From: Meinolf Weber <meiweb(nospam)@gmx.de>
To: none
Subject: Re: Easy one - identify an icon in AD.
Date: 09/26/2007 14:32:07

Hello Adam N.,

What kind of file is it? My browser is not able to open it. And if it is a FOLDER, just give the complete path with it.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

> Could someone please identify this folder for me?
>
> http://baumshelter.net/new2.html

From: Adam N. <AdamN@discussions.microsoft.com>
To: none
Subject: Re: Easy one - identify an icon in AD.
Date: 09/26/2007 14:42:01

oops sorry, here is a link...

http://www.baumshelter.net/img/clip.JPG

"Meinolf Weber" wrote:

> Hello Adam N.,
>
> What kind of file is it? My browser is not able to open it. And if it is a FOLDER, just give the complete path with it.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
>
> > Could someone please identify this folder for me?
> >
> > http://baumshelter.net/new2.html

From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Easy one - identify an icon in AD.
Date: 09/26/2007 14:52:51

Hello,

that may be in DSADMIN.DLL

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Adam N." <AdamN@discussions.microsoft.com> wrote in message
news:47595087-B478-4349-BE37-2437FB7A5750@microsoft.com...
> oops sorry, here is a link...
>
> http://www.baumshelter.net/img/clip.JPG
>
> "Meinolf Weber" wrote:
>
>> Hello Adam N.,
>>
>> What kind of file is it? My browser is not able to open it. And if it is a FOLDER, just give the complete path with it.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> > Could someone please identify this folder for me?
>> >
>> > http://baumshelter.net/new2.html

From: Meinolf Weber <meiweb(nospam)@gmx.de>
To: none
Subject: Re: Easy one - identify an icon in AD.
Date: 09/26/2007 14:56:39

Hello Adam N.,

This is the icon for an Organizational Unit.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

> oops sorry, here is a link...
>
> http://www.baumshelter.net/img/clip.JPG
>
> "Meinolf Weber" wrote:
>
>> Hello Adam N.,
>>
>> What kind of file is it? My browser is not able to open it. And if it is a FOLDER, just give the complete path with it.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
>>> Could someone please identify this folder for me?
>>>
>>> http://baumshelter.net/new2.html

From: Adam N. <AdamN@discussions.microsoft.com>
To: none
Subject: Re: Easy one - identify an icon in AD.
Date: 09/26/2007 15:01:04

huh?
the arrow in the picture is pointing to a folder, I just want to know what that folder is called and what it is for, it has a specific icon on the front of the folder, so I know it's not just a folder.

Thanks...

"Mathieu CHATEAU" wrote:

> Hello,
>
> that may be in DSADMIN.DLL
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
> "Adam N." <AdamN@discussions.microsoft.com> wrote in message
> news:47595087-B478-4349-BE37-2437FB7A5750@microsoft.com...
> > oops sorry, here is a link...
> >
> > http://www.baumshelter.net/img/clip.JPG
> >
> > "Meinolf Weber" wrote:
> >
> >> Hello Adam N.,
> >>
> >> What kind of file is it? My browser is not able to open it. And if it is a FOLDER, just give the complete path with it.
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
> >>
> >> > Could someone please identify this folder for me?
> >> >
> >> > http://baumshelter.net/new2.html

From: Adam N. <AdamN@discussions.microsoft.com>
To: none
Subject: Re: Easy one - identify an icon in AD.
Date: 09/26/2007 15:04:01

That's what I was after, Thanks so much, I thought that's what that was but I have been working on a different network for some time (NOVELL).

I have a second question now that I know what that is but I had to first identify that folder,

Thanks again.

"Meinolf Weber" wrote:

> Hello Adam N.,
>
> This is the icon for an Organizational Unit.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
>
> > oops sorry, here is a link...
> >
> > http://www.baumshelter.net/img/clip.JPG
> >
> > "Meinolf Weber" wrote:
> >
> >> Hello Adam N.,
> >>
> >> What kind of file is it? My browser is not able to open it. And if it is a FOLDER, just give the complete path with it.
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
> >>> Could someone please identify this folder for me?
> >>>
> >>> http://baumshelter.net/new2.html

From: Meinolf Weber <meiweb(nospam)@gmx.de>
To: none
Subject: Re: Easy one - identify an icon in AD.
Date: 09/26/2007 15:07:02

Hello Adam N.,

Organizational units (also called OUs) are a type of directory object into which you can place users, groups, computers, printers, shared folders, and other organizational units within a single domain. An organizational unit (represented as a folder in the Active Directory Users and Computers interface) lets you logically organize and store objects in the domain. If you have multiple domains, each domain can implement its own organizational unit hierarchy. You use organizational units primarily to delegate administrative authority over sets of users, groups, and resources. For example, you might create an organizational unit to contain all user accounts for your entire company. After creating organizational units to delegate administration, apply Group Policy settings to the organizational units to define desktop configurations for users and computers. Because you use organizational units to delegate administration, the structure you create will probably reflect your administrative model more than your business organization.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

> oops sorry, here is a link...
>
> http://www.baumshelter.net/img/clip.JPG
>
> "Meinolf Weber" wrote:
>
>> Hello Adam N.,
>>
>> What kind of file is it? My browser is not able to open it. And if it is a FOLDER, just give the complete path with it.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
>>> Could someone please identify this folder for me?
>>>
>>> http://baumshelter.net/new2.html

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Easy one - identify an icon in AD.
Date: 09/26/2007 15:08:02

Hi
What is the Purpose of this question?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Adam N." <AdamN@discussions.microsoft.com> wrote in message
news:238FE87C-48C0-40F7-B043-307C07498FC0@microsoft.com...
> Could someone please identify this folder for me?
>
> http://baumshelter.net/new2.html

From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Error 1419 in directory service log
Date: 09/27/2007 14:48:55

Hello,

do you have more than one DC? If you have 2, you may make the other Global catalog too. If you have more than two, you may put 2 global catalog, and give the last one the infrastructure operation master

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Sofi" <Sofi@discussions.microsoft.com> wrote in message
news:F8D4F029-4DF1-4D87-A88E-7939FFB59BDD@microsoft.com...
>I am getting the following error in the Directory Service log.
>
> The local domain controller is both a global catalog and the infrastructure operations master. These two roles are not compatible.
>
> If another domain controller exists in the domain, it should be made the infrastructure operations master. The following domain controller is a good candidate for this role.
>
> Domain controller:
> CN=NTDS Settings,CN=EXCHANGE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cat5,DC=local
>
> If all domain controllers in this domain are global catalogs, then there are no infrastructure update tasks to complete, and this message might be ignored.
>
> Thankful for any input.
> Sofia

From: Sofi <Sofi@discussions.microsoft.com>
To: none
Subject: Re: Error 1419 in directory service log
Date: 09/27/2007 14:56:00

Thank you!
Just one stupid question, how do I do that?

Thanks again.
Sofia

"Mathieu CHATEAU" wrote:

> Hello,
>
> do you have more than one DC? If you have 2, you may make the other Global catalog too. If you have more than two, you may put 2 global catalog, and give the last one the infrastructure operation master
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
> "Sofi" <Sofi@discussions.microsoft.com> wrote in message
> news:F8D4F029-4DF1-4D87-A88E-7939FFB59BDD@microsoft.com...
> >I am getting the following error in the Directory Service log.
> >
> > The local domain controller is both a global catalog and the infrastructure operations master. These two roles are not compatible.
> >
> > If another domain controller exists in the domain, it should be made the infrastructure operations master. The following domain controller is a good candidate for this role.
> >
> > Domain controller:
> > CN=NTDS Settings,CN=EXCHANGE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cat5,DC=local
> >
> > If all domain controllers in this domain are global catalogs, then there are no infrastructure update tasks to complete, and this message might be ignored.
> >
> > Thankful for any input.
> > Sofia

From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Error 1419 in directory service log
Date: 09/27/2007 14:58:37

Global catalog stuff:
How to create or move a global catalog in Windows Server 2003, Windows 2000, or Small Business Server 2000
http://support.microsoft.com/kb/313994/en-us

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Sofi" <Sofi@discussions.microsoft.com> wrote in message
news:C0FCFEA9-E649-48A0-96D4-17AAFC251732@microsoft.com...
> Thank you!
> Just one stupid question, how do I do that?
>
> Thanks again.
> Sofia
>
> "Mathieu CHATEAU" wrote:
>
>> Hello,
>>
>> do you have more than one DC? If you have 2, you may make the other Global catalog too. If you have more than two, you may put 2 global catalog, and give the last one the infrastructure operation master
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>> "Sofi" <Sofi@discussions.microsoft.com> wrote in message
>> news:F8D4F029-4DF1-4D87-A88E-7939FFB59BDD@microsoft.com...
>> >I am getting the following error in the Directory Service log.
>> >
>> > The local domain controller is both a global catalog and the infrastructure operations master. These two roles are not compatible.
>> >
>> > If another domain controller exists in the domain, it should be made the infrastructure operations master. The following domain controller is a good candidate for this role.
>> >
>> > Domain controller:
>> > CN=NTDS Settings,CN=EXCHANGE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cat5,DC=local
>> >
>> > If all domain controllers in this domain are global catalogs, then there are no infrastructure update tasks to complete, and this message might be ignored.
>> >
>> > Thankful for any input.
>> > Sofia

From: Technical <Technical@discussions.microsoft.com>
To: none
Subject: RE: Error msg 1030 & 1058 every 5 minutes on all 3 servers
Date: 09/27/2007 13:21:01

Can u paste the complete description for both these errors pls

Deepak

"Sofi" wrote:

> Hi,
>
> I am experiencing the 1030 and 1058 in my event logs every 5 minutes. I have done some research on technet and tried the following
>
> *887303
> I did not run the dcgpofix.exe yet, tried but gave me a warning on the file version and the schema.
>
> Network has 3 servers all running 2003.
> Also, I cannot open the rsop.msc. Gives me error that I do not have the right permissions.....
>
> All this started happening after someone re-installed a DC using the same name, do not know if that has a relation but just put it out there.
>
> If someone has any idea I would greatly appreciate it.
>
> THANK YOU!
> Sofia

From: Sofi <Sofi@discussions.microsoft.com>
To: none
Subject: RE: Error msg 1030 & 1058 every 5 minutes on all 3 servers
Date: 09/27/2007 13:35:03

1030 - Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

1058 - Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=cat5,DC=local. The file must be present at the location <\\cat5.local\sysvol\cat5.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

"Technical" wrote:

> Can u paste the complete description for both these errors pls
>
> Deepak
>
> "Sofi" wrote:
>
> > Hi,
> >
> > I am experiencing the 1030 and 1058 in my event logs every 5 minutes. I have done some research on technet and tried the following
> >
> > *887303
> > I did not run the dcgpofix.exe yet, tried but gave me a warning on the file version and the schema.
> >
> > Network has 3 servers all running 2003.
> > Also, I cannot open the rsop.msc. Gives me error that I do not have the right permissions.....
> >
> > All this started happening after someone re-installed a DC using the same name, do not know if that has a relation but just put it out there.
> >
> > If someone has any idea I would greatly appreciate it.
> >
> > THANK YOU!
> > Sofia

From: Sofi <Sofi@discussions.microsoft.com>
To: none
Subject: RE: Error msg 1030 & 1058 every 5 minutes on all 3 servers
Date: 09/27/2007 13:43:03

I am also getting 1419 in the Directory services log:

"The local domain controller is both a global catalog and the infrastructure operations master. These two roles are not compatible.

If another domain controller exists in the domain, it should be made the infrastructure operations master. The following domain controller is a good candidate for this role.

Domain controller:
CN=NTDS Settings,CN=EXCHANGE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cat5,DC=local

If all domain controllers in this domain are global catalogs, then there are no infrastructure update tasks to complete, and this message might be ignored.

"Technical" wrote:

> Can u paste the complete description for both these errors pls
>
> Deepak
>
> "Sofi" wrote:
>
> > Hi,
> >
> > I am experiencing the 1030 and 1058 in my event logs every 5 minutes. I have done some research on technet and tried the following
> >
> > *887303
> > I did not run the dcgpofix.exe yet, tried but gave me a warning on the file version and the schema.
> >
> > Network has 3 servers all running 2003.
> > Also, I cannot open the rsop.msc. Gives me error that I do not have the right permissions.....
> >
> > All this started happening after someone re-installed a DC using the same name, do not know if that has a relation but just put it out there.
> >
> > If someone has any idea I would greatly appreciate it.
> >
> > THANK YOU!
> > Sofia

From: Ashok Komaragiri <AshokKomaragiri@discussions.microsoft.com>
To: none
Subject: Re: Error while trying to demote a domain controller
Date: 09/25/2007 16:02:34

Thanx Mathieu for the response, but the problem is resolved. Wanted to share the solution with you:

I forgot to mention in my earlier post that though the server was connected to the internet, I was not able to browse through any sites. When I try to open IE and browse through any site it would show me a page not found error.

I was under the impression that because I was not able to open AD on the server, the internet wasn't working properly, but it was the other way round. Because there was a problem with the internet connection on the server, I was not able to open AD, and the problem with the internet connection was because of Virtual Memory. The server had enough space on both the hard disks, but for some reason VM was reporting with a no storage space error in the Event logs.

When we changed the VM settings to use E:\ (the 2nd HDD) instead of C:\, the internet started working and I could successfully open AD.

Anywayz, I Thank you again for your time and advice.

- Ashok

From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: Firewall settings for DC
Date: 09/26/2007 14:18:22

Check out an article I have on this
http://www.pbbergs.com/windows/articles/FirewallReplication.html

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Kenneth Porter" <shiva.blacklist@sewingwitch.com> wrote in message
news:Xns99B778A555E32shivasewingwitchcom@207.46.248.16...
> What exceptions should be present on a DC?
>
> I just set up a new Win 2003 R2 x64 server and made it the first DC for my new AD domain. I then attempted to join my old workgroup Win 2003 server to the new domain, and kept getting refused. On a hunch I dropped the firewall on the new server and the join went through without difficulties.
>
> So it looks like the "Manage My Server" application doesn't add LDAP to the firewall exceptions list. (I believe it also failed to add DNS, and I solved that earlier with an explicit exception.)
>
> I don't want to leave the firewall off, so what holes should I punch in it to provide AD services? I now know I need holes for DNS, LDAP, and probably WINS. Any others?

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Firewall settings for DC
Date: 09/26/2007 15:06:10

Hi
Adding to Paul's response here's more info:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=c2ef3846-43f0-4caf-9767-a9166368434e
http://technet.microsoft.com/en-us/library/Bb727063.aspx

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Kenneth Porter" <shiva.blacklist@sewingwitch.com> wrote in message
news:Xns99B778A555E32shivasewingwitchcom@207.46.248.16...
> What exceptions should be present on a DC?
>
> I just set up a new Win 2003 R2 x64 server and made it the first DC for my new AD domain. I then attempted to join my old workgroup Win 2003 server to the new domain, and kept getting refused. On a hunch I dropped the firewall on the new server and the join went through without difficulties.
>
> So it looks like the "Manage My Server" application doesn't add LDAP to the firewall exceptions list. (I believe it also failed to add DNS, and I solved that earlier with an explicit exception.)
>
> I don't want to leave the firewall off, so what holes should I punch in it to provide AD services? I now know I need holes for DNS, LDAP, and probably WINS. Any others?

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Forest Trust Issue
Date: 09/26/2007 12:12:37

Hi
Could be a DNS issue.
Can both Forests solve each other existing DNS FQDN for the domains?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Tim Chin" <donotemail> wrote in message
news:%23DzSq3EAIHA.3848@TK2MSFTNGP05.phx.gbl...
>I just recently switch out our external trusts between forests with a forest trust as all domain controllers, domain functional levels, and forest functional levels are at 2003 now. The following day, users that remote in couldn't cross forest boundaries with their credentials. It prompted them for username/password (which it would only accept in domain\user fashion, not UPN -- I believe). However, anyone inside the network could do all of this just fine without windows asking for authentication.
>
> Is this a port issue? From my understanding, forest trusts allow or only use Kerberos. Do I have to have port 88 allowed from every client to every dc that is affected by the forest trust? Currently, users from domain A can only contact domain A's dcs on the normal authentication ports. They cannot contact domain B's, C's, D's, etc., etc. dcs. Note: Resources sit all over the place. In other words, a user from domain A will access resources in all trusted domains.
>
> Any help is appreciated.
> Tim

From: Tim Chin <donotemail>
To: none
Subject: Re: Forest Trust Issue
Date: 09/26/2007 12:20:30

Jorge,

Yes. The DCs can all resolve each other as they all use the same DNS servers and basically sit in the same rack / same subnets. It's only when clients remote in that they can't access resources across forests. For example, if a user logs into a client here at the office, everything works fine. Our remote access appliance does address/port filtering for users that remote in. I will attempt to get the logs (if there are any) from the remote access appliance, but was curious if anyone saw any issues with the setup that I had outlined with a forest trust vs. external trusts.

Tim

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:eHp6qBGAIHA.5868@TK2MSFTNGP05.phx.gbl...
> Hi
> Could be a DNS issue.
> Can both Forests solve each other existing DNS FQDN for the domains?
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MCSE, MVP Directory Services

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Forest Trust Issue
Date: 09/26/2007 12:34:22

I have some forests trusts and they work well, did you check if you've any FW restriction that might prevent authentication or connectivity.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Tim Chin" <donotemail> wrote in message
news:uvk0tGGAIHA.1208@TK2MSFTNGP03.phx.gbl...
> Jorge,
>
> Yes. The DCs can all resolve each other as they all use the same DNS servers and basically sit in the same rack / same subnets. It's only when clients remote in that they can't access resources across forests. For example, if a user logs into a client here at the office, everything works fine. Our remote access appliance does address/port filtering for users that remote in. I will attempt to get the logs (if there are any) from the remote access appliance, but was curious if anyone saw any issues with the setup that I had outlined with a forest trust vs. external trusts.
>
> Tim
>
> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
> news:eHp6qBGAIHA.5868@TK2MSFTNGP05.phx.gbl...
>> Hi
>> Could be a DNS issue.
>> Can both Forests solve each other existing DNS FQDN for the domains?
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services

From: Shenan Stanley <newshelper@gmail.com>
To: none
Subject: Re: Free Registry Cleaners
Date: 09/27/2007 12:46:40

tdr911turbo@gmail.com wrote:
> Optimize registry for free http://w1nd0w5fr33t1ps.bl0g5p0t.c0m/

Or don't spam...
Either would be good.

From: tdr911turbo@gmail.com
Newsgroups: microsoft.public.windowsxp.setup_deployment,alt.os.windows-xp,microsoft.public.windowsxp.perform_maintain,alt.sys.pc-clone.dell,comp.os.ms-windows.programmer.win32
Subject: Free Registry Cleaners
Date: Thu, 27 Sep 2007 10:34:01 -0700
Organization: http://groups.google.com
Lines: 2
Message-ID: <1190914441.885203.244730@57g2000hsv.googlegroups.com>
NNTP-Posting-Host: 218.58.136.4
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Trace: posting.google.com 1190914442 12634 127.0.0.1 (27 Sep 2007 17:34:02 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: Thu, 27 Sep 2007 17:34:02 +0000 (UTC)
User-Agent: G2/1.0
X-HTTP-UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.4;MEGAUPLOAD 1.0,gzip(gfe),gzip(gfe)
Complaints-To: groups-abuse@google.com
Injection-Info: 57g2000hsv.googlegroups.com; posting-host=218.58.136.4; posting-account=ps2QrAMAAAA6_jCuRt2JEIpn5Otqf_w0
Bytes: 1454
X-Original-Bytes: 1411
Path: TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS02.phx.gbl!newsfeed00.sul.t-online.de!t-online.de!border2.nntp.dca.giganews.com!border1.nntp.dca.giganews.com!nntp.giganews.com!postnews.google.com!57g2000hsv.googlegroups.com!not-for-mail
Xref: TK2MSFTNGP01.phx.gbl microsoft.public.windowsxp.perform_maintain:220496 microsoft.public.windowsxp.setup_deployment:164556

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

From: VanguardLH <VanguardLH@mail.invalid>
To: none
Subject: Re: Free Registry Cleaners
Date: 09/27/2007 15:38:34

<tdr911turbo@gmail.com> wrote in message
news:1190914430.544546.78400@g4g2000hsf.googlegroups.com...
> Optimize registry for free http://windowsfreetips.blogspot.com/
>

Chinese Google Grouping spammers stoking their blogs in public are not trusted. Keep your crap.

From: PA Bear <PABearMVP@gmail.com>
To: none
Subject: Re: Free Registry Cleaners
Date: 09/27/2007 16:52:12

SPAM

Should I use a Registry cleaner?
http://aumha.net/viewtopic.php?t=28099

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.org/

From: Lee Flight <lef@le.ac.uk-nospam>
To: none
Subject: Re: Funny strings for operatingSystem attribute(when LDIFDE)
Date: 09/28/2007 05:49:30

Hi

the "::" after the attribute name tells you that the value is Base64 encoded.
See RFC2849 for more details on LDIF, google for a Base64 decoder.

I think you are seeing this for vista machines as Microsoft store "Vista" with a trademark symbol (TM) or (R) as superscript.

Lee Flight

"elibbis" <elibbis.2xm03g@DoNotSpam.com> wrote in message
news:elibbis.2xm03g@DoNotSpam.com...
>
> I used LDIFDE to export AD computer objects attributes. Of interest is "OperatingSystem". For some computer objects, the "OperatingSystem" value is a long string of funny characters. Like this:
>
> Eg1
> operatingSystem:: V2luZG93cyBWaXN0YeKEoiBVbHRpbWF0ZSBFZGl0aW9u
> operatingSystemVersion: 6.0 (5308)
>
> Eg2
> operatingSystem:: V2luZG93cyBWaXN0YeKEoiBCdXNpbmVzcw==
> operatingSystemVersion: 6.0 (6000)
>
> Could anyone enlighten what could the funny string be ? It seems like from Vista machines. But why is this funny string ? Or is it from stale computer accounts ?
>
> Thanks in advance
>
> --
> elibbis
> ------------------------------------------------------------------------
> elibbis's Profile: http://forums.techarena.in/member.php?userid=27586
> View this thread: http://forums.techarena.in/showthread.php?t=825403
>
> http://forums.techarena.in
>
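
The decoding described in the reply above, as an added example that is not part of the original thread: a small RFC 2849 reader that unfolds continuation lines and decodes `::` values as UTF-8, showing which character forced the Base64 form. The two operatingSystem values are the ones quoted in the post; the DNs and the folding of the first value are constructed for the example.

```python
import base64
import unicodedata

# Constructed sample in LDIFDE export style. The operatingSystem values are
# the two quoted in the thread; the DNs are made up, and the first value is
# folded on purpose to exercise RFC 2849 line folding.
SAMPLE_LDIF = """\
dn: CN=PC-EXAMPLE-01,CN=Computers,DC=example,DC=local
changetype: add
operatingSystem:: V2luZG93cyBWaXN0YeKEoiBVbHRp
 bWF0ZSBFZGl0aW9u
operatingSystemVersion: 6.0 (5308)

dn: CN=PC-EXAMPLE-02,CN=Computers,DC=example,DC=local
changetype: add
operatingSystem:: V2luZG93cyBWaXN0YeKEoiBCdXNpbmVzcw==
operatingSystemVersion: 6.0 (6000)
"""


def unfold(text):
    """Join folded lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def decode_line(line):
    """Split one logical LDIF line into (attribute, value, was_base64)."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an attribute line: %r" % line)
    if rest.startswith(":"):
        # "attr:: <base64>" -- strict decoding rejects stray characters
        raw = base64.b64decode(rest[1:].strip(), validate=True)
        try:
            return attr, raw.decode("utf-8"), True
        except UnicodeDecodeError:
            # Binary attribute (GUIDs, SIDs): show hex instead of guessing a charset
            return attr, raw.hex(), True
    if rest.startswith("<"):
        # "attr:< url" -- value lives elsewhere; return the URL, do not fetch it
        return attr, rest[1:].strip(), False
    return attr, rest.lstrip(" "), False


def parse_ldif(text):
    """Return a list of records, each a dict of attribute -> list of decoded values."""
    records, current = [], {}
    for line in unfold(text):
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue  # LDIF comment
        attr, value, _ = decode_line(line)
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def non_ascii(value):
    """Characters outside plain ASCII; any one of them forces the '::' form."""
    return [("U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
            for ch in value if ord(ch) > 127]


if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        os_name = rec["operatingSystem"][0]
        print(rec["dn"][0], "->", os_name, non_ascii(os_name))
```
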

From: Meinolf Weber <meiweb(nospam)@gmx.de>
To: none
Subject: Re: Global Catalog and RID Master
Date: 09/26/2007 08:44:10

Hello Carlos,

No problem in single domain. Also you should configure both servers as DNS servers with active directory integrated zones.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

> Hello to everybody,
>
> I've got two domain controllers, SRV1 is the GC SRV2 is the FSMO.
>
> I think that if my GC fails nobody will be able to log on to the domain.
>
> Could i set SRV1 and SRV2 as Global Catalogs and SRV2 as FSMO.
>
> Hope you could help me.
>
> Many Thanks
>
> Regards
>
> Carlos Sabelli
>

From: Carlos <Carlos@discussions.microsoft.com>
To: none
Subject: Re: Global Catalog and RID Master
Date: 09/26/2007 10:04:07

Many thanks Meinolf

--
Carlos Sabelli

"Meinolf Weber" wrote:

> Hello Carlos,
>
> No problem in single domain. Also you should configure both servers as DNS servers with active directory integrated zones.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
>
> > Hello to everybody,
> >
> > I've got two domain controllers, SRV1 is the GC SRV2 is the FSMO.
> >
> > I think that if my GC fails nobody will be able to log on to the domain.
> >
> > Could i set SRV1 and SRV2 as Global Catalogs and SRV2 as FSMO.
> >
> > Hope you could help me.
> >
> > Many Thanks
> >
> > Regards
> >
> > Carlos Sabelli

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Global Catalog and RID Master
Date: 09/26/2007 12:22:47

Hi
In a single domain environment ALL DCs have the GC information, so the "Cost" of having a GC is null, because the information already exists in all DCs.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Carlos" <Carlos@discussions.microsoft.com> wrote in message
news:2285352E-BCC8-4656-800D-E084630237CC@microsoft.com...
> Hello to everybody,
>
> I've got two domain controllers, SRV1 is the GC SRV2 is the FSMO.
>
> I think that if my GC fails nobody will be able to log on to the domain.
>
> Could i set SRV1 and SRV2 as Global Catalogs and SRV2 as FSMO.
>
> Hope you could help me.
>
> Many Thanks
>
> Regards
>
> Carlos Sabelli
>

From: rockemhard@gmail.com
To: none
Subject: Re: Global Catalog and RID Master
Date: 09/26/2007 12:30:33

On Sep 26, 9:44 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
> Hello Carlos,
>
> No problem in single domain. Also you should configure both servers as DNS servers with active directory integrated zones.

Hello Meinolf,

Could you explain this a little more. Documentation that I have seen suggests that the FSMO roles are placed separately from a DC that contains a GC to allow for proper comparisons of AD objects against the GC. Now you mention in a single domain... this is something that I haven't seen mentioned so perhaps this is the case where this is an acceptable practice?

From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Global Catalog and RID Master
Date: 09/26/2007 12:38:23

The IM is responsible for updating cross-domain object references each DC in the Domain, to do that it needs to check for changes on an available GC, then compares its information with the information that the GC has, if any changes, then updates its local information, and updates cross-domain object references each DC in the Domain.

The Problem is that If the IM is also a GC, when is going to check for changes he asks for a GC and because the IM is also a GC it "thinks" that it has all information updated and there's no need to update the DCs on its domain causing others DCs ending up with nonupdated information, remember DCs in a domain only know everything about their domain, because the domain partition is replicated between them. Example:

2 Domains:
- Domain1
- Domain2
- You create a Universal Security group on Domain1, and add it a user from Domain2.
- All GCs in the forest know that UNG on domain1 has a user from Domain2, and all DCs in the Domain1 also know that, but DCs (non-GCs) in Domain2 don't know anything about it, the IM in their domain is responsible for update that information and replica it to the DCs in their domain.

So in conclusion:
- If you have only 1 Domain you don't have cross-domain object references, so there isn't job for the IM.
- If you have only 1 DC in a domain, doesn't matter if it is a GC or not because that DC holds all roles for its domain, and it doesn't need to update no other DC in its domain, so in this scenario doesn't matter if it is a GC or not.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

<rockemhard@gmail.com> wrote in message
news:1190827833.101625.255870@22g2000hsm.googlegroups.com...
> On Sep 26, 9:44 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
>> Hello Carlos,
>>
>> No problem in single domain. Also you should configure both servers as DNS servers with active directory integrated zones.
>
> Hello Meinolf,
>
> Could you explain this a little more. Documentation that I have seen suggests that the FSMO roles are placed separately from a DC that contains a GC to allow for proper comparisons of AD objects against the GC. Now you mention in a single domain... this is something that I haven't seen mentioned so perhaps this is the case where this is an acceptable practice?
>
Top
From: Meinolf Weber <meiweb(nospam)@gmx.de>
To: none
Subject: Re: Global Catalog and RID Master
Date: 09/26/2007 13:52:09

Hello Jorge,

Thanks for taking over, the only thing I could provide is this article:
http://support.microsoft.com/kb/223346

And in this article the part "General recommendations for FSMO placement"

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

> The IM is responsible for updating cross-domain object references on each
> DC in the Domain. To do that it needs to check for changes on an
> available GC, then compares its information with the information that
> the GC has; if there are any changes, it then updates its local
> information and updates cross-domain object references on each DC in the
> Domain.
>
> The problem is that if the IM is also a GC, when it is going to check for
> changes it asks for a GC, and because the IM is also a GC it "thinks"
> that it has all information updated and there's no need to update the
> DCs in its domain, causing other DCs to end up with non-updated
> information. Remember, DCs in a domain only know everything about their
> domain, because the domain partition is replicated between them.
> Example:
>
> 2 Domains:
>
> - Domain1
>
> - Domain2
>
> - You create a Universal Security group on Domain1, and add to it a user
> from Domain2.
>
> - All GCs in the forest know that UNG on domain1 has a user from
> Domain2, and all DCs in the Domain1 also know that, but DCs (non-GCs)
> in Domain2 don't know anything about it; the IM in their domain is
> responsible for updating that information and replicating it to the DCs
> in their domain.
>
> So in conclusion:
>
> - If you have only 1 Domain you don't have cross-domain object
> references, so there isn't a job for the IM.
>
> - If you have only 1 DC in a domain, it doesn't matter if it is a GC or
> not because that DC holds all roles for its domain, and it doesn't
> need to update any other DC in its domain, so in this scenario it doesn't
> matter if it is a GC or not.
>
> Jorge Silva
> MCSE, MVP Directory Services
>
> <rockemhard@gmail.com> wrote in message
> news:1190827833.101625.255870@22g2000hsm.googlegroups.com...
>> On Sep 26, 9:44 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
>>
>>> Hello Carlos,
>>>
>>> No problem in single domain. Also you should configure both servers
>>> as DNS servers with active directory integrated zones.
>>
>> Hello Meinolf,
>>
>> Could you explain this a little more. Documentation that I have seen
>> suggests that the FSMO roles are placed separately from a DC that
>> contains a GC to allow for proper comparisons of AD objects against
>> the GC. Now you mention in a single domain... this is something that
>> I haven't seen mentioned so perhaps this is the case where this is an
>> acceptable practice?
From: SaltyBalllz <SaltyBalllz.2xlrrj@DoNotSpam.com>
To: none
Subject: Re: Group policy not processing properly
Date: 09/27/2007 23:01:22

Hi AT,

I have a network with the exact same issue you're having.

1 domain forest - Server 2003
5 DC's in 5 different cities
All the Client PC's are running Windows XP SP2.
The GPO is applied to the OU's

Everything works correctly at the FSMO location, but at some of the
remote locations it is hit and miss. On some machines GP works
correctly and others it does not. If you run a report it will tell you
everything is processed correctly but it has not. Everyone has the same
rights and are in the same OU. I am also thinking this is due to a slow
connection.

Have you found a solution as of yet?

SaltyBalllz

--
SaltyBalllz
------------------------------------------------------------------------
SaltyBalllz's Profile: http://forums.techarena.in/member.php?userid=31898
View this thread: http://forums.techarena.in/showthread.php?t=587703
http://forums.techarena.in
From: David <david.fike@gmail.com>
To: none
Subject: Re: Group Policy Object
Date: 09/26/2007 09:09:47

Jeff - I don't believe there is a built-in GPO to support this. My
company is still working through an NDS to AD migration, and this is
one of the things still controlled by NDS scripts. I suppose you could
set up a Scheduled Task to execute "shutdown.exe" on workstations at a
specific time, but this would be difficult if you had a large number
of workstations to set it up on. Sorry I wasn't much help - if I come
across anything else I'll let you know!
From: Chris M <nobody@nowhere.special>
To: none
Subject: Re: Group Policy Object
Date: 09/26/2007 09:14:32

Jeff Belorit wrote:
> Hello, I was wondering if there is a GPO template for shutting down
> computers at a specific time at night. My company is trying to enforce the
> users to shutdown when they go home and of course the users do not shutdown.
> It would be nice if this can be done from Group Policy.

Hi Jeff,

As David has said, there's nothing natively that I'm aware of in Group
Policy that supports scheduled shutdowns.

However, (again as David said) you can schedule a task to run
shutdown.exe at a certain time.

What you can do is combine the two - create a GPO that has a startup
script which uses the 'at' command to schedule a daily shutdown. This
means that the machines won't pick up the scheduled task until they get
rebooted, but given enough time all of the machines that you apply the
GPO to should be restarted and therefore will add the scheduled task.

I did this in an infrastructure of about 1,000 client machines and it
worked like a charm.

Make sure that your users are well informed before you implement this -
users have a nasty habit of leaving unsaved work on their desktop when
they leave to go home. If you run shutdown.exe with the -f switch then
this will cause users to lose unsaved work.

Cheers,

Chris.
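The approach described in the post above (a GPO startup script that uses `at` to register a daily shutdown), as an added example that is not part of the original post. The 22:00 time and the 300-second delay are assumptions; the script looks for an existing job first, because a startup script runs on every boot and would otherwise queue a duplicate job each time.

```batch
@echo off
rem Added example, not code from the thread: computer startup script for a GPO
rem that registers one recurring shutdown job with at.exe.
setlocal

rem Assumed values; adjust to local policy.
set "SHUTDOWN_TIME=22:00"
set "SHUTDOWN_CMD=shutdown.exe -s -t 300"

rem A startup script runs at every boot. "at" with no arguments lists the
rem jobs already queued, so look for ours before adding another copy.
at | findstr /i /c:"%SHUTDOWN_CMD%" >nul
if not errorlevel 1 (
    echo Nightly shutdown job is already scheduled.
    exit /b 0
)

rem /every: with all seven day codes makes the job repeat daily.
rem -t 300 gives a logged-on user five minutes of warning. -f is left out on
rem purpose: as the post notes, forcing applications closed discards unsaved work.
at %SHUTDOWN_TIME% /every:M,T,W,Th,F,S,Su %SHUTDOWN_CMD%
if errorlevel 1 (
    echo Failed to schedule the shutdown job. 1>&2
    exit /b 1
)
echo Scheduled daily shutdown at %SHUTDOWN_TIME%.
exit /b 0
```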
From: Jorge Silva <jorgesilva_pt@hotmail.com>
To: none
Subject: Re: Group Policy Object
Date: 09/26/2007 12:32:20

Hi

Also have a look at psshutdown from MS sysinternals.

--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services

"Jeff Belorit" <jbelorit@mbi-inc.com> wrote in message
news:e%23NvnrDAIHA.4164@TK2MSFTNGP06.phx.gbl...
> Hello, I was wondering if there is a GPO template for shutting down
> computers at a specific time at night. My company is trying to enforce
> the users to shutdown when they go home and of course the users do not
> shutdown. It would be nice if this can be done from Group Policy.
>
> Thanks
From: Mathieu CHATEAU <gollum123@free.fr>
To: none
Subject: Re: Group policy refreshes in 15 or 90+ minutes?
Date: 09/27/2007 01:19:56

Hello,

Determining When Group Policy Changes are Applied
http://technet2.microsoft.com/windowsserver/en/library/a8d4a748-f3b7-4a93-b9f3-f0dbad68f6ae1033.mspx?mfr=true

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

"Mr. Magoo" <MrMagoo@discussions.microsoft.com> wrote in message
news:4B15E92E-AC3C-4F46-82B5-EE8B921DDD67@microsoft.com...
> My computer account was on a OU=CertainOu. I moved my computer account to
> another OU.
>
> I waited 18 minutes. I did gpresult and I observed that timestamp
> "Last time Group Policy was applied: 9/26/2007 at 12:55:29 PM "
> My previous gpresult.exe showed such timestamp was updated in about 15
> minutes.
>
> Then I noticed that my computer account was shown in the correct and
> current container. However, group policies were not inherited accordingly.
> Basically the group policies shown below are the ones inherited from the
> container prior to my moving operation. Can you clarify which portion of
> the policy gets updated in 90 minutes? Why are the time stamps (shown by
> gpresult) displayed as updated every 15 minutes?
>
> C:\>gpresult
>
> Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
> Copyright (C) Microsoft Corp. 1981-2001
>
> Created On 9/26/2007 at 12:56:46 PM
>
> RSOP results for mydomain\myself on machine : Logging Mode
> -----------------------------------------------------------------------------
>
> OS Type:                     Microsoft Windows XP Professional
> OS Configuration:            Member Workstation
> OS Version:                  5.1.2600
> Domain Name:                 MYCOMPANY
> Domain Type:                 Windows 2000
> Site Name:                   misrenton
> Roaming Profile:
> Local Profile:               C:\Documents and Settings\myself
> Connected over a slow link?: Yes
>
> COMPUTER SETTINGS
> ------------------
> CN=MYDUMBMACHINE,OU=YOUR,OU=OURS,OU=THEIRS,OU=HIS,OU=HERS and Computers,DC=my,DC=company,DC=com
> Last time Group Policy was applied: 9/26/2007 at 12:55:29 PM
> Group Policy was applied from:      Mycompany.yes.com
> Group Policy slow link threshold:   500 kbps
>
> Applied Group Policy Objects
> -----------------------------
> GPO1
> Mypolic2
> VPN-Site-Settings
>
> The following GPOs were not applied because they were filtered out
> -------------------------------------------------------------------
> Vista Wireless Policy
> Filtering: Disabled (GPO)
> (...)
From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>
To: none
Subject: Re: Group Policy Reporting
Date: 09/26/2007 00:30:30

Howdie!

Avil wrote:
> I have a Windows 2000 active directory domain. I need to generate a report
> listing all the group policy settings. How can I achieve this?

From a Windows XP workstation, you should be able to run the Group
Policy Management Console, which gives you the ability to create reports.

Based on the VBS samples shipped with GPMC, you should be able to come
up with something like that.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
From: Avil <Avil@discussions.microsoft.com>
To: none
Subject: Re: Group Policy Reporting
Date: 09/26/2007 00:52:02

Is it the RSOP tool? Kindly explain.

Thank You

"Florian Frommherz [MVP]" wrote:
> Howdie!
>
> Avil wrote:
> > I have a Windows 2000 active directory domain. I need to generate a report
> > listing all the group policy settings. How can I achieve this?
>
> From a Windows XP workstation, you should be able to run the Group
> Policy Management Console, which gives you the ability to create reports.
>
> Based on the VBS samples shipped with GPMC, you should be able to come
> up with something like that.
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>
To: none
Subject: Re: Group Policy Reporting
Date: 09/26/2007 02:06:49

Howdie!

Avil wrote:
> Is it the RSOP tool? Kindly explain.

RSOP is a tool to see the effective policies on a machine. Is this what
you want?

I thought you were searching for a method to report all policies with
their settings configured.

In GPMC, you click a policy and view "Settings", which generates an HTML
report of the policy's configured settings. That's a way to start. GPMC
ships some VB scripts which I think you can use to extend in order to
automate this process to generate an over-all-GP-settings-report.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
From: Avil <Avil@discussions.microsoft.com>
To: none
Subject: Re: Group Policy Reporting
Date: 09/26/2007 02:30:00

I am looking for all the active directory group policy settings that are
configured in the domain. Could you please teach me on using GPMC. How do I
open that tool on an XP machine.

Thanks

"Florian Frommherz [MVP]" wrote:
> Howdie!
>
> Avil wrote:
> > Is it the RSOP tool? Kindly explain.
>
> RSOP is a tool to see the effective policies on a machine. Is this what
> you want?
>
> I thought you were searching for a method to report all policies with
> their settings configured.
>
> In GPMC, you click a policy and view "Settings", which generates an HTML
> report of the policy's configured settings. That's a way to start. GPMC
> ships some VB scripts which I think you can use to extend in order to
> automate this process to generate an over-all-GP-settings-report.
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
From: Florian Frommherz [MVP] <florian@PLEASELEAVETHISOUT.frickelsoft.net>
To: none
Subject: Re: Group Policy Reporting
Date: 09/26/2007 02:36:37

Howdie!

Avil wrote:
> I am looking for all the active directory group policy settings that are
> configured in the domain. Could you please teach me on using GPMC. How do I
> open that tool on an XP machine.

Download and install the Group Policy Management Console:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

You can open the GPMC by using "gpmc.msc" (without parentheses on
Start->Run) - you can then browse to your domain. You should see the
domain as well as your Organizational Units. Below every OU, you can see
the GPOs linked to that OU. After selecting a GPO, you can see a
"Settings" tab on the right pane of the GPMC. This is a generated HTML
report which displays all settings configured within that GPO.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: HELP PLEASE forward internal IP to DMZ ip
Date: 09/27/2007 06:48:12

If you are using the dns name, then you shouldn't have to do anything. Just
change the ip address of the name and clients need to clear their dns cache
or wait for the TTL to expire.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"tay" <fackinace@googlemail.com> wrote in message
news:1190893050.922763.192140@50g2000hsm.googlegroups.com...
> Hi we are just about to move our ftp server to a dmz.
> At the moment the ip is 192.168.1.66
> In the dmz it will be 10.0.0.66
> Now if possible I don't want to go around 200 machines to change the ip
> so we're wondering can a forwarder be used or the likes?
>
> Cheers for any help.
>
> Ian
From: tay <fackinace@googlemail.com>
To: none
Subject: Re: HELP PLEASE forward internal IP to DMZ ip
Date: 09/27/2007 07:58:28

Hmm the thing is cuteftp connects using the ip address of 192.168.1.66
and not the name which needs to change to 10.0.0.66.

Ian
From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: HELP PLEASE forward internal IP to DMZ ip
Date: 09/27/2007 08:44:37

May need to script the change and run at logon time

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"tay" <fackinace@googlemail.com> wrote in message
news:1190897908.118811.182310@g4g2000hsf.googlegroups.com...
> Hmm the thing is cuteftp connects using the ip address of 192.168.1.66
> and not the name which needs to change to 10.0.0.66.
> Ian
From: Paul Bergson [MVP-DS] <pbergson@allete_nospam.com>
To: none
Subject: Re: How to Determine Which Service in LSASS.EXE Binds to Port X?
Date: 09/27/2007 06:52:03

Check out an article I have on AD and Firewalls. In it is an explanation on
how to modify the high ports pool for RPC. I have made ours in a much
smaller pool.

http://www.pbbergs.com/windows/articles/FirewallReplication.html

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Will" <westes-usc@noemail.nospam> wrote in message
news:OuedndYnuZZX9WbbnZ2dnUVZ_vyinZ2d@giganews.com...
> The process that runs LSASS.exe runs many security related services for
> domain controllers, including kerberos, netlogon, etc. In examining the
> LSASS process with Process Explorer, I'm seeing many ports other than the
> well-known ones being opened for access through RPC. How can I determine
> which specific services are binding to each of the ports? Isn't there
> an RPC mapping tool I can run on a server that will clearly identify the
> actual service that has bound to each of the RPC assigned ports like 1026?
>
> The reason I am asking this is that I have a domain controller that is
> being contacted on TCP port 1026 by only one member server in the domain.
> Process Explorer establishes that LSASS owns this port, and I assume it is
> an RPC assigned port number that could change from one boot to the next. I
> want to clearly identify what the service bound to that port is and try to
> understand why only one member server is contacting that service.
>
> The activity is currently being blocked by a firewall. We have all of
> the critical RPC services (e.g., NETLOGON, AD replication, etc) bound to
> fixed ports and those ports are exposed through the firewall.
>
> --
> Will
From: Will <westes-usc@noemail.nospam>
To: none
Subject: Re: How to Determine Which Service in LSASS.EXE Binds to Port X?
Date: 09/27/2007 18:25:34

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:%23F4ITzPAIHA.968@TK2MSFTNGP03.phx.gbl...
> Check out an article I have on AD and Firewalls. In it is an explanation
> on how to modify the high ports pool for RPC. I have made ours in a much
> smaller pool.
>
> http://www.pbbergs.com/windows/articles/FirewallReplication.html

I'm very familiar with all of the issues on the above page, and I would like
to add a few thoughts:

1) You need to also add the NETLOGON service as a fixed port. This is
perhaps the single most used service among the dynamic range RPC services,
and you do so by creating a DWORD with the port value at the registry
location:

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DCTcpipPort

2) In our experience, once you give fixed ports to NTFRS, NTDS and NETLOGON,
you NO LONGER NEED VARIABLE RPC PORTS (what you assign to 10002 to 10200 in
your example). We have small forests, so maybe there are load balancing
considerations I don't know about, but dcdiag /v reports no errors between
controllers with just those three fixed ports and we completely lock out the
variable RPC ports. But we have been running this way for at least a year
now with no errors popping up in dcdiag /v or the eventviewer logs. If we
have overlooked some legitimate RPCs I would very much like to document
those and read further about them.

To wax poetic a bit, any firewall design for a domain controller that uses
dynamic ports is from my point of view not much better than having no
firewall. The rootkit viruses will either modify system directly or
modify behavior of a well-known system service EXE like LSASS. It's
nothing for them to just open up another RPC, and then they have you. By
locking all known services to fixed ports, your system can be compromised,
and it can try to open up additional ports, but no one can contact those
ports, thus greatly limiting one path to gain access to the box from another
computer.

All the above is just response to the URL you provided in your response.
My original question was how to identify (by name and function) the specific
RPC service running under a specific process. The utility in your link
above PortQryUI and PortQry do not do that. Like Process Explorer, PortQry
simply establishes the fact that process X has open port Y. In my case
that process is LSASS and the port is 1026. What I need is a tool like an
"RPC Query" that will actually use port 135 to enumerate all of the active
RPC services on a box and the ports they run on. Then I can cross
reference the RPC service by name to port 1026 and research that service
further. Such a tool must be possible to write because otherwise how could
any EXE contact the RPC mapper port 135 and enumerate services on the box?

--
Will

> "Will" <westes-usc@noemail.nospam> wrote in message
> news:OuedndYnuZZX9WbbnZ2dnUVZ_vyinZ2d@giganews.com...
>> The process that runs LSASS.exe runs many security related services for
>> domain controllers, including kerberos, netlogon, etc. In examining the
>> LSASS process with Process Explorer, I'm seeing many ports other than the
>> well-known ones being opened for access through RPC. How can I
>> determine which specific services are binding to each of the ports?
>> Isn't there an RPC mapping tool I can run on a server that will clearly
>> identify the actual service that has bound to each of the RPC assigned
>> ports like 1026?
>>
>> The reason I am asking this is that I have a domain controller that is
>> being contacted on TCP port 1026 by only one member server in the domain.
>> Process Explorer establishes that LSASS owns this port, and I assume it
>> is an RPC assigned port number that could change from one boot to the
>> next. I want to clearly identify what the service bound to that port is
>> and try to understand why only one member server is contacting that
>> service.
>>
>> The activity is currently being blocked by a firewall. We have all of
>> the critical RPC services (e.g., NETLOGON, AD replication, etc) bound to
>> fixed ports and those ports are exposed through the firewall.
>>
>> --
>> Will
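A way to check the fixed-port setup described in the post above on a given domain controller, as an added example that is not part of the thread. Only the Netlogon `DCTcpipPort` value appears in the post; the NTDS and NTFRS value names used here are the ones Microsoft documents for pinning those services, and the script only reads the registry.

```batch
@echo off
rem Added example, not code from the thread: run on a domain controller to see
rem which of the three services named in the post are pinned to a fixed RPC port.
rem Only the Netlogon value appears in the post; the NTDS and NTFRS value names
rem are the ones Microsoft documents for the same purpose.
setlocal
set "BASE=HKLM\SYSTEM\CurrentControlSet\Services"
set /a UNPINNED=0

call :check NTDS     "%BASE%\NTDS\Parameters"     "TCP/IP Port"
call :check Netlogon "%BASE%\Netlogon\Parameters" "DCTcpipPort"
call :check NTFRS    "%BASE%\NTFRS\Parameters"    "RPC TCP/IP Port Assignment"

if %UNPINNED% gtr 0 (
    echo %UNPINNED% of 3 services still take a port from the dynamic RPC range.
    exit /b 1
)
echo All three services are pinned to fixed ports.
exit /b 0

:check
rem %1 = display name, %2 = registry key, %3 = value name
set "RAW="
for /f "delims=" %%L in ('reg query %2 /v %3 2^>nul ^| findstr /c:"REG_DWORD"') do (
    rem The data is the last whitespace-separated field on the line, e.g. 0x2710.
    for %%T in (%%L) do set "RAW=%%T"
)
if not defined RAW (
    echo [dynamic] %1: %~3 is not set
    set /a UNPINNED+=1
    goto :eof
)
rem reg.exe prints DWORDs in hex; set /a converts the 0x form to decimal.
set /a PORT=%RAW%
echo [fixed]   %1: TCP %PORT%
goto :eof
```

The ports it prints are the ones the firewall rule set in front of the domain controller has to allow; an exit code of 1 means at least one service still depends on the dynamic range.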
From: Andy C <acracchiolo@fluidmaster.com>
To: none
Subject: Re: How to Determine Which Service in LSASS.EXE Binds to Port X?
Date: 09/27/2007 19:51:30

Not to go off topic but I am just curious as to the benefit to you of
placing everything behind the firewall.
Is it for security purposes or for logging purposes or some other cool
reason that I don't know?

-Andy

"Will" <westes-usc@noemail.nospam> wrote in message
news:ncqdndHffdlypmHbnZ2dnUVZ_gadnZ2d@giganews.com...
> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
> news:%23F4ITzPAIHA.968@TK2MSFTNGP03.phx.gbl...
>> Check out an article I have on AD and Firewalls. In it is an explanation
>> on how to modify the high ports pool for RPC. I have made ours in a much
>> smaller pool.
>>
>> http://www.pbbergs.com/windows/articles/FirewallReplication.html
>
> I'm very familiar with all of the issues on the above page, and I would
> like to add a few thoughts:
>
> 1) You need to also add the NETLOGON service as a fixed port. This is
> perhaps the single most used service among the dynamic range RPC services,
> and you do so by creating a DWORD with the port value at the registry
> location:
>
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DCTcpipPort
>
> 2) In our experience, once you give fixed ports to NTFRS, NTDS and
> NETLOGON, you NO LONGER NEED VARIABLE RPC PORTS (what you assign to 10002
> to 10200 in your example). We have small forests, so maybe there are
> load balancing considerations I don't know about, but dcdiag /v reports no
> errors between controllers with just those three fixed ports and we
> completely lock out the variable RPC ports. But we have been running
> this way for at least a year now with no errors popping up in dcdiag /v or
> the eventviewer logs. If we have overlooked some legitimate RPCs I would
> very much like to document those and read further about them.
>
> To wax poetic a bit, any firewall design for a domain controller that uses
> dynamic ports is from my point of view not much better than having no
> firewall. The rootkit viruses will either modify system directly or
> modify behavior of a well-known system service EXE like LSASS. It's
> nothing for them to just open up another RPC, and then they have you. By
> locking all known services to fixed ports, your system can be compromised,
> and it can try to open up additional ports, but no one can contact those
> ports, thus greatly limiting one path to gain access to the box from
> another computer.
>
> All the above is just response to the URL you provided in your response.
> My original question was how to identify (by name and function) the
> specific RPC service running under a specific process. The utility in
> your link above PortQryUI and PortQry do not do that. Like Process
> Explorer, PortQry simply establishes the fact that process X has open port
> Y. In my case that process is LSASS and the port is 1026. What I need
> is a tool like an "RPC Query" that will actually use port 135 to enumerate
> all of the active RPC services on a box and the ports they run on. Then
> I can cross reference the RPC service by name to port 1026 and research
> that service further. Such a tool must be possible to write because
> otherwise how could any EXE contact the RPC mapper port 135 and enumerate
> services on the box?
>
> --
> Will
>
>> "Will" <westes-usc@noemail.nospam> wrote in message
>> news:OuedndYnuZZX9WbbnZ2dnUVZ_vyinZ2d@giganews.com...
>>> The process that runs LSASS.exe runs many security related services for
>>> domain controllers, including kerberos, netlogon, etc. In examining
>>> the LSASS process with Process Explorer, I'm seeing many ports other
>>> than the well-known ones being opened for access through RPC. How can
>>> I determine which specific services are binding to each of the ports?
>>> Isn't there an RPC mapping tool I can run on a server that will clearly
>>> identify the actual service that has bound to each of the RPC assigned
>>> ports like 1026?
>>>
>>> The reason I am asking this is that I have a domain controller that is
>>> being contacted on TCP port 1026 by only one member server in the
>>> domain. Process Explorer establishes that LSASS owns this port, and I
>>> assume it is an RPC assigned port number that could change from one boot
>>> to the next. I want to clearly identify what the service bound to that
>>> port is and try to understand why only one member server is contacting
>>> that service.
>>>
>>> The activity is currently being blocked by a firewall. We have all of
>>> the critical RPC services (e.g., NETLOGON, AD replication, etc) bound to
>>> fixed ports and those ports are exposed through the firewall.
>>>
>>> --
>>> Will
From: Will
<westes-usc@noemail.nospam>
To:
none
Subject:
Re: How to Determine Which Service in LSASS.EXE Binds to Port
X?
Date:
09/27/2007 21:54:33
"Andy
C" <acracchiolo@fluidmaster.com> wrote in message
news:eyBL2mWAIHA.4656@TK2MSFTNGP04.phx.gbl...
>
Not to go off topic but I am just curious as to the benifit to you of
>
Placing everything behind the firewall.
>
Is it for security purposes or for logging purposes or some other cool
>
reason that I dont know?
It
is for security only. Our entire Windows 2000 network was hit
by a
rootkit
virus, and once you have gone through that kind of nightmare you do
a
lot of thinking about what kinds of network designs make it structurally
very
difficult for a trojan application to operate or to spread. All
of
those
Windows 2000 computers were unrecoverable and had to be
rebuilt. As
a
small company, it took us years to recover from that, and in fact some of
the
machines are still being rebuilt as time allows. As part of the
rebuilding
effort, I did a lot of thinking about how current network designs
contribute
to this awful worldwide epidemic of trojans and rootkits.
Fundamentally,
ethernet with TCP was never built from the start for
security.
Consider the ARP protocol for example. ARP sits below TCP and
any
Microsoft security layers, and it's the basic protocol that allows
computers
on the same subnet to find each other. Unfortunately, it
also
lets
any authorized software running on your computer essentially sit back
and
let the network tell it what targets of interest exist on the network.
The
Trojan then can start probing each of the IPs that are broadcast to be
of
interest.
From
the standpoint of Microsoft Networking, consider what the sniffer trace
of
a network looks like when you don't turn off NetBIOS over TCP.
There
are
huge number of broadcasts that identify for any listener on the network
targets
of interest. The protocols that use ports 137, 138, and 139 are
all
ancient stuff, with huge security holes.
To
address those kinds of concerns, we have gotten to the point where we put
every
key server on its own dedicated subnet behind a firewall.
That
stops
the ARP problem dead, because no other machine can see the ARPs since
only
the firewall and the server share the same subnet
together. While we
turn
off NetBIOS over TCP on both clients and servers, having dedicated
subnets
lets us enforce that policy strictly and block ports 137, 138, and
139
right at the firewall, so even a misconfigured machine cannot use unsecure
protocols. Every port in and every port out to every server is controlled.

So even if the hacker was root on some of these servers, and they could
infect them with rootkits, there would be little of profit in doing so.
Any ports the rootkit opens up cannot be reached. Any outgoing
connections to unauthorized ports or HTTP sites are blocked.

I'm sure that parts of our network are still hacked. But we are setting
the bar higher and higher, and at some point the controls will be such that
infestations just won't be able to spread, will be detectable quickly, and
will have limited ability to do damage even on the infected machines.
Unfortunately, getting to that nirvana takes a level of knowledge,
experience, experimentation, and just plain time that I don't believe most
users (or management) would tolerate.

A domain controller is the brain of the network, and once it is compromised
the battle is largely over and you can no longer trust authentication or any
of the services the domain controller is delivering. So for us we decided
early on that we were going to go to war with the domain controllers and
understand top to bottom the services they were delivering, and which of
those needed to be presented for an Active Directory network to function
correctly. The advantage to limiting the domain controller to just fixed
ports is that it can then be secured by a firewall. Someone who
compromises the domain controller and runs a service that opens additional
ports on the domain controller won't be able to use them. The ports might
be listening, but the firewall prevents them from being reached. Because
no other computer sits on the domain controller's subnet, there is no path
to the domain controller that does not enforce the security policy
implemented by the firewall.

Having lived with this basic design for about a year, it has proven to not
only be extremely reliable, but has had the added benefit of speeding up the
network considerably. I don't understand why this is yet, but perhaps
putting everything on dedicated subnets just cuts down the level of
broadcast traffic so much that retransmissions and latency on each subnet go
way down. Our internal firewall now has about 30 subnets on it. It was
a huge amount of work to set it up, but it's not very hard to maintain as
long as you document the network with diagrams, and organize the ruleset
correctly.

--
Will
> "Will" <westes-usc@noemail.nospam> wrote in message
> news:ncqdndHffdlypmHbnZ2dnUVZ_gadnZ2d@giganews.com...
>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
>> news:%23F4ITzPAIHA.968@TK2MSFTNGP03.phx.gbl...
>>> Check out an article I have on AD and Firewalls. In it is an
>>> explanation on how to modify the high ports pool for RPC. I have made
>>> ours in a much smaller pool.
>>>
>>> http://www.pbbergs.com/windows/articles/FirewallReplication.html
>>
>> I'm very familiar with all of the issues on the above page, and I would
>> like to add a few thoughts:
>>
>> 1) You need to also add the NETLOGON service as a fixed port. This is
>> perhaps the single most used service among the dynamic range RPC
>> services, and you do so by creating a DWORD with the port value at the
>> registry location:
>>
>> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DCTcpipPort
>>
>> 2) In our experience, once you give fixed ports to NTFRS, NTDS and
>> NETLOGON, you NO LONGER NEED VARIABLE RPC PORTS (what you assign to 10002
>> to 10200 in your example). We have small forests, so maybe there are
>> load balancing considerations I don't know about, but dcdiag /v reports
>> no errors between controllers with just those three fixed ports and we
>> completely lock out the variable RPC ports. But we have been running
>> this way for at least a year now with no errors popping up in dcdiag /v
>> or the eventviewer logs. If we have overlooked some legitimate RPCs I
>> would very much like to document those and read further about them.
>>
>> To wax poetic a bit, any firewall design for a domain controller that
>> uses dynamic ports is from my point of view not much better than having
>> no firewall. The rootkit viruses will either modify system directly
>> or modify behavior of a well-known system service EXE like LSASS. It's
>> nothing for them to just open up another RPC, and then they have you.
>> By locking all known services to fixed ports, your system can be
>> compromised, and it can try to open up additional ports, but no one can
>> contact those ports, thus greatly limiting one path to gain access to the
>> box from another computer.
>>
>> All the above is just response to the URL you provided in your response.
>> My original question was how to identify (by name and function) the
>> specific RPC service running under a specific process. The utility in
>> your link above PortQryUI and PortQry do not do that. Like Process
>> Explorer, PortQry simply establishes the fact that process X has open
>> port Y. In my case that process is LSASS and the port is 1026. What
>> I need is a tool like an "RPC Query" that will actually use port 135 to
>> enumerate all of the active RPC services on a box and the ports they run
>> on. Then I can cross reference the RPC service by name to port 1026
>> and research that service further. Such a tool must be possible to
>> write because otherwise how could any EXE contact the RPC mapper port 135
>> and enumerate services on the box?
>>
>> --
>> Will
>>
>>> "Will" <westes-usc@noemail.nospam> wrote in message
>>> news:OuedndYnuZZX9WbbnZ2dnUVZ_vyinZ2d@giganews.com...
>>>> The process that runs LSASS.exe runs many security related services for
>>>> domain controllers, including kerberos, netlogon, etc. In examining
>>>> the LSASS process with Process Explorer, I'm seeing many ports other
>>>> than the well-known ones being opened for access through RPC. How can
>>>> I determine which specific services are binding to each of the ports?
>>>> Isn't there an RPC mapping tool I can run on a server that will clearly
>>>> identify the actual service that has bound to each of the RPC assigned
>>>> ports like 1026?
>>>>
>>>> The reason I am asking this is that I have a domain controller that is
>>>> being contacted on TCP port 1026 by only one member server in the
>>>> domain. Process Explorer establishes that LSASS owns this port, and I
>>>> assume it is an RPC assigned port number that could change from one
>>>> boot to the next. I want to clearly identify what the service bound to
>>>> that port is and try to understand why only one member server is
>>>> contacting that service.
>>>>
>>>> The activity is currently being blocked by a firewall. We have all of
>>>> the critical RPC services (e.g., NETLOGON, AD replication, etc) bound
>>>> to fixed ports and those ports are exposed through the firewall.
>>>>
>>>> --
>>>> Will
From: Will <westes-usc@noemail.nospam>
To: none
Subject: Re: How to Determine Which Service in LSASS.EXE Binds to Port X?
Date: 09/27/2007 23:05:31

"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:%23F4ITzPAIHA.968@TK2MSFTNGP03.phx.gbl...
> Check out an article I have on AD and Firewalls. In it is an explanation
> on how to modify the high ports pool for RPC. I have made ours in a much
> smaller pool.
>
> http://www.pbbergs.com/windows/articles/FirewallReplication.html

The program I needed was RPCINFO. The service that was running on port
1026 was NT Directory NSP Interface. That is apparently some kind of peer
to peer protocol networking service (first time I ever knew about it).
What Windows 2000 application would be trying to use that?

--
Will

> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Will" <westes-usc@noemail.nospam> wrote in message
> news:OuedndYnuZZX9WbbnZ2dnUVZ_vyinZ2d@giganews.com...
>> The process that runs LSASS.exe runs many security related services for
>> domain controllers, including kerberos, netlogon, etc. In examining the
>> LSASS process with Process Explorer, I'm seeing many ports other than the
>> well-known ones being opened for access through RPC. How can I
>> determine which specific services are binding to each of the ports?
>> Isn't there an RPC mapping tool I can run on a server that will clearly
>> identify the actual service that has bound to each of the RPC assigned
>> ports like 1026?
>>
>> The reason I am asking this is that I have a domain controller that is
>> being contacted on TCP port 1026 by only one member server in the domain.
>> Process Explorer establishes that LSASS owns this port, and I assume it
>> is an RPC assigned port number that could change from one boot to the
>> next. I want to clearly identify what the service bound to that port is
>> and try to understand why only one member server is contacting that
>> service.
>>
>> The activity is currently being blocked by a firewall. We have all of
>> the critical RPC services (e.g., NETLOGON, AD replication, etc) bound to
>> fixed ports and those ports are exposed through the firewall.
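
The cross-reference discussed in this thread (RPC interface name to TCP port, then a comparison with the ports the firewall exposes), as an added example that is not code from any poster. It parses an endpoint-mapper dump in an assumed two-line text layout; the dump, host name, UUIDs and the 50000/50001 fixed ports are constructed placeholders, and only port 1026 and the NSP interface name come from the thread.

```python
import re

# Constructed sample in an assumed two-line layout. Host, UUIDs and ports
# 50000/50001 are placeholders; port 1026 and the NSP name are from the thread.
SAMPLE_DUMP = r"""
UUID: 00000000-0000-0000-0000-000000000001 Netlogon (constructed)
ncacn_ip_tcp:dc01[50001]

UUID: 00000000-0000-0000-0000-000000000002 NTDS replication (constructed)
ncacn_ip_tcp:dc01[50000]

UUID: 00000000-0000-0000-0000-000000000003 NT Directory NSP Interface
ncacn_ip_tcp:dc01[1026]
ncacn_np:\\dc01[\PIPE\lsass]
"""

UUID_RE = re.compile(r"^UUID:\s*([0-9a-fA-F-]{36})\s*(.*)$")
BIND_RE = re.compile(r"^(\w+):([^\[]*)\[(.+)\]$")

def parse_endpoints(dump):
    """Return (uuid, annotation, protseq, endpoint) for every binding line."""
    rows, current = [], None
    for line in (l.strip() for l in dump.splitlines()):
        m = UUID_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2).strip() or "(no annotation)")
            continue
        m = BIND_RE.match(line)
        if m and current:  # one interface may register several bindings
            rows.append(current + (m.group(1), m.group(3)))
    return rows

def services_on_port(rows, port):
    """Names of the RPC interfaces registered on a given TCP port."""
    return sorted({ann for _, ann, seq, ep in rows
                   if seq == "ncacn_ip_tcp" and ep == str(port)})

def outside_fixed_ports(rows, allowed):
    """TCP endpoints the mapper advertises that the firewall does not expose."""
    found = {}
    for _, ann, seq, ep in rows:
        if seq == "ncacn_ip_tcp" and ep.isdigit() and int(ep) not in allowed:
            found.setdefault(int(ep), set()).add(ann)
    return {port: sorted(names) for port, names in found.items()}

if __name__ == "__main__":
    rows = parse_endpoints(SAMPLE_DUMP)
    print(services_on_port(rows, 1026))
    print(outside_fixed_ports(rows, allowed={50000, 50001}))
```

Named-pipe bindings are parsed but ignored by both lookups, since only TCP endpoints are subject to the per-port firewall rules described above.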
From: Al Mulnick <amulnick_No_SPAM@ncDOTrr.com>
To: none
Subject: Re: How to disable screen savers on servers
Date: 09/27/2007 14:22:51

Using a loopback policy and the server names (in a group), you should be
able to achieve this.

Al

"Anne Butera" <AnneButera@discussions.microsoft.com> wrote in message
news:AC837013-625D-4ACF-B1A0-88712D5D2344@microsoft.com...
> I have a User Group Policy that is applied to all users that forces a
> company screen saver. But I need to disable this group policy when they
> RDP to a server using Terminal services, because the screen saver uses
> up too much CPU and memory. How can I disable the screen saver on
> certain servers? Is that possible since it is a user GP?
>
> Thanks for any input!
>
> Ann
From: Anne Butera <AnneButera@discussions.microsoft.com>
To: none
Subject: Re: How to disable screen savers on servers
Date: 09/27/2007 15:41:00

Can you elaborate on how to do a loop back policy? Thank you so much.

"Al Mulnick" wrote:
> Using a loopback policy and the server names (in a group), you should be
> able to achieve this.
>
> Al
>
> "Anne Butera" <AnneButera@discussions.microsoft.com> wrote in message
> news:AC837013-625D-4ACF-B1A0-88712D5D2344@microsoft.com...
>> I have a User Group Policy that is applied to all users that forces a
>> company screen saver. But I need to disable this group policy when they
>> RDP to a server using Terminal services, because the screen saver uses
>> up too much CPU and memory. How can I disable the screen saver on
>> certain servers? Is that possible since it is a user GP?
>>
>> Thanks for any input!
>>
>> Ann
From: Andy C <acracchiolo@fluidmaster.com>
To: none
Subject: Re: How to disable screen savers on servers
Date: 09/27/2007 19:41:09

http://support.microsoft.com/kb/231287

"Anne Butera" <AnneButera@discussions.microsoft.com> wrote in message
news:CC60E162-CB5A-4D8C-AF08-E100E3F06D27@microsoft.com...
> Can you elaborate on how to do a loop back policy? Thank you so much.
>
> "Al Mulnick" wrote:
>
>> Using a loopback policy and the server names (in a group), you should be
>> able to achieve this.
>>
>> Al
>>
>> "Anne Butera" <AnneButera@discussions.microsoft.com> wrote in message
>> news:AC837013-625D-4ACF-B1A0-88712D5D2344@microsoft.com...
>>> I have a User Group Policy that is applied to all users that forces a
>>> company screen saver. But I need to disable this group policy when they
>>> RDP to a server using Terminal services, because the screen saver uses
>>> up too much CPU and memory. How can I disable the screen saver on
>>> certain servers? Is that possible since it is a user GP?
>>>
>>> Thanks for any input!
>>>
>>> Ann
From: David Shen <davidsunshine2000@hotmail.com>
To: none
Subject: Re: [X-POST] Person and User.
Date: 09/28/2007 01:36:07

To Alessandro,

You can use Sysinternals tool ADExplorer to view userPrincipalName very
easily. You may download it from www.sysinternals.com

"AM" <AM@AM.AM> wrote in message
news:%23GArXW1wHHA.424@TK2MSFTNGP06.phx.gbl...
> Hi all,
>
> is there anyone who can kindly tell me how the object/category specified
> in the subject play the role in the big picture of Active Directory?
>
> I need to access the attribute userPrincipalName and someone told me to
> refer to the object (?-I hope to call it with the right name) USER instead
> of PERSON.
>
> Browsing the AD through an LDAP browser the "user" has both the
> objectclass User and Person so I can not see any difference between them
> and I can not understand why to use the first instead of the second. Maybe
> I'm missing something.
>
> I would be interested in some drawings that explains at which level those
> "object" are placed and which is the "role" of each one.
>
> Many thanks in advance.
>
> Alessandro