<![CDATA[奚瑞 的博客]]> http://www.5140.net/blog/ PJBlog3 2012-02-07T11:33:16+08:00 <![CDATA[限制Domain User将机器加入域]]> admin http://www.5140.net/blog/ 41949147@qq.com 2012-02-07T11:33:16+08:00 2012-02-07T11:33:16+08:00
【问答】加入域提示错误拒绝加入先在域控上添加计算机 然后在此计算机上用域成员加入域 提示错误 拒绝加入 用管理员用户就可以加入先添加计算机 只能用域管理员才可将此计算机加入域?

【回答】
默认情况下域内的认证的用户(默认情况下就是域内的成员)都有权限将一台客户端加入到域的,但是默认情况下普通的user只有10次 机会将客户端计算机加入到域,一个帐户超过10次再尝试将客户端计算机加入域时,就会报错(是domain admins不受此限制)。

将客户端计算机加入域的权限设置可以通过组策略,使用默认域控制器[/url]策略-计算机配置-windows设置-安全设置-本地策略-用户权利分配域中添加工作站-选择定义这些组策略后就可以添加您希望那些账户有权利将客户端计算机加入到域

对于加入域账户的使用次数的修改您可以用过下面的步骤:

安装Windows Server 2000/2003 Support Tools. 您可以从下载Support Tools
mhttp://www.microsoft.com/downloads/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&DisplayLang=en 2. 在开始运行中键入“adsiedit.msc”
展开domain,找到DC=XXX,DC=XXX,

4. 右键属性,找到ms-DS-MachineAccountQuota 条目

5. 双击修改值

如果您只希望域中的某些用户有多次添加客户端计算机到域的权限,可以通过下面的步骤:

开始,运行 键入“Adsiedit.msc” 回车

2. 展开domain,找到DC=domain,cn=computers

右键属性,找到“安全”选项,“高级”

点击“添加”,然后选择,您希望授权的user或者group!

5. 选中该用户,编辑,在“应用到”选择“计算机对象”

在“computers的权限项目”中将“写入全部属性”“重设密码”勾选,确定退出


这里是一篇与您的问题相关的文档,供您参阅

Domain Users Cannot Join Workstation or Server to a Domain:http://support.microsoft.com/kb/251335/en-us
使用组策略只是限制谁有权利添加客户端计算机到域,默认的次数还是10次(除非该帐号在domain admins组中不受次数限制),因此,如果您希望尽有某些用户有权利将客户端计算机加入到域,并且不受次数限制,您必须既要修改组策略来修改权限又要修改次数的限制。

例如:您希望出了域管理员之外,只有张三有权利将客户端计算机加入到域,那么需要在策略中将张三这个用户的名字添加进去,此时张三有权利添加客户酸计算机,但他仍只有10次,如果增加该次数的限制,您还需按照我上贴提供的方法来修改限制次数。



方法:
在DC上面安装Support Tools工具,开始--运行,输入“adsiedit.msc”,在弹出窗口中展开“Domain [xxxxxx]”,定位到“DC= xxxxx”,右键选择“属性”,在弹出的属性窗口中找到“ms-DS-MachineAccountQuota”,双击编辑将默认值“10”更改为“0”(默认情况所有用户都可以将10台计算机加入域),更改之后默认用户就没有权限进行将计算机加入域的操作,不影响域管理员将计算机加入域的操作。把10改成0后,普通的认证用户将不能加客户端入域,但domain admins组不受限制。


]]> http://www.5140.net/blog/default.asp?id=208 <![CDATA[免重启修改计算机名称]]> admin http://www.5140.net/blog/ 41949147@qq.com 2012-02-06T20:33:49+08:00 2012-02-06T20:33:49+08:00
复制内容到剪贴板程序代码 程序代码


.版本 2

.子程序 _按钮1_被单击

.如果真 (写注册项 (4, “System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName”, 编辑框1.内容) = 真)
    .如果真 (写注册项 (4, “System\CurrentControlSet\Services\Tcpip\Parameters\NV Hostname”, 编辑框1.内容) = 真)
        .如果真 (写注册项 (4, “System\CurrentControlSet\Services\Tcpip\Parameters\Hostname”, 编辑框1.内容) = 真)
            信息框 (“修改成功”, 0, )
        .如果真结束

