Re: [ActiveDir] Lockout after X invalid login attempts

2002-09-20 Thread Tony Murray

Check to see whether you have Block Policy Inheritance set for the Domain 
Controllers container.  If you have, you need to unset it (i.e. allow inheritance) in 
order for the Account Lockout policy to work.

Account policies are set in the Default Domain Policy, but they are actually enforced 
by the Domain Controllers.  This makes sense given that the DCs handle domain logons.  
If you set Account policies but block inheritance on the Domain Controllers container, 
these policies will not be enforced.

Tony

-- Original Message --
From: EN [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 19 Sep 2002 14:14:48 -0500

Yup, did that too.
I even went back after defining it at the domain level and changed the
settings on each container.  Still no go.
Everything else I try works like a charm with GPOs except this.

Ernesto


- Original Message -
From: Salandra, Justin A. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 19, 2002 2:08 PM
Subject: RE: [ActiveDir] Lockout after X invalid login attempts


 Did you define it at the domain level?

  -Original Message-
 From: EN [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, September 19, 2002 2:58 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Lockout after X invalid login attempts

 I've tried to get this to work, but nothing seems to be happening.  I tested
 out the setting, placed on BOTH the PC container and the user container, but
 again, nothing happens.  Has anyone had this work properly?
 If so, what steps are necessary for this to work?
 Thanks

 Ernesto


 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
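Tony's two conditions can be checked rather than eyeballed. The script below is an added example, not code from the thread: it reads the effective lockout settings from the domain object and the Group Policy inheritance state of the Domain Controllers OU. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and the caller can read GPO links.

```powershell
# Added example, not from the thread.  Checks the two conditions Tony's reply
# describes: lockout settings are defined in the Default Domain Policy, and the
# Domain Controllers OU must still inherit that policy for them to be enforced.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Test-LockoutPolicyEnforcement {
    [CmdletBinding()]
    param()

    $domain = Get-ADDomain
    $dcOu   = "OU=Domain Controllers,$($domain.DistinguishedName)"

    # lockoutThreshold / lockoutDuration / lockOutObservationWindow on the
    # domain object are what the DCs actually enforce; the PDC emulator writes
    # them there when it applies the account policy from Group Policy.
    $effective = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

    # Inheritance state of the Domain Controllers OU and the GPO links that
    # actually reach it.
    $inheritance = Get-GPInheritance -Target $dcOu
    $ddpLinked   = $inheritance.InheritedGpoLinks |
        Where-Object { $_.DisplayName -eq 'Default Domain Policy' -and $_.Enabled }

    $findings = @()
    if ($effective.LockoutThreshold -eq 0) {
        $findings += 'Effective LockoutThreshold is 0: account lockout is not enforced.'
    }
    if ($inheritance.GpoInheritanceBlocked) {
        $findings += "Block Policy Inheritance is set on $dcOu; the domain account policy does not reach the DCs."
    }
    if (-not $ddpLinked) {
        $findings += 'Default Domain Policy is not an enabled, inherited link on the Domain Controllers OU.'
    }

    [pscustomobject]@{
        Domain                   = $domain.DNSRoot
        LockoutThreshold         = $effective.LockoutThreshold
        LockoutDuration          = $effective.LockoutDuration
        LockoutObservationWindow = $effective.LockoutObservationWindow
        DcOuBlocksInheritance    = $inheritance.GpoInheritanceBlocked
        Findings                 = $findings
    }
}

Test-LockoutPolicyEnforcement | Format-List
```

An empty Findings list with a non-zero LockoutThreshold means the policy is both defined and reaching the DCs; otherwise the findings name which of the two conditions is failing.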



[ActiveDir] Mailmerge

2002-09-20 Thread Amit Zinman

Hi,

Has anyone had any experience with mail merging information
from Active Directory to Word?

Amit Zinman
Systems Consultant
Integrity Systems
[EMAIL PROTECTED]
03-7522424
058-326753



RE: [ActiveDir] setting/restricting permissions on objects in OU tree

2002-09-20 Thread Darren Sykes

Tony,

Are you sure ownership can't be given away? That wasn't my understanding
(though it's what you'll read in Microsoft's MCSE books). AFAIK, there's
nothing in the API which will prevent you from doing this, just the GUI.

There are 3rd party applications which add this functionality (Quota
software if I remember rightly, as quotas are assigned to the owner of
an object). So perhaps coding would be possible? 

Darren.


-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]] 
Sent: 20 September 2002 12:57
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] setting/restricting permissions on objects in
OU tree

If I understand this correctly, the issue here is that the creator of an
object is automatically designated as the Owner of the object.  Through
ownership of the object this person has certain permissions that you
don't really want them to have. 

I don't have a neat solution to this, but perhaps there are some
workarounds, e.g.

1.  Provide a tool (e.g. web based) that allows people with delegated
permissions to create the objects they are allowed to, but use a
protected account to actually perform the object creation.  In other
words, the tool acts as intermediary.  It checks the credentials of the
user requesting the creation against the ACL and, if the account has the
required permission, the tool will create the object using the protected
account.

2.  Use a protected account to take ownership of objects shortly after
they have been created.  I don't like this approach as the only way that
I know to change ownership is to actually take it by clicking - it can't
be given away.

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 20 Sep 2002 11:58:17 +1000

Rick,
Any further ideas?
Gil?

Michael Homsey
Telecommunications and Industrial Physics
CSIRO, Australia


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, 17 September 2002 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] setting/restricting permissions on objects in
OU
tree

Michael,

Good question here, and one that I haven't run into - hence don't have
an answer.  10 minutes of looking at my references didn't turn up
anything.  I'll keep looking, because I remember reading something about
this and it's kinda bugging me now.

Gil, if you're reading this - what do you know about this?

Rick Kingslan - Microsoft MVP [Windows NT/2000]
  Microsoft Certified Trainer
  MCSA, MCSE+I - Windows NT / 2000
  
Any sufficiently advanced technology
is indistinguishable from magic.
  ---  Arthur C. Clarke

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Monday, September 16, 2002 9:53 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] setting/restricting permissions on 
 objects in OU tree
 
 
 Thanks Rick,
 there must be something I am missing.
 I can restrict the changes to the immediate OU so its
 permissions cannot be changed. I can restrict the objects
 created (eg nesting of OUs) and the computer objects.
 However, if I create a sub-OU, it allows me to disconnect the
 inherited permissions with the check box. Which privilege
 turns this off?
 
 Michael Homsey
 
 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
 Sent: Monday, 16 September 2002 9:48 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] setting/restricting permissions on 
 objects in OU tree
 
 
 Go to the advanced ACLs of the user / group that you want to 
 remove the ability to change permissions and remove the 
 'Modify Permissions' permission at that level.
 
 This must be done in the Advanced mode of the Security of the 
 object(s) that you want to affect.
 
 Rick Kingslan - Microsoft MVP [Windows NT/2000]
   Microsoft Certified Trainer
   MCSA, MCSE+I - Windows NT / 2000
   
 Any sufficiently advanced technology
 is indistinguishable from magic.
   ---  Arthur C. Clarke

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]] On Behalf Of 
  [EMAIL PROTECTED]
  Sent: Sunday, September 15, 2002 6:17 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] setting/restricting permissions on 
  objects in OU tree
  
  
  Dear all,
  
  I wish to be able to delegate the creation of OUs and
  specific objects in an OU tree. Giving the permission to
  create an OU allows the creator to change permissions and
  circumvent controls on the OU subtree.
  
  If I wanted people to manage a certain type of object, e.g.
  create/delete computer accounts, full control of computer accounts,
  create/delete sub-OUs, but not change permissions so that
  they could create/delete people objects,
  
  what set of permissions is needed on the parent OU to achieve this?
  
  
  Michael Homsey
  CSIRO Australia

RE: [ActiveDir] setting/restricting permissions on objects in OU tree

2002-09-20 Thread Tony Murray

No, I'm not sure - just going on what I've read.  It would make sense from a security 
point of view though.  If I can only _take_ ownership then it's pretty clear that I am 
the authentic owner.  However, if I can assign ownership to anyone and everyone then 
the concept of owner authenticity disappears.

Tony
-- Original Message --
From: Darren Sykes [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 20 Sep 2002 13:00:23 +0100


RE: [ActiveDir] setting/restricting permissions on objects in OU tree

2002-09-20 Thread Darren Sykes

I fully understand the theory behind ownership, however on NTFS
permissions, this could be manipulated.  Look at number 16) on
http://www.giant-technologies.co.uk/quotaadvisor/ which mentions the
utility they provide. Presumably a dACL on a file will be the same
structure as those on an AD object?

Darren.


-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]] 
Sent: 20 September 2002 13:23
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] setting/restricting permissions on objects in
OU tree


[ActiveDir] Extended Account Properties (?)

2002-09-20 Thread Leney, Justin

Hi, 

Does anyone know of an AD Tool/Query which will tell you the last date/time
an AD Object was modified?

Thanks,

Justin Leney
NIST/Systems Plus
Windows Server Team
301-975-4903 (Desk)
301-664-0106 (Pager)




RE: [ActiveDir] setting/restricting permissions on objects in OU tree

2002-09-20 Thread Puckett, Richard

The Owner SID for a Security Descriptor is most definitely replaceable.
You can initialize a blank security descriptor (SD), fill in the Owner
SID (SetSecurityDescriptorOwner) with your desired new owner, then
overwrite the existing SD (the neat part is during the overwrite the
blank sections of the new SD are ignored, leaving the existing SD
components in place).  The trick (at the time) was that you required
SeDebugPrivileges to perform the low level SD replacement.

I wrote a Windows version of Chown back in 1998 after a breakout
discussion on Security programming at MS PDC, where it was questioned
whether or not it was possible to do programmatically.  If you're
interested, I think the source is still posted on VbAdminCode
(http://www.vbadmincode.btinternet.co.uk/).  Please note that it's very
old code and was at the time intended to work against file objects in
NTFS, but I believe the principles still hold true for manipulation of
Directory objects (and it still works on NTFS 5 file objects, I just
tested it).

As for the architectural concept of assigned ownership control, the
two-part process of object ownership defined by Microsoft has its pros
and cons.  Owner identity control from the standpoint of giving a user
the 'right' to be the owner of an object and then that user actually
'taking' ownership does ensure a degree of ownership integrity, but in
my mind the overhead required to perform this two-part procedure has the
potential for creating an administrative problem (esp. in large-scale
environments where the ownership of objects may change hands
frequently).  Also, it begs the greater question of what your 'trusted'
administrators should be able to do (which is why I wrote Chown :-)).  

Richard

 -Original Message-
 From: Darren Sykes [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, September 20, 2002 8:32 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] setting/restricting permissions on 
 objects in OU tree
 
 
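Richard's point that the owner SID is replaceable is what makes Tony's second workaround (a protected account re-homing ownership after creation) practical. The script below is an added example, not code from the thread or from Richard's Chown: it audits objects under a delegated OU for owners outside a protected set, reporting orphaned owner SIDs as findings in their own right, and re-homes ownership to a protected group. It assumes the RSAT ActiveDirectory module; the OU path and the CONTOSO group name are placeholders.

```powershell
# Added example, not from the thread.  Audit: which objects under a delegated OU
# are owned by someone outside the protected groups?  Remediation: set the owner
# to a protected group, leaving the DACL and SACL as they are.
# Assumes the RSAT ActiveDirectory module.  OU and group names are placeholders.
Import-Module ActiveDirectory

function Get-UnexpectedOwner {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [string[]] $AllowedOwners = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )
    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * `
                 -Properties nTSecurityDescriptor, whenCreated |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor
        try {
            # Resolve the owner SID to DOMAIN\Name.  An orphaned SID (deleted
            # account) cannot be translated and is reported in raw S-1-5-... form.
            $owner = $sd.GetOwner([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        }
        $shortName = $owner.Split('\')[-1]
        if ($AllowedOwners -notcontains $shortName) {
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                Owner             = $owner
                WhenCreated       = $_.whenCreated
            }
        }
    }
}

function Set-ProtectedOwner {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [string] $NewOwner = 'CONTOSO\Domain Admins'   # placeholder protected group
    )
    $obj = Get-ADObject -Identity $DistinguishedName -Properties nTSecurityDescriptor
    $sd  = $obj.nTSecurityDescriptor
    # Only the owner field of the descriptor changes; the DACL and SACL held in
    # $sd are written back as read.  Assigning an owner other than your own
    # account or one of your own groups normally requires the "Restore files and
    # directories" privilege on the DC that services the write.
    $sd.SetOwner([System.Security.Principal.NTAccount] $NewOwner)
    Set-ADObject -Identity $DistinguishedName -Replace @{ nTSecurityDescriptor = $sd }
}

# Report first, review, then remediate.
$ou       = 'OU=Delegated,DC=contoso,DC=com'   # placeholder
$findings = Get-UnexpectedOwner -SearchBase $ou
$findings | Format-Table -AutoSize
$findings | ForEach-Object { Set-ProtectedOwner -DistinguishedName $_.DistinguishedName }
```

Scheduling the audit shortly after object creation, as Tony suggests, narrows the window in which a creator holds the implicit owner rights that the thread is concerned about.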

RE: [ActiveDir] Allowed windows applications

2002-09-20 Thread Rick Kingslan

Have you tried removing the RUN command from the Start Menu via Group
Policy?

Rick Kingslan - Microsoft MVP [Windows NT/2000]
  Microsoft Certified Trainer
  MCSA, MCSE+I - Windows NT / 2000
  
Any sufficiently advanced technology
is indistinguishable from magic.
  ---  Arthur C. Clarke

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of 
 marija efnuseva
 Sent: Friday, September 20, 2002 7:48 AM
 To: ActiveDirLista
 Subject: [ActiveDir] Allowed windows applications
 
 
 Hi,
 
 Thank you very much for the answer about my folder problems.
 I would also appreciate it if someone could tell me where I can
 find some more documentation about Security Templates.
 
 I would also like to ask if anyone knows how I can allow my
 users on the client computers to activate only one program:
 Borland C. I tried giving the administrative template Run
 only allowed Windows applications, but when I try to start
 bc.exe from the client computer as a shortcut in the Start
 menu, it says that the action was prevented by the policy. On
 the other hand, if I try to start it by the command line it
 - STARTs. My problem is that I do not want to allow access
 to the command prompt for my users, since then they can do
 and go almost everywhere. All they need for their work is Borland C.
 
 Is the shortcut the problem, or is the problem that Borland C
 is a DOS application?
 
 Thanks for all answers.
 Marija
 





RE: [ActiveDir] setting/restricting permissions on objects in OU tree

2002-09-20 Thread Rick Kingslan

Richard,

Sure, I build a fire and you come throw water on it.  Damn you!  :-)

Thanks for this.  I do now remember this.  Thanks for the correction.  I
do, somehow, think that we've strayed from the original requestor's needs.
:-)

Rick Kingslan - Microsoft MVP [Windows NT/2000]
  Microsoft Certified Trainer
  MCSA, MCSE+I - Windows NT / 2000
  
Any sufficiently advanced technology
is indistinguishable from magic.
  ---  Arthur C. Clarke

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of 
 Puckett, Richard
 Sent: Friday, September 20, 2002 8:22 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] setting/restricting permissions on 
 objects in OU tree
 
 
 
 

RE: [ActiveDir] Extended Account Properties (?)

2002-09-20 Thread Puckett, Richard

Justin,

I'd done an earlier posting for someone (w/ source) to view the
whenChanged attribute on objects within a given timeframe.  I can repost
it if necessary.  Additionally you can use ADSIEDIT.MSC to view that
attribute directly on the desired object, or ENUMPROP.EXE
LDAP://cn=administrator,...,dc=com; to view that value within the list
of other returned attributes.

Hope this helps,
Richard

 -Original Message-
 From: Thornley, Dave H [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, September 20, 2002 9:09 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Extended Account Properties (?)
 
 
 Turn on Advanced Features (View menu in ADUC) and look on 
 the Object tab?
 
 dave
 
 -Original Message-
 From: Leney, Justin [mailto:[EMAIL PROTECTED]] 
 Sent: 20 September 2002 14:02
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Extended Account Properties (?)
 
 
 
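Richard's whenChanged approach, written out as an added example that is not code from the thread. One caveat a reader of whenChanged should know: the attribute is maintained locally by each DC and is not replicated, so the same object can carry different values on different DCs; the function therefore queries every DC and labels each row with its source. It assumes the RSAT ActiveDirectory module; the search base is a placeholder.

```powershell
# Added example, not from the thread.  Lists objects whose whenChanged falls in
# a recent window.  whenChanged is set locally by each DC and is not replicated,
# so every DC is queried and each row records which DC reported it.
# Assumes the RSAT ActiveDirectory module; the search base is a placeholder.
Import-Module ActiveDirectory

function Get-RecentlyChangedADObject {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)

    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADObject -Server $dc.HostName -SearchBase $SearchBase -SearchScope Subtree `
                     -Filter { whenChanged -ge $since } `
                     -Properties whenCreated, whenChanged, uSNChanged |
        ForEach-Object {
            [pscustomobject]@{
                DomainController  = $dc.HostName
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                WhenCreated       = $_.whenCreated
                WhenChanged       = $_.whenChanged
                # whenCreated is replicated, so this flag separates objects that
                # are new in the window from existing objects that were modified,
                # consistently across DCs.
                NewInWindow       = ($_.whenCreated -ge $since)
                USNChanged        = $_.uSNChanged
            }
        }
    }
}

Get-RecentlyChangedADObject -SearchBase 'OU=Servers,DC=contoso,DC=com' -Hours 48 |
    Sort-Object WhenChanged -Descending |
    Format-Table DomainController, WhenChanged, NewInWindow, ObjectClass, DistinguishedName -AutoSize
```

Because whenChanged also moves when a DC applies an inbound replicated change, a timestamp tells you when that DC last wrote the object, not which DC originated the change; the directory's change audit events are the place to look for that.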



[ActiveDir] Querying the DN

2002-09-20 Thread Myrick, Todd (NIH/CIT)

I have been trying to figure out a way using LDP to query the DN or
Canonical Name with no success. I can query fields using samaccountName,
Notes, etc.  

Anyone know how to query it?  I know I can LDIF it and use ADSI.

Todd 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Querying the DN

2002-09-20 Thread Robbie Allen

The 'distinguishedName' attribute is present on all objects, which can be
used to query or retrieve the DN.  Have you tried that?

Robbie Allen

 -Original Message-
 From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, September 20, 2002 10:22 AM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] Querying the DN
 
 
 I have been trying to figure out a way using LDP to query the DN or
 Canonical Name with no success. I can query fields using 
 samaccountName,
 Notes, etc.  
 
 Any one know how to query it?  I know I can LDIF it and use ADSI.
 
 Todd 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] OT: Utilities needed

2002-09-20 Thread John Hicks/MIS/HQ/KEMET/US

Cool, thanks for the info, I will give that a try


Thornley, Dave H [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/20/2002 10:30 AM
Please respond to [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OT: Utilities needed

You should be able to monitor the Elapsed time and CPU use of any process -
Elapsed time isn't pretty (seconds it's been running for) but may do the job...

They're both under the Process counter

dave
-Original Message-
From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]] 
Sent: 20 September 2002 13:52
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Utilities needed


I did not think that I could use perfmon to monitor services. How would
you use it to monitor service uptime? 

Thanks


Rick Kingslan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/19/2002 09:09 PM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OT: Utilities needed

John, 
 
Though a completely MS solution and not 100% foolproof (though it's worked
very well for my needs) setting up a simple perfmon with high and low watermarks
with the proper alerting could work here. 
Rick Kingslan - Microsoft Certified Trainer
 MCSE+I on Windows NT 4.0
 MCSE on Windows 2000
 MVP [Windows NT/2000 Server]

Any sufficiently advanced technology
is indistinguishable from magic.
 --- Arthur C. Clarke



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of John Hicks/MIS/HQ/KEMET/US
Sent: Thursday, September 19, 2002 7:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Utilities needed


I have been having problems with our Lotus Notes administrators making
claims of services not running and using extremely high cpu. Of course
I am never able to see the problem happening because they will kill the
service. Sorry had to vent. I am looking for a utility that I can monitor
the uptime of a service and monitor cpu usage of a service. Any suggestions
would be greatly appreciated. 

Thanks 


RE: [ActiveDir] Extended Account Properties (?)

2002-09-20 Thread Leney, Justin

Richard, thanks for the info. The WhenChanged attribute in ADSIEDIT is
sufficient. 

Also, ENUMPROP.EXE; is that part of the 2000 Server Resource Kit? 

Jbl



-Original Message-
From: Puckett, Richard [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 9:35 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Extended Account Properties (?)



Justin,

I'd done an earlier posting for someone (w/ source) to view the
whenChanged attribute on objects within a given timeframe.  I can repost
it if necessary.  Additionally you can use ADSIEDIT.MSC to view that
attribute directly on the desired object, or ENUMPROP.EXE
LDAP://cn=administrator,...,dc=com to view that value within the list
of other returned attributes.

Hope this helps,
Richard
 


 -Original Message-
 From: Thornley, Dave H [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, September 20, 2002 9:09 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Extended Account Properties (?)
 
 
 Turn on Advanced Features (View menu in ADUC) and look on 
 the Object tab?
 
 dave
 
 -Original Message-
 From: Leney, Justin [mailto:[EMAIL PROTECTED]] 
 Sent: 20 September 2002 14:02
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Extended Account Properties (?)
 
 
 Hi, 
 
 Does anyone know of a AD Tool/Query which will tell you the 
 last date/time an AD Object was modified?
 
 
 
 
 Thanks, 
 
 Justin Leney
 NIST/Systems Plus
 Windows Server Team
 301-975-4903 (Desk)
 301-664-0106 (Pager)
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



[ActiveDir] Admin Account Trouble

2002-09-20 Thread Michael Payne

Hello Everyone,

My administrator account (Windows 2000 server) can not access the group
policies for the Domain\ Domain Controller. I can not install software
nor does the hardware wizard respond. Any ideas or suggestions? I would
appreciate any advice.

Thanks in advance,


Mike
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] OT: Utilities needed

2002-09-20 Thread Puckett, Richard

John,

Not sure if you're interested in this, but if the hosts support the use of WMI, you
can do some fairly small (and cool) things with WMI, EventSinks and the Event
Log, or with private EventFilters, Consumers (SMTPEventConsumer) &
FilterToConsumerBinding. These will allow you to create alerts (and
e-mails) based on criteria you define for monitoring your
service/process (to include service CreationDates, state changes,
etc.). You can also choose to use EventSinks to monitor the
System event log for the creation of 7023 (service terminations). MS
recently released their WMI script repository help file that has quite a few
useful snippets in it (see the second link below).

MS Script Center
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/compmgmt/default.asp

MS WMI System Administration Script repository
http://www.microsoft.com/downloads/release.asp?ReleaseID=38942


Here's an example:

Monitor Changes in Service Status
Description: Temporary event consumer that issues an alert any time a service
changes status (for example, an active service that is paused or stopped).

' Connect to WMI on the local machine (change strComputer for a remote host)
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Ask for a notification whenever a Win32_Service instance changes,
' polling every 30 seconds
Set colServices = objWMIService. _
    ExecNotificationQuery("Select * from __instancemodificationevent " _
        & "within 30 where TargetInstance isa 'Win32_Service'")
i = 0
Do While i = 0
    ' NextEvent blocks until the next modification event arrives
    Set objService = colServices.NextEvent
    ' Only report when the service state actually changed
    If objService.TargetInstance.State <> _
        objService.PreviousInstance.State Then
        Wscript.Echo objService.TargetInstance.Name _
            & " is " & objService.TargetInstance.State _
            & ". The service previously was " & objService.PreviousInstance.State _
            & "."
    End If
Loop

Regards,
Richard



  
-Original Message-
From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 11:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Utilities needed

Cool, thanks for the info, I will give that a try


"Thornley, Dave H" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/20/2002 10:30 AM
Please respond to [EMAIL PROTECTED]
To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OT: Utilities needed

You should be able to monitor the Elapsed time and CPU use of any process -
Elapsed time isn't pretty (seconds it's been running for) but may do the job...

They're both under the Process counter

dave

-Original Message-
From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]]
Sent: 20 September 2002 13:52
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Utilities needed

I did not think that I could use perfmon to monitor services. How would you use
it to monitor service uptime?

Thanks


"Rick Kingslan" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/19/2002 09:09 PM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OT: Utilities needed

John,

Though a completely MS solution and not 100% foolproof (though it's worked very
well for my needs) setting up a simple perfmon with high and low watermarks with
the proper alerting could work here.

Rick Kingslan - Microsoft Certified Trainer
MCSE+I on Windows NT 4.0
MCSE on Windows 2000
MVP [Windows NT/2000 Server]

"Any sufficiently advanced technology is indistinguishable from magic."
--- Arthur C. Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Hicks/MIS/HQ/KEMET/US
Sent: Thursday, September 19, 2002 7:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Utilities needed

I have been having problems with our Lotus Notes administrators making claims of
services not running and using extremely high cpu. Of course I am never able to
see the problem happening because they will kill the service. Sorry had to vent.
I am looking for a utility that I can monitor the uptime of a service and
monitor cpu usage of a service. Any suggestions would be greatly appreciated.

Thanks


RE: [ActiveDir] Admin Account Trouble

2002-09-20 Thread Craig Cerino

I REALLY don't mean to be insulting -- but is it locked out? 

-Original Message-
From: Michael Payne [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 20, 2002 12:43 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Admin Account Trouble

Hello Everyone,

My administrator account (Windows 2000 server) can not access the group
policies for the Domain\ Domain Controller. I can not install software
nor does the hardware wizard respond. Any ideas or suggestions? I would
appreciate any advice.

Thanks in advance,


Mike
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Admin Account Trouble

2002-09-20 Thread Salandra, Justin A.

Did the NTFS Permissions on the C:\ change on the Domain Controller in
Question?


 -Original Message-
From:   Michael Payne [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, September 20, 2002 12:43 PM
To: [EMAIL PROTECTED]
Subject:[ActiveDir] Admin Account Trouble

Hello Everyone,

My administrator account (Windows 2000 server) can not access the group
policies for the Domain\ Domain Controller. I can not install software
nor does the hardware wizard respond. Any ideas or suggestions? I would
appreciate any advice.

Thanks in advance,


Mike
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] OT: Utilities needed

2002-09-20 Thread John Hicks/MIS/HQ/KEMET/US

Great, this looks like some good info.

Thanks for the help


Puckett, Richard [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/20/2002 12:37 PM
Please respond to [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OT: Utilities needed

John,

Not sure if you're interested
in this, but if the hosts support the use of WMI, you can do some fairly
small (and cool) things with WMI, EventSinks and the Event Log, or with
private EventFilters, Consumers (SMTPEventConsumer) & FilterToConsumerBinding.
These will allow you to create alerts (and e-mails) based on criteria
you define for monitoring your service/process (to include service CreationDates,
state changes, etc.) You can also choose to use EventSinks to monitor
the System event log for the creation of 7023 (service terminations). MS
recently released their WMI script repository help file that has quite
a few useful snippets in it (see the second link below).

MS Script Center
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/compmgmt/default.asp

MS WMI System Administration Script repository
http://www.microsoft.com/downloads/release.asp?ReleaseID=38942


Here's an example:

Monitor Changes in Service Status
Description: Temporary event consumer that issues an alert any time a service
changes status (for example, an active service that is paused or stopped).

' Connect to WMI on the local machine (change strComputer for a remote host)
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Ask for a notification whenever a Win32_Service instance changes,
' polling every 30 seconds
Set colServices = objWMIService. _
    ExecNotificationQuery("Select * from __instancemodificationevent " _
        & "within 30 where TargetInstance isa 'Win32_Service'")
i = 0
Do While i = 0
    ' NextEvent blocks until the next modification event arrives
    Set objService = colServices.NextEvent
    ' Only report when the service state actually changed
    If objService.TargetInstance.State <> _
        objService.PreviousInstance.State Then
        Wscript.Echo objService.TargetInstance.Name _
            & " is " & objService.TargetInstance.State _
            & ". The service previously was " & objService.PreviousInstance.State _
            & "."
    End If
Loop

Regards,
Richard


-Original Message-
From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 20, 2002 11:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Utilities needed


Cool, thanks for the info, I will give that a try


Thornley, Dave H [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/20/2002 10:30 AM
Please respond to [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OT: Utilities needed

You should be able to monitor the Elapsed time and CPU use of any process
- Elapsed time isn't pretty (seconds it's been running for) but may do
the job...

They're both under the Process counter

dave
-Original Message-
From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]] 
Sent: 20 September 2002 13:52
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Utilities needed


I did not think that I could use perfmon to monitor services. How would
you use it to monitor service uptime? 

Thanks


Rick Kingslan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/19/2002 09:09 PM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OT: Utilities needed

John, 
 
Though a completely MS solution and not 100% foolproof (though it's worked
very well for my needs) setting up a simple perfmon with high and low watermarks
with the proper alerting could work here. 
Rick Kingslan - Microsoft Certified Trainer
MCSE+I on Windows NT 4.0
MCSE on Windows 2000
MVP [Windows NT/2000 Server]

Any sufficiently advanced technology
is indistinguishable from magic.
--- Arthur C. Clarke


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of John Hicks/MIS/HQ/KEMET/US
Sent: Thursday, September 19, 2002 7:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Utilities needed


I have been having problems with our Lotus Notes administrators making
claims of services not running and using extremely high cpu. Of course
I am never able to see the problem happening because they will kill the
service. Sorry had to vent. I am looking for a utility that I can monitor
the uptime of a service and monitor cpu usage of a service. Any suggestions
would be greatly appreciated. 

Thanks 


Re: [ActiveDir] Allowed windows applications

2002-09-20 Thread Marija Efnuseva

Yes, I have removed everything but the shortcut for Borland C from the Start
Menu, but I cannot start this application, although it is allowed in "Run
only allowed Windows applications".

Marija
- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, September 20, 2002 3:27 PM
Subject: RE: [ActiveDir] Allowed windows applications


 Have you tried removing the RUN command from the Start Menu via Group
 Policy?

 Rick Kingslan - Microsoft MVP [Windows NT/2000]
   Microsoft Certified Trainer
   MCSA, MCSE+I - Windows NT / 2000

 Any sufficiently advanced technology
 is indistinguishable from magic.
   ---  Arthur C. Clarke





  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]] On Behalf Of
  marija efnuseva
  Sent: Friday, September 20, 2002 7:48 AM
  To: ActiveDirLista
  Subject: [ActiveDir] Allowed windows applications
 
 
  Hi,
 
  Thank you very much for the answer about my folder problems.
  I would also appreciate if someone could tell me where can I
  find some more documentation about Security Templates.
 
  I would also like to ask if anyone knows how I can allow my
  users on the client computers to activate only one program:
  Borland C. I tried giving the administrative template "Run
  only allowed Windows applications", but when I try to start
  bc.exe from the client computer as a shortcut in the Start
  menu, it says that the action was prevented by the policy. On
  the other hand, if I try to start it from the command line it
  STARTs. My problem is that I do not want to allow access
  to the command prompt for my users, since then they can do
  and go almost everywhere. All they need for their work is Borland C.
 
  Is the shortcut the problem, or is the problem that Borland C
  is a DOS application?
 
  Thanks for all answers.
  Marija





List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Active directory object creation and usage

2002-09-20 Thread Gil Kirkpatrick

Hi Dipu,

There is not a general purpose class to use... You'll have to extend the
schema. Search MSDN for How to Extend the Schema... There is a Platform
SDK article that describes all the steps. 

<shameless plug>
Or you could check out my book Active Directory Programming
(http://www.amazon.com/exec/obidos/tg/detail/-/0672315874/) from MacMillan.
It describes how to extend the schema and includes C++ code to do it using
either ADSI or LDAP.
</shameless plug>

-gil

Gil Kirkpatrick
CTO, NetPro
Author of Active Directory Programming from MacMillan

-Original Message-
From: Dipu Karuthedathu [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 19, 2002 10:14 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Active directory object creation and usage


Hello All,

I would like to get more info on the following:

1) Is there a general purpose ADS object class with a list of strings as
attribute? If so, can i create and use an object of this class for my own
application data?

2) If there is not a generic class, how do i extend the existing schema to
create a custom object class programatically using C++? What are the
interfaces available? Is there any samples available?

Thanks and Best regards,
Dipu.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] setting/restricting permissions on objects in OU tree

2002-09-20 Thread Rick Kingslan

Brian,

Funny - (well, to a simpleton like me at least) but I realized this
once I got to work and had to chance to actually LOOK at your product.
Yep - right there is a big ole button called Set Owner.  This button in
AA, the discussion here, all prompted me to start looking.  And yeah, I
found what you just repeated here.  Pretty easy in AD, but a bit more
difficult (but quite do-able) in NTFS.

BTW, I really LIKE AA.  

As to the original question, I can't find any direct way to prevent a
delegate from 'disengaging' and setting his/her own path.  I, too, agree
with Tony.  (Tony being the really smart guy that he is - me, I'm the
simpleton, remember?  :-)  )  

Currently, I do see this as a hole in the delegation structure of the
OUs.  Needs to be addressed and I'm sure that we're too far into .Net to
do anything now.  But, it can go on the 'wish list' for Longhorn - which
will be along around 2005 - 2006.

Thanks for the input, Brian.  And keep up the good work down there in
Fla.  I'm taking a serious look at AA, Sec Reporter and Sec Disc.
Looking PRETTY good.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
  Microsoft Certified Trainer
  MCSA, MCSE+I - Windows NT / 2000
  
Any sufficiently advanced technology
is indistinguishable from magic.
  ---  Arthur C. Clarke





 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of 
 Brian T. Small
 Sent: Friday, September 20, 2002 11:23 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] setting/restricting permissions on 
 objects in OU tree
 
 
 Rick,
 
 We provide a set owner function for AD in our Active 
 Administrator product.  It's actually a very simple thing to 
 do - use the SetNamedSecurityInfo API and provide the sid to 
 the new owner - that's it.  It was actually more difficult to 
 write the code for setting the owner on NTFS.
 
 Getting back to the original request, I think he was asking 
 for a way to allow someone to create an OU, but then disallow 
 him from changing security on that object. I agree with Tony 
 - the only way I see to do this is to create a proxy to 
 create the OU, or make them submit a work order for the 
 creation of OUs (more work for real administrators, 
 though).  It doesn't matter what you put in the ACL (Deny 
 Write Permissions, etc) - as long as he is the owner, he can 
 do anything. Maybe a process running on the domain 
 controllers, waiting for AD objects to be created and 
 immediately setting the owner to BUILTIN\Administrators?  
 Doesn't sound very realistic, though :)
  
 All the best,
  
 Brian Small 
 President 
 
 == 
 Small Wonders Software 
 [EMAIL PROTECTED] 
 http://www.smallwonders.com 
 407.647.4555 : voice 
 407.647.9029 : fax 
 ==
 
 
 
  
 
 
 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, September 20, 2002 9:26 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] setting/restricting permissions on 
 objects in OU tree
 
 Darren, Tony - 
 
 Interesting thought.  At this point, just to clarify, until I 
 see something that convinces me otherwise (API, code example, 
 tool) Ownership must be taken, not given.  Let me explain why 
 it SHOULD be this way and not allowed to be circumvented.
 
 I take ownership of the payroll records.  I give myself a 7 
 digit salary, then assign ownership back to the original 
 owner.  (Granted - if IT SEC or the Payroll dept. has half a 
 brain, these files are going to be audited anyway...).  This 
 is why I stand behind ownership needing to be taken, but not 
 being able to ASSIGN.  By default, all files are initially 
 assigned to the Administrator at setup.
 
 Now as to AD objects, I still need to take a walk through the 
 AD with DSACLS to see if I can find the answer for Michael.  
 Time constraints and 24 hr. days suck.  :-)
 
 Rick Kingslan - Microsoft MVP [Windows NT/2000]
   Microsoft Certified Trainer
   MCSA, MCSE+I - Windows NT / 2000
   
 Any sufficiently advanced technology
 is indistinguishable from magic.
   ---  Arthur C. Clarke
 
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]] On Behalf Of 
 Darren Sykes
  Sent: Friday, September 20, 2002 7:32 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] setting/restricting permissions on 
  objects in OU tree
  
  
  I fully understand the theory behind ownership, however on
  NTFS 

RE: [ActiveDir] Admin Account Trouble

2002-09-20 Thread Rick Kingslan

Craig,

Can't happen - the Administrator account can't be locked out.  Which, if
you think about it is the reason that it's attacked over any other
potential admin equivalent account.  If the account 'Rick' is an admin
equiv but has a lockout of 3 attempts, I may as well go after the
Administrator who won't lockout even though I'm going after it with a
full onslaught brute force dictionary attack with my mongo dictionary
with all possible replacement text.  By open of business Monday the
administrator account has taken on millions of password attempts.

Yeah, it's kind of a small problem.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
  Microsoft Certified Trainer
  MCSA, MCSE+I - Windows NT / 2000
  
Any sufficiently advanced technology
is indistinguishable from magic.
  ---  Arthur C. Clarke





 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Cerino
 Sent: Friday, September 20, 2002 12:16 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Admin Account Trouble
 
 
 I REALLY don't mean to be insulting -- but is it locked out? 
 
 -Original Message-
 From: Michael Payne [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, September 20, 2002 12:43 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Admin Account Trouble
 
 Hello Everyone,
 
 My administrator account (Windows 2000 server) can not access 
 the group policies for the Domain\ Domain Controller. I can 
 not install software nor does the hardware wizard respond. 
 Any ideas or suggestions? I would appreciate any advice.
 
 Thanks in advance,
 
 
 Mike


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
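The risk Rick describes above (the built-in Administrator cannot be locked out, so it is the natural target for password guessing) worked as a detection example added here, not code from the list thread: a Python scanner over constructed audit records that counts failed logons per account and source host inside a sliding window and trips at a lower threshold for lockout-exempt accounts. The record layout (timestamp, event id, account, source), the thresholds and the sample data are assumptions.

```python
"""Flag password-guessing against accounts that account lockout cannot stop.

Added example, not from the list thread. Scans constructed audit records
(assumed shape: ISO timestamp, event id, account, source host) for logon
failures and alerts when one (account, source) pair exceeds a threshold
inside a sliding window. The built-in Administrator gets a lower threshold
because lockout policy never applies to it; detection is the control left.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Security-log ids for "logon failure: bad password": 529 on Windows 2000,
# 4625 on Vista and later.
FAILED_LOGON_IDS = {529, 4625}

# Accounts that account lockout does not protect (built-in Administrator,
# RID 500). Extend with any other lockout-exempt accounts in your domain.
LOCKOUT_EXEMPT = {"administrator"}


def parse_record(line):
    """Parse one constructed audit line: 'ISO-timestamp,event_id,account,source'."""
    ts, event_id, account, source = line.strip().split(",")
    return datetime.fromisoformat(ts), int(event_id), account.lower(), source


def detect_guessing(lines, window=timedelta(minutes=5),
                    threshold=10, exempt_threshold=3):
    """Return alerts as (account, source, count, first_seen, last_seen).

    Records are assumed time-ordered. Failures older than `window` are
    dropped before each check; a lockout-exempt account trips at
    `exempt_threshold`, everything else at `threshold`. Each
    (account, source) pair alerts at most once per run.
    """
    recent = defaultdict(deque)   # (account, source) -> failure timestamps
    alerted = set()
    alerts = []
    for line in lines:
        ts, event_id, account, source = parse_record(line)
        if event_id not in FAILED_LOGON_IDS:
            continue                      # successes and other events are ignored
        key = (account, source)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        limit = exempt_threshold if account in LOCKOUT_EXEMPT else threshold
        if len(q) >= limit and key not in alerted:
            alerted.add(key)
            alerts.append((account, source, len(q), q[0], q[-1]))
    return alerts


# Constructed sample: a guessing run against Administrator from one host,
# two stray failures by an ordinary user, and one successful logon (528).
SAMPLE_LOG = """\
2002-09-20T18:00:00,529,Administrator,10.0.0.7
2002-09-20T18:00:02,529,Administrator,10.0.0.7
2002-09-20T18:00:04,529,rick,10.0.0.9
2002-09-20T18:00:05,529,Administrator,10.0.0.7
2002-09-20T18:00:09,528,rick,10.0.0.9
2002-09-20T18:30:00,529,rick,10.0.0.9
"""

if __name__ == "__main__":
    for account, source, count, first, last in detect_guessing(SAMPLE_LOG.splitlines()):
        print(f"ALERT {account} from {source}: {count} failures between {first} and {last}")
```

On the sample the only alert is Administrator from 10.0.0.7 after three failures in five seconds; rick's two failures are 30 minutes apart and never accumulate.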



RE: [ActiveDir] netdiag results

2002-09-20 Thread David N. Precht

Any errors in the logs?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
On Behalf Of Lori Demkovich
Sent: Thursday, September 19, 2002 11:14
To: [EMAIL PROTECTED]
Subject: [ActiveDir] netdiag results


I ran Netdiag and the trust relationship test failed.  It said,
 
Trust relationship test. . . . . . : Failed
Test to ensure DomainSid of domain 'domainname' is correct.
[FATAL] Secure channel to domain 'domainname' is broken. [ERROR_NO_LOGON_SERVERS]

I've looked on Technet and can't find much on this.  Any idea where I start and what I 
do to fix?  Thanks,
 
Lori D.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Service Pack 3

2002-09-20 Thread David N. Precht

Acrobat 4 or 5 ?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, September 17, 2002 18:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Service Pack 3


Justin,

Broke our Adobe Acrobat PDF printer (Had to roll back to SP2 and
re-install) and know of issues with Hummingbird Exceed other than I have
had no problems...

James

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, 18 September 2002 8:07 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Service Pack 3

It broke our Network Appliance NutScratch, er, um, I mean NetCache when
we put it on our DCs. It will no longer authenticate users against our
AD domain. NetApp is working with us to fix it.

Other than that, we've seen no problems. 

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 17, 2002 3:54 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Service Pack 3


So what is the consensus on Service Pack 3 for Windows 2000?  I have
been running it on my laptop for a while now with no errors.  Has anyone
had any major problems that resulted from installing Service Pack 3 in
their production environment?.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Service Pack 3

2002-09-20 Thread David N. Precht

Running with no issues on my laptop and AD server 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, September 17, 2002 16:54
To: ActiveDir (E-mail)
Subject: [ActiveDir] Service Pack 3


So what is the consensus on Service Pack 3 for Windows 2000?  I have
been running it on my laptop for a while now with no errors.  Has anyone
had any major problems that resulted from installing Service Pack 3 in
their production environment?.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Util/software to Log into Multiple AD domains for Administration

2002-09-20 Thread David N. Precht



RAdmin, too.

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
  On Behalf Of [EMAIL PROTECTED]Sent: 
  Sunday, September 15, 2002 18:05To: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] Util/software 
  to Log into Multiple AD domains for Administration
  
Currently use PCAnywhere, which is fantastic, especially the latest version 10.5, but it is
extremely expensive. The below product from the University of Cambridge is FREE:

http://www.uk.research.att.com/vnc/

Alternatively you could set up terminal services and utilise the admin mode...

James
  
-Original Message-
From: David N. Precht [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 15 September 2002 11:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Util/software to Log into Multiple AD domains for Administration
  
PcAnywhere

or Netswitcher
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Williams
Sent: Friday, September 13, 2002 20:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Util/software to Log into Multiple AD domains for Administration

I log into about 10 different AD domains for Nets that I support. Has anyone ever run into a utility
that allows you to select which domain you want when you boot up? There used to be one for NT4 Wks
that you could set up for multiple domains. I am tired of having to log in locally then rejoining a
domain to be able to administer it. Does anyone do this?? Thanks in advance


RE: [ActiveDir] Networkdrive-mapping @ logon

2002-09-20 Thread David N. Precht



Kixtart login script

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jochen Andries
Sent: Wednesday, September 18, 2002 08:08
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Networkdrive-mapping @ logon
  
Hello all,

Is there a way I can configure to map drives at startup? But more than 1 mapping.

Also can I put in this same file other commands? (Like route add .)

Greetings,

Jochen Andries
Jabbeke, Belgium
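David's one-line answer points at Kixtart; the same two things Jochen asks for (several drive mappings plus other commands in one file) can also be done with a plain .bat logon script assigned through Group Policy (User Configuration, Windows Settings, Scripts, Logon). The script below is an added example and not from the thread; the server name FILESRV, the shares HOME$ and SHARED, and the route 10.10.0.0/16 via 10.0.0.1 are assumptions chosen for illustration.

```batch
@echo off
rem Added example logon script (not from the thread). Assumed names:
rem FILESRV is a file server; HOME$ and SHARED are shares on it.
rem Logon scripts are served from the DC's NETLOGON share, which every
rem authenticated domain user can read: never embed "/user:... password"
rem credentials in here, mappings must rely on the user's own logon token.

rem Drop stale mappings first so a reconnect does not collide with an old letter.
net use H: /delete /y >nul 2>&1
net use S: /delete /y >nul 2>&1

rem More than one mapping: one "net use" per drive. /persistent:no keeps the
rem mapping out of the user's profile, so this script stays the single source
rem of truth and an old mapping does not come back on the next logon.
net use H: \\FILESRV\HOME$\%USERNAME% /persistent:no
if errorlevel 1 echo Could not map H: for %USERNAME%

net use S: \\FILESRV\SHARED /persistent:no
if errorlevel 1 echo Could not map S:

rem Other commands can go in the same file, but a logon script runs with the
rem rights of the user logging on. "route add" needs administrative privilege,
rem so for an ordinary user it fails here; put it in a computer Startup script
rem (Computer Configuration, Windows Settings, Scripts, Startup) instead, which
rem runs as LocalSystem before anyone logs on.
route -p add 10.10.0.0 mask 255.255.0.0 10.0.0.1 >nul 2>&1
if errorlevel 1 echo route add skipped: needs administrative rights
```

The same script in Kixtart would use USE for the mappings and SHELL for the route command, with INGROUP() available to map different shares per group; the two caveats (no credentials in a script readable from NETLOGON, and privileged commands belonging in a Startup script rather than a Logon script) apply just the same.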