HOW TO: Delegate the ability to add a domain controller to the domain (using minimum permissions)
In larger enterprise deployments there is often a requirement to automate the building and promotion of domain controllers and their hardware. Such deployments use service accounts for the different tasks. This document describes how to delegate the ability to promote a domain controller using the minimum required permissions. The idea is that a group is granted these permissions and the service account that performs the automated promotions is the only member of that group.
INFO: Configure USERENV.LOG logging
The core Group Policy engine writes various, configurable types of information to its log file, which is stored under %windir%\debug\usermode. In Windows NT 5.x this file is called USERENV.LOG. In Windows NT 6.x this file is called GPSVC.LOG.
HOW TO: Manually trigger the directory service garbage collection process

There may be occasions where you need to trigger the garbage collection process manually, as by default it runs only every twelve hours. Such occasions will be rare, but one example is wanting an immediate, up-to-date report on the size of the DIT and the amount of whitespace within it.
INFO: Fine Tuning Net Logon's SRV Resource Record (RR) registrations

In large branch office deployments it can become necessary to control which Domain Name System (DNS) Resource Records (RR) are registered by Domain Controllers (DC), as well as the weight and priority of these records. This article discusses the settings and methods available for such configurations.
INFO: Last-Logon-Timestamp (lastLogonTimestamp)

lastLogonTimestamp is a new attribute that is enabled at the Windows Server 2003 forest functional level. Unlike lastLogon, it is replicated; however, because of how infrequently it is updated, it can give the incorrect impression that it is not replicated like other attributes.
HOW TO: Install the Windows Server 2003 SP 1 Administration Tools (ADMINPAK) on Windows Vista

By default, the Windows Server 2003 Service Pack (SP) 1 (or SP2) Administration Tools, better known as ADMINPAK or ADMINPAK.MSI, do not work, or only partially work, under Microsoft Vista. There is no plan to release the Windows Server 2008 Administration Tools prior to its release.

TIP: Configuring the confidentiality bit on CAT-1 schema items

In Windows Server 2003 Service Pack 1 Microsoft introduced a new setting for non-category 1 (base schema) objects and attributes: the confidentiality bit, otherwise known as Confidential Attributes. In summary, setting the seventh bit (decimal value 128) of the searchFlags attribute on an attributeSchema object that is not part of the base schema marks that attribute as confidential, so that read access is denied to everyone except those who hold both the read property permission and the control access permission on it.
INFO: What are Active Directory Recursive Queries?

In Windows Server 2003 Service Pack 2 and Windows Server 2007 Microsoft have added a new LDAP query matching rule for linked-value DN syntax attributes, currently known as a recursive query. The idea behind such a query is that it simplifies chasing nested links. The matching rule is invoked by placing its OID between a starting and an ending colon, just as the bitwise AND and OR matching rules are. This means that a recursive query takes the format of:
TIP: Group Nesting

The question of which group type can be placed into which group type, otherwise known as group nesting, is often asked in the newsgroups. It is also easy to forget. This tip summarises which group types can be nested into which.
HOW TO: Disable circular logging in Active Directory

The Windows 2000 Server and Windows Server 2003 implementations of the Active Directory database use circular logging by default. By default there are two 10 MB log files (and two 10 MB reserve files) used for logging database write operations, although if enough transactions justify it the database engine (Jet Blue) will use additional logs until the transactions can be verified as committed, after which the extra files are pruned back to two again. It has always been said that this feature cannot be turned off. This article explains how to turn it off.

HOW TO: Install Windows Server 2003 R2 on a Domain Controller


This article discusses how to install the Windows Server 2003 R2 components, otherwise known as Windows Server 2003 R2 disk 2, onto an Active Directory Domain Services (ADDS) Domain Controller (DC) running Windows Server 2003 Service Pack 1 (SP1).

INFO: How does mS-DS-MachineAccountQuota work?

What is ms-DS-MachineAccountQuota?

ms-DS-MachineAccountQuota is an attribute of the domain that tells Active Directory how many computers an authenticated user may join to the domain. By default, an authenticated user account may join up to ten computers to the domain without any additional permissions or rights; ten is the default value of the ms-DS-MachineAccountQuota attribute. This value can be increased, or the feature can be disabled by setting ms-DS-MachineAccountQuota to zero. Administrative or delegated users are exempt from this quota based on their permissions in the directory.
HOW-TO: Delegate permissions to a DFS namespace

In any disparate environment there is a need for local 'administrators' to accomplish specific roles. These local administrators are not administrators in the true sense; rather, they are a specific user or users with some IT knowledge who carry out local tasks for the central IT department. The need to delegate functions and tasks therefore becomes very necessary. Best practice dictates that any given user should perform that user's role with the fewest privileges possible. It is not feasible to give a local user administrative control over an entire server if they only need to administer a specific role. This tip therefore explains how to delegate the administration of a DFS namespace to a user or group of users, and provides examples of how to achieve this using both the GUI and the command line.
HOW-TO: Limit DFS referrals to one link in a replica set
The question of "how can I limit DFS referrals to one particular link in a replica set" or "how can I configure a replica for backup purposes that no one can access/ use" is frequently asked in the DFS newsgroup. This tip directly addresses this question, and provides examples of how to achieve this using both the GUI and command line.
HOW TO: Customise the style of the display name in Active Directory Users and Computers and the GAL

Finding and Modifying the Display Specifier - createDialog

It is often asked how the Display Name for user and contact objects in the Active Directory (GUI) management tools (and the GAL) can be changed from the default of to something else, perhaps , , so that this happens by default. This article explains how to make the necessary changes to achieve this.