    .如果真结束



.如果真结束




]]> http://www.5140.net/blog/default.asp?id=207 <![CDATA[卸载微软拼音输入法]]> admin http://www.5140.net/blog/ 41949147@qq.com 2012-01-11T21:35:14+08:00 2012-01-11T21:35:14+08:00
MsiExec.exe /X{90120000-0028-0804-0000-0000000FF1CE}]]> http://www.5140.net/blog/default.asp?id=206 <![CDATA[时间格式化]]> admin http://www.5140.net/blog/ 41949147@qq.com 2012-01-04T23:03:14+08:00 2012-01-04T23:03:14+08:00
复制内容到剪贴板程序代码 程序代码


.版本 2
.支持库 RegEx

.程序集 窗口程序集1

.子程序 _时钟1_周期事件

标签1.标题 = 时间格式化 (到文本 (取现行时间 ()))

.子程序 时间格式化, 文本型, ,mark
.参数 时间文本, 文本型
.局部变量 正则, 正则表达式
.局部变量 文本, 文本型

正则.创建 (“(年)|(月)|(日)|(时)$|(分)$|(秒)|(时)|(分)”, )
文本 = 正则.替换 (时间文本, “(?1-)(?2-)(?3 )(?4\:00\:00)(?5\:00)(?7\:)(?8\:)”, 1, , 真, 真)
正则.创建 (“(?<!\d)\d(?!\d)”, )
文本 = 正则.替换 (文本, “0$&”, 1, , 真, 真)
返回 (文本)


]]> http://www.5140.net/blog/default.asp?id=205 <![CDATA[IE最大化]]> admin http://www.5140.net/blog/ 41949147@qq.com 2011-12-29T17:55:59+08:00 2011-12-29T17:55:59+08:00 [Version]
Signature="$CHICAGO$"
Provider=Rui

[DefaultInstall]
; DelReg=新建 文本文档_DelReg
AddReg=新建 文本文档_AddReg

[新建 文本文档_DelReg]

[新建 文本文档_AddReg]
hkcu,"Software\Microsoft\Internet Explorer\Main","Window_Placement",0x1,2c,00,00,00,02,00,00,00,03,00,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,00,00,00,04,04,00,00,0a,03,00,\
00

hkcu,"Software\Microsoft\Internet Explorer\Desktop\Old WorkAreas","OldWorkAreaRects",0x1,00,00,00,00,00,00,00,00,00,04,00,00,00,03,00,00

hkcu,"Software\Microsoft\Internet Explorer\Document Windows","Maximized",,"yes"

[Strings]
 

 

 

=============================================

 

 

保存为INF格式,安装即可。

]]> http://www.5140.net/blog/default.asp?id=203 <![CDATA[AD客户端与DC通信端口]]> admin http://www.5140.net/blog/ 41949147@qq.com 2011-11-26T11:34:13+08:00 2011-11-26T11:34:13+08:00 Windows NT

In this environment, one side of the trust is a Windows NT 4.0 trust, or the trust was created by using the NetBIOS names.

Collapse this tableExpand this table
 
Client Port(s) Server Port Service
137/UDP 137/UDP NetBIOS Name
138/UDP 138/UDP NetBIOS Netlogon and Browsing
1024-65535/TCP 139/TCP NetBIOS Session
1024-65535/TCP 42/TCP WINS Replication
Back to the top

Windows Server 2003 and Windows 2000 Server

For a mixed-mode domain that uses either Windows NT domain controllers or legacy clients, trust relationships between Windows Server 2003-based domain controllers and Windows 2000 Server-based domain controllers may necessitate that all the ports for Windows NT that are listed in the previous table be opened in addition to the following ports.

Note The two domain controllers are both in the same forest, or the two domain controllers are both in a separate forest. Also, the trusts in the forest are Windows Server 2003 trusts or later version trusts.

