
Active Directory

How can I use the registry to configure Group Policy update times?

You usually configure Group Policy update times under the Computer Configuration\Administrative Templates\System\Group Policy and the User Configuration\Administrative Templates\System\Group Policy branches; however, you can also set the update times directly in the registry by performing the following steps:

  1. Start regedit.exe.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System to set Computer refresh. Or, alternatively, go to HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System to set User refresh.
  3. Create a DWORD value with a name of GroupPolicyRefreshTime, and set it to a number between 0 and 648000 minutes.
  4. Create a DWORD value with a name of GroupPolicyRefreshTimeOffset, and set it to a number between 0 and 1440 minutes. (You specify an offset value to prevent many clients from trying to refresh at the same time.)
  5. Close regedit.

How do I allow modifications to the schema?

The schema is extensible, which means that you can change it. However, modifying the schema is dangerous because doing so affects the entire domain forest. Microsoft doesn’t recommend schema modification.

If you insist on modifying the schema, you can use the GUI or edit the registry. To use the GUI, you must first register the .dll file for the Microsoft Management Console (MMC) snap-in. Go to a command prompt, and enter


regsvr32 schmmgmt.dll

Then, use the Microsoft Windows 2000 Resource Kit’s Tools console to start the Schema Manager. Alternatively, create a custom MMC to start the Schema Manager. Next, add the Active Directory Schema snap-in to the Schema Manager. (From the Start menu, select Run, and enter


MMC

From the Console menu, select Add/Remove Snap-in. Click Add, and select Active Directory Schema. Finally, click Add, Close, OK.)

  1. Start the MMC Active Directory Schema snap-in on the domain controller (DC).
  2. In the leftmost pane, right-click Active Directory Schema, and select Operations Master from the context menu.
  3. You’ll see the name of the machine that holds the domain name operations Flexible Single-Master Operation (FSMO) role, as the Screen shows.

  4. Select the checkbox labeled The Schema may be modified on this server.
  5. Click OK in the confirmation dialog box.

Another way to allow schema modification is to edit the registry.

  1. Start regedit.
  2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry entry.
  3. Double-click Schema Update Allowed (of type REG_DWORD).
  4. Set the value to 1.
  5. Click OK.
  6. Close the registry editor.
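
An added example, not part of the original page: a Python check that reads the text of a .reg export and reports the values set by the two registry procedures above (the Group Policy refresh settings and Schema Update Allowed), so that a domain controller left with schema updates enabled, or a refresh value outside the stated range, shows up in review. The sample export, function names and finding messages are constructed for illustration; the upper bounds are the ones given in the steps on this page.

```python
import re

# Constructed sample: text of a .reg export from a hypothetical domain controller.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"GroupPolicyRefreshTime"=dword:0000005a
"GroupPolicyRefreshTimeOffset"=dword:00000708

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"Schema Update Allowed"=dword:00000001
"""

POLICY_SUBKEY = r"\software\policies\microsoft\windows\system"
NTDS_KEY = r"hkey_local_machine\system\currentcontrolset\services\ntds\parameters"
# Upper bounds in minutes, taken as stated in the steps on this page.
UPPER_BOUNDS = {"GroupPolicyRefreshTime": 648000, "GroupPolicyRefreshTimeOffset": 1440}

def parse_dwords(text):
    """Map (key path, value name), both lower-cased, to the DWORD as an int."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry key names are case-insensitive
        elif key:
            m = re.fullmatch(r'"(.+)"=dword:([0-9a-fA-F]{1,8})', line)
            if m:
                values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return findings for the refresh-time and schema-update values in an export."""
    values, findings = parse_dwords(text), []
    for hive in ("hkey_local_machine", "hkey_current_user"):  # computer / user refresh
        for name, upper in UPPER_BOUNDS.items():
            v = values.get((hive + POLICY_SUBKEY, name.lower()))
            if v is not None and v > upper:
                findings.append(f"{hive.upper()} {name}={v} min is above the stated maximum {upper}")
            elif v is not None:
                findings.append(f"{hive.upper()} {name}={v} min")
    if values.get((NTDS_KEY, "schema update allowed")) == 1:
        findings.append("Schema Update Allowed=1: schema changes are still enabled on this DC")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```

Exports saved by regedit in the version 5.00 format are UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit`.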

How do I audit Active Directory?

You can configure Active Directory (AD) auditing to produce successful and failed entries in the Directory Service (DS) event log.

  1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. (Select Programs, Administrative Tools, Active Directory Users and Computers from the Start menu.)
  2. From the View menu, select Advanced Features.
  3. Expand the domain, right-click the Domain Controllers container, and select Properties from the context menu.
  4. Select the Group Policy tab.
  5. Select Default Domain Controllers Policy, and click Edit.
  6. Expand the Computer Configuration branch, the Windows Settings branch, the Security Settings branch, and the Local Policies branch.
  7. Select Audit Policy.
  8. The rightmost window will show auditing levels. Double-click Audit Directory Service Access.
  9. Select the relevant checkboxes (e.g., Audit successful attempts, Audit failed attempts), as the Screen shows. Click OK.
  10. Close the Group Policy window.
  11. In the main Domain Controllers Properties dialog box, click OK.
  12. Close the Active Directory Users and Computers MMC snap-in.

You can use Event Viewer to view the resulting entries in the Security log. Because domain controllers poll for policy changes every 5 minutes, the policy change might take as long as 5 minutes to take effect. Other domain controllers in the enterprise receive the changes after the 5-minute interval, plus replication time.
