[SYSTEMS ADMINS & IT MONKEYS] TrackPoint is trademarked. Call it a clit mouse instead.

  • Feral (Registered User)
    Try running Hamachi as a service: http://serviceex.com/HServiceSetup/

    That way, it will load during the windows startup process, before user login.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • bowen (Registered User)
    Feral wrote:
    Bowen: since you're using a Barracuda, you're probably best off turning on attachment blocking there. In the web interface, that's in Inbound Settings -> Content Policies.

    There is no way that I know of to filter attachments in Exchange 2003 without using a third-party add-on. You can do it in Outlook, with a registry setting that you can push out by group policy, but that is super-awkward.

    Thanks Feral, that works for me.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • override367 (Registered User)
    Feral wrote:
    Try running Hamachi as a service: http://serviceex.com/HServiceSetup/

    That way, it will load during the windows startup process, before user login.

    Why that looks like it'd be perfect, also it would allow the network drive to immediately connect

  • AtomBomb (Registered User)
    Djeet wrote:
    @AtomBomb Assuming you're talking about server motherboards, the field is smaller.

    I initially was looking at the server motherboards, but I have what is possibly a stupid question. What is the advantage of going with a server mobo versus a consumer one if I'm not going to use dual processors or put in an obscene amount of RAM? I'm guessing it's that they're designed to be more reliable, but I don't know how much of that is marketing BS. I know with laptops the business class stuff is designed to be sturdier and simpler than consumer grade, but that seems to be more for ease of replacement (I'd stock up on spares) and because people treat things they didn't buy themselves like shit.

    I'll put together a parts list next week (quitting time ho!) to get some input.

    I just got a 3DS XL. Add me! 2879-0925-7162
  • Djeet (Registered User)
    edited January 2012
    I don't think server boards are necessarily more reliable than consumer gear. You're mainly paying for the server CPU socket/chips, more RAM banks, capacity for multiple cpus, and better onboard raid. For something like a branch dhcp, dns and AD I'd think you're not going to get much more performance yield buying server iron. I tend to go for higher core density, because I've found I often need to repurpose machines as web/DB machines. If you've no similar need save and go for i3's. Additional funds I'd put into UPS, disk, spare hardware, or rackmountability if you need the server density.

  • Apothe0sis (Registered User)
    Server hardware supports ECC RAM and has the capacity for doing things with redundancy. Likewise server processors are different in some way I don't remember.

    If you want something that can keep going after a RAM failure or something like that without interruption then you want server hardware. This is important for things like ensuring your SQL server doesn't write bad data or lose cached but as yet unwritten data (i.e. when it's particularly busy).

    It depends on what you're using the server for, and what kind of an organization you're dealing with.

  • Mr_Rose (Registered User)
    There are 'server' boards and there are server boards, just like with everything else. The bottom end is unfortunately not significantly different to consumer gear except in price and fittings (few consumer boards support SAS natively for ex.) but then at the other end you get the ones with redundant, hot-swappable RAM banks, dual (or better) power supplies, and always-on remote management sub-systems etc. etc.

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
  • bowen (Registered User)
    @Feral I want to disallow access to local drive browsing but still have the folders/drive be writable. I have a GPO set up on the machine locally but I still want administrators to be able to access it for ease of administration obviously.

    I take it I'd need a GPO on the domain that's set up for specific users on that specific machine right?

    I want to take a more liberal lock down policy on the new RDP server above and beyond what I had before where people could go in, delete, rename, remove shit for some reason. Mostly because the program requires access to the drive and the person who set this up didn't set up any policies on the domain other than to allow VNC ports.

  • ghost_master2000 (Registered User)
    Any network gurus on here that can tell me if what I'm trying to do is even possible?

    We had an audio system installed which uses a particular piece of software to control it. The audio system was built on its own network completely (physically) isolated from our production network using the self-assigned IP scheme (169.254.x.x). I want to be able to hook into that network using our production network hardware. If it requires the PC accessing that network be on the same VLAN so be it.

    Here's what I've tried: I set up a new VLAN on all the switches in our network. Then assigned an access port (untagged) on one of the switches and connected a patch cable from that port to one of the ports on the unmanaged switch on the Audio network. When I hook up a PC elsewhere and put it on the Audio VLAN it is unable to ping anything inside the audio network (while multiple PCs within the audio network are able to ping each other). Oddly enough when I look at the connection info on the port on the managed switch that is hooked into the Audio network it sees all the different MAC addresses of the various devices.

    My next step was just to plug in a laptop into the Audio network to verify connectivity, if that works then plug the laptop into the managed switch to test connectivity, if that works then I must have configured one of the switches wrong, but my time is very limited and before I put in any more time I want to know if this is even possible.

  • Feral (Registered User)
    Bowen, I'm afraid I don't have any insight for you. I wouldn't mind seeing any developments if you find anything.

    ghost_master - how about just putting a router between the audio network and your production network?

  • ghost_master2000 (Registered User)
    Because unfortunately if any of the audio devices are put on a network with DHCP they will pull an IP and everything will have to be reconfigured, and due to the nature of the self-assigned IP there can be no gateway.

  • Feral (Registered User)
    If the production network is on one IP subnet and the audio network is on a different IP subnet, and there's no router between the two, they're not going to be able to communicate, even if they're on the same VLAN.

  • ghost_master2000 (Registered User)
    Well, if I currently hook a PC into the Audio VLAN I created, since there is no DHCP server, it self-assigns an IP, so wouldn't that be the same IP subnet? And shouldn't that be the same as hooking directly into a switch on the audio network since I have the VLAN plugged into that network?

  • Feral (Registered User)
    Well, if I currently hook a PC into the Audio VLAN I created, since there is no DHCP server, it self-assigns an IP, so wouldn't that be the same IP subnet? And shouldn't that be the same as hooking directly into a switch on the audio network since I have the VLAN plugged into that network?

    Oh, yeah, it should.

    It sounds like maybe your managed switch isn't passing traffic between the VLAN and the access port?

  • ghost_master2000 (Registered User)
    edited January 2012
    Ok, just making sure I'm not trying to accomplish an impossible task. I haven't been forced to deal with this self-assigned IP bullshit before. If it were up to me I would assign static IPs on all the audio devices.

    I'll try my narrow-it-down with the laptop to see where the communications break occurs.

  • TL DR (Registered User)
    edited January 2012
    Augh. Client asked us to roll back these laptops from 7 to XP. They bought OEM refurb licenses, but due to weird circumstances I ended up using a Dell OEM disc to install. When I went to reseal (sysprep) one of the laptops as part of imaging it onto the other machines, it rejected the product key as invalid.

    Is there anything I can do here, other than track down the original non-Dell OEM disc and reinstall everything?

    edit: ok, it looks like I can boot from the proper disc and run a repair operation. Now to track down the media...

  • bowen (Registered User)
    What service pack are the keys for? You can download an XP ISO from Microsoft directly usually. Microsoft is awesome now, I can download my media whenever the fuck I want to.

  • ArcSyn (Registered User)
    Ok, I have a program that synchronizes with AD to pull lists of users and groups so I don't have to recreate them in the program itself. But since we've moved to AD 2008 R2, I get error messages that it is unable to read the AD entries.

    Did MS change something in AD 2008 R2 that doesn't allow third party programs to read AD? I tried giving it a domain admin account and it still gives the error. My attempts to google the problem are less than successful.

  • bowen (Registered User)
    edited January 2012
    Not that I know of, you should still be able to use LDAP to navigate a domain. Maybe it's using TLS.

    Port 389 should be X.500 (LDAP)
    Port 636 should be X.500 w/ SSL (LDAP w/ TLS)

    I think.

  • End (Registered User)
    hm I haven't had any issues pulling info from what appears to be 2008 R2 using openldap's library. Didn't need SSL but I did need to provide an initial user to bind as.

    I wish that someway, somehow, that I could save every one of us
  • Feral (Registered User)
    ArcSyn wrote:
    Ok, I have a program that synchronizes with AD to pull lists of users and groups so I don't have to recreate them in the program itself. But since we've moved to AD 2008 R2, I get error messages that it is unable to read the AD entries.

    Did MS change something in AD 2008 R2 that doesn't allow third party programs to read AD? I tried giving it a domain admin account and it still gives the error. My attempts to google the problem are less than successful.

    This link refers to third-party LDAP servers, not clients, but it might be of use.

    You could also try connecting to the server with a third-party LDAP browser tool like LEX and see what errors it throws.

  • Feral (Registered User)
    TL DR wrote:
    Augh. Client asked us to roll back these laptops from 7 to XP. They bought OEM refurb licenses, but due to weird circumstances I ended up using a Dell OEM disc to install. When I went to reseal (sysprep) one of the laptops as part of imaging it onto the other machines, it rejected the product key as invalid.

    Is there anything I can do here, other than track down the original non-Dell OEM disc and reinstall everything?

    edit: ok, it looks like I can boot from the proper disc and run a repair operation. Now to track down the media...

    I'm sorry, man. I would have done everything in my power to talk that client out of it. There is no logical reason why they need to do that.

  • TL DR (Registered User)
    edited January 2012
    .

  • TL DR (Registered User)
    Feral wrote:
    TL DR wrote:
    Augh. Client asked us to roll back these laptops from 7 to XP. They bought OEM refurb licenses, but due to weird circumstances I ended up using a Dell OEM disc to install. When I went to reseal (sysprep) one of the laptops as part of imaging it onto the other machines, it rejected the product key as invalid.

    Is there anything I can do here, other than track down the original non-Dell OEM disc and reinstall everything?

    edit: ok, it looks like I can boot from the proper disc and run a repair operation. Now to track down the media...

    I'm sorry, man. I would have done everything in my power to talk that client out of it. There is no logical reason why they need to do that.

    Oh, I know. Line of business app that was totally gonna be ready for Windows 7 I swear when they ordered the laptops last August apparently runs like shit on the VirtualPC, and my boss's reaction was to take the client's complaint at face value rather than do any investigation.

  • Apothe0sis (Registered User)
    Feral wrote:
    ArcSyn wrote:
    Ok, I have a program that synchronizes with AD to pull lists of users and groups so I don't have to recreate them in the program itself. But since we've moved to AD 2008 R2, I get error messages that it is unable to read the AD entries.

    Did MS change something in AD 2008 R2 that doesn't allow third party programs to read AD? I tried giving it a domain admin account and it still gives the error. My attempts to google the problem are less than successful.

    This link refers to third-party LDAP servers, not clients, but it might be of use.

    You could also try connecting to the server with a third-party LDAP browser tool like LEX and see what errors it throws.

    Is LEX free? If not, the SoftTerra LDAP Browser (not administrator) is.

  • TyrantCow (Registered User)
    Windows share permissions vs. NTFS permissions. I know Microsoft says set share permissions to Full Control for Everyone, set your NTFS allow permissions for your groups, and the more restrictive of the two wins (NTFS). That's how we've always run things. Somewhat recently moved our file server from an old 2003 box to a new 2008 R2 box, just using robocopy. Now, this probably worked the same way on the 2003 box it's just that no one ever really tried. But, set up like that if anyone knows the share name they can access the contents of the directory. The permissions prevent changes from being made; but, everything is accessible. Some quick testing resulted in the conclusion that the $machinename\Users default group on the NTFS permissions of the folders was allowing this.

    So, the question is: Duplicate all the NTFS permissions to the share permissions; or, break inheritance on all shares and remove the default Users group? For some reason I'm hesitant about breaking all the inheritances but I'm not entirely sure why...

    Googling around I can't really find anyone addressing this, which strikes me as odd.

  • Feral (Registered User)
    edited January 2012
    TyrantCow wrote:
    Windows share permissions vs. NTFS permissions. I know Microsoft says set share permissions to Full Control for Everyone, set your NTFS allow permissions for your groups, and the more restrictive of the two wins (NTFS). That's how we've always run things. Somewhat recently moved our file server from an old 2003 box to a new 2008 R2 box, just using robocopy. Now, this probably worked the same way on the 2003 box it's just that no one ever really tried. But, set up like that if anyone knows the share name they can access the contents of the directory. The permissions prevent changes from being made; but, everything is accessible. Some quick testing resulted in the conclusion that the $machinename\Users default group on the NTFS permissions of the folders was allowing this.

    So, the question is: Duplicate all the NTFS permissions to the share permissions; or, break inheritance on all shares and remove the default Users group? For some reason I'm hesitant about breaking all the inheritances but I'm not entirely sure why...

    Googling around I can't really find anyone addressing this, which strikes me as odd.

    Break inheritance and remove the machinename\users group from the NTFS access control list. Make sure read permissions aren't given to any other group that shouldn't have them.

  • ArcSyn (Registered User)
    Only break inheritance when necessary, as it increases your workload, but it's necessary to really set up proper shares that have restricted access to different groups. Also, make sure Access Based Enumeration is set so they only see what they have access to. Gives people less of a chance to snoop around.

    I had to recreate NTFS permissions for my shared drive at the police department and it was a nightmare setting it up, but it works great now!
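
The approach from the answers above (break inheritance, then drop the local Users group from the NTFS ACL), as an added example that is not part of the original thread. It assumes Windows PowerShell 3.0 or later in an elevated session; the function names and the `D:\Shares` paths are hypothetical, and `BUILTIN\Users` is how the local Users group appears in an ACL.

```powershell
# Added example, not code from the thread. Function names and paths are hypothetical.

# Report every folder under a share root where a broad group holds an Allow ACE,
# and whether that ACE is inherited (fix it at the parent) or explicit (fix it here).
function Find-BroadReadAce {
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [string[]]$Groups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    )
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($f in $folders) {
        try {
            $aces = (Get-Acl -LiteralPath $f.FullName -ErrorAction Stop).Access
        } catch {
            Write-Warning "Cannot read ACL on $($f.FullName): $($_.Exception.Message)"
            continue
        }
        foreach ($ace in $aces) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $Groups -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Folder      = $f.FullName
                    Identity    = $ace.IdentityReference.Value
                    Rights      = $ace.FileSystemRights
                    IsInherited = $ace.IsInherited
                }
            }
        }
    }
}

# Break inheritance on one folder and remove the broad group from its ACL.
function Remove-BroadReadAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Folder,
        [string[]]$Groups = @('BUILTIN\Users')
    )
    $what = "break inheritance and remove $($Groups -join ', ')"
    if (-not $PSCmdlet.ShouldProcess($Folder, $what)) { return }

    # Step 1: stop inheriting, but keep copies of the inherited ACEs as explicit
    # entries so the groups that should retain access are not locked out.
    $acl = Get-Acl -LiteralPath $Folder
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Folder -AclObject $acl

    # Step 2: re-read the ACL. The copied ACEs only show up as removable explicit
    # entries once the protected ACL has been written back to disk.
    $acl = Get-Acl -LiteralPath $Folder
    foreach ($g in $Groups) {
        # PurgeAccessRules drops every explicit ACE held by this identity.
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$g)
    }
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

# Report first, then preview the change on one folder before applying it:
# Find-BroadReadAce -Root 'D:\Shares' | Format-Table -AutoSize
# Remove-BroadReadAce -Folder 'D:\Shares\Finance' -WhatIf
```

Rows with `IsInherited = True` point at a parent folder or the volume root as the source of the ACE, which is where the thread's "only break inheritance when necessary" advice applies.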

  • TyrantCow (Registered User)
    cool, thanks dudes. time to get messy, surely i'll break some stuff making this change.

  • Djeet (Registered User)
    TyrantCow wrote:
    Windows share permissions vs. NTFS permissions. I know Microsoft says set share permissions to Full Control for Everyone, set your NTFS allow permissions for your groups, and the more restrictive of the two wins (NTFS).

    Is that really Microsoft BP? Anyways not sure of the particulars of what you're trying to deliver, but you might try adding Deny permissions. I haven't done that for sharing permissions, but with NTFS permissions a Deny will overrule an Allow.

  • TyrantCow (Registered User)
    edited January 2012
    Djeet wrote:
    TyrantCow wrote:
    Windows share permissions vs. NTFS permissions. I know Microsoft says set share permissions to Full Control for Everyone, set your NTFS allow permissions for your groups, and the more restrictive of the two wins (NTFS).

    Is that really Microsoft BP? Anyways not sure of the particulars of what you're trying to deliver, but you might try adding Deny permissions. I haven't done that for sharing permissions, but with NTFS permissions a Deny will overrule an Allow.

    2005; but, the same should still apply...
    http://technet.microsoft.com/en-us/library/cc780823(WS.10).aspx
    http://technet.microsoft.com/en-us/library/cc782737(WS.10).aspx

    - didn't know about access based enumeration, good stuff.

  • ArcSyn (Registered User)
    TyrantCow wrote:
    - didn't know about access based enumeration, good stuff.

    I like that it really gives me a good idea if a group I'm assigning permissions for really has the proper permissions to at least read the folders I'm allowing and doesn't have access to the ones they shouldn't.

    I don't have to check every folder's properties, just log in with a test account in that group.

  • AtomBomb (Registered User)
    AtomBomb wrote:
    Djeet wrote:
    @AtomBomb Assuming you're talking about server motherboards, the field is smaller.

    I initially was looking at the server motherboards, but I have what is possibly a stupid question. What is the advantage of going with a server mobo versus a consumer one if I'm not going to use dual processors or put in an obscene amount of RAM? I'm guessing it's that they're designed to be more reliable, but I don't know how much of that is marketing BS. I know with laptops the business class stuff is designed to be sturdier and simpler than consumer grade, but that seems to be more for ease of replacement (I'd stock up on spares) and because people treat things they didn't buy themselves like shit.

    I'll put together a parts list next week (quitting time ho!) to get some input.

    So here is that promised parts list. It's probably not ideal, I just put it together quickly to get an idea on the price. For the actual purchase I will watch the sales and get what I can for cheap (that doesn't involve rebates, because fuck rebates).

    ASUS P8Z68 mobo $130. Onboard video, can do RAID 1. Pretty basic.
    i3-2100T $135. I mostly picked this particular i3 because of the low power consumption (35w).
    Crucial 128gb SSD $180. SATA3, just to put the OS on. Maybe I could get away with a 64gb?
    WD Green 500gb HDD x2 $260 Normally I'd go for 1tb or larger, but with HDD prices like they are I thought 500gb would suffice. Getting 2 to put them in RAID 1. Green version for lower temps and reliability.
    Kingston 2x4gb DDR3 1600 $45 Lowest profile on the first page of 5-star reviewed DDR3.
    Hyper 212+ $30 Cheap, great. A little gamer-ish, but I like that it uses a standard fan. I have this on my gaming rig at home.
    Antec Earthwatts 380w $49 Cheap, basic but hopefully reliable. 380w should be sufficient I think.
    HAF 912 $49 Also a little on the gamer side, but still pretty basic looking. Cooling options look to be good.

    All that comes to $889. If I get things on sale that might be closer to $800. Any thoughts?

  • Abracadaniel (Registered User)
    Anyone have any experience with a SonicWall TZ series router?

  • TL DR (Registered User)
    Smart Hero wrote:
    Anyone have any experience with a SonicWall TZ series router?

    Yep. What are you trying to do?

  • Abracadaniel (Registered User)
    TL DR wrote:
    Smart Hero wrote:
    Anyone have any experience with a SonicWall TZ series router?

    Yep. What are you trying to do?

    I have a hunch it's blocking iTunes and the iOS Remote app from talking to each other on Home Sharing. Pretty sure I have the correct TCP and UDP ports open per Apple's support page, but we just got the thing and I haven't had a chance to monkey around with it and it's such a trivial thing I don't really want to contact their support about it.

  • TL DR (Registered User)
    Smart Hero wrote:
    TL DR wrote:
    Smart Hero wrote:
    Anyone have any experience with a SonicWall TZ series router?

    Yep. What are you trying to do?

    I have a hunch it's blocking iTunes and the iOS Remote app from talking to each other on Home Sharing. Pretty sure I have the correct TCP and UDP ports open per Apple's support page, but we just got the thing and I haven't had a chance to monkey around with it and it's such a trivial thing I don't really want to contact their support about it.

    Hmm. Have you checked whether traffic is flowing via those ports? Googling 'port test' should provide a website that can test for you.

    Also, it's best to use the Public Server Wizard when trying to open ports and such on a SonicWALL. That will create the services / service groups for you and assign the proper configuration settings.

  • TL DR (Registered User)
    Also, does anyone know about VMRC? I'm trying to set up the VMs to auto-start with the host server, but I'm having difficulty.

  • ghost_master2000 (Registered User)
    Any network gurus on here that can tell me if what I'm trying to do is even possible?

    We had an audio system installed which uses a particular piece of software to control it. The audio system was built on its own network completely (physically) isolated from our production network using the self-assigned IP scheme (169.254.x.x). I want to be able to hook into that network using our production network hardware. If it requires the PC accessing that network be on the same VLAN so be it.

    Here's what I've tried: I set up a new VLAN on all the switches in our network. Then assigned an access port (untagged) on one of the switches and connected a patch cable from that port to one of the ports on the unmanaged switch on the Audio network. When I hook up a PC elsewhere and put it on the Audio VLAN it is unable to ping anything inside the audio network (while multiple PCs within the audio network are able to ping each other). Oddly enough when I look at the connection info on the port on the managed switch that is hooked into the Audio network it sees all the different MAC addresses of the various devices.

    My next step was just to plug in a laptop into the Audio network to verify connectivity, if that works then plug the laptop into the managed switch to test connectivity, if that works then I must have configured one of the switches wrong, but my time is very limited and before I put in any more time I want to know if this is even possible.

    DOH! Turns out one of the trunks on one of our switches was not tagged on that VLAN I created. It was a reasonable mistake since the person who had set those up had marked all the trunks AS trunks except that one.

This discussion has been closed.