Windows Tips & Tricks UPDATE--June 6, 2005

Windows Tips &amp Tricks UPDATE, June 6, 2005, —brought to you by the Windows IT Pro Network and the Windows 2000 FAQ site
http://www.windows2000faq.com

Make sure your copy of Windows Tips & Tricks UPDATE isn't mistakenly blocked by antispam software! Be sure to add [email protected] to your list of allowed senders and contacts.

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows Tips & Tricks UPDATE.

Maintain availability, minimize downtime, and preserve the integrity of your organization's information
http://sea.symantec.com/GWCWIPTT606

"THE ARGENT GUARDIAN EASILY BEATS OUT MOM IN ALL OUR TESTS"
http://www.argent.com/w/whitepapers_mom.html?Source=WNT


Sponsor: Maintain availability, minimize downtime, and preserve the integrity of your organization's information

When disruptions occur, you need to get the enterprise restarted — and restored to the "moment before" state — as rapidly as possible. What if there was a superior way to maximize availability and minimize downtime? Symantec LiveState Recovery captures all files and volumes (regardless if in use, hidden, or encrypted), applications, personalities and driver/system settings into one portable and easy-to-manage file – making backup and recovery efforts fast and cost effective, especially for remote office locations. LiveState Recovery delivers the flexibility and power to help keep your business up, running, and growing no matter what happens. Get more information, including white papers and trialware, on how Symantec LiveState Recovery can mitigate system downtime at
http://sea.symantec.com/GWCWIPTT606


FAQs

  • Q. How can I enable the List Object security option in Active Directory (AD)?
  • Q. How can I enable anonymous Lightweight Directory Access Protocol (LDAP) connections under Windows Server 2003?
  • Q. When should I use multiple storage groups (SGs) and multiple databases in Microsoft Exchange Server 2003?
  • Q. Is Anonymous still a member of the Everyone group in Windows XP and later?
  • Q. How can I enable the Anonymous SID to be part of the Everyone group in Windows XP and later?

Commentary
by John Savill, FAQ Editor, [email protected]

Commentary text

In this issue, I tell you about changes to the Power Users group in Windows Server 2003 and give the well-known SIDs for some built-in accounts. I also tell you about the new Recover Mailbox Data feature in Microsoft Exchange Server 2003 Service Pack 1 (SP1), how to recover deleted items from an Exchange public folder, and where cached Universal Group information is stored.

Sponsor: Ensuring Protection and Availability for Microsoft Exchange

Protecting data has always been important. Given the heightened awareness around national security and protecting important human and physical assets, having solutions that are cost-effective, hardware independent and scalable is something every IT manager should seriously consider. Download this free whitepaper to find out more about a complete data protection and disaster recovery solution from NSI Software.
http://www.windowsitpro.com/Whitepapers/nsisoftware/exchangeprotection/ index.cfm?code=tipsmid_0613


FAQs

Q. How can I enable the List Object security option in Active Directory (AD)?

A. By default, users can view the content of organizational units (OUs). You can prevent users from viewing OU content by removing the List Contents right for that OU, or you can use the List Object permission to explicitly select which objects in an OU are viewable by particular users or groups.

To enable the List Object option, perform these steps on a domain controller (DC) or on a machine that has adsiedit.msc installed. (ADSI Edit is part of the Windows 2000 or later support tools.)

  1. Start adsiedit.msc (Start, Run, adsiedit.msc). 2. Expand the Configuration container. Expand Services - Windows NT.
  2. Right-click "CN=Directory Service" and select Properties.
  3. Double-click the dSHeuristics attribute.
  4. If the value is Not Set, set it to 001. If the value field isn't blank, change the third character of the string to 1, as the A HREF="http://www.windowsitpro.com/content/content/46740/listobjectright.gif">figureshows. Click OK.
  5. Close ADSI Edit.

Now when you select an object's advanced security properties, a new List Object property is displayed, as the figure at figure shows.

You need to ensure that you set the List Object right not only on the objects you want to be visible but also on the OU containing the objects. Remember to remove the List Contents permission from the container for users whom you don't want to view the entire contents. For example, by default the Authenticated Users group has List Contents permission, so you'd need to remove that right to allow the more granular List Object capability.

