Re: Exchange OWA 2003 Trusted Root Certificate
From: Smurfman (smurfman_at_discussions.microsoft.com)
Date: 02/22/05
- Next message: Paul Adare: "Re: Exchange OWA 2003 Trusted Root Certificate"
- Previous message: Paul Adare: "Re: W2K Adv. Svr SP2 and Critical Security Patches"
- In reply to: Steven L Umbach: "Re: Exchange OWA 2003 Trusted Root Certificate"
- Next in thread: Paul Adare: "Re: Exchange OWA 2003 Trusted Root Certificate"
- Reply: Paul Adare: "Re: Exchange OWA 2003 Trusted Root Certificate"
- Reply: Steven L Umbach: "Re: Exchange OWA 2003 Trusted Root Certificate"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 22 Feb 2005 06:59:04 -0800
DNS looks to be fine. And if these machines reboot, they take the policies
and I can see this in the Group Policy Results Wizard in GPMC. When I
compare 2 XP machines (since I can't use the GPMC RSoP with Windows 2000, or
so it tells me), I notice that on this Mail Policy, I have the filter to
apply to specific computers that are part of a group. THe one major thing I
am noticing, is that even though all of the computers are assigned to the
Filter group, not all reflect that their Membership has updated. Does a
computer's group membership only update after a reboot?
One thing I noticed in the DNS article is that the DNS on the network
machine could be missing, or wrong...which I think I would have had more
issues then, but I am going to double check this as well.
GPResult for 2000 machines woudl need to be run at the machine in question,
correct? Thanks again.
J
"Steven L Umbach" wrote:
> OK. Well for that I would start with gpresult and GPMC to make sure that the
> computers are showing as existing in the right OU. Gpresult will also show
> what computer configuration GPO's are being applied to a computer and the
> last time they were applied. RSOP in logging and planning mode can help you
> track down what is going on. RSOP allows you to run scenarios based on the
> OU that the computer is in, group membership, and slow link detection. If
> RSOP planning mode differs from what you are experiencing then their may be
> a network connectivity, dns name resolution, or domain computer account
> problem and the support tool netdiag can be run on any domain computer
> including domain controllers to check for such. See the link below to first
> make sure your dns is 100 percent correct for the domain as improper dns
> configuration is the root of most Active Directory problems. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- AD
> dns FAQ
> http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag
> and ho to install support tools.
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B250842 ---
> troubleshooting Group Policy
>
> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> news:CDC3CC09-D644-433F-957E-B435920DF4C5@microsoft.com...
> > Thanks Steve, I posted the behavior in the Exchange.Misc board, I think
> > right
> > next to "fat chance of anyone having the same issue"...thanks a ton for
> > all
> > of your help on this one here. I posted a Group Policy post related to
> > the
> > fact that not all of my machines in the Group are taking the policy, about
> > half of them, and several of them only after I reboot...the whole 90-120
> > minute thing for computers poling and getting a new machine policy is not
> > working...if you had any thoughts on that the post is over there in
> > Win2000.Group Policy...
> >
> > Thanks
> > J
> >
> > "Steven L Umbach" wrote:
> >
> >> Hmm. I can't help with that as I have never experienced it. I don't use
> >> it
> >> as a mmc snapin, I just run it from Administrative Tools. --- Steve
> >>
> >>
> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> news:C18EA64A-F4B7-4776-9EB2-F7A27A0267AA@microsoft.com...
> >> > Thanks Steve, I actually install and start playing around with the GPMC
> >> > SP1
> >> > yesterday. I posted an issue with the tool on another board, but in
> >> > short
> >> > I
> >> > can run the tool by browsing to it in Admin tools, but if I attempt to
> >> > add
> >> > the tool as a snap-in to my custom mmc console, a Microsoft error is
> >> > generated, and the console crashes. I get the same results when I
> >> > attempt
> >> > to
> >> > add the Exchange 2003 snap-in for System Manager, the console crashes
> >> > and
> >> > I
> >> > can't add it. However, once again if I browse to it and run it, works
> >> > fine.
> >> > Ever heard of that behaviour?
> >> >
> >> > Thanks again.
> >> >
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> If you have a Group Policy where no computer configuration is defined
> >> >> it
> >> >> makes sense to disable the computer part of the Group Policy. Just
> >> >> keep
> >> >> in
> >> >> mind that it is disabled because we tend to forget such as time goes
> >> >> on
> >> >> and
> >> >> someday if you do define a computer configuration setting it obviously
> >> >> will
> >> >> not work until you enable the computer configuration portion of the
> >> >> Group
> >> >> Policy. If you are using Group Policy Management console [via an XP
> >> >> Pro
> >> >> domain computer for W2K domain] it will be easier to see such. ---
> >> >> Steve
> >> >>
> >> >> http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
> >> >>
> >> >> "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> >> news:6B79FBDD-B636-494B-AD5E-8A16C31A243A@microsoft.com...
