Re: Please help refresh my memory on AD DC

Hello Meinolf,

Thanks for the reply,

Thanks for the links I will read them.

I wanted to change the local accounts for password expiration and things
like that but they are shaded out. How do I get to them to modify?

Thank you
Joe

"Meinolf Weber" wrote:

Hello Joe,

With GPMC you can edit the default domain and default domain controllers
policy, which by the way is not recommended but possible. These 2 policies
are configured with default settings.

For your own needs and for having the option to go back in any kind of problems
you should better create your own policies and link them to that levels if
you need changes on that. For the beginning you can leave that both as default
and start your own policy settings. Before linking them to productional machines
use always test computers and OU's and test accounts.

GPO's are also a complex part, start here:
http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx

http://technet.microsoft.com/en-us/library/cc758290.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hello Meinolf,

Those tools are installed but where do I go to edit?

Click Group Policy Management and then where?

Thank you

Joseph
"Meinolf Weber" wrote:
Hello Joe,

From the features install the Group policy management console and
aslo have a look on the RSAT tools there. Remote server
administration tools is the successor for administrative tools.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello Meinolf,

In Server 2008 where do you change the local security policies for
all
Servers.
After I joined the servers they all have the same setin as password
expiration and password complexity. I know where to change this on
the
local
machine but how do you change it on the DC for all. Or is this not
what is
happenning?
Thank you
Joseph
"Meinolf Weber" wrote:
Hello Joe,

In Administrative tools, you have a lot of management consoles.
Also that one for IIS.

On the server where the folder is located that you like to share
you have to open the folder properties, choose the sharing tab and
do your settings. Only AD is not enough to share a folder.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello Meinolf,

Ok I did post in the IIS newsgroups and in IIS.Net a few days
back. I haven't received and answer in this part yet.

In between my last post I logged into IIS MC from the DC I just
used the MMC console Not the ADUC as I thought you would.

I created the folder share just from the ADUC and I didn't do
anything else.

Where would I go from here Locally at that server or on the DC?

Thank you
Joseph
"Meinolf Weber" wrote:
Hello Joe,

See inline.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
Hello Meinolf,

I do thank you for hanging in there for me.

I wanted to add the servers to a Domain Controller for central
mangement and easier file sharing. Plus a few applications that
require it.

Use the Administrative tools on the DC.

I problem that I am running into is the management of file
folders and IIS.

You say RDP intothe server and then make the changes in IS MMC.
Ok that is fine because that is what I have been doing all this
time. The question is when I RDP in who am I loggin in as ?

I meant to connect from the DC's administrative tools to the IIS.
It's also possible. But as said before, i am not IIS specialist.
Alos in a domain you should use the domain accounts, local
accounts will have no effect to configure for domain needs.

If I login as a local adminstrator I cannot set permissions on a
folder in IIS MMC because when select a user (and that user is
IUSR_MACHINAME or NETWORK SERVICE for ASP.NET) I get promted to
the Domain Credentials. Is this correct?

If the server is domain member and the accounts also from the
domain, yes.

Do I no longer use the diabled Red Arrowed Users? Do I select
only
the
ones that begin with Domain..?
Domain Users
Domain Administrators
etc...
If so, now, Which one is the anonymous account? Is it still
IUSR_MACHINENAME Because I don't see it available in a non red
arrow.
Plus existing sites already have this as the anonymous user
(IUSR_MACHINENAME)
Because you installed the IIS before creating the domain you will
not have the IIS accounts on the users container in AD users and
computer i assume. I don't know enough about IIS and how to make
also the IIS available for the complete domain access. Maybe you
can export the complete IIS and then import this to a fresh
installed IIS with complete domain setup. But again Ask this in
an IIS NG. There are your experts.

I must say that this is confusing. I am going to post some
images on a Community Server Forum would you please look at
them?

Second Question:

I logged on to the DC pysically standing at the machine.
I created a file share on a remote member server through the
Active
Dir
Users and Computers.
I selected Everyone as read only. I then finished and went over
to
my
laptop
and logged in locally
I can see the share but not access it. Is this correct?
Did you only create the shared folder with ADUC or did you also
share it on the server itself via the sharing tab on the folder
properties? What share permissions did you configure and what
NTFS permissions on the folder. These both are different from the
permissions tab ion ADUC, that let as default.

Thanks again Meinolf

Joseph

"Meinolf Weber" wrote:

Hello Joe,

I can not really follow, what you are trying to achive. If you
like to set folder/file permissions on a remote server
harddisk/volume you should map a drive or connect to the server
with RDP. If you like to configure the IIS, you should use the
"Internet Services Manager" from the Administrative tools and
connect to the server which holds the IIS.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no
warranties,
and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
Hello Meinolf,

Then how do I go about editing/configuring permissions on
folder?

There is no IIS MMC in the DC management. Do notever
logonlocally
again?
Do I just logon the DC and go to Active Directoy Users and
Computers
Right

Click the PC and select manage. When I do that I do not get an
IIS
MMC
I get
most of the others. I can do disk management, SQL, event
Viewer,
I
can
add
and modify users.
I see all that and understand it. But when it comes to adding
a
user
for a folder also
How to manage installed programs is this done locally?
Thank you
Joseph
"Meinolf Weber" wrote:
Hello Joe,

As said before:
"On domain controllers the local users and groups are
disabled
because the
domain controller has it's own Security database and is not
having
the local
SAM."
That's the reason for the red one.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no
warranties,
and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
Hello Meinolf,

You are correct. I can administer the server from the DC but
I cannot set permissions on the IIS or local box. I had to
login to do so. This was my entire concern. Why the red
arrows?

What am I missing here?

Thanks

"Meinolf Weber" wrote:

Hello Joe,

What folder are you talking about? Looks like you are in
computer management and have connected to a domain
controller form the member server. On domain controllers
the local users and groups are disabled because the domain
controller has it's own Security database and is not having
the local SAM.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no
warranties,
and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
Hello Jorge,

Yes I did thanks. I succeccfully added all servers to the
domain.
.

Relevant Pages

  • Re: Please help refresh my memory on AD DC
    ... "Meinolf Weber" wrote: ... Remote server ... Also that one for IIS. ... On the server where the folder is located that you like to share ...
    (microsoft.public.windows.server.active_directory)
  • Re: Please help refresh my memory on AD DC
    ... use only domain user accounts. ... "Meinolf Weber" wrote: ... Remote server ... Also that one for IIS. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Please help refresh my memory on AD DC
    ... "Meinolf Weber" wrote: ... In Server 2008 where do you change the local security policies for all ... On the server where the folder is located that you like to share you ... Ok I did post in the IIS newsgroups and in IIS.Net a few days back. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Please help refresh my memory on AD DC
    ... "Meinolf Weber" wrote: ... In Server 2008 where do you change the local security policies for all ... On the server where the folder is located that you like to share you ... Ok I did post in the IIS newsgroups and in IIS.Net a few days back. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Please help refresh my memory on AD DC
    ... "Meinolf Weber" wrote: ... to open the folder properties, choose the sharing tab and do your settings. ... Ok I did post in the IIS newsgroups and in IIS.Net a few days back. ... Where would I go from here Locally at that server or on the DC? ...
    (microsoft.public.windows.server.active_directory)