Be careful when using the List Object functionality because it makes DCs perform extra work. The DC must check every object in a container to determine whether the object should be visible instead of merely checking the container for a general list or "not list" option.

Q. How can I enable anonymous Lightweight Directory Access Protocol (LDAP) connections under Windows Server 2003?

A. By default, connections to Active Directory (AD) must bind via a set of credentials so that they can perform a meaningful directory search. If you have applications that can't authenticate, you can enable anonymous LDAP connections. To do so, perform these steps:

  1. Start adsiedit.msc, which is part of the Windows 2000 or later support tools. (Start, Run, adsiedit.msc).
  2. Expand the Configuration container. Expand Services - Windows NT.
  3. Right-click "CN=Directory Service" and select Properties.
  4. Double-click the dSHeuristics attribute.
  5. If the value is Not Set, set it to 0000002. If the value field isn't blank, change the seventh character of the string to 2 (e.g., if the value is 001, you'd change it to 0010002). Click OK.
  6. Close ADSI Edit.

After the change has replicated to all domain controllers (DCs), Windows 2003 will allow anonymous LDAP connections. However, ACLs on the data in AD still apply, so to let anonymous users view objects, you need to grant them Anonymous logon access rights. For example, to let anonymous users view an OU's contents, grant "Anonymous logon" the List Contents right.

Q. When should I use multiple storage groups (SGs) and multiple databases in Microsoft Exchange Server 2003?

A. Exchange 2003, Enterprise Edition allows four supported SGs, with each SG containing as many as five databases. Databases within an SG share a common transaction log. Ideally, each transaction log should have its own RAID 1 disk set and each database its own RAID 5 disk set. Here are some useful guidelines for deciding when to use multiple SGs and multiple databases.

Reasons for multiple SGs:

  • Each SG has its own transaction logs, so if you use multiple SGs, each with its transaction logs set on different disks, you should see performance gains.
  • Some mail accounts might require a lower level of recoverability. For those accounts, you don't need to keep transaction logs, which means you can enable circular logging. (To learn more about circular logging, see the FAQ "How do I enable circular logging for Active Directory?" at http://www.windowsitpro.com/Article/ArticleID/13403/13403.html .) You can place accounts that have different recoverability requirements into separate SGs, then enable circular logging on the SGs containing the accounts that don't have high recoverability requirements.
  • You can set certain administrative options at SG levels.
  • You can restore only one database at a time per SG. Consequently, spreading databases over multiple SGs enables more concurrent database restores.
Reasons for multiple databases:
  • You can place each database on a different physical disk, which will likely improve performance.
  • You can set database-level quota policies, so that by grouping users into different databases, you can assign different policies (e.g., mailbox quotas) to particular user groups.
  • By separating users into multiple databases, you minimize the scope of any database corruption.
  • In the event of a database restore, you must restore the data in only one database, which enables faster recoverability.
  • By dividing user accounts over multiple databases, you can prioritize the database-restoration order in the event of a total disaster. For example, if all managers are in one database, you could restore that database first. (Of course, when you put all managers in one database, if a database becomes corrupt, it's bound to be that one!)
  • Multiple databases let you keep database size to a manageable level (typically less than 40GB).

Prior to Exchange 2003, Microsoft recommended keeping SGs to a minimum and adding them only as they filled up with databases. However, for Exchange 2003, Microsoft recommends that you add one database per each of the four SGs, and when each SG contains one database, start adding databases until each SG has two databases, and so forth. This approach is described in the Microsoft article How to configure storage groups in Exchange Server 2003.

Q. Is Anonymous still a member of the Everyone group in Windows XP and later?

A. No. In Windows Server 2003 and XP, the Anonymous SID is no longer part of the Everyone group, which enables a more secure default installation.

Q. How can I enable the Anonymous SID to be part of the Everyone group in Windows XP and later?

A. You can make Anonymous a member of the Everyone group by making the following registry change:

  1. Start the registry editor (regedit.exe).
  2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey.
  3. Double-click the everyoneincludesanonymous value.
  4. Set the value to 1 and click OK.
  5. Close the registry editor.
You can also configure this setting via Group Policy. To do so, open the appropriate Group Policy Object (GPO), then expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. Enable the "Network access: Let Everyone permissions apply to anonymous users" option.

