Re: [ActiveDir] Lockout after X invalid login attemps
Check to see whether you have Block Policy Inheritance set for the Domain Controllers container. If you have, you need to unset it (i.e. allow inheritance) in order for the Account Lockout policy to work. Account policies are set in the Default Domain Policy, but they are actually enforced by the Domain Controllers. This makes sense given that the DCs handle domain logons. If you set Account policies but block inheritance on the Domain Controllers container, these policies will not be enforced. Tony -- Original Message -- From: EN [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Thu, 19 Sep 2002 14:14:48 -0500 Yup, did that too. I even went back after defining it at the domain level and changed the settings on each container. Still no go. Everything else I try works like a charm with GPOs except this. Ernesto - Original Message - From: Salandra, Justin A. [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, September 19, 2002 2:08 PM Subject: RE: [ActiveDir] Lockout after X invalid login attemps Did you define it at the domain level? -Original Message- From: EN [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 19, 2002 2:58 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Lockout after X invalid login attemps I've tried to get this to work, but nothing seems to be happening. I test out the setting, placed on BOTH the pc container and the user container, but again, nothing happens. Has anyone had this work properly? If so, what steps are necessary for this to work? Thanks Ernesto List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Mailmerge
Hi, Has anyone had any experience with mail merging information from Active Directory to Word? Amit Zinman Systems Consultant Integrity Systems [EMAIL PROTECTED] 03-7522424 058-326753
RE: [ActiveDir] setting/restricting permissions on objects in OU tree
Tony, Are you sure ownership can't be given away? That wasn't my understanding (though it's what you'll read in Microsoft's MCSE books). AFAIK, there's nothing in the API which will prevent you from doing this, just the GUI. There are 3rd party applications which add this functionality (Quota software if I remember rightly, as quotas are assigned to the owner of an object). So perhaps coding would be possible? Darren. -Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED]] Sent: 20 September 2002 12:57 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree If I understand this correctly, the issue here is that the creator of an object is automatically designated as the Owner of the object. Through ownership of the object this person has certain permissions that you don't really want them to have. I don't have a neat solution this, but perhaps there are some workarounds, e.g. 1. Provide a tool (e.g. web based) that allows people with delegated permissions to create the objects they are allowed to, but use a protected account to actually perform the object creation. In other words, the tool acts as intermediary. It checks the credentials of the user requesting the creation against the ACL and, if the account has the required permission, the tool will create the object using the protected account. 2. Use a protected account to take ownership of objects shortly after they have been created. I don't like this approach as the only way that I know to change ownership is to actually take it by clicking - it can't be given away. Tony -- Original Message -- From: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Fri, 20 Sep 2002 11:58:17 +1000 Rick, Any further ideas? Gil? Michael Homsey Telecommunications and Industrial Physics CSIRO, Australia -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Tuesday, 17 September 2002 2:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree Michael, Good question here, and one that I haven't run into - hence don't have an answer. 10 minutes of looking at my references didn't turn up anything. I'll keep looking, because I remember reading something about this andit's kinda bugging me now. Gil, if you're reading this - what do you know about this? Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Monday, September 16, 2002 9:53 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree Thanks Rick, there must be something i am missing. I can restrict the changes to the immediate OU so its permissions cannot be changed. I can restrict the objects created (eg nesting of OUs ) and the computer objects. However, if I create a sub-ou, it allows me to disconnect the inherited permissions with the check box. which privelege turns this off? Michael Homsey -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Monday, 16 September 2002 9:48 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree Go to the advanced ACLs of the user / group that you want to remove the ability to change permissions and remove the 'Modify Permissions' permission at that level. This must be done in the Advanced mode of the Security of the object(s) that you want to affect. Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Sunday, September 15, 2002 6:17 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] setting/restricting permissions on objects in OU tree Dear all, I wish to be able to delegate the creation of OUs and specific objects in an OU tree. Giving the permission to create an OU allows the creator to change permissions and cirumvent controls on the OU subtree. If I wanted peopleto manage a certain type of object eg create/deleet computer accounts full control of computer accounts create delete sub OUs, but not change permissions so that they could create delete people objects, Whats set of permissiosn are need on the parent oU to achieve this? Michael Homsey CSIRO Australia List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List
RE: [ActiveDir] setting/restricting permissions on objects in OU tree
No, I'm not sure - just going on what I've read. It would make sense from a security point of view though. If I can only _take_ ownership then it's pretty clear that I am the authentic owner. However, if I can assign ownership to anyone and everyone then the concept of owner authenticity disappears. Tony -- Original Message -- From: Darren Sykes [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Fri, 20 Sep 2002 13:00:23 +0100 Tony, Are you sure ownership can't be given away? That wasn't my understanding (though it's what you'll read in Microsoft's MCSE books). AFAIK, there's nothing in the API which will prevent you from doing this, just the GUI. There are 3rd party applications which add this functionality (Quota software if I remember rightly, as quotas are assigned to the owner of an object). So perhaps coding would be possible? Darren. -Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED]] Sent: 20 September 2002 12:57 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree If I understand this correctly, the issue here is that the creator of an object is automatically designated as the Owner of the object. Through ownership of the object this person has certain permissions that you don't really want them to have. I don't have a neat solution this, but perhaps there are some workarounds, e.g. 1. Provide a tool (e.g. web based) that allows people with delegated permissions to create the objects they are allowed to, but use a protected account to actually perform the object creation. In other words, the tool acts as intermediary. It checks the credentials of the user requesting the creation against the ACL and, if the account has the required permission, the tool will create the object using the protected account. 