Archived from groups: microsoft.public.win2000.active_directory (
More info?)
It is not past the tombstone date. I label servers with the down date
when I take them offline.. Besides, then you get tombstone errors in the
event logs. I am seeing none of that.
--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Chicago, IL
"BCE" <dirwolf@speakeasy.net> wrote in message
news:%23FvfIOdUFHA.2540@tk2msftngp13.phx.gbl...
> How many "weeks" was that dc offline, there is a time limit where you can
> cause problems bringing back a dc after so many days!
>
> --
> BRIAN EDWARDO
> "Ryan Hanisco" <rhanisco@flagshipis.com> wrote in message
> news:%2310bIEcUFHA.2664@TK2MSFTNGP15.phx.gbl...
>> Smo,
>>
>> This is not really applicable, but I appreciate the effort.
>>
>> Thanks so much.
>>
>> --
>> Ryan Hanisco
>> MCSE, MCDBA
>> FlagShip Integration Services
>> Chicago, IL
>>
>> "smo" <smo@discussions.microsoft.com> wrote in message
>> news:E0398274-069D-4937-89BD-0EAD7ECD8AE9@microsoft.com...
>>> Not sure if this is related, but if it seems to be an intermittent
>>> permission
>>> problem on the Account Operators, check the ACL. You may want to check
>>> this
>>> KB out:
>>>
http://support.microsoft.com/default.aspx?kbid=817433
>>>
>>> smo
>>>
>>> "Ryan Hanisco" wrote:
>>>
>>>> The primary DCs are 2000 SP4 but the one we brought up again is 2003
>>>> gold.
>>>> The accounts are members of Account Operators... not a delegated scope
>>>> of
>>>> management.
>>>>
>>>> The Account Operators can manage 80% of the objects but some are read
>>>> only
>>>> and they get the Access Denied Error.
>>>>
>>>> This is not an error with versioning. This is something to do with
>>>> domain
>>>> convergence in either the AD or DNS. I am trying to nail it down to
>>>> What
>>>> and Why.
>>>>
>>>> --
>>>> Ryan Hanisco
>>>> MCSE, MCDBA
>>>> FlagShip Integration Services
>>>> Chicago, IL
>>>>
>>>> "SMO" <SMO@discussions.microsoft.com> wrote in message
>>>> news
AC48540-C5AB-41C7-9760-0F0B9496C914@microsoft.com...
>>>> > What's your environment (DC running 2000 or 2003, SP level)? Did you
>>>> > delegate
>>>> > permissions using Delegation Control wizard?
>>>> >
>>>> > smo
>>>> >
>>>> > "Ryan Hanisco" wrote:
>>>> >
>>>> >> I have a large and complex environment with several domains in the
>>>> >> forest.
>>>> >> After bringing a dc online that was down for a few weeks, users that
>>>> >> have
>>>> >> been given the account operator privileges are no longer able to
>>>> >> change
>>>> >> passwords for users.
>>>> >>
>>>> >> Full administrators are able to do this, but the end users are
>>>> >> getting an
>>>> >> Access Denied message.
>>>> >>
>>>> >> They are able to contact the correct PDCe and NSLOOKUP gives them
>>>> >> the
>>>> >> correct addresses for GCs and domains.
>>>> >>
>>>> >> Suggestions?
>>>> >>
>>>> >> --
>>>> >> Ryan Hanisco
>>>> >> MCSE, MCDBA
>>>> >> FlagShip Integration Services
>>>> >> Chicago, IL
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>>
>>>>
>>>>
>>
>>
>
>