> >> >> > Actually that was not the only thing I was trying to accomplish.
> >> >> > There
> >> >> > are
> >> >> > specific user configurations that I will be performing as well. But
> >> >> > my
> >> >> > whole
> >> >> > issue was that When I removed Authenticated Users from the default
> >> >> > setting
> >> >> > for the Apply of the GPO, the computer configuration was not
> >> >> > applied,
> >> >> > when
> >> >> > I
> >> >> > used this GPO at the domain level, since Domain Computers are a
> >> >> > member
> >> >> > of
> >> >> > Authenticated Users, other GPO's that I made computer config changes
> >> >> > to,
> >> >> > worked just fine. Once I modified a group to include the specific
> >> >> > computers
> >> >> > that would get this particular config, and applied it to the GPO
> >> >> > (filter)
> >> >> > everything worked like a charm.
> >> >> >
> >> >> > I do have another question, raised by your comment below. I notice
> >> >> > there
> >> >> > are options for the GPO to Disable User or Computer Configuration
> >> >> > Settings.
> >> >> > When I have a policy (not this one), that has Authenticated Users as
> >> >> > the
> >> >> > default, and I have left this setting as is, but made no comptuer
> >> >> > changes -
> >> >> > is it safe to assume that the computer configuration is skipped - or
> >> >> > in
> >> >> > a
> >> >> > domain of less than 50 users, do I care? Is performance really a
> >> >> > concern?
> >> >> >
> >> >> > "Paul Adare" wrote:
> >> >> >
> >> >> >> In article <gsGdnUQ-Y5-o44_fRVn-og@comcast.com>, in the
> >> >> >> microsoft.public.win2000.security news group, Steven L Umbach
> >> >> >> <n9rou@n0-
> >> >> >> spam-for-me-comcast.net> says...
> >> >> >>
> >> >> >> > That should work fine with the GPO at the domain level. ---
> >> >> >> > Steve
> >> >> >> >
> >> >> >> > "Smurfman" <Smurfman@discussions.microsoft.com> wrote in message
> >> >> >> > news:A340D0EB-BB20-41E7-8478-42D257B72CBF@microsoft.com...
> >> >> >> > > So for this example, create 2 Global Groups, perhaps one called
> >> >> >> > > Mail_Users
> >> >> >> > > and the other Mail_Workstations. Then assign the users and
> >> >> >> > > computers
> >> >> >> > > to
> >> >> >> > > each
> >> >> >> > > respective group, and use those two groups in the GPO Security
> >> >> >> > > settings to
> >> >> >> > > Apply and then what - Assign the GPO to the Domain?. Am I
> >> >> >> > > following
> >> >> >> > > you
> >> >> >> > > correctly?
> >> >> >> >
> >> >> >>
> >> >> >> If all the OP is trying to do here is to push the required root
> >> >> >> certificate out however, there is no need for the Mail_Users group
> >> >> >> at
> >> >> >> all. Since the Public Key policy settings are in the Computer
> >> >> >> Configuration section of the GPO, that section will _never_ be
> >> >> >> processed
> >> >> >> by user. Giving them permissions on a GPO that they will never
> >> >> >> process
> >> >> >> doesn't accomplish anything. In fact, as a best practice, if a GPO
> >> >> >> contains _only_ user or _only_ computer settings processing of the
> >> >> >> empty
> >> >> >> section of the GPO should be disabled for performance reasons. No
> >> >> >> point
> >> >> >> processing a GPO that doesn't contain settings that will be
> >> >> >> applied.
> >> >> >>
> >> >> >> --
> >> >> >> Paul Adare
> >> >> >> "On two occasions, I have been asked [by members of Parliament],
> >> >> >> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> >> >> >> will the right answers come out?' I am not able to rightly
> >> >> >> apprehend
> >> >> >> the kind of confusion of ideas that could provoke such a question."
> >> >> >> -- Charles Babbage (1791-1871)
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
- Next message: Paul Adare: "Re: Exchange OWA 2003 Trusted Root Certificate"
- Previous message: Paul Adare: "Re: W2K Adv. Svr SP2 and Critical Security Patches"
- In reply to: Steven L Umbach: "Re: Exchange OWA 2003 Trusted Root Certificate"
- Next in thread: Paul Adare: "Re: Exchange OWA 2003 Trusted Root Certificate"
- Reply: Paul Adare: "Re: Exchange OWA 2003 Trusted Root Certificate"
- Reply: Steven L Umbach: "Re: Exchange OWA 2003 Trusted Root Certificate"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
