Sunday, May 28, 2006

Group Policy bits and pieces

Hi,

Here are just a few group policy basics which might help a few people.

Firstly, the way group policy is processed:

In a domain environment it goes like this...


Local
Site
Domain
OU

Whichever policy is applied last wins and its settings apply.

NOTE: Remember, though, that if you define a setting in the local policy and none of the other policies explicitly define that same setting, the local policy setting will still be applied even though it is not last in the processing order.
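The processing order and the NOTE above can be modelled as a per-setting merge. This is an added example, not part of the original post; the setting names, values and the function name Resolve-PolicySettings are constructed for illustration.

```powershell
# Constructed sample data: setting names and values are illustrative only.
# Layers are listed in processing order: Local, Site, Domain, OU.
$layers = @(
    @{ Scope = 'Local';  Settings = @{ ScreenSaverTimeout = 900; HideRunMenu = 1 } },
    @{ Scope = 'Site';   Settings = @{ } },
    @{ Scope = 'Domain'; Settings = @{ ScreenSaverTimeout = 600; MinPasswordLength = 8 } },
    @{ Scope = 'OU';     Settings = @{ ScreenSaverTimeout = 300 } }
)

function Resolve-PolicySettings {
    param([object[]]$Layers)

    $result = @{}
    foreach ($layer in $Layers) {
        foreach ($name in $layer.Settings.Keys) {
            # A later layer replaces an earlier one only for the settings
            # it explicitly defines; everything else is left untouched.
            $result[$name] = [pscustomobject]@{
                Value  = $layer.Settings[$name]
                Source = $layer.Scope
            }
        }
    }
    return $result
}

$effective = Resolve-PolicySettings -Layers $layers
foreach ($name in ($effective.Keys | Sort-Object)) {
    '{0,-20} = {1,-5} (from {2})' -f $name, $effective[$name].Value, $effective[$name].Source
}
```

ScreenSaverTimeout is defined at three levels and the OU value wins, while HideRunMenu is defined only locally and so survives to the end.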


Someone recently asked how to reset the local policy:

The best way I have found would be to script the deletion of the registry.pol files from the

%windir%\system32\grouppolicy\machine

and

%windir%\system32\grouppolicy\user

directories.

This would leave you with a clean local GPO so that new domain policies can be applied without having to define every setting.
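One way to script that deletion, keeping a copy of each file first. This is an added example, not code from the original post; the two directories are the ones named above, while the backup location and the function name Reset-LocalPolicyFile are assumptions.

```powershell
# Run from an elevated prompt on the machine whose local GPO is being reset.
$gpRoot = Join-Path $env:windir 'System32\GroupPolicy'

# Assumption: backup folder chosen for this example, timestamped per run.
$backupDir = Join-Path $env:SystemDrive ('LocalGpoBackup_{0:yyyyMMdd_HHmmss}' -f (Get-Date))

function Reset-LocalPolicyFile {
    param([string]$Root, [string]$BackupRoot)

    $removed = @()
    foreach ($side in 'Machine', 'User') {
        $pol = Join-Path $Root (Join-Path $side 'Registry.pol')
        if (-not (Test-Path -LiteralPath $pol)) {
            continue   # no local settings defined on this side
        }

        # Copy before deleting so the previous local policy can be restored.
        $dest = Join-Path $BackupRoot $side
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item -LiteralPath $pol -Destination $dest -ErrorAction Stop
        Remove-Item -LiteralPath $pol -Force -ErrorAction Stop
        $removed += $pol
    }
    return $removed
}

$removed = Reset-LocalPolicyFile -Root $gpRoot -BackupRoot $backupDir
if ($removed) {
    "Removed: $($removed -join ', ') (copies in $backupDir)"
    gpupdate /force    # reapply policy now that the local GPO is empty
} else {
    'No Registry.pol files found; the local GPO is already empty.'
}
```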

Finally, a way to reset local security settings on a 2000/XP and 2003 machine:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

(note the above should be one line)

See the link below for more info on this one:

Link

Saturday, May 27, 2006

Looks like my next phone is getting closer!!

WOW!

Finally a small WM5 phone with UMTS functions (3G) and WIFI.

I have been using the SPV M5000 (Imate JasJar) for a while now and the 3G for web browsing is great, but the size is not :(

So this new phone looks like it will do everything!





For more info see below:

http://www.theunwired.net/?itemid=2945

Creating an ISO file from a group of directories

Hi,

Just a quick post about how to create ISO files from a bunch of files on your hard disk.

I found this useful when working with virtual machines on VMWare ESX server that have no networking. I create an ISO image of the files I need in the VM and then mount it to the CD drive.

The tool I found which is very simple to use is called MagicISO and a trial version can be downloaded here:

http://www.magiciso.com/

You will find that it also does a load more stuff, like burning CDs and DVDs and extracting ISO images from existing CDs.

Hope this is useful.
Cheers
Nathan

Links and Blogs section.

Hi,

As you can see, I have now added a few more sites and blogs that I regularly look at. I hope to build this into a set of links which will guide daily browsing.

Cheers
Nathan

Monday, May 22, 2006

A few of my favourite photos from the Minasi Forum meeting (mostly)

The beautiful sun rise seen from my hotel window.


The Minasi Forum Server (on the right!)



My wife Lizzie on the beach in Folkestone



A group of us about to leave the hotel in Virginia:
Nick, Anthony, James, Mark, Tim, Aiden




Me and Mark Minasi




Me on the beach in Folkestone, UK

Accessing an LDAP directory using Outlook

Hi,

This is an issue that a friend of mine raised recently and its fix:



I go into Outlook 2003 and configure an LDAP setting using the default.
When I click on To it opens up a display box to type in a name to search on. I type a name and it returns nothing. I click on Advanced and Find to open up a search box. I type in a last name and the attached document will show the two dialog boxes I have gotten after I tried a few settings.

I can set up the same LDAP directory, ldap.iup.edu, in Outlook Express. I go to send a new message, click on To, type in a name to find, and it searches the LDAP directory fine.


He was getting the following error messages:

If I take the default settings and leave Search Base blank:




And




After I enter in dc=iup, dc=edu




It turns out the fix was available on Experts Exchange and went as below:



http://www.experts-exchange.com/Applications/MS_Office/Q_21165809.html

The problem was caused by the fact that later versions of Outlook try to enumerate the entire directory on connection. The default setting on the ADAM LDAP server limits the search query to a maximum of 10,000 names. If the number of LDAP entries exceeds that, Outlook will generate an error.

There are two fixes. One is to make a registry change on the client machine which will remove the error:

Open regedit and browse to: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ (if you've got Office 2002 it will be 10.0, not 11.0)

Add new key, name it "LDAP"

Next add a Dword, name it "DisableVLVBrowsing" and set the value to "1" (don't actually add the quotes on either).

So what you have is:

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\LDAP]
"DisableVLVBrowsing"=dword:00000001

Now reboot (or it won't work).


The second solution (probably the better of the 2 depending on your directory size) is to change the maximum number of results ADAM will display, AKA "MaxTempTableSize". The default is 10,000. On the LDAP server open "ADAM tools" and at the command prompt type "dsmgmt" (use /? to show the commands and quit to back up)

at dsmgmt: type "ldap pol"
at ldap policy: type "connections"
at connections: type "connect to server servername:389" (where servername is the name of your ldap server)
it should say binding to server etc...
at connections: type "quit"
at ldap policy: type "list" (you should see MaxTempTableSize listed. type "show value" to see the current value)
at ldap policy: type "Set MaxTempTableSize to 20000" (or whatever value you want).
at ldap policy: type "commit changes"

That's it. Type quit several times or do a "show value" to take a look at the new value. (Here's what it looks like)

C:\WINDOWS\ADAM>dsmgmt
dsmgmt: ldap pol
ldap policy: connections
server connections: connect to server avsmtp1:389
Binding to avsmtp1:389 ...
Connected to avsmtp1:389 using credentials of locally logged on user.
server connections: quit
ldap policy: list
Supported Policies:
MaxPoolThreads
MaxDatagramRecv
MaxReceiveBuffer
InitRecvTimeout
MaxConnections
MaxConnIdleTime
MaxPageSize
MaxQueryDuration
MaxTempTableSize
MaxResultSetSize
MaxNotificationPerConn
MaxValRange

ldap policy: set MaxTempTableSize to 20000
ldap policy: commit changes

Hope this helps somebody else out.

Cheers
Nathan

New standalone emulator for Windows Mobile devices

Hi,

Finally, we now have a standalone emulator for Windows Mobile 5 devices which also includes direct push technology!

http://www.microsoft.com/downloads/details.aspx?FamilyId=C62D54A5-183A-4A1E-A7E2-CC500ED1F19A&displaylang=en

Resetting the Directory Services Restore mode password in Active Directory

Here is how you reset the AD restore mode password in 2003:

Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).

Start the Directory Service Restore Mode Administrator password-reset utility by entering the argument "set dsrm password" at the ntdsutil prompt: ntdsutil: set dsrm password

Run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine.

For example, to reset the password on server testserver1, enter the following argument at the Reset DSRM Administrator Password prompt:

Reset DSRM Administrator Password: reset password on server testserver1

To reset the password on the local machine, specify null as the server name:

Reset DSRM Administrator Password: reset password on server null

You'll be prompted twice to enter the new password. You'll see the following messages:

Please type password for DS Restore Mode Administrator Account:

Please confirm new password:

Password has been set successfully.

Exit the password-reset utility by typing "quit" at the following prompts:

Reset DSRM Administrator Password: quit

ntdsutil: quit



Unfortunately, this doesn't work for Windows 2000. One way around this would be to do a system state backup, DCPromo down, reset the password and then do the necessary restore.

DCGPOFIX, a tool for resetting Default GPOs

Hi,

I came across this tool recently when trying to recover a domain in a training environment.

One of the students had managed to delete his Default Domain Policy!

So to recover it I ran the following: dcgpofix /target:domain

It can also be used to recover the Default Domain Controllers Policy

dcgpofix /target:dc

By default, without specifying the target, you will reset both policies.

NOTE: be very careful with this tool, as it will wipe out any settings you currently have in your default policies!

For more info on the tool check:

Link to the Technet Site

Sunday, May 21, 2006

Copying files to Linux systems

Well, now I am really branching out!

Whilst studying for my VMWare Certified Professional exam, I have discovered a great little tool which lets you copy files from a Windows machine to a Linux based one. In my case, a VMWare ESX 2.5.2 system.

The tool is called WinSCP and is available for download from:

http://winscp.net/eng/download.php

Saturday, May 20, 2006

More photos from the Minasi Forum Meeting

Here are a few more photos from the meeting:

http://tinyurl.com/ga4lj

Thursday, May 18, 2006

Mark Minasi Forum Meeting

Hi,

As you can see from the title, this post is about the first meeting of members of the Mark Minasi forum.

This forum, www.minasi.com, is one of the very best and most friendly I.T.-based forums on the Internet. It has many knowledgeable members including several MVPs.

So, over the last few months we have been trying to organise a get-together and last week we did it!

We held the event at the Marriott Courtyard in Virginia Beach, Norfolk, USA.

Over the weekend we had some great sessions including:

Looking forward to the important things in Windows Vista
An in depth look at Windows Logins
Microsoft Dynamics (CRM etc) and virtualisation
Exchange Active Sync and your PDA/Smartphone (This one was mine!)
A session by an engineer from SecureWave about a product for desktop lockdown
A session on SBS 2003 R2
Troubleshooting with Netmon
A look at IPv6

So as you can see, some excellent topics and I can verify that the sessions were brilliant.

To top it all off, we had a superb evening at Mark's house on Saturday night with wonderful food!

All in all this was an amazing event which we hope to repeat. If anyone is interested in the forum please have a look at the link above.

To view pictures from the event look at the links below:

http://www.flickr.com/photos/thenakedmvp/show/

http://www.flickr.com/photos/88471851@N00/show/