In larger enterprise deployments there is often a requirement to automate the building and promotion of domain controllers and their hardware. Such deployments use service accounts for different tasks. This document describes how to delegate the ability to promote a domain controller using the minimum required permissions. The idea is that a group is granted these permissions and the service account that performs the automated promotions is the only member of that group.

The core Group Policy engine writes various configurable types of information to its log file, which is stored under %windir%\debug\usermode. In Windows NT 5.x (Windows 2000, Windows XP and Windows Server 2003) this file is called USERENV.LOG. In Windows NT 6.x (Windows Vista and Windows Server 2008) it is called GPSVC.LOG.

There may be occasions when you need to trigger the garbage collection process manually rather than waiting for its default twelve-hour schedule. There will not be many, but one is wanting an immediate, up-to-date report on the size of the DIT and the amount of whitespace within it.

In large branch office deployments it can become necessary to control which Domain Name System (DNS) resource records (RRs) are registered by domain controllers (DCs), as well as the priority and weight of those records. This article discusses the settings and methods available for such configurations.

lastLogonTimestamp is an attribute that becomes available at the Windows Server 2003 forest functional level. Unlike lastLogon it is replicated; however, because it is only rewritten when the stored value is more than about 14 days old (the msDS-LogonTimeSyncInterval default, less a random offset of up to five days), it can give the incorrect impression that it is not replicated like other attributes.

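As an added example (not from the article), the functions below turn the raw FILETIME value into the window in which the genuine last logon must lie, and show the correction a stale-account sweep has to apply because of that update rule. The 14-day interval is the default; the account name and 90-day threshold are assumed inputs.

```powershell
# Added example, not the article's code. Uses the default msDS-LogonTimeSyncInterval.
$SyncIntervalDays = 14

function Get-LastLogonWindow {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $searcher = [ADSISearcher]"(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.Add('lastLogonTimestamp')
    $r = $searcher.FindOne()
    if (-not $r) { throw "No object named $SamAccountName" }
    $raw = $r.Properties['lastlogontimestamp']
    if (-not $raw -or $raw.Count -eq 0 -or $raw[0] -eq 0) {
        return [pscustomobject]@{ Account = $SamAccountName; EarliestUtc = $null; LatestUtc = $null
                                  Note = 'never set: no logon since the attribute became available' }
    }
    # DirectorySearcher returns the large integer as Int64, i.e. a FILETIME.
    $stored = [DateTime]::FromFileTimeUtc([int64]$raw[0])
    # The value is only rewritten when it is older than (interval - random 0..5 days), so the
    # real last logon is somewhere between the stored value and stored + interval.
    [pscustomobject]@{
        Account     = $SamAccountName
        EarliestUtc = $stored
        LatestUtc   = $stored.AddDays($SyncIntervalDays)
        Note        = 'replicated but coarse; lastLogon on each DC is exact but not replicated'
    }
}

# A "no logon for N days" sweep must push its cut-off back by the interval, otherwise
# accounts used within the last two weeks can be reported as stale.
function Find-StaleUsers {
    param([int]$Days = 90)
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-($Days + $SyncIntervalDays)).ToFileTimeUtc()
    # Enabled user accounts only; the bitwise-AND rule masks ACCOUNTDISABLE (2) in userAccountControl.
    $s = [ADSISearcher]"(&(objectCategory=person)(objectClass=user)(lastLogonTimestamp<=$cutoff)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.Add('sAMAccountName')
    $s.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

Get-LastLogonWindow -SamAccountName 'jdoe'
Find-StaleUsers -Days 90
```

Accounts that have never had the attribute set do not match the `<=` filter, so a complete sweep also needs a second query for `(!(lastLogonTimestamp=*))`.
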
By default the Windows Server 2003 Service Pack (SP) 1 (or SP2) Administration Tools, better known as ADMINPAK or ADMINPAK.MSI, do not work, or only partially work, under Windows Vista. There is no plan to release the Windows Server 2008 Administration Tools before Windows Server 2008 itself is released.

In Windows Server 2003 Service Pack 1 Microsoft introduced a new setting for attributes that are not category 1 (base schema) objects: the confidentiality bit, otherwise known as Confidential Attributes. In summary, setting the bit with decimal value 128 (0x80) in the searchFlags attribute of an attributeSchema object that is not part of the base schema causes that attribute to be treated as confidential: read access is denied to everyone except principals that hold both the Read Property right and the CONTROL_ACCESS right for the attribute.

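As an added example (not the article's own steps), the script below sets the bit the safe way: it binds to the schema master, refuses to touch a base-schema attribute (systemFlags 0x10, where the bit is ignored), and ORs 0x80 into searchFlags instead of overwriting it, so any index, ANR or preserve-on-delete flags already present survive. The attribute name employeeSSN is an assumed custom attribute for illustration.

```powershell
# Added example, not the article's code. Needs Schema Admins membership.
$AttributeLdapName = 'employeeSSN'   # assumed custom (non base-schema) attribute
$CONFIDENTIAL      = 0x80            # searchFlags: confidential attribute
$BASE_SCHEMA       = 0x10            # systemFlags: FLAG_SCHEMA_BASE_OBJECT (category 1)

# Schema writes must go to the schema master, so resolve it from fSMORoleOwner.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = $rootDse.schemaNamingContext.Value
$ntds     = [ADSI]"LDAP://$(([ADSI]"LDAP://$schemaNc").fSMORoleOwner.Value)"
$master   = ([ADSI]$ntds.Parent).dNSHostName.Value

$searcher = [ADSISearcher]"(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeLdapName))"
$searcher.SearchRoot = [ADSI]"LDAP://$master/$schemaNc"
$result = $searcher.FindOne()
if (-not $result) { throw "attributeSchema for $AttributeLdapName not found" }
$attr = $result.GetDirectoryEntry()

$systemFlags = [int]($attr.systemFlags.Value)
if ($systemFlags -band $BASE_SCHEMA) {
    throw "$AttributeLdapName is a base-schema (category 1) attribute; the confidential bit has no effect there"
}

$current = [int]($attr.searchFlags.Value)
if ($current -band $CONFIDENTIAL) {
    "{0} is already confidential (searchFlags=0x{1:X})" -f $AttributeLdapName, $current
} else {
    # OR the bit in; a plain assignment would silently drop 1 (index), 4 (ANR), 8 (preserve
    # on delete) and the other flags already set on the attribute.
    $new = $current -bor $CONFIDENTIAL
    $attr.Put('searchFlags', $new)
    $attr.SetInfo()
    "searchFlags on {0}: 0x{1:X} -> 0x{2:X}" -f $AttributeLdapName, $current, $new
}
```

Check the result from an ordinary user account: a search returning that attribute should come back with the attribute simply absent, not with an error. Remember that anyone with Full Control on the object (Domain Admins, Account Operators in the default ACLs, the object's owner) already holds CONTROL_ACCESS and will still see the value.
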
In Windows Server 2003 Service Pack 2 and Windows Server 2008 Microsoft added a new LDAP matching rule for linked-value, DN-syntax attributes (LDAP_MATCHING_RULE_IN_CHAIN), commonly called a recursive or transitive query. The idea behind such a query is that it simplifies chasing nested links, for example membership through nested groups. The matching rule is used by placing its OID between colons after the attribute name, just as the bitwise AND (1.2.840.113556.1.4.803) and bitwise OR (1.2.840.113556.1.4.804) matching rules are. A recursive query therefore takes the form:
(attribute:1.2.840.113556.1.4.1941:=distinguishedName)

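As an added example (not the article's), the functions below use the rule in both directions: every enabled user who is a member of a group through any depth of nesting, and every group a given user belongs to transitively. The group name and the user DN are assumed inputs.

```powershell
# Added example, not the article's code. Needs a DC at Windows Server 2003 SP2 or later.
function Get-EffectiveMembers {
    param([Parameter(Mandatory=$true)][string]$GroupSamAccountName)
    $g = ([ADSISearcher]"(&(objectClass=group)(sAMAccountName=$GroupSamAccountName))").FindOne()
    if (-not $g) { throw "group $GroupSamAccountName not found" }
    $groupDn = $g.Properties['distinguishedname'][0]

    # The in-chain rule walks memberOf on the server, so nested groups need no client-side
    # recursion. The bitwise-AND rule on userAccountControl drops disabled accounts (bit 2).
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    $s = [ADSISearcher]$filter
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName'))
    $s.FindAll() | ForEach-Object {
        [pscustomobject]@{ Account = $_.Properties['samaccountname'][0]
                           DN      = $_.Properties['distinguishedname'][0] }
    }
}

# The reverse chase: chain the 'member' link from the user's DN up through every group.
function Get-EffectiveGroups {
    param([Parameter(Mandatory=$true)][string]$UserDn)
    $s = [ADSISearcher]"(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$UserDn))"
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    $s.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

Get-EffectiveMembers -GroupSamAccountName 'Domain Admins'
Get-EffectiveGroups  -UserDn 'CN=jdoe,OU=Staff,DC=example,DC=com'
```

Two caveats a practitioner should keep in mind: the rule follows the member/memberOf links only, so membership that exists solely through primaryGroupID (Domain Users for most accounts) is not found; and DNs that contain `(`, `)`, `*` or `\` must be escaped before being placed in the filter. The query is also considerably more expensive than a plain equality match, so keep it out of tight loops against large directories.
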
The question of which group type can be placed into which group type, otherwise known as group nesting, is often asked in the newsgroups. It is also easy to forget. This tip summarises which group types can be nested in which.

The Windows 2000 Server and Windows Server 2003 implementations of the Active Directory database (the Extensible Storage Engine, also known as Jet Blue) use circular logging by default. By default there are two 10 MB log files (and two 10 MB reserve files) used to log database write operations, although if the volume of transactions justifies it the database will use additional logs until those transactions can be verified as committed, after which the extra files are pruned and the count returns to two. It has always been said that this feature cannot be turned off. This article explains how to turn it off.

This article discusses how to install the Windows Server 2003 R2 components, otherwise known as Windows Server 2003 R2 disc 2, onto an Active Directory Domain Services (ADDS) Domain Controller (DC) running Windows Server 2003 Service Pack 1 (SP1).

What is ms-DS-MachineAccountQuota?
ms-DS-MachineAccountQuota is an attribute of the domain object that tells Active Directory how many computers an authenticated user may join to the domain. By default an authenticated user may join up to ten computers to the domain without any additional permissions or rights; ten is the default value of ms-DS-MachineAccountQuota. The value can be increased, or the feature disabled altogether by setting ms-DS-MachineAccountQuota to zero. Administrative or delegated users (those who have been granted the right to create computer objects in the directory) are exempt from this quota.

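As an added example (not the article's), the script below reads the current quota, lists the machine accounts that were created under it rather than by a delegated or administrative principal, and then sets the quota to zero. It relies on a documented side effect: when an ordinary user consumes the quota, AD stamps the new computer object's mS-DS-CreatorSID with that user's SID, whereas principals with an explicit Create Child right leave it empty.

```powershell
# Added example, not the article's code. Run as a Domain Admin.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.defaultNamingContext.Value
$dom      = [ADSI]"LDAP://$domainDn"
"ms-DS-MachineAccountQuota is currently {0}" -f $dom.Properties['ms-DS-MachineAccountQuota'].Value

# Audit first: which computer objects exist only because of the quota, and who created them?
$s = [ADSISearcher]'(&(objectCategory=computer)(mS-DS-CreatorSID=*))'
$s.PageSize = 1000
[void]$s.PropertiesToLoad.AddRange(@('name', 'mS-DS-CreatorSID', 'whenCreated'))
$quotaJoined = $s.FindAll() | ForEach-Object {
    # The SID comes back as a byte array; resolve it to a name where the account still exists.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Properties['ms-ds-creatorsid'][0], 0)
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }
    [pscustomobject]@{ Computer  = $_.Properties['name'][0]
                       CreatedBy = $who
                       When      = $_.Properties['whencreated'][0] }
}
$quotaJoined | Sort-Object CreatedBy, When | Format-Table -AutoSize

# Disable the quota: from now on only principals holding Create Child (computer) on the target
# container can add machine accounts. Accounts created earlier are unaffected.
$dom.Put('ms-DS-MachineAccountQuota', 0)
$dom.SetInfo()
```

Setting the quota to zero does not revoke anything already granted: the user who created a computer object under the quota remains its owner with the rights the default security descriptor gives owners, which is why the audit above is worth running (and the stale entries cleaned up) before you rely on the new value.
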
In any dispersed environment there is a need for local 'administrators' to fulfil specific roles. These local administrators are not administrators in the true sense; rather they are one or more users with some IT knowledge who carry out local tasks on behalf of the central IT department. Delegating functions and tasks therefore becomes very necessary. Best practice dictates that any given user should perform their role with the least privilege possible: it is not acceptable to give a local user administrative control over an entire server when they only need to administer a specific role. This tip therefore explains how to delegate the administration of a DFS namespace to a user or group of users, with examples of how to achieve this using both the GUI and the command line.

The questions "how can I limit DFS referrals to one particular link in a replica set?" and "how can I configure a replica for backup purposes that nobody can access or use?" are frequently asked in the DFS newsgroup. This tip addresses them directly, with examples of how to achieve this using both the GUI and the command line.

Finding and Modifying the Display Specifier - createDialog
It is often asked how the Display Name that the Active Directory (GUI) management tools generate for new user and contact objects (and which therefore appears in the GAL) can be changed from the default to a different format, so that newly created objects get that format by default. This article explains how to make the necessary changes to achieve this.

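As an added example (not the article's own steps), the script below reads and rewrites the createDialog attribute on the US-English (locale 409) display specifiers for both users and contacts. The object paths and the %<ldapDisplayName> token syntax are the ones the specifier uses; the new format '%<sn>, %<givenName>' is an assumed choice for illustration.

```powershell
# Added example, not the article's code. Writing to the Configuration partition needs
# Enterprise Admins (or equivalent delegated) rights.
$NewFormat = '%<sn>, %<givenName>'   # assumed: surname first, then given name

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$locale   = '409'   # display specifiers are per locale; use the hex LCID of the UI language you run

foreach ($class in 'user', 'contact') {
    # e.g. CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=example,DC=com
    $spec = [ADSI]"LDAP://CN=$class-Display,CN=$locale,CN=DisplaySpecifiers,$configNc"
    $old  = $spec.Properties['createDialog'].Value
    "{0}-Display createDialog: '{1}'" -f $class, $old   # empty means the tool's built-in default
    if ($old -ne $NewFormat) {
        $spec.Put('createDialog', $NewFormat)
        $spec.SetInfo()
        "  -> set to '$NewFormat'"
    }
}
```

The change replicates with the Configuration partition to every domain in the forest and takes effect once the management console is restarted. It only controls what the New Object dialog fills in at creation time: displayName values on existing objects, and hence their GAL entries, are left exactly as they were.
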