RE: [ActiveDir] adding a group to the RDP permissions

2004-05-28 Thread Creamer, Mark
Thanks joe

(theoretically)
;-)

mc

-----Original Message-----
From: joe [mailto:listmail@joeware.net]
Sent: Thursday, May 27, 2004 6:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] adding a group to the RDP permissions

Hmmm, theoretically, e.g., the permissions are probably stored in the registry. The
most likely place would be someplace, say, like

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

possibly in the Security value.

Now theoretically if you used a domain group or a built-in group with a specific
SID that doesn't change machine to machine (like I wouldn't recommend using a
local group on a server) you could theoretically take that value from one machine
and copy to another and have those permissions applied to that other machine.
Theoretically you could make this even part of a server build process or have it
in some setup script...

Also theoretically it may or may not require a reboot to make it kick in.

Just chatting theoretically of course.

If I was to chat some more theoretically, someone looking to write some code to
muck with that may theoretically find that that binary format is a type of
standard security definition format.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, May 26, 2004 1:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] adding a group to the RDP permissions

Thanks Ken! Even if I can't use this on the 2K machines, it'll help a bunch in a
couple of months. Many of our TS machines are about to be upgraded and/or
installed. I appreciate it

mc

-----Original Message-----
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 12:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] adding a group to the RDP permissions

Here's some Perl WMI code for adding a local group to the RDP security. However, if
memory serves, W2K doesn't support WMI TS stuff - only 2k3

Anyway, maybe it will work...

use strict;
use Win32::OLE qw(in);   # 'in' iterates a WMI collection

sub TerminalServerSecurity {
    my $host        = shift;   # server to connect to
    my $RemoteGroup = shift;   # group name, local to $host

    # Connect to the CIMv2 namespace on the remote host.
    my $wmi = Win32::OLE->GetObject(
        "winmgmts:{impersonationLevel=impersonate}!\\\\$host\\root\\cimv2")
        or die "WMI error: $^E";

    # One instance per listener (e.g. RDP-Tcp); W2K does not expose this class.
    my $accounts = $wmi->ExecQuery("Select * from Win32_TSPermissionsSetting")
        or die "WMI ExecQuery: " . WmiError("Win32_TSPermissionsSetting");
        # WmiError is the poster's own helper and is not included in the message.

    # Add local group giving full control
    # (PermissionPreSet: 0 = Guest Access, 1 = User Access, 2 = Full Control)
    foreach my $a (in $accounts) {
        print "Adding access to ", $a->TerminalName, "\n";
        $a->AddAccount("$host\\$RemoteGroup", 2);
    }
}

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, May 26, 2004 9:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] adding a group to the RDP permissions

Anybody know a good way to add a group programmatically (or GPO, etc.) to the RDP
properties visible when you go to Terminal Services Configuration/Connections/RDP-Tcp
[Properties]? I have a bunch of Win2K remote administration mode servers that I want
to add a group of night operators to.
Thanks

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
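A way to audit the value joe describes, as an added example that is not from the list or from any poster: a Python decoder for the self-relative security descriptor stored in the RDP-Tcp Security value (the "standard security definition format" he mentions), plus a check for SIDs issued by the local machine, which is the reason he gives for not copying a descriptor that names a local group. The WinStation right names are taken from winsta.h; the machine SID, the group SIDs and the descriptor itself are constructed here rather than captured from a server, and the builder functions exist only to produce that sample.

```python
"""Decode a self-relative Windows security descriptor, the binary layout of the
RDP-Tcp 'Security' registry value, and list who holds which WinStation rights.
The sample descriptor below is constructed here, not captured from any server."""
import struct

SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0x00, 0x01

# WinStation-specific access bits from winsta.h; 0xF03FF and 0x121 are the presets
# the Terminal Services Configuration UI shows as Full Control and User Access.
WINSTATION_RIGHTS = {0x1: "QUERY", 0x2: "SET", 0x4: "RESET", 0x8: "VIRTUAL",
                     0x10: "SHADOW", 0x20: "LOGON", 0x40: "LOGOFF", 0x80: "MSG",
                     0x100: "CONNECT", 0x200: "DISCONNECT"}
WINSTATION_ALL_ACCESS, WINSTATION_USER_ACCESS = 0xF03FF, 0x121


def parse_sid(buf, off):
    """Return (SID string, byte length) for the SID structure at buf[off]."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_acl(buf, off):
    """Walk the ACEs of the ACL at buf[off]; unknown ACE types are kept undecoded."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        ace = {"type": ace_type, "flags": flags, "mask": None, "sid": None}
        if ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE):
            ace["mask"] = struct.unpack_from("<I", buf, pos + 4)[0]
            ace["sid"] = parse_sid(buf, pos + 8)[0]
        aces.append(ace)
        pos += ace_size  # the ACE's own AceSize drives the walk, not our arithmetic
    return aces


def parse_security_descriptor(buf):
    """Parse the 20-byte header and the owner, group and DACL it points at."""
    rev, _sbz1, control, off_owner, off_group, _off_sacl, off_dacl = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    sd = {"owner": parse_sid(buf, off_owner)[0] if off_owner else None,
          "group": parse_sid(buf, off_group)[0] if off_group else None,
          "dacl": None}
    if control & SE_DACL_PRESENT and off_dacl:  # present with offset 0 = NULL DACL
        sd["dacl"] = parse_acl(buf, off_dacl)
    return sd


def describe_mask(mask):
    """Name the preset, else spell out the WinStation bits that are set."""
    if mask == WINSTATION_ALL_ACCESS:
        return "Full Control"
    if mask == WINSTATION_USER_ACCESS:
        return "User Access"
    names = [n for bit, n in WINSTATION_RIGHTS.items() if mask & bit]
    return "+".join(names) if names else "0x%08x" % mask


def machine_local_sids(sd, machine_sid):
    """SIDs minted by this machine's own authority resolve nowhere else, which is
    why a descriptor naming a local group should not be copied between servers."""
    return [a["sid"] for a in sd["dacl"] or []
            if a["sid"] and a["sid"].startswith(machine_sid + "-")]


# Builders exist only to construct the sample descriptor used below.
def build_sid(sid_str):
    rev, auth, *subs = (int(p) for p in sid_str.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_ace(ace_type, mask, sid_str):
    sid = build_sid(sid_str)
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid


def build_sd(owner, group, aces):
    body = b"".join(aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    owner_b, group_b = build_sid(owner), build_sid(group)
    off_group, off_dacl = 20 + len(owner_b), 20 + len(owner_b) + len(group_b)
    hdr = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                      20, off_group, 0, off_dacl)
    return hdr + owner_b + group_b + acl


MACHINE_SID = "S-1-5-21-1000-2000-3000"           # constructed local machine SID
NIGHT_OPS = "S-1-5-21-4000-5000-6000-1107"         # constructed domain group SID
LOCAL_RDP_GROUP = MACHINE_SID + "-1001"            # constructed local group SID
SAMPLE_SD = build_sd("S-1-5-32-544", "S-1-5-18", [
    build_ace(ACCESS_ALLOWED_ACE_TYPE, WINSTATION_ALL_ACCESS, "S-1-5-18"),      # SYSTEM
    build_ace(ACCESS_ALLOWED_ACE_TYPE, WINSTATION_ALL_ACCESS, "S-1-5-32-544"),  # Administrators
    build_ace(ACCESS_ALLOWED_ACE_TYPE, WINSTATION_USER_ACCESS, NIGHT_OPS),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, WINSTATION_USER_ACCESS, LOCAL_RDP_GROUP),
])

if __name__ == "__main__":
    sd = parse_security_descriptor(SAMPLE_SD)
    for ace in sd["dacl"]:
        kind = "Allow" if ace["type"] == ACCESS_ALLOWED_ACE_TYPE else "Deny"
        print("%-5s %-32s %s" % (kind, ace["sid"], describe_mask(ace["mask"])))
    print("would not travel to another machine:", machine_local_sids(sd, MACHINE_SID))
```

On a real server the bytes would come from the Security REG_BINARY value under the key joe names (read through the registry API or from an exported hive); the decoder itself never touches the registry, so it can be run offline against a saved copy.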

RE: [ActiveDir] OT: Exchange 2003 SP1

2004-05-28 Thread Michael Wassell
Oddly enough I was JUST looking at that last night before signing off
for the evening :-)

But yes, it does look like a very handy tool. 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 7:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Exchange 2003 SP1

Yep, good thing to publish. Another cool thing, something I actually was
involved in a lot of