnneButera@discussions.microsoft.com> wrote in message

news:AC837013-625D-4ACF-B1A0-88712D5D2344@microsoft.com...

> I have a User Group Policy that is applied to all users that forces a company
> screen saver.  But I need to disable this group policy when they RDP to a
> server using Terminal services, because the screen saver uses up too much CPU
> and memory.  How can I disable the screen saver on certain servers?  Is that
> possible since it is a user GP?
>
> Thanks for any input!
>
> Ann

 

 

 


From: Anne Butera <AnneButera@discussions.microsoft.com>

To: none

Subject: Re: How to disable screen savers on servers

Date: 09/27/2007 15:41:00

 

 

Can you elaborate on how to do a loop back policy?  Thank you so much.

 

"Al Mulnick" wrote:

 

> Using a loopback policy and the server names (in a group), you should be

> able to achieve this.

>

> Al

>

> "Anne Butera" <AnneButera@discussions.microsoft.com> wrote in message

> news:AC837013-625D-4ACF-B1A0-88712D5D2344@microsoft.com...

> > I have a User Group Policy that is applied to all users that forces a company
> > screen saver.  But I need to disable this group policy when they RDP to a
> > server using Terminal services, because the screen saver uses up too much CPU
> > and memory.  How can I disable the screen saver on certain servers?  Is that
> > possible since it is a user GP?
> >
> > Thanks for any input!
> >
> > Ann

>

>

>

 

 

 


From: Andy C <acracchiolo@fluidmaster.com>

To: none

Subject: Re: How to disable screen savers on servers

Date: 09/27/2007 19:41:09

 

 

http://support.microsoft.com/kb/231287

 

 

"Anne Butera" <AnneButera@discussions.microsoft.com> wrote in message

news:CC60E162-CB5A-4D8C-AF08-E100E3F06D27@microsoft.com...

> Can you elaborate on how to do a loop back policy?  Thank you so much.

>

> "Al Mulnick" wrote:

>

>> Using a loopback policy and the server names (in a group), you should be

>> able to achieve this.

>>

>> Al

>>

>> "Anne Butera" <AnneButera@discussions.microsoft.com> wrote in message

>> news:AC837013-625D-4ACF-B1A0-88712D5D2344@microsoft.com...

>> > I have a User Group Policy that is applied to all users that forces a company
>> > screen saver.  But I need to disable this group policy when they RDP to a
>> > server using Terminal services, because the screen saver uses up too much CPU
>> > and memory.  How can I disable the screen saver on certain servers?  Is that
>> > possible since it is a user GP?
>> >
>> > Thanks for any input!
>> >
>> > Ann

>>

>>

>>

 

 

 


From: David Shen <davidsunshine2000@hotmail.com>

To: none

Subject: Re: [X-POST] Person and User.

Date: 09/28/2007 01:36:07

 

 

To Alessandro,

 

You can use the Sysinternals tool ADExplorer to view userPrincipalName very

easily. You may download it from www.sysinternals.com

 

"AM" <AM@AM.AM> wrote in message news:%23GArXW1wHHA.424@TK2MSFTNGP06.phx.gbl...

> Hi all,

>

> is there anyone who can kindly tell me how the object/category specified

> in the subject play the role in the big picture of Active Directory?

>

> I need to access the attribute userPrincipalName and someone told me to

> refer to the object (?-I hope to call it with the right name) USER instead

> of PERSON.

>

> Browsing the AD through an LDAP browser the "user" has both the

> objectclass User and Person so I can not see any difference between them

> and I can not understand why to use the first instead of the second. Maybe

> I'm missing something.

>

> I would be interested in some drawings that explains at which level those

> "object" are placed and which is the "role" of each one.

>

> Many thanks in advance.

>

> Alessandro

 

 

 