Events and Resources
(A complete Web and live events directory brought to you by Windows IT Pro: http://www.windowsitpro.com/events )

  • True High Availability – Going Beyond Backup and Data Replication

  • In this free Web seminar discover the various categories of high availability and disaster recovery solutions available and the pros and cons of each. You'll learn what solutions help you take preemptive, corrective action without resorting to a full system failover, or in extreme cases, that perform a non-disruptive, automatic switchover to a secondary server. Register Now!
    http://www.windowsitpro.com/seminars/truehighavailability/index.cfm?code=0615emailannc

  • Get Ready for SQL Server 2005 Roadshow in Europe

  • Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year sub
    http://www.windowsitpro.com/roadshows/sqlservereurope/index.cfm?code=0615emailannc

  • Streamline Desktop Deployments

  • Managing desktop software configurations doesn't have to be a manual process, resulting in unplanned costs, deployment delays, and client confusion. In this free Web seminar find out how to manage the software package preparation process and increase your desktop reliability, user satisfaction, and IT cost effectiveness. You'll learn how to simplify the deployment and configuration process, starting with the new-application request, review, and approval process and progressing through software packaging and deployment.
    http://www.windowsitpro.com/seminars/SoftwarePackagingWorkflow/index.cfm?code=0615emailannc

  • Win A Windows IT Pro VIP Subscription – Register and You Could Win!

  • In this free Web seminar, learn what the most common fax messaging challenges encountered in the workforce are and solutions for how to turn these common fax "headaches" into cost-effective, easy-to-use, business communications. You'll also receive a free industry white paper on fax deployment and integration techniques. Register now and you'll receive a 30-day software trial and a starbuck's gift card for attending!
    http://www.windowsitpro.com/seminars/applicationintegration/index.cfm?code=0615emailannc

  • Safeguard Your Exchange Servers – Plus Receive A FREE eBook

  • Managing storage growth, providing application resiliency, and handling small errors and problems before they grow are all important aspects of boosting your Exchange uptime. In this free Web seminar discover how storage and application management techniques for Exchange can be used to improve the resiliency and performance of your Exchange infrastructure. Register now and get your free eBook!
    http://www.windowsitpro.com/seminars/exchangeapplicationavailability/index.cfm?code=0615emailannc

    Featured White Paper
    (from Windows IT Pro and its partners)

  • Security Management in a Multi-platform World

  • In this free white paper you'll learn how to reduce management overhead when dealing with multiple platforms and the costs and benefits of a centralized "holistic" approach to security management. Get the ins and outs of managing multi-platform security and how you can safely, securely, and sanely manage the security infrastructure of complex, multi-platform environments.
    http://www.windowsitpro.com/Whitepapers/bindview/securitymanagement/index.cfm?code=0615emailannc

    Announcements
    (from Windows IT Pro and its partners)

  • Chat with Mike Otey about SBS SP1

  • Windows IT Pro's Mike Otey will answer your questions about Microsoft Small Business Server (SBS) Service Pack 1 (SP1) in a chat on June 15 at 3:00 p.m. Eastern time. For details, visit the Microsoft chat site at
    http://ad.doubleclick.net/clk;16543944;6134865;q?http://www.microsoft.com/communities/chats/default.mspx#05_Jun14_MVP_CF

    Sponsored Links

  • Ensuring Protection and Availability for Microsoft Exchange

  • Download this free white paper now!
    http://www.windowsitpro.com/Whitepapers/nsisoftware/exchangeprotection/index.cfm?code=nlsplink

  • Quest Software

  • Eleven things you must know about quick AD recovery!
    http://ad.doubleclick.net/clk;17412125;8214395;c?http://wm.quest.com/WITPNLSponlink11ThingsWPRMAD60105

  • A New Dimension in IT Infrastructure Management: Integrated KVM and Serial Console Control Systems

  • Reduce downtime, mean-time-to-repair, lower costs & improve ROI.
    http://www.windowsitpro.com/whitepapers/raritan/integratedkvm/index.cfm?code=nlsplink

    Contact Us
    Here's how to reach us with your comments and questions:

    This email newsletter is brought to you by Windows IT Pro, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
    http://www.windowsitpro.com/rd.cfm?code=00eu205xeb

    Hide comments

    Comments

    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.
    Publish