2. Use a protected account to take ownership of objects shortly after they have been created. I don't like this approach as the only way that I know to change ownership is to actually take it by clicking - it can't be given away. Tony -- Original Message -- From: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Fri, 20 Sep 2002 11:58:17 +1000 Rick, Any further ideas? Gil? Michael Homsey Telecommunications and Industrial Physics CSIRO, Australia -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Tuesday, 17 September 2002 2:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree Michael, Good question here, and one that I haven't run into - hence don't have an answer. 10 minutes of looking at my references didn't turn up anything. I'll keep looking, because I remember reading something about this andit's kinda bugging me now. Gil, if you're reading this - what do you know about this? Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Monday, September 16, 2002 9:53 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree Thanks Rick, there must be something i am missing. I can restrict the changes to the immediate OU so its permissions cannot be changed. I can restrict the objects created (eg nesting of OUs ) and the computer objects. However, if I create a sub-ou, it allows me to disconnect the inherited permissions with the check box. which privelege turns this off? Michael Homsey -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Monday, 16 September 2002 9:48 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree Go to the advanced ACLs of the user / group that you want to remove the ability to change permissions and remove the 'Modify Permissions' permission at that level. This must be done in the Advanced mode of the Security of the object(s) that you want to affect. Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Sunday, September 15, 2002 6:17 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] setting/restricting permissions on objects in OU tree Dear all, I wish to be able to delegate the creation of OUs and specific objects in an OU tree. Giving the permission to create an OU allows the creator to change permissions and cirumvent controls on the OU
RE: [ActiveDir] setting/restricting permissions on objects in OU tree
I fully understand the theory behind ownership, however on NTFS permissions, this could be manipulated. Look at number 16) on http://www.giant-technologies.co.uk/quotaadvisor/ which mentions the utility they provide. Presumably a dACL on a file will by the same structure as those on an AD object? Darren. -Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED]] Sent: 20 September 2002 13:23 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree No, I'm not sure - just going on what I've read. It would make sense from a security point of view though. If I can only _take_ ownership then it's pretty clear that I am the authentic owner. However, if I can assign ownership to anyone and everyone then the concept of owner authenticity disappears. Tony -- Original Message -- From: Darren Sykes [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Fri, 20 Sep 2002 13:00:23 +0100 Tony, Are you sure ownership can't be given away? That wasn't my understanding (though it's what you'll read in Microsoft's MCSE books). AFAIK, there's nothing in the API which will prevent you from doing this, just the GUI. There are 3rd party applications which add this functionality (Quota software if I remember rightly, as quotas are assigned to the owner of an object). So perhaps coding would be possible? Darren. -Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED]] Sent: 20 September 2002 12:57 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree If I understand this correctly, the issue here is that the creator of an object is automatically designated as the Owner of the object. Through ownership of the object this person has certain permissions that you don't really want them to have. I don't have a neat solution this, but perhaps there are some workarounds, e.g. 1. Provide a tool (e.g. web based) that allows people with delegated permissions to create the objects they are allowed to, but use a protected account to actually perform the object creation. In other words, the tool acts as intermediary. It checks the credentials of the user requesting the creation against the ACL and, if the account has the required permission, the tool will create the object using the protected account. 2. Use a protected account to take ownership of objects shortly after they have been created. I don't like this approach as the only way that I know to change ownership is to actually take it by clicking - it can't be given away. Tony -- Original Message -- From: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Fri, 20 Sep 2002 11:58:17 +1000 Rick, Any further ideas? Gil? Michael Homsey Telecommunications and Industrial Physics CSIRO, Australia -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Tuesday, 17 September 2002 2:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree Michael, Good question here, and one that I haven't run into - hence don't have an answer. 10 minutes of looking at my references didn't turn up anything. I'll keep looking, because I remember reading something about this andit's kinda bugging me now. Gil, if you're reading this - what do you know about this? Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Monday, September 16, 2002 9:53 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree Thanks Rick, there must be something i am missing. I can restrict the changes to the immediate OU so its permissions cannot be changed. I can restrict the objects created (eg nesting of OUs ) and the computer objects. However, if I create a sub-ou, it allows me to disconnect the inherited permissions with the check box. which privelege turns this off? Michael Homsey -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Monday, 16 September 2002 9:48 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree Go to the advanced ACLs of the user / group that you want to remove the ability to change permissions and remove the 'Modify Permissions' permission at that level. This must be done in the Advanced mode of the Security of the object(s) that you want to affect. Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C.
[ActiveDir] Extended Account Properties (?)