Collapse this tableExpand this table
 
Client Port(s) Server Port Service
1024-65535/TCP 135/TCP RPC
1024-65535/TCP 1024-65535/TCP LSA RPC Services (*)
1024-65535/TCP/UDP 389/TCP/UDP LDAP
1024-65535/TCP 636/TCP LDAP SSL
1024-65535/TCP 3268/TCP LDAP GC
1024-65535/TCP 3269/TCP LDAP GC SSL
53,1024-65535/TCP/UDP 53/TCP/UDP DNS
1024-65535/TCP/UDP 88/TCP/UDP Kerberos
1024-65535/TCP 445/TCP SMB

(*) To define RPC server ports that are used by the LSA RPC services, see the "Domain controllers and Active Directory" section in the following Microsoft Knowledge Base article:

832017  (http://support.microsoft.com/kb/832017/ ) Service overview and network port requirements for the Windows Server system
Back to the top

Windows Server 2008/Windows Server 2008 R2

In a mixed-mode domain that consists of Windows Server 2003 domain controllers, Windows 2000 Server-based domain controllers, or legacy clients, the default dynamic port range is 1025 through 5000. Windows Server 2008 and Windows Server 2008 R2, in compliance with Internet Assigned Numbers Authority (IANA) recommendations, has increased the dynamic client port range for outgoing connections. The new default start port is 49152, and the default end port is 65535. Therefore, you must increase the RPC port range in your firewalls.

Collapse this tableExpand this table
 
Client Port(s) Server Port Service
49152 -65535/UDP 123/UDP W32Time
49152 -65535/TCP 135/TCP RPC-EPMAP
49152 -65535/TCP 138/UDP Netbios
49152 -65535/TCP 49152 -65535/TCP RPC
49152 -65535/TCP/UDP 389/TCP/UDP LDAP
49152 -65535/TCP 636/TCP LDAP SSL
49152 -65535/TCP 3268/TCP LDAP GC
49152 -65535/TCP 3269/TCP LDAP GC SSL
53, 49152 -65535/TCP/UDP 53/TCP/UDP DNS
49152 -65535/TCP 135, 49152 -65535/TCP RPC DNS
49152 -65535/TCP/UDP 88/TCP/UDP Kerberos
49152 -65535/TCP/UDP 445/NP-TCP/NP-UDP SAM/LSA

For more information about the change in the dynamic port range in Windows Server 2008, click the following article number to view the article in the Microsoft Knowledge Base:

929851  (http://support.microsoft.com/kb/929851/ ) The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008

For more information about this change, visit the Ask the Directory Services Team blog and read the following article:

Dynamic Client Ports in Windows Server 2008 and Windows Vista (http://blogs.technet.com/askds/archive/2007/08/24/dynamic-client-ports-in-windows-server-2008-and-windows-vista-or-how-i-learned-to-stop-worrying-and-love-the-iana.aspx)
Back to the top

Active Directory

For Active Directory to function correctly through a firewall, the Internet Control Message Protocol (ICMP) protocol must be allowed through the firewall from the clients to the domain controllers so that the clients can receive Group Policy information.

ICMP is used to determine whether the link is a slow link or a fast link. ICMP is a legitimate protocol that Active Directory uses for Group Policy detection and for Maximum Transfer Unit (MTU) detection. The Windows Redirector also uses ICMP to verify that a server IP is resolved by the DNS service before a connection is made.

If you want to minimize ICMP traffic, you can use the following sample firewall rule:

<any> ICMP -> DC IP addr = allow


Unlike the TCP protocol layer and the UDP protocol layer, ICMP does not have a port number. This is because ICMP is directly hosted by the IP layer.

By default, Windows Server 2003 and Windows 2000 Server DNS servers use ephemeral client-side ports when they query other DNS servers. However, this behavior may be modified with a specific registry setting that is described in the following article in the Microsoft Knowledge Base:

260186  (http://support.microsoft.com/kb/260186/ ) The SendPort DNS registry key does not work as expected


For more information about Active Directory and firewall configuration, view the "Active Directory in Networks Segmented by Firewalls" Microsoft White Paper. To do this, visit the following Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en (http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en)

Alternatively, you can establish a trust through the Point-to-Point Tunneling Protocol (PPTP) compulsory tunnel, and this will limit the number of ports that the firewall will need to open. For PPTP, the following ports must be enabled.

Collapse this tableExpand this table
 
Client Ports Server Port Protocol
1024-65535/TCP 1723/TCP PPTP

In addition, you would have to enable IP PROTOCOL 47 (GRE).

