Best Practice: Deploying Group Policy to Users on different OUs

Greetings, everyone! I am needing some advice on how to deploy some group policy objects to specific users stored on different OUs.
Let me set the stage: I work for a large school district, and have recently taken over the district's career center. The idea behind the career center is that students from different high schools around the city come in to take classes based on their choice of career, such as radio broadcasting or auto mechanic and such. The AD structure is set up so that each school has their own OU. When a user (staff, student, etc.) is assigned to a school OU, they automatically are added to their school's security group (i.e. EASTHIGH-STUDENT), and when any user moves from one school to another, we have to move their AD account to that school's OU, which will remove the security group from the old school and apply the new school security group.
For the career center, since we have students coming from different buildings every day, rather than trying to find a way to move their AD account from their high school OU to the career center OU, the previous techs created generic accounts (such as tv001, tv002, etc.) in AD and stored them in the career center OU. This way, teachers can assign students that particular generic account so that they can access the drives and printers from the career center, as well as access the career center network drives while they are at their home high school.
Since I have moved to the career center, and apparently I have more knowledge about group policy than most of the techs in the district, the district system engineers want me to remove all of the generic accounts from the career center OU, and have students use their own AD accounts. Obviously I also want to do this since the generic accounts are very confusing to me, but I'm trying to figure out the best way to do this.
For simplicity's sake, I'm just going to start off by figuring out how to set up a group policy for mapping the career center drives. Now, I obviously know that the best way would be to create security groups for each career area, and that we would need to add students to those groups so that only those particular students would get the GPO for the career center, but my question is where would I link the group policies to? Do I need to link it at the root of the domain so that every OU is hit? Just curious about this.
Thanks!

Don't link it to the root... apply the drive mapping as a policy at the OU, or you could apply the drive mapping using Group Policy Preferences using security group targeting. I would also strongly recommend you check out my articles:
Best Practice: Active Directory Structure Guidelines – Part 1
Best Practice: Group Policy Design Guidelines – Part 2
Hope it helps...
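
One way to script the advice in the reply above (link at the OU level and filter by security group instead of linking at the domain root), as an added example that is not part of the original thread. The GPO name, group name and OU distinguished names are hypothetical placeholders, and the drive-map item itself is assumed to be created in the GPO editor under User Configuration > Preferences > Windows Settings > Drive Maps.

```powershell
# Added example. Every name and distinguished name below is a hypothetical
# placeholder; replace them with values from your own directory.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName    = 'CareerCenter - Drive Maps - TV Broadcasting'
$GroupName  = 'CAREER-TVBROADCAST-STUDENTS'
$GroupOu    = 'OU=Groups,OU=CareerCenter,DC=district,DC=example'
# The students stay in their home-school OUs, so the GPO is linked to each of
# those OUs instead of to the domain root.
$StudentOus = @(
    'OU=Students,OU=EastHigh,DC=district,DC=example',
    'OU=Students,OU=WestHigh,DC=district,DC=example'
)

# 1. One security group per career area. Membership in this group is the only
#    thing that decides who receives the drive mapping.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                -Path $GroupOu
}

# 2. Create the GPO if it does not exist yet. It carries user settings only,
#    so the computer half is disabled to keep processing short.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Career center drive maps (user settings only)'
}
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# 3. Security filtering: only the career-area group may apply the GPO.
#    Authenticated Users is reduced from "Apply" to "Read" rather than removed,
#    because the GPO must stay readable for policy processing to succeed.
#    -Replace is required when lowering an existing permission level.
Set-GPPermission -Guid $gpo.Id -TargetName $GroupName -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

# 4. Link the GPO to each OU that holds student accounts, skipping OUs where
#    the link already exists so the script can be re-run safely.
foreach ($ou in $StudentOus) {
    $existing = (Get-GPInheritance -Target $ou).GpoLinks |
                Where-Object { $_.GpoId -eq $gpo.Id }
    if (-not $existing) {
        New-GPLink -Guid $gpo.Id -Target $ou -LinkEnabled Yes | Out-Null
    }
}

# 5. Review the result: who can apply the GPO and where it is linked.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
foreach ($ou in $StudentOus) {
    (Get-GPInheritance -Target $ou).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id } |
        Select-Object Target, DisplayName, Enabled, Order
}
```

Adding or removing a student from the group then controls the mapping without moving the account between OUs; `gpresult /r` on a student session shows whether the GPO was applied or filtered out.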

Similar Messages

  • Best practice to set up the user authorization

    Dear expert,
    I have a question regarding the user authorization access. I've attended the BOE training but I'm still blur in terms of user authorization planning. Currently, I have around 50 named users that need to access the BOE server. But certain users will be restricted to access certain folders or reports. May I know what is the best practice to set up the user authorization access? Should I set it up first on the development machine and, once it's firm, then migrate it to the production machine, or are there any steps that I need to follow?
    Really appreciate if you can let me know what I should look into first before setting up the authorization. Is there any document that I can refer to?
    Thanks & Regards,
    -Syahida-

    Create User Group for each folder (for eg. Sales/Marketing etc) and also based on the type of access you want to provide.
    Like Sales VOD/ Sales View/Sales Schedule, and add users to the User Group based on the type of rights you want to provide them. Then add the User Group to respective report folders.
    First deploy it in the Development environment, once you have everything finalized then you can replicate the same to QA and Prod environment by migration. Also make sure that in Development environment developers will have full control to develop/add reports to folders, you have to restrict that in QA & Prod environment.

  • Configuring group policy for user profiles in Windows Server 2012 R2 Domain

    Requesting some experts advise on configuring group policy for user profiles.
    We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
    The settings which I am concerned:
    1. Folder Redirection: Desktop, Documents, Favorites.
    2. Quota for Folder Redirection - 1 GB per user.
    3. Map a networked drive - 1 GB per user.
    4. Roaming profile - (Will ignore if it does not suit our requirement). 
    The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
    FYI, E-mails hosted on MS Office365 and OST file size of few users more than 25GB. So, in case the user moves from one computer to other, the entire mailbox will be downloaded via internet. This consumes high bandwidth if more than 3-4 users shift per day.
    Thanks a lot for your valuable time and efforts.

    Hi,
    >>The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
    This depends on where our Outlook data files are stored. If these data files are stored under drive:\Users\<username>\AppData\Local, then these files can’t be redirected, for folder redirection can’t redirect appdata local or locallow.
    However, regarding your question, we can refer to the following thread to find the solution.
    Roam outlook profiles without roaming profiles
    http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
    In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
    Configuring Folder Redirection
    http://technet.microsoft.com/library/cc786749.aspx
    Hope it helps.
    Best regards,
    Frank Shen

  • WCEM Best Practice deployment in a multi CRM Landscape

    Hi SCN
    I'm looking for advice in relation to best practice deployment of WCEM. Specifically in a multi CRM landscape scenario.
    Do best practices exist?
    JR

    Look into using NWDI as your source code control (DTR) and transport/migration from dev through to production.  This also will handle the deployment to your dev system (check-in/activate).
    For unit testing and debugging you should be running a local version (NWDW).  This way once the code is ready to be shared with the team, you check it in (makes it visible to other team members) and activate it (deploys it to development server).
    We are currently using a separate server for WD applications rather than running them on the portal server.  However, this does not allow for the WD app to run in the new WD iView.  So it depends on what the WD app needs to do and have access to.  Of course there is always the Federated Portal Network as an option, but that is a whole other topic.
    For JCo connections, WD uses a connection name and this connection can be set up to point to different locations depending on which server it is on.  So on the development server the JCo connection can point to the dev back-end and in prod point to the prod back-end.  The JCo connections are not migrated, but setup in each system.
    I hope this helps.  There is a lot of documentation available for NWDI to get you started.  See:  http://help.sap.com/saphelp_erp2005/helpdata/en/01/9c4940d1ba6913e10000000a1550b0/frameset.htm
    -Cindy

  • Event ID 1085 on DC - Failed to Apply the Group Policy Local Users and Groups Settings

    I have a domain with 2 DCs.  The primary DC is running Server 2012 and is raising Event ID 1085 every 10 minutes and 20 seconds.
    Windows failed to apply the Group Policy Local Users and Groups settings. Group Policy Local Users and Groups settings might have its own log file. Please click on the "More information" link.
    System
    - Provider
    [ Name] Microsoft-Windows-GroupPolicy
    [ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
    EventID 1085
    Version 0
    Level 3
    Task 0
    Opcode 1
    Keywords 0x8000000000000000
    - TimeCreated
    [ SystemTime] 2014-10-20T20:09:03.706992400Z
    EventRecordID 130087
    - Correlation
    [ ActivityID] {FDDFB8C5-9ECF-41B9-B2B4-3AD0B345A37A}
    - Execution
    [ ProcessID] 1000
    [ ThreadID] 3280
    Channel System
    Computer SERVER.DOMAIN.NAME
    - Security
    [ UserID] S-1-5-18
    - EventData
    SupportInfo1 1
    SupportInfo2 4404
    ProcessingMode 0
    ProcessingTimeInMilliseconds 10343
    ErrorCode 183
    ErrorDescription Cannot create a file when that file already exists.
    DCName \\SERVER.DOMAIN.name
    ExtensionName Group Policy Local Users and Groups
    ExtensionId {17D89FEC-5C44-4972-B12D-241CAEF74509}
    Everything I look up for Event ID 1085 seems to be about a different cause.
    Any ideas?

    I enabled tracing on a domain gpo and I still get the error when running gpupdate /force .
    I'm also still getting Event 1085.  Here's the trace file.  I've anonymized the site/domain and the GUIDs.
    2014-10-21 11:16:54.003 [pid=0x3e8,tid=0xcd0] Entering ProcessGroupPolicyExLocUsAndGroups()
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] SOFTWARE\Policies\Microsoft\Windows\Group Policy\{GUID-1}
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] BackgroundPriorityLevel ( 0 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] DisableRSoP ( 0 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] LogLevel ( 2 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] Command subsystem initialized. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] Background priority set to 0 (Idle).
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ----- Parameters
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] CSE GUID : {GUID-1}
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] Flags : ( X ) GPO_INFO_FLAG_MACHINE - Apply machine policy rather than user policy
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( X ) GPO_INFO_FLAG_BACKGROUND - Background refresh of policy (ok to do slow stuff)
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_SLOWLINK - Policy is being applied across a slow link
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_VERBOSE - Verbose output to the eventlog
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_NOCHANGES - No changes were detected to the Group Policy Objects
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_LINKTRANSITION - A change in link speed was detected between previous policy application and current policy application
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_LOGRSOP_TRANSITION - A change in RSoP logging was detected between the application of the previous policy and the application of the current policy.
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( X ) GPO_INFO_FLAG_FORCED_REFRESH - Forced Refresh is being applied. redo policies.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_SAFEMODE_BOOT - windows safe mode boot flag
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_ASYNC_FOREGROUND - Asynchronous foreground refresh of policy
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Token (computer or user SID): S-1-5-18
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Abort Flag : Yes (0x313be090)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] HKey Root : Yes (0x80000002)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Deleted GPO List : No
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Changed GPO List : Yes
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Asynchronous Processing : Yes
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Status Callback : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] WMI namespace : Yes (0x32273740)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] RSoP Status : Yes (0x320cc7f4)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Planning Mode Site : (none)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Computer Target : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] User Target : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Calculated list relevance. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ----- Changed - 0
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Options : ( ) GPO_FLAG_DISABLE - This GPO is disabled.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_FLAG_FORCE - Do not override the settings in this GPO with settings in a subsequent GPO.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Options (raw) : 0x00000000
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Version : 19267878 (0x01260126)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPC : LDAP://CN=Machine,CN={GUID-2},CN=Policies,CN=System,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPT : \\SITE.DOMAIN\sysvol\SITE.DOMAIN\Policies\{GUID-2}\Machine
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Display Name : Default Domain Policy
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Name : {GUID-2}
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Link : ( ) GPLinkUnknown - No link information is available.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkMachine - The GPO is linked to a computer (local or remote).
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkSite - The GPO is linked to a site.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( X ) GPLinkDomain - The GPO is linked to a domain.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkOrganizationalUnit - The GPO is linked to an organizational unit.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GP Link Error
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] lParam : 0x00000000
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Prev GPO : No
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Next GPO : Yes
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Extensions : [{00000000-0000-0000-0000-000000000000}{GUID-3}][{GUID-1}{GUID-3}][{GUID-4}{GUID-5}{GUID-6}{GUID-7}{GUID-8}][{GUID-9}{GUID-10}][{GUID-11}{GUID-5}{GUID-6}]
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] lParam2 : 0x3146f978
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Link : LDAP://DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Purge GPH : C:\ProgramData\Microsoft\Group Policy\History\{GUID-2}\Machine\Preferences\Groups\Groups.xml
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Read GPE XML data file (592 bytes total).
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ----- Changed - 1
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Options : ( ) GPO_FLAG_DISABLE - This GPO is disabled.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPO_FLAG_FORCE - Do not override the settings in this GPO with settings in a subsequent GPO.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Options (raw) : 0x00000000
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Version : 1245203 (0x00130013)
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPC : LDAP://CN=Machine,CN={GUID-12},CN=Policies,CN=System,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPT : \\SITE.DOMAIN\sysvol\SITE.DOMAIN\Policies\{GUID-12}\Machine
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Display Name : Default Domain Controllers Policy
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Name : {GUID-12}
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Link : ( ) GPLinkUnknown - No link information is available.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkMachine - The GPO is linked to a computer (local or remote).
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkSite - The GPO is linked to a site.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkDomain - The GPO is linked to a domain.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( X ) GPLinkOrganizationalUnit - The GPO is linked to an organizational unit.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GP Link Error
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] lParam : 0x00000000
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Prev GPO : Yes
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Next GPO : No
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Extensions : [{00000000-0000-0000-0000-000000000000}{GUID-3}][{GUID-1}{GUID-3}][{GUID-9}{GUID-10}]
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] lParam2 : 0x324e8198
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Link : LDAP://OU=Domain Controllers,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.127 [pid=0x3e8,tid=0xcd0] Purge GPH : C:\ProgramData\Microsoft\Group Policy\History\{GUID-12}\Machine\Preferences\Groups\Groups.xml
    2014-10-21 11:16:54.127 [pid=0x3e8,tid=0xcd0] Read GPE XML data file (592 bytes total).
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Completed get next GPO. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] WQL : SELECT * FROM RSOP_PolmkrSetting WHERE polmkrBaseCseGuid = "{GUID-1}"
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Purged 2 old RSoP entries.
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Logging 2 new RSoP entries.
    2014-10-21 11:16:54.159 [pid=0x3e8,tid=0xcd0] RSoP Entry 0
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] RSoP Entry 1
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] Completed get GPO list. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] IsRsopPlanningMode() [SUCCEEDED(S_FALSE)]
    2014-10-21 11:17:04.252 [pid=0x3e8,tid=0xcd0] Completed settings update (csePostProcess). [ hr = 0x800700b7 "Cannot create a file when that file already exists." ]
    2014-10-21 11:17:04.252 [pid=0x3e8,tid=0xcd0] Completed CSE post-processing. [ hr = 0x800700b7 "Cannot create a file when that file already exists." ]
    2014-10-21 11:17:04.267 [pid=0x3e8,tid=0xcd0] Leaving ProcessGroupPolicyExLocUsAndGroups() returned 0x000000b7

  • Best practice deploying additional updates

    Hello, what is the best practice concerning monthly Windows updates? We are currently adding additional Windows updates to the existing 1 package and updating the content on the DPs. However this seems to work with inconsistent results.
    DPs are not finalising content.
    Other places I have worked we would create a separate package each month for additional updates and never had an issue. Any thoughts?
    SCCM Deployment Technician

    The documented best practices are all related to the maximum number of patches that are part of one deployment. That number should not pass the 1000.
    Remember this is a hard limit of 1000 updates per Software Update Group (not deployment package). It's quite legitimate to use a single deployment package.
    I usually create static historical Software Updates Groups at a point in time (eg November 2014). In this case it is not possible to have a single SUG for all products (Windows 7 has over 600 updates for example). You have to split them. I deploy these updates (to pilot and production) and leave the deployments in place. Then I create an ADR which creates a new SUG each month and deploy (to pilot and production).
    You can use a single deployment package for all the above.
    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

  • Processing of Group Policy failed - User Policy - Windows 7

    OP:
    http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/191f1ee1-a551-446b-9808-ff66a952bb25
    When running a gpupdate I get the following message:
    Updating Policy...
    User policy could not be updated successfully. The following errors were encount
    ered:
    The processing of Group Policy failed. Windows could not authenticate to the Act
    ive Directory service on a domain controller. (LDAP Bind function call failed).
    Look in the details tab for error code and description.
    Computer Policy update has completed successfully.
    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
    rom the command line to access information about Group Policy results.
    This only happens on one computer under a certain account; other accounts work fine and the problem account works fine on other computers. Therefore the problem is located on the Windows 7 computer.
    I have tracked it down to an LDAP error code 49. 
    I tried the MS solution (http://technet.microsoft.com/en-us/library/cc727283(v=ws.10).aspx) but the credentials are sound.
    I can also connect to the DC with LDP.exe fine. 
    Here are the diagnostic read outs (GPResult was too long to post):
    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          2/29/2012 1:56:09 PM
    Event ID:      1006
    Task Category: None
    Level:         Error
    Keywords:     
    User:          Domain\UserAccount
    Computer:      Win7-ComputerA.FQDomain
    Description:
    The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
        <EventID>1006</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>1</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-02-29T19:56:09.732842600Z" />
        <EventRecordID>32458</EventRecordID>
        <Correlation ActivityID="{CECE6DDC-E7CC-4563-8109-E62382F645D4}" />
        <Execution ProcessID="984" ThreadID="3688" />
        <Channel>System</Channel>
        <Computer>Win7-ComputerA.FQDomain</Computer>
        <Security UserID="S-1-5-21-416373151-1271962822-2142307910-40105" />
      </System>
      <EventData>
        <Data Name="SupportInfo1">1</Data>
        <Data Name="SupportInfo2">5012</Data>
        <Data Name="ProcessingMode">0</Data>
        <Data Name="ProcessingTimeInMilliseconds">1326</Data>
        <Data Name="ErrorCode">49</Data>
        <Data Name="ErrorDescription">Invalid Credentials</Data>
        <Data Name="DCName">
        </Data>
      </EventData>
    </Event>
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WIN7-ComputerA
       Primary Dns Suffix  . . . . . . . : FQDomain
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : FQDomain
                                           ParentDomain
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . : FQDomain
       Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connecti
    on
       Physical Address. . . . . . . . . : 00-21-CC-5F-CF-DF
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 216.71.244.28(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Wednesday, February 29, 2012 12:38:25 PM
       Lease Expires . . . . . . . . . . : Thursday, March 01, 2012 12:38:24 PM
       Default Gateway . . . . . . . . . : 216.71.244.1
       DHCP Server . . . . . . . . . . . : 216.71.244.2
       DNS Servers . . . . . . . . . . . : 216.71.244.2
                                           216.71.240.120
                                           216.71.240.132
       Primary WINS Server . . . . . . . : 216.71.244.2
       Secondary WINS Server . . . . . . : 216.71.240.130
                                           216.71.240.122
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Wireless LAN adapter Wireless Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) WiFi Link 1000 BGN
       Physical Address. . . . . . . . . : 8C-A9-82-B0-67-E8
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Hi,
    It sounds like a port blocking issue. It seems your client system is connecting to the 216.71.240.x DNS servers as a logon server, which seem to be on a different subnet as per the subnet mask, so there must be a router or firewall in between and so it might be that Active Directory ports are being blocked.
    So first, for testing purposes, just remove the other 216.71.240.x DNS servers from the TCP/IP configuration and clear the DNS cache
    ipconfig/flushdns
    and restart the system. Check if it works.
    Or run this command on the DC
    dcdiag /test:dns
    and share the error report.
    Cheers!
    Sanjay

  • Best practice for select access to users

    Not sure if this is the correct forum to post, if not then let me know where should I post.
    From my understanding this is the best forum to ask this questions.
    Are you aware of any "Best Practice Document" to grant select accesses to users on databases. These users are developers which select data out of database for the investigation and application bug fix.
    From time to time user want more and more access to different tables so that they can do investigation properly.
    Let me know if there exists a best practice document around this space.
    Asked in this forum as this is related to PL/SQL access.

    Welcome to the forum!
    Whenever you post provide your 4 digit Oracle version.
    >
    Are you aware of any "Best Practice Document" to grant select accesses to users on databases. These users are developers which select data out of database for the investigation and application bug fix.
    From time to time user want more and more access to different tables so that they can do investigation properly.
    Let me know if there exists a best practice document around this space.
    >
    There are many best practices documents about various aspects of security for Oracle DBs but none are specific to developers doing investigation.
    Here is the main page for Oracle's OPAC white papers about security.
    http://www.oracletechnetwork-ap.com/topics/201207-Security/resources_whitepaper.cfm
    Take a look at the ones on 'Oracle Identity Management' and on 'Developers and Identity Services'.
    http://www.dbspecialists.com/files/presentations/implementing_oracle_11g_enterprise_user_security.pdf
    This paper by Database Specialists shows how to use Oracle Identity Management to limit access to users such as developers through the use of roles. It shows some examples of users using their own account but having limited privileges based on the role they are given.
    http://www.dbspecialists.com/files/presentations/implementing_oracle_11g_enterprise_user_security.pdf
    And this Oracle White Paper, 'Oracle Database Security Checklist', is a more basic security doc that discusses the entire range of security issues that should be considered for an Oracle Database.
    http://www.oracle.com/technetwork/database/security/twp-security-checklist-database-1-132870.pdf
    You don't mention what environment (PROD/QA/TEST/DEV) you are even talking about or whether the access is to deal with emergency issues or general reproduction and fixing of bugs.
    Many sites create special READONLY roles, eg. READ_ONLY_APP1, and then grant privileges to those roles for tables/objects that application uses. Then that role can be granted to users that need privileges for that application and can be revoked when they no longer need it.
    Some sites prefer creating special READONLY users that have those read only roles. If a user needs access the DBA changes the password and provides the account info to the user. When the user has completed their duties the DBA resets the password to something no one else knows.
    Those special users have auditing on them and the user using them is responsible for all activity recorded in the logs during the time the user has access to that account.
    In general you grant the minimum privileges needed and revoke them when they are no longer needed; generally through the use of roles.
    >
    Asked in this forum as this is related to PL/SQL access.
    >
    Please explain that. Your question was about 'access to different tables'. How does PL/SQL access fit into that?
    The important reason for the difference is that access is easily controlled thru the use of roles but in named PL/SQL blocks roles are disabled. So those special roles and accounts mentioned above are well-suited to allowing developers to query data but are not well-suited if the user needs to execute PL/SQL code belonging to another schema (the app schema).

  • Best practice: Deployment plan for cluster environment

    Hi All,
    I want to know which way is the best practice for preparing and deploying a new configuration for a WLS cluster environment. How can I plan a simultaneous deployment of ALL of the nodes, without a single point of failure?
    Regards,
    Moh

    Hi All,
    I get the Answer as followed:
    When you deploy an application OR redeploy an application, the deployment is initiated from the Admin Server and it is initiated on all targets (managed servers in the cluster) at the same time based on targets (which is expected to be cluster).
    We recommend that applications should be targeted to a cluster instead of individual servers whenever a cluster configuration is available.
    So, as long as you target the application to the cluster, the admin server will initiate the deployment on all the servers in a cluster at the same time, so the application is in sync on all servers.
    Hope that answers your queries. If not, please let me know what exactly you mean by synchronization.
    Regards,
    Moh

  • Best practices for defining Environment Variables/User Accounts in Linux

    Hello,
    After reading through the Quick Install guide for 10gR2 on x86_64 Linux, I see that it is not recommended to define ANY variables in .bash_profile.
    I'm hoping to get a Best practices approach for defining environment variables - right now we use the oracle linux account for administration including sql*plus. So, where should the myriad variables be defined? Is it important enough to create a user account in linux to support best practices?
    What variables, exactly, should be defined? It seems that LD_LIBRARY_PATH is no longer being used?
    Thanks in advance
    Doug

    Something that I've done for years on unix/linux boxes is to create a separate environment variable setup file for each instance on the box. This would include things like ORACLE_HOME, ORACLE_SID, etc. Then I would create an alias in my .bash_profile that would execute this script. As an example, I would create an orcl.env file that would hold all of the environment variables for this instance. Then in my .bash_profile I would create a line like the following:
    alias orcl=". $HOME/orcl.env"
    Then from anywhere you could type orcl and you would set your environment to connect to that database.
    Also, if you are using 10g, something else that is really nice if you are using sqlplus, and you connect to different databases without starting a new sqlplus session is to set a parameter in your $ORACLE_HOME/sqlplus/admin/glogin.sql file:
    set sqlprompt "_user 'at' _connect_identifier >"
    This will automatically change your command prompt to look like this:
    RALPH at ORCL >
    If you connect as GEORGE, your prompt will immediately change to:
    GEORGE at ORCL >
    This way you can always know who and where you are connected to.
    Good luck!

  • Best practices TopLink Mapping Workbench multi-user + CVS?

    This might be a very important issue, in our decision whether or not to choose TopLink --
    How well is multi-user development and CVS supported when using the TopLink Mapping Workbench? Are there best practices regarding this use case?
    Thanks.

    We have no problem with the workbench and CVS. Only a couple of our developers are responsible for the mappings so we haven't really run into concurrent edits. It's pure XML so a decent mergetool with XML support should let you resolve conflicts pretty easily.

  • How to disable via Group Policy - "Any user who has a password doesn't need to enter it when waking this PC"

    The setting can be found in the following location:
    From the “Charm” bar, Settings>Change PC Settings>Users>Sign-in Options> click the “Change” button next to “Any user who has a password must enter it when waking this PC”.
    I am looking to disable this option via Group Policy on our domain, but am unable to find a default policy related to this setting.  I am searching Group Policy on a Server 2012 machine, and in local Group Policy in Windows 8, but have found nothing. 
    Hoping I'm just missing the location of this and someone can point me to the right place.
    Regards,
    -BN

    There is no specific policy for this item. Please set “Require a password on wakeup” policy instead.
    Niki Han
    TechNet Community Support

    I'm using Windows Server 2012 R2, and I can't find the above quoted policy, and don't know where to look anymore. I searched for "Require a password when the computer wakes up", but it took me to the "Define Power Buttons and Turn On Password Protection" page of System Settings, but there's NOTHING there except the "When I press the power button".  I really want to stop having to enter a password every time I wake up the monitor screen.
    Capt. Dinosaur

  • Event 4098, Group Policy Local Users and Groups

    Hello,
    A few of our computers on the network are not replacing the local "Administrator (built-in)" account with our administrator account we set up through Group Policy. I receive the following error message from the Application Logs. I'm not sure if this error is a PC issue instead of a Group Policy issue, because Group Policy seems to be working fine on our other PCs. Any suggestions/ideas would be helpful. Thank you.
    Error message: The computer "Administrators (built-in) preference item in the "Security Policies {CD8199AF-99A8-41F8-8D28-C92DD9C57A51}" Group Policy object did not apply because it failed with error code '0x80070526 The specified group policy
    already exists.' This error was suppressed.

    Hi,
    It seems that you have configured this security policy already. You can try running the GPupdate /force command and then check if all security policies are applied on your computer:
    Resultant Set of Policy
    http://technet.microsoft.com/en-us/library/cc772175.aspx
    you can use this command to retrieve the specific group policy:
    http://technet.microsoft.com/en-us/library/ee461059.aspx
    Alex Zhao
    TechNet Community Support

  • Best practice for a same query against 2 different tables

    Hello all,
    I want to extract info about tablespaces storage, both permanent and temporary. For that I use 2 different cursors that do exactly the same query but against a different table (dba_data_files and dba_temp_files).
    CURSOR permanentTBSStorageInfo (tablespaceName VARCHAR2) IS
    SELECT file_name, bytes, autoextensible, maxbytes, increment_by
    FROM dba_data_files
    WHERE tablespace_name = tablespaceName;
    CURSOR temporaryTBSStorageInfo (tablespaceName VARCHAR2) IS
    SELECT file_name, bytes, autoextensible, maxbytes, increment_by
    FROM dba_temp_files
    WHERE tablespace_name = tablespaceName;
    First, I'm bothered that I have to use 2 cursors to execute the same query against 2 different tables. Is there no other way around?
    Then I fetch the results of these cursors in 2 different loops because I didn't find a way to dynamically call the cursors. I am looking for best practice here, knowing that I will do the same parsing against the results of the 2 cursors.
    Thank you,

    Hi
    Check whether the below query is helpful or not
    select      fs.tablespace_name "Tablespace",
         fs.tempspace "Temp MB",
         df.totalspace "Total MB"
         from
         (select
         tablespace_name,
         round(sum(bytes) / 1048576) TotalSpace
         from
         dba_data_files
         group by
         tablespace_name
         ) df,
         (select
         tablespace_name,
         round(sum(bytes) / 1048576) tempSpace
         from
         dba_temp_files
         group by
         tablespace_name
         ) fs
         where
         df.tablespace_name = fs.tablespace_name;
    Thanks

  • OSB best practices to run business service on two different environments

    Hi.
    I am using Service Bus 11gR1
    Oracle Service Bus Version: [Oracle Service Bus L10N Dependencies 11.1 Fri Dec 4 17:43:22 EST 2009 ]
    Oracle Weblogic Server Version: [WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 ]
    I deploy my OSB services on two different environments (development, production).
    How to setup business service to run on two different environments without changing source (business service transport Endpoint URI)?
    Thanks in advance.

    I am not sure of any tutorial.
    For your case, if you just have one URI and you want to change the URI for the business service, you can simply use the OSB Customization file. This is straightforward.
    If you have complex routing logic based on input fields, you can follow the steps below:
    Create a simple table with Business Service Name, Env and URI as columns.
    Create a select DBAdapter to return the URI
    Create a business svc out of the DBAdapter files
    Use the business service to fetch the URI and finally
    Use the URI override (ref - http://www.oracle.com/technetwork/middleware/service-bus/learnmore/index.html)
    Edited by: Prabu on Feb 21, 2012 8:10 PM