Hi, Does anyone know of a AD Tool/Query which will tell you the last date/time an AD Object was modified? Thanks, Justin Leney NIST/Systems Plus Windows Server Team 301-975-4903 (Desk) 301-664-0106 (Pager) List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] setting/restricting permissions on objects in OU tree
The Owner SID for a Security Descriptor is most definitely replaceable. You can initialize a blank security descriptor (SD), fill in the Owner SID (SetSecurityDescriptorOwner) with your desired new owner, then overwrite the existing SD (the neat part is during the overwrite the blank sections of the new SD are ignored, leaving the existing SD components in place). The trick (at the time) was that you required SeDebugPrivileges to perform the low level SD replacement. I wrote a Windows version of Chown back in 1998 after a breakout discussion on Security programming at MS PDC, where it was questioned whether or not it was possible to do programmatically. If you're interested, I think the source is still posted on VbAdminCode (http://www.vbadmincode.btinternet.co.uk/). Please note that it's very old code and was at the time intended to work against file objects in NTFS, but I believe the principals still hold true for manipulation of Directory objects (and it still works on NTFS 5 file objects, I just tested it). As for the architectural concept of assigned ownership control, the two-part process of object ownership defined by Microsoft has it's pros and cons. Owner identity control from the standpoint of giving a user the 'right' to be the owner of an object and then that user actually 'taking' ownership does ensure a degree of ownership integrity, but in my mind the overhead required to perform this two-part procedure has the potential for creating an administrative problem (esp. in large-scale environments where the ownership of objects may change hands frequently). Also, it begs the greater question of what your 'trusted' administrators should be able to do (which is why I wrote Chown :-)). Richard -Original Message- From: Darren Sykes [mailto:[EMAIL PROTECTED]] Sent: Friday, September 20, 2002 8:32 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree I fully understand the theory behind ownership, however on NTFS permissions, this could be manipulated. Look at number 16) on http://www.giant-technologies.co.uk/quotaadvisor/ which mentions the utility they provide. Presumably a dACL on a file will by the same structure as those on an AD object? Darren. -Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED]] Sent: 20 September 2002 13:23 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree No, I'm not sure - just going on what I've read. It would make sense from a security point of view though. If I can only _take_ ownership then it's pretty clear that I am the authentic owner. However, if I can assign ownership to anyone and everyone then the concept of owner authenticity disappears. Tony -- Original Message -- From: Darren Sykes [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Fri, 20 Sep 2002 13:00:23 +0100 Tony, Are you sure ownership can't be given away? That wasn't my understanding (though it's what you'll read in Microsoft's MCSE books). AFAIK, there's nothing in the API which will prevent you from doing this, just the GUI. There are 3rd party applications which add this functionality (Quota software if I remember rightly, as quotas are assigned to the owner of an object). So perhaps coding would be possible? Darren. -Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED]] Sent: 20 September 2002 12:57 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree If I understand this correctly, the issue here is that the creator of an object is automatically designated as the Owner of the object. Through ownership of the object this person has certain permissions that you don't really want them to have. I don't have a neat solution this, but perhaps there are some workarounds, e.g. 1. Provide a tool (e.g. web based) that allows people with delegated permissions to create the objects they are allowed to, but use a protected account to actually perform the object creation. In other words, the tool acts as intermediary. It checks the credentials of the user requesting the creation against the ACL and, if the account has the required permission, the tool will create the object using the protected account. 2. Use a protected account to take ownership of objects shortly after they have been created. I don't like this approach as the only way that I know to change ownership is to actually take it by clicking - it can't be given away. Tony -- Original Message -- From: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Fri, 20 Sep 2002 11:58:17 +1000 Rick, Any further ideas? Gil? Michael Homsey Telecommunications and Industrial Physics CSIRO, Australia -Original
RE: [ActiveDir] Allowed windows applications
Have you tried removing the RUN command from the Start Menu via Group Policy? Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of marija efnuseva Sent: Friday, September 20, 2002 7:48 AM To: ActiveDirLista Subject: [ActiveDir] Allowed windows applications Hi, Thank you very much for the answer about my folder problems. I would also appreciate if someone could tell me where can I find some more documentation about Security Templates. I would also like to ask if anyone knows how can I allow my users on the client computers activate only one program: Borland C. I tried giving the administrative template Run only allowed Windows applications, but when I try to start bc.exe from the client computer as a shortcut in the Start menu, it says that the action was prevented by the policy. on the other hand, if I try to start it by the command line it - STARTs. My problem is that I do not want to allow access to the command prompt for my users, since then they can do and go almost everywhere. All they need for their work is Borland C. Is the shortcut the problem, or the problem is that Borland C is a DOS application. Thanks for all answers. Marija List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] setting/restricting permissions on objects in OU tree