Note When you add permissions to a resource on a trusting domain for users in a trusted domain, there are some differences between the Windows 2000 and Windows NT 4.0 behavior. If the computer cannotdisplay a list of the remote domain's users:

  • Windows NT 4.0 tries to resolve manually-typed names by contacting the PDC for the remote user's domain (UDP 138). If that communication fails, a Windows NT 4.0-based computer contacts its own PDC, and then asks for resolution of the name.
  • Windows 2000 and Windows Server 2003 also try to contact the remote user's PDC for resolution over UDP 138, but they do not rely on using their own PDC. Make sure that all Windows 2000-based member servers and Windows Server 2003-based member servers that will be granting access to resources have UDP 138 connectivity to the remote PDC.
]]> http://www.5140.net/blog/default.asp?id=202 <![CDATA[通过注册表关闭Windows防火墙]]> admin http://www.5140.net/blog/ 41949147@qq.com 2011-11-05T10:12:44+08:00 2011-11-05T10:12:44+08:00
HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","EnableFirewall",0x00010001,1- EnableFirewall = 0 (0表示关闭 , 1表示打开, 缺省是打开的) HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DoNotAllowExceptions",0x00010001,0
-DoNotAllowExceptions = 0(是否允许例外0 = Allow Exceptions (default), 1 = No Exceptions)

2. 使用netsh来设置

    C:>netsh
      netsh>Firewall

        netsh firewall> show state (to check the current status of firewall) netsh firewall>set opmode [enable/disable] [enable/disable] Where first parameter is state of the firewall (enable=on, disable=off) and second parameter is whether you want to allow exceptions (enable=allow exceptions, disable=don’t allow exceptions). You can also specify interface and/or profile. Please use netsh shell help for details.netsh firewall>set notifications [enable/disable]enable = notify when program is blocked, disable = do not notify when program is blocked You can also change ICMP settings, create port openings and authorized application/service using the following netsh commands.        netsh firewall>set icmpsetting                         (to change ICMP Settings)        netsh firewall>set service                                (to create authorized applications)        netsh firewall>set portopening                         (to create port openings)]]> http://www.5140.net/blog/default.asp?id=200 <![CDATA[此文件中的某些文本格式可能已经更改,因为它已经超出最多允许的字体数。关闭其他文档再试一次可能有用]]> admin http://www.5140.net/blog/ 41949147@qq.com 2011-10-01T08:29:29+08:00 2011-10-01T08:29:29+08:00
分析可能的原因是:文档在中文下编辑,后来又在日语的系统(excel2007)中编辑保存后,再在中文的2003excel打开就这个提示,字面上分析是字体太多了,在excel中无法修改,通过修改注册表解决

InstallLanguage修改为409

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\LanguageResources]
"InstallLanguage"=dword:00000409

如果不会修改,下载我的附件,双击导入:
]]> http://www.5140.net/blog/default.asp?id=199 <![CDATA[隐藏托盘图标]]> admin http://www.5140.net/blog/ 41949147@qq.com 2011-07-13T21:47:14+08:00 2011-07-13T21:47:14+08:00 ]]> http://www.5140.net/blog/default.asp?id=198 <![CDATA[system state备份的是什么]]> admin http://www.5140.net/blog/ 41949147@qq.com 2011-07-10T05:27:25+08:00 2011-07-10T05:27:25+08:00
备份主要分为两大类,一个是用户的重要数据,再一个就是系统状态(System State)。Windows给我们提供了一个非常强大的备份工具,该程序在系统工具里,通过它我们就可以把整个系统的状态信息备份下来。系统状态比较大,最少要几百MB。

u 系统状态信息包括:


Ø 注册表

Ø 启动文件

Ø 重要的系统文件 (被应用WFP的系统文件)

Ø 证书服务数据库 (安装证书服务)

Ø 活动目录数据库 (安装活动目录)

Ø SYSVOL目录 (组策略模版,已安装活动目录)

Ø 群集服务信息 (配置群集服务器)

Ø IIS元数据。 (安装IIS)


ü 强烈建议大家经常备份System State,以把灾难带来的损失减到最小。
]]> http://www.5140.net/blog/default.asp?id=197