Full of I.T.

Kevin Remde's IT Pro WebLog

Windows Server 2003 Administration Webcast Series (Part 4) Q&A

Happy Grouping!!

What a great session!  I hope you’ll agree that this Part 4 session on Group Management had some real gems in it – even if you thought you already knew it all about groups!

Here, as usual, is the “best of” Q&A log from the webcast.  Sincere thanks again to my teammates for doing such a great job helping to answer questions!  I give them the credit for the information in this document.  Outstanding!

I also want to make sure you have the link to the Session Resources I posted for Part 4, and the homework assignment as well.

Series Part 4 Webcast Q&A

“Is there a way to register for ALL of the events at one time instead of having to register each week?”

“How can we sign up to the whole server webcast in one go? I was only able to register for each event one at a time!”

Currently, that is the process. I know that the webcast team is working on implementing a more seamless, single sign up process moving forward.

“Can we get the presentation WMV in ZIP format for down-loading?”

It’s available as a .wmv download about 72 hours after the event – go back to the event page then and a link to download the file will be sent to you.  I don’t think a .zip is available however.

“In addition to these level 100 webseminars on Windows Administration, is there a “next level” (ie., 200 or 300 level) series of Windows Administration webseminars?”

Yes, starting with the next part they go up in level, 200 then to 300 by the end of the series.

“It is possible to convert a distribution group to security group or reverse?”

Yes, http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/dsadmin_groups_convert_group_type.asp describes how.   
This link will appear on www.microsoft.com/technet/tnt4-04 for this part.

“Do you have to have Exchange to mail to a security group?”

There probably is a product, but I cannot find one right now that has the same functionality.

“Where can I find info for setting up VPN with my service provider – Quest – and what Group settings should be set up: roles, permissions, etc.…”

Here is a great location to start: http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx

“In a small network (single domain), what is the best practice as far as group types are concerned?  Should they all be domain local, universal, global?  Or does it matter?”

You could just use domain local groups in a single domain; but if you ever someday decide to add another domain, you’d be better off to still adhere to using Global Groups and assigning those into Domain Local Groups; and then granting permissions to the Domain Local Groups.

“How can I get the PowerPoints for the previous webcast I missed?”

If you go to http://www.microsoft.com/technet/community/events/windows2003srv/tnt4-04.mspx  and register for the archived webcasts, you will receive a confirmation email which will include links to the downloads.

“Cool.  Thanks!”

No problem.

“How do you know if your domain is set to mixed or native mode?”

If you go to the Active Directory Users and Computers snap-in, right-click the Domain name and select Domain Functional level, the resulting dialog will tell you what level you are at and what levels you can go to.

“Can we get the questions and answers?”

Undock the Q&A panel and periodically copy and paste the contents into a document file.  Or if you just want the BEST of the Q&A, you’re already here.

“Is there a good place to find best practices in regards to shared folders? (I’m using multiple security groups and have multiple shared folders on my server.)”

Please refer to this link on the best practice for managing groups in Windows Server 2003: http://support.microsoft.com/kb/816302

“Is there a way for you to have the links in the PDF live so you do not have to retype them when you wish to use them.  This seems to work in most pdfs except the ones from these seminars.”

Unfortunately we don’t have any control about how these PDFs are created. That said, if you can wait 72 hours, the hot links in the PowerPoint version will be made available on the event page for this event.

“After migrating from Exchange 5.5 to 2003, the public folder permissions were assigned based on the distribution groups that were migrated over from 5.5. Permissions are not taking effect.  I had to add individual users to each folder in order for them to access the folders.  How do I get back my group permissions instead of individual accounts?”

Distribution groups cannot be used to assign permissions.  Assign the permissions using security groups.  Security groups can be used to assign permissions and be used as Distribution Groups, as well.

“Is there any disadvantage if we use only Security Groups, make them mail enabled, and use them as Exchange email distribution lists instead of using Distribution Groups? We can only use the Security Groups to assign permissions to Public Folders in Exchange 2000/2003.”

There’s no reason you can’t do it that way, especially in a smaller environment.  In larger environments, where you want to have more control, creating Groups that are specifically Distribution Groups only, prevents unauthorized use of the group in order to access resources.

“Is there a way to dump the users / groups in AD to a text file to look at the data in a spreadsheet?  I have used the net user ‘userid’ /domain command in dos but some of our group names are long and there is some truncation happening in the results.”

Dsquery.exe is a command line tool that would do this.

“Is there a tool built into AD that will provide me a list of users and all the permissions they have on our network?”

Not built in, no.  By assigning permissions to groups, rather than users, and documenting those permissions assignments you can track permissions assigned against your defined security policies.

“Does the query-based distribution group update dynamically when you add a new user?”

Actually, if you create a new user with attributes that match what a Query-Based Distribution Group would include, nothing happens.  It’s only when the list is used and evaluated, which is every time mail is sent to it, that the “members” are there.  It is truly dynamic.

“What is the problem with using a domain local group to control access to a resource instead of a local group?”

I think you are discussing the same thing, unless you are talking about a local group you created on a server?

“I was told that best practices called for creating a local group on a server and putting domain groups into the server local group and using the server’s local group on the server to control access. Is this better than using a domain local group and adding other groups or users to it and using this domain local group to control access?”

Yes, you were told that back in the NT 4.0 days because there was no such thing as a group that was local to the entire domain.  You had local groups on the domain controllers, or you had server local groups.  So your member servers (file servers?) had local groups on them into which you put Global Groups.  With Active Directory, now you have domain-wide groups that are local to the domain, managed in Active Directory for the sake of the domain, without having to create local groups on a server-by-server basis. 

“Is ldifde command available in W2k native domains?”

Yes.  It’s available in Win2k regardless of the domain functional level.

“What is a good ldifde resource?”

You should find some good ones at http://search.microsoft.com/search/results.aspx?view=en-us&st=b&na=82&qu=ldifde
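As an added example for the two questions above about dumping users and groups to a text file and about ldifde (this is not code from the webcast or from Microsoft’s documentation), the batch file below exports group data three ways: a readable text report via dsquery/dsget, a CSV via csvde that opens directly in a spreadsheet, and a re-importable LDIF via ldifde. The domain `DC=contoso,DC=com` and the `OU=Groups` container are assumed placeholders; substitute your own distinguished names.

```batch
@echo off
rem Added example (not from the webcast): export AD group data for review.
rem ASSUMPTION: domain DC=contoso,DC=com with a "Groups" OU; change to match.

set ROOT=OU=Groups,DC=contoso,DC=com

rem 1) dsquery returns the DN of every group under ROOT (-limit 0 lifts the
rem    default 100-result cap). dsget reads those DNs from stdin and prints the
rem    SAM name, scope (global/local/universal) and whether it is a security group.
rem    Redirecting to a file avoids the column truncation seen with "net group".
dsquery group "%ROOT%" -limit 0 | dsget group -samid -scope -secgrp > groups.txt

rem 2) One line per user with every group the user belongs to (domain-wide).
dsquery user domainroot -limit 0 | dsget user -samid -memberof > users.txt

rem 3) csvde writes CSV for a spreadsheet. -d is the search base, -p subtree
rem    includes child OUs, -r is an LDAP filter and -l the attributes to export.
csvde -f groups.csv -d "%ROOT%" -p subtree -r "(objectClass=group)" -l "sAMAccountName,groupType,description,member"

rem 4) ldifde writes LDIF with the same selection. -m omits system-owned
rem    attributes (objectGUID, objectSid, ...) so the file can be imported
rem    elsewhere, e.g. to rebuild the group structure in a test domain.
ldifde -f groups.ldf -d "%ROOT%" -p subtree -r "(objectClass=group)" -l "sAMAccountName,groupType,description,member" -m

rem 5) To import that LDIF into another domain later:
rem      ldifde -i -k -f groups.ldf
rem    -i switches to import mode; -k continues past "object already exists" errors.
```

Run it from a command prompt on a domain-joined machine with the Windows Server 2003 administration tools installed; `groups.csv` is the file to open in a spreadsheet, and `users.txt` gives the per-user membership view that a permissions audit usually starts from.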

“The icon of a query-based distribution list is not displayed correctly on some computers. It is displayed correctly on the machine with Exchange, but when I use ADUC on a different machine the icon is displayed like the icon of an unknown file. Why is that?”

That sometimes happens when the Exchange Administration tools are not installed on the system.  To fix that if you install just the Exchange admin tools on that administrative

“Can I do a trusted domain on SBS 2003 to NT4 server?”

No. The answer is at http://support.microsoft.com/kb/842690

“In a small and single domain environment, is it better to make all groups Domain Local Groups?  Do I gain performance for doing that?”

You don’t and, in fact, you lose manageability. Why? Because if I have multiple Domain Local groups that I use to control access to specific resources and then populate those Domain Local groups directly with users, there will likely be multiple occurrences of the same user assigned to multiple Domain Local groups. Now, if I have a new hire, I have to put that user into each Domain Local group that I need the user in. However, if I have created Global Groups and populated Domain Local Groups with the Globals, it is likely that the Global group is assigned to multiple Domain Local groups. Now I can just add the user to the appropriate Globals and the user has access to all resources the Global group has been assigned to. You can do what you’re saying, but this recommendation is a better long-term solution that will maximize manageability and account for growth.
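The Global-into-Domain-Local pattern recommended in this answer and in the earlier single-domain answer, as an added example built with the DS command-line tools (not code from the webcast or from Microsoft’s documentation). The domain `DC=contoso,DC=com`, the `Groups` and `Users` OUs, the folder `D:\Shares\Finance` and the user `John Smith` are assumed placeholders.

```batch
@echo off
rem Added example (not from the webcast): accounts -> Global -> Domain Local -> permissions.
rem ASSUMPTIONS: domain DC=contoso,DC=com, OUs "Groups" and "Users",
rem              shared folder D:\Shares\Finance, user "John Smith". Substitute your own.

set OU=OU=Groups,DC=contoso,DC=com
set USER=CN=John Smith,OU=Users,DC=contoso,DC=com

rem Global group = a role. Global groups hold accounts from their own domain only,
rem but can be granted access in any trusting domain, so they survive adding domains.
dsadd group "CN=G-Finance-Staff,%OU%" -samid G-Finance-Staff -scope g -secgrp yes -desc "Finance department staff (role)"

rem Domain Local group = a right on one resource. It may contain Global groups from
rem any domain, so a second domain's role group is simply nested here later.
dsadd group "CN=DL-FinanceShare-Modify,%OU%" -samid DL-FinanceShare-Modify -scope l -secgrp yes -desc "Modify on D:\Shares\Finance" -members "CN=G-Finance-Staff,%OU%"

rem Permissions are granted to the Domain Local group only, never to users.
rem /E edits the existing ACL instead of replacing it; C = Change (modify).
cacls D:\Shares\Finance /E /G CONTOSO\DL-FinanceShare-Modify:C

rem New hire: one change to the role group; every resource group it is nested in follows.
dsmod group "CN=G-Finance-Staff,%OU%" -addmbr "%USER%"

rem Verify the chain from the resource side (expands nested groups to the accounts) ...
dsget group "CN=DL-FinanceShare-Modify,%OU%" -members -expand
rem ... and from the user side: the groups that will appear in the user's token at next logon.
dsget user "%USER%" -memberof -expand
```

The two `dsget ... -expand` lines at the end are the check to run after any change: the first shows who can actually reach the resource, the second shows what a given account has been granted through nesting, which is what the later question about listing a user’s permissions is really asking for.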

“I was in a meeting and late for this webcast.  Can I see this webcast later?”

Yes, it will be available to view as a webcast stream about 24-48 hours from now, and available for download in about 72 hours. Start at http://www.microsoft.com/webcasts and click on the On-demand Webcasts link at the top of the page.

“Does this get easier when you work with it all day, or are you guys showing off features you only use once in a blue moon?”

ldifde, and all command line utilities usually need research to use them properly and would want to be used more than once a year.

“Are the DS (Add, Move…) commands limited to modifying/creating groups in the same domain? If not, can DSMOVE be used to move objects from one domain to another?”

The DSMove command can only move objects between OUs in the same domain.  To move objects between domains use the MoveTree utility.  See KB 238394 at http://support.microsoft.com/kb/238394

“Will MoveTree retain the groups that the user is part of, or would I have to use one of the methods shown today to export the group membership, MoveTree the user, then modify the user’s group membership?”

Global Groups, by definition, can only contain users from the domain the global group is created in, therefore when I move the object to a new domain I lose all global group memberships and need to re-assign that user to the appropriate globals in the new domain.

“Say you add a computer object to a group (to filter Group Policy). How long before that gets reflected in the token of the computer? Is a reboot required? Will restarting NETLOGON work?”

I talked with an engineer in PSS and he believed reboot, but please review this site for a 100% answer. http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsce_ctl_fvlv.asp

And finally – in reference to “Tequila-Kitty”…

“That was good!!”

Don’t encourage him. lol 🙂 Have a great day!

And the best comment of the day:
“It’s a good thing he didn’t use a lemon with that poor cat… he’d have created a sourpuss!”

OHHHHHH- that’s bad!