Richard, Sure, I build a fire and you come throw water on it. Damn you! :-) Thanks for this. I do now remember this. Thanks for the correction. I do, somehow, think that we've strayed from the original requstors needs. :-) Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Puckett, Richard Sent: Friday, September 20, 2002 8:22 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree The Owner SID for a Security Descriptor is most definitely replaceable. You can initialize a blank security descriptor (SD), fill in the Owner SID (SetSecurityDescriptorOwner) with your desired new owner, then overwrite the existing SD (the neat part is during the overwrite the blank sections of the new SD are ignored, leaving the existing SD components in place). The trick (at the time) was that you required SeDebugPrivileges to perform the low level SD replacement. I wrote a Windows version of Chown back in 1998 after a breakout discussion on Security programming at MS PDC, where it was questioned whether or not it was possible to do programmatically. If you're interested, I think the source is still posted on VbAdminCode (http://www.vbadmincode.btinternet.co.uk/). Please note that it's very old code and was at the time intended to work against file objects in NTFS, but I believe the principals still hold true for manipulation of Directory objects (and it still works on NTFS 5 file objects, I just tested it). As for the architectural concept of assigned ownership control, the two-part process of object ownership defined by Microsoft has it's pros and cons. Owner identity control from the standpoint of giving a user the 'right' to be the owner of an object and then that user actually 'taking' ownership does ensure a degree of ownership integrity, but in my mind the overhead required to perform this two-part procedure has the potential for creating an administrative problem (esp. in large-scale environments where the ownership of objects may change hands frequently). Also, it begs the greater question of what your 'trusted' administrators should be able to do (which is why I wrote Chown :-)). Richard -Original Message- From: Darren Sykes [mailto:[EMAIL PROTECTED]] Sent: Friday, September 20, 2002 8:32 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree I fully understand the theory behind ownership, however on NTFS permissions, this could be manipulated. Look at number 16) on http://www.giant-technologies.co.uk/quotaadvisor/ which mentions the utility they provide. Presumably a dACL on a file will by the same structure as those on an AD object? Darren. -Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED]] Sent: 20 September 2002 13:23 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree No, I'm not sure - just going on what I've read. It would make sense from a security point of view though. If I can only _take_ ownership then it's pretty clear that I am the authentic owner. However, if I can assign ownership to anyone and everyone then the concept of owner authenticity disappears. Tony -- Original Message -- From: Darren Sykes [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Fri, 20 Sep 2002 13:00:23 +0100 Tony, Are you sure ownership can't be given away? That wasn't my understanding (though it's what you'll read in Microsoft's MCSE books). AFAIK, there's nothing in the API which will prevent you from doing this, just the GUI. There are 3rd party applications which add this functionality (Quota software if I remember rightly, as quotas are assigned to the owner of an object). So perhaps coding would be possible? Darren. -Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED]] Sent: 20 September 2002 12:57 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree If I understand this correctly, the issue here is that the creator of an object is automatically designated as the Owner of the object. Through ownership of the object this person has certain permissions that you don't really want them to have. I don't have a neat solution this, but perhaps there are some workarounds, e.g. 1. Provide a tool (e.g. web based) that allows people with delegated permissions to create the objects they are allowed to, but use a protected
RE: [ActiveDir] Extended Account Properties (?)
Justin, I'd done an earlier posting for someone (w/ source) to view the whenChanged attribute on objects within a given timeframe. I can repost it if necessary. Additionally you can use ADSIEDIT.MSC to view that attribute directly on the desired object, or ENUMPROP.EXE LDAP://cn=administrator,...,dc=com; to view that value within the list of other returned attributes. Hope this helps, Richard -Original Message- From: Thornley, Dave H [mailto:[EMAIL PROTECTED]] Sent: Friday, September 20, 2002 9:09 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Extended Account Properties (?) Turn on Advanced Features (View menu in ADUC) and look on the Object tab? dave -Original Message- From: Leney, Justin [mailto:[EMAIL PROTECTED]] Sent: 20 September 2002 14:02 To: [EMAIL PROTECTED] Subject: [ActiveDir] Extended Account Properties (?) Hi, Does anyone know of a AD Tool/Query which will tell you the last date/time an AD Object was modified? Thanks, Justin Leney NIST/Systems Plus Windows Server Team 301-975-4903 (Desk) 301-664-0106 (Pager) List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Querying the DN
I have been trying to figure out a way using LDP to query the DN or Canonical Name with no success. I can query fields using samaccountName, Notes, etc. Any one know how to query it? I know I can LDIF it and use ADSI. Todd List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Querying the DN
The 'distinguishedName' attribute is present on all objects, which can be used to query or retrieve the DN. Have you tried that? Robbie Allen -Original Message- From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]] Sent: Friday, September 20, 2002 10:22 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Querying the DN I have been trying to figure out a way using LDP to query the DN or Canonical Name with no success. I can query fields using samaccountName, Notes, etc. Any one know how to query it? I know I can LDIF it and use ADSI. Todd List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Utilities needed
Cool, thanks for the info, I will give that a try Thornley, Dave H [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/20/2002 10:30 AM Please respond to [EMAIL PROTECTED] To '[EMAIL PROTECTED]' [EMAIL PROTECTED] cc Subject RE: [ActiveDir] OT: Utilities needed You should be able to monitor the Elapsed time and CPU use of any process - Elapsed time isn't pretty (seconds it's been running for) but may do the job... They're both under the Process counter dave -Original Message- From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]] Sent: 20 September 2002 13:52 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Utilities needed I did not think that I could use perfmon to monitor services. How would you use it to monitor service uptime? Thanks Rick Kingslan [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/19/2002 09:09 PM Please respond to [EMAIL PROTECTED] To [EMAIL PROTECTED] cc Subject RE: [ActiveDir] OT: Utilities needed John, Though a completely MS solution and not 100% foolproof (though it's worked very well for my needs) setting up a simple perfmon with high and low watermarks with the proper alerting could work here. Rick Kingslan - Microsoft Certified Trainer MCSE+I on Windows NT 4.0 MCSE on Windows 2000 MVP [Windows NT/2000 Server] Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Hicks/MIS/HQ/KEMET/US Sent: Thursday, September 19, 2002 7:27 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] OT: Utilities needed I have been having problems with our Lotus Notes administrators making claims of services not running and using extremely high cpu. Of course I am never able to see the problem happening because they will kill the service. Sorry had to vent. I am looking for a utility that I can monitor the uptime of a service and monitor cpu usage of a service. Any suggestions would be greatly appreciated. Thanks
RE: [ActiveDir] Extended Account Properties (?)
Richard, thanks for the info. The WhenChanged attribute in ADSIEDIT is sufficient. Also, ENUMPROP.EXE; is that part of the 2000 Server Resource Kit? Jbl -Original Message- From: Puckett, Richard [mailto:[EMAIL PROTECTED]] Sent: Friday, September 20, 2002 9:35 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Extended Account Properties (?) Justin, I'd done an earlier posting for someone (w/ source) to view the whenChanged attribute on objects within a given timeframe. I can repost it if necessary. Additionally you can use ADSIEDIT.MSC to view that attribute directly on the desired object, or ENUMPROP.EXE LDAP://cn=administrator,...,dc=com; to view that value within the list of other returned attributes. Hope this helps, Richard -Original Message- From: Thornley, Dave H [mailto:[EMAIL PROTECTED]] Sent: Friday, September 20, 2002 9:09 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Extended Account Properties (?) Turn on Advanced Features (View menu in ADUC) and look on the Object tab? dave -Original Message- From: Leney, Justin [mailto:[EMAIL PROTECTED]] Sent: 20 September 2002 14:02 To: [EMAIL PROTECTED] Subject: [ActiveDir] Extended Account Properties (?) Hi, Does anyone know of a AD Tool/Query which will tell you the last date/time an AD Object was modified? Thanks, Justin Leney NIST/Systems Plus Windows Server Team 301-975-4903 (Desk) 301-664-0106 (Pager) List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Admin Account Trouble
Hello Everyone, My administrator account (Windows 2000 server) can not access the group policies for the Domain\ Domain Controller. I can not install software nor does the hardware wizard respond. Any ideas or suggestions? I would appreciate any advice. Thanks in advance, Mike List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Utilities needed
Title: Message John, Not sure if you're interested in this, but if the hosts support the use of WMI, you can do some fairly small (and cool) things with WMI, EventSinks and the Event Log, or with private EventFilters, Consumers (SMTPEventConsumer) FilterToConsumerBinding. These will allow you to create alerts (and e-mails) based on criteria you define for monitoring your service/process(to include service CreationDates, state changes, etc.) You can also chooseto useEventSinks to monitor the System event log for thecreation of 7023 (service terminations). MS recently released their WMI script repository help file that has quite a few useful snippets in it (see the second link below). MS Script Center http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/compmgmt/default.asp MS WMI System Administration Script repository http://www.microsoft.com/downloads/release.asp?ReleaseID=38942 Here's anexample: Monitor Changes in Service Status DescriptionTemporary event consumer that issues an alert any time a service changes status (for example, an active service that is paused or stopped). strComputer = "."Set objWMIService = GetObject("winmgmts:" _ "{impersonationLevel=impersonate}!\\" strComputer "\root\cimv2")Set colServices = objWMIService. _ ExecNotificationQuery("Select * from __instancemodificationevent " _ "within 30 where TargetInstance isa 'Win32_Service'")i = 0Do While i = 0 Set objService = colServices.NextEvent If objService.TargetInstance.State _ objService.PreviousInstance.State Then Wscript.Echo objService.TargetInstance.Name _ " is " objService.TargetInstance.State _ ". The service previously was " objService.PreviousInstance.State "." End IfLoop Regards, Richard -Original Message-From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]] Sent: Friday, September 20, 2002 11:17 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] OT: Utilities neededCool, thanks for the info, I will give that a try "Thornley, Dave H" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/20/2002 10:30 AM Please respond to[EMAIL PROTECTED] To "'[EMAIL PROTECTED]'" [EMAIL PROTECTED] cc Subject RE: [ActiveDir] OT: Utilities needed You should be able to monitor the Elapsed time and CPU use of any process - Elapsed time isn't pretty (seconds it's been running for) but may do the job... They're both under the Process counter dave -Original Message-From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]] Sent: 20 September 2002 13:52To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] OT: Utilities neededI did not think that I could use perfmon to monitor services. How would you use it to monitor service uptime? Thanks "Rick Kingslan" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/19/2002 09:09 PM Please respond to[EMAIL PROTECTED] To [EMAIL PROTECTED] cc Subject RE: [ActiveDir] OT: Utilities needed John, Though a completely MS solution and not 100% foolproof (though it's worked very well for my needs) setting up a simple perfmon with high and low watermarks with the proper alerting could work here. Rick Kingslan - Microsoft Certified TrainerMCSE+I on Windows NT 4.0MCSE on Windows 2000MVP [Windows NT/2000 Server]"Any sufficiently advanced technologyis indistinguishable from magic."--- Arthur C. Clarke -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Hicks/MIS/HQ/KEMET/USSent: Thursday, September 19, 2002 7:27 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] OT: Utilities neededI have been having problems with our Lotus Notes administrators making claims of services not running and using extremely high cpu. Of course I am never able to see the problem happening because they will kill the service. Sorry had to vent. I am looking for a utility that I can monitor the uptime of a service and monitor cpu usage of a service. Any suggestions would be greatly appreciated. Thanks
RE: [ActiveDir] Admin Account Trouble
I REALLY don't mean to be insulting -- but is it locked out? -Original Message- From: Michael Payne [mailto:[EMAIL PROTECTED]] Sent: Friday, September 20, 2002 12:43 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Admin Account Trouble Hello Everyone, My administrator account (Windows 2000 server) can not access the group policies for the Domain\ Domain Controller. I can not install software nor does the hardware wizard respond. Any ideas or suggestions? I would appreciate any advice. Thanks in advance, Mike List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Admin Account Trouble
Did the NTFS Permissions on the C:\ change on the Domain Controller in Question? -Original Message- From: Michael Payne [mailto:[EMAIL PROTECTED]] Sent: Friday, September 20, 2002 12:43 PM To: [EMAIL PROTECTED] Subject:[ActiveDir] Admin Account Trouble Hello Everyone, My administrator account (Windows 2000 server) can not access the group policies for the Domain\ Domain Controller. I can not install software nor does the hardware wizard respond. Any ideas or suggestions? I would appreciate any advice. Thanks in advance, Mike List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Utilities needed
Great, this looks like some good info. Thanks for the help Puckett, Richard [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/20/2002 12:37 PM Please respond to [EMAIL PROTECTED] To '[EMAIL PROTECTED]' [EMAIL PROTECTED] cc Subject RE: [ActiveDir] OT: Utilities needed John, Not sure if you're interested in this, but if the hosts support the use of WMI, you can do some fairly small (and cool) things with WMI, EventSinks and the Event Log, or with private EventFilters, Consumers (SMTPEventConsumer) FilterToConsumerBinding. These will allow you to create alerts (and e-mails) based on criteria you define for monitoring your service/process (to include service CreationDates, state changes, etc.) You can also choose to use EventSinks to monitor the System event log for the creation of 7023 (service terminations). MS recently released their WMI script repository help file that has quite a few useful snippets in it (see the second link below). MS Script Center http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/compmgmt/default.asp MS WMI System Administration Script repository http://www.microsoft.com/downloads/release.asp?ReleaseID=38942 Here's an example: Monitor Changes in Service Status Description Temporary event consumer that issues an alert any time a service changes status (for example, an active service that is paused or stopped). strComputer = . Set objWMIService = GetObject(winmgmts: _ {impersonationLevel=impersonate}!\\ strComputer \root\cimv2) Set colServices = objWMIService. _ ExecNotificationQuery(Select * from __instancemodificationevent _ within 30 where TargetInstance isa 'Win32_Service') i = 0 Do While i = 0 Set objService = colServices.NextEvent If objService.TargetInstance.State _ objService.PreviousInstance.State Then Wscript.Echo objService.TargetInstance.Name _ is objService.TargetInstance.State _ . The service previously was objService.PreviousInstance.State . End If Loop Regards, Richard -Original Message- From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]] Sent: Friday, September 20, 2002 11:17 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Utilities needed Cool, thanks for the info, I will give that a try Thornley, Dave H [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/20/2002 10:30 AM Please respond to [EMAIL PROTECTED] To '[EMAIL PROTECTED]' [EMAIL PROTECTED] cc Subject RE: [ActiveDir] OT: Utilities needed You should be able to monitor the Elapsed time and CPU use of any process - Elapsed time isn't pretty (seconds it's been running for) but may do the job... They're both under the Process counter dave -Original Message- From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]] Sent: 20 September 2002 13:52 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Utilities needed I did not think that I could use perfmon to monitor services. How would you use it to monitor service uptime? Thanks Rick Kingslan [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/19/2002 09:09 PM Please respond to [EMAIL PROTECTED] To [EMAIL PROTECTED] cc Subject RE: [ActiveDir] OT: Utilities needed John, Though a completely MS solution and not 100% foolproof (though it's worked very well for my needs) setting up a simple perfmon with high and low watermarks with the proper alerting could work here. Rick Kingslan - Microsoft Certified Trainer MCSE+I on Windows NT 4.0 MCSE on Windows 2000 MVP [Windows NT/2000 Server] Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Hicks/MIS/HQ/KEMET/US Sent: Thursday, September 19, 2002 7:27 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] OT: Utilities needed I have been having problems with our Lotus Notes administrators making claims of services not running and using extremely high cpu. Of course I am never able to see the problem happening because they will kill the service. Sorry had to vent. I am looking for a utility that I can monitor the uptime of a service and monitor cpu usage of a service. Any suggestions would be greatly appreciated. Thanks
Re: [ActiveDir] Allowed windows applications
Yes I have removed everything, but the shortcut for Borland C from the Start Menu, but I can not start this application, although it is allowed in the run only allowed Windows applications. Marija - Original Message - From: Rick Kingslan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, September 20, 2002 3:27 PM Subject: RE: [ActiveDir] Allowed windows applications Have you tried removing the RUN command from the Start Menu via Group Policy? Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of marija efnuseva Sent: Friday, September 20, 2002 7:48 AM To: ActiveDirLista Subject: [ActiveDir] Allowed windows applications Hi, Thank you very much for the answer about my folder problems. I would also appreciate if someone could tell me where can I find some more documentation about Security Templates. I would also like to ask if anyone knows how can I allow my users on the client computers activate only one program: Borland C. I tried giving the administrative template Run only allowed Windows applications, but when I try to start bc.exe from the client computer as a shortcut in the Start menu, it says that the action was prevented by the policy. on the other hand, if I try to start it by the command line it - STARTs. My problem is that I do not want to allow access to the command prompt for my users, since then they can do and go almost everywhere. All they need for their work is Borland C. Is the shortcut the problem, or the problem is that Borland C is a DOS application. Thanks for all answers. Marija List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Active directory object creation and usage
Hi Dipu, There is not a general purpose cclass to use... You'll have to extend the schema. Search MSDN for How to Extend the Schema... There is a Platform SDK article that describes all the steps. shamless plug Or you could check out my book Active Directory Programming (http://www.amazon.com/exec/obidos/tg/detail/-/0672315874/) from MacMillan. It describes how to extend the schema and includes C++ code to do it using either ADSI or LDAP. /shameless plug -gil Gil Kirkpatrick CTO, NetPro Author of Active Directory Programming from MacMillan -Original Message- From: Dipu Karuthedathu [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 19, 2002 10:14 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Active directory object creation and usage Hello All, I would like to get more info on the following: 1) Is there a general purpose ADS object class with a list of strings as attribute? If so, can i create and use an object of this class for my own application data? 2) If there is not a generic class, how do i extend the existing schema to create a custom object class programatically using C++? What are the interfaces available? Is there any samples available? Thanks and Best regards, Dipu. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] setting/restricting permissions on objects in OU tree
Brian, Funny - (well, to a simpleton like me at least) but I realized this once I got to work and had to chance to actually LOOK at your product. Yep - right there is a big ole button called Set Owner. This button in AA, the discussion here, all prompted me to start looking. And yeah, I found what you just repeated here. Pretty easy in AD, but a bit more difficult (but quite do-able) in NTFS. BTW, I really LIKE AA. As to the original question, I can't find any direct way to prevent a delegate from 'disengaging' and setting his/her own path. I, too, agree with Tony. (Tony being the really smart guy that he is - me, I'm the simpleton, remember? :-) ) Currently, I do see this as a hole in the delegation structure of the OUs. Needs to be addressed and I'm sure that we're too far into .Net to do anything now. But, it can go on the 'wish list' for Longhorn - which will be along around 2005 - 2006. Thanks for the input, Brian. And keep up the good work down there in Fla. I'm taking a serious look at AA, Sec Reporter and Sec Disc. Looking PRETTY good. Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian T. Small Sent: Friday, September 20, 2002 11:23 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree Rick, We provide a set owner function for AD in our Active Administrator product. It's actually a very simple thing to do - use the SetNamedSecurityInfo API and provide the sid to the new owner - that's it. It was actually more difficult to write the code for setting the owner on NTFS. Getting back to the original request, I think he was asking for a way to allow someone to create an OU, but then disallow him from changing security on that object. I agree with Tony - the only way I see to do this is to create a proxy to create the OU, or make them submit a work order for the creation of OUs (more work for real administrators, though). It doesn't matter what you put in the ACL (Deny Write Permissions, etc) - as long as he is the owner, he can do anything. Maybe a process running on the domain controllers, waiting for AD objects to be created and immediately setting the owner to BUILTIN\Administrators? Doesn't sound very realistic, though :) All the best, Brian Small President == Small Wonders Software [EMAIL PROTECTED] http://www.smallwonders.com 407.647.4555 : voice 407.647.9029 : fax == IMPORTANT - This e-mail message (and attachments) may contain information that is confidential to Small Wonders Software. If you are not the intended recipient you cannot use, distribute or copy the message or attachments. In such a case, please notify the sender by return e-mail immediately and erase all copies of the message and attachments. Opinions, conclusions and other information in this message and attachments that do not relate to the official business of Small Wonders Software are neither given nor endorsed by it. -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Friday, September 20, 2002 9:26 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree Darren, Tony - Interesting thought. At this point, just to clarify, until I see something that convinces me otherwise (API, code example, tool) Ownership must be taken, not given. Let me explain why it SHOULD be this way and not allowed to be circumvented. I take ownership of the payroll records. I give myself a 7 digit slaray, then assign ownership back to the original owner. (Granted - if IT SEC or the Payroll dept. has half a brain, these files are going to be audited anyway...). This is why I stand behind ownership needing to be taken, but not being able to ASSIGN. By default, all files are initially assigned to the Administrator at setup. Now as to AD objects, I still need to take a walk through the AD with DSACLS to see if I can find the answer for Michael. Time constraints and 24 hr. days suck. :-) Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Sykes Sent: Friday, September 20, 2002 7:32 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree I fully understand the theory behind ownership, however on NTFS
RE: [ActiveDir] Admin Account Trouble
Craig, Can't happen - the Administrator account can't be locked out. Which, if you think about it is the reason that it's attacked over any other potential admin equivalent account. If the account 'Rick' is an admin equiv but has a lockout of 3 attempts, I may as well go after the Administrator who won't lockout even though I'm going after it with a full onslaught brute force dictionary attack with my mongo dictionary with all possible replacement text. By open of business Monday the administrator account has taken on millions of password attempts. Yeah, it's kind of a small problem. Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 Any sufficiently advanced technology is indistinguishable from magic. --- Arthur C. Clarke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Cerino Sent: Friday, September 20, 2002 12:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Admin Account Trouble I REALLY don't mean to be insulting -- but is it locked out? -Original Message- From: Michael Payne [mailto:[EMAIL PROTECTED]] Sent: Friday, September 20, 2002 12:43 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Admin Account Trouble Hello Everyone, My administrator account (Windows 2000 server) can not access the group policies for the Domain\ Domain Controller. I can not install software nor does the hardware wizard respond. Any ideas or suggestions? I would appreciate any advice. Thanks in advance, Mike List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] netdiag results
Any errors in the logs? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lori Demkovich Sent: Thursday, September 19, 2002 11:14 To: [EMAIL PROTECTED] Subject: [ActiveDir] netdiag results I ran Netdiag and the trust relationship test failed. It said, Trust relationship test. . . . . . : Failed Test to ensure DomainSid of domain 'domainname' is correct. [FATAL] Secure channel to domain 'domainname' is broken. [ERROR_NO_LOGON_SERVERS] I've looked on Technet and can't find much on this. Any idea where I start and what I do to fix? Thanks, Lori D. .+-w i 0g-��+Yb mPi 0 -��+b ڪf.+-j! 0j! or yﶜ�I㚊V+v* List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Service Pack 3
Acrobat 4 or 5 ? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, September 17, 2002 18:16 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Service Pack 3 Justin, Broke our Adobe Acrobat PDF printer (Had to roll back to SP2 and re-install) and know of issues with Hummingbird Exceed other than I have had no problems... James -Original Message- From: Ken Cornetet [mailto:[EMAIL PROTECTED]] Sent: Wednesday, 18 September 2002 8:07 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Service Pack 3 It broke our Network Appliance NutScratch, er, um, I mean NetCache when we put it on our DCs. It will no longer authenticate users against our AD domain. NetApp is working with us to fix it. Other than that, we've seen no problems. -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 17, 2002 3:54 PM To: ActiveDir (E-mail) Subject: [ActiveDir] Service Pack 3 So what is the consensus on Service Pack 3 for Windows 2000? I have been running it on my laptop for a while now with no errors. Has anyone had any major problems that resulted from installing Service Pack 3 in their production environment?. Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 914.681.8117 office 646.483.3325 cell [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Service Pack 3
Running with no issues on my laptop and AD server -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A. Sent: Tuesday, September 17, 2002 16:54 To: ActiveDir (E-mail) Subject: [ActiveDir] Service Pack 3 So what is the consensus on Service Pack 3 for Windows 2000? I have been running it on my laptop for a while now with no errors. Has anyone had any major problems that resulted from installing Service Pack 3 in their production environment?. Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 914.681.8117 office 646.483.3325 cell [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Util/software to Log into Multiple AD domains for Administration
Title: Message RAdmin, too. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]Sent: Sunday, September 15, 2002 18:05To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Util/software to Log into Multiple AD domains for Administration Currently use PCAnywhere which is fantastic especially the latest version 10.5 but it is extremely expensive. The below product from the University of Cambridge is FREE: http://www.uk.research.att.com/vnc/ Alternatively you could set up terminal services and utilise the admin mode... James -Original Message-From: David N. Precht [mailto:[EMAIL PROTECTED]] Sent: Sunday, 15 September 2002 11:25 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Util/software to Log into Multiple AD domains for Administration PcAnywhere or Netswitcher -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve WilliamsSent: Friday, September 13, 2002 20:37To: [EMAIL PROTECTED]Subject: [ActiveDir] Util/software to Log into Multiple AD domains for Administration I log into about 10 different AD domains for Nets that I support, has anyone ever run into a utility that allows you to select which domain you want to select when you boot up, their used to be one for NT4 Wks that you could set up for multiple domains, I am tired of having to log in locally then rejoining a domain to be able to administer it, does anyone do this ?? Thanks in advance
RE: [ActiveDir] Networkdrive-mapping @ logon
Title: Message Kixtart login script -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jochen AndriesSent: Wednesday, September 18, 2002 08:08To: [EMAIL PROTECTED]Subject: [ActiveDir] Networkdrive-mapping @ logon Hello all, Is there a way I can configure to map drives at startup ? But more than 1 mapping. Also can I put in this same file other commands ? (Like route add .) Greetings, Jochen Andries Jabbeke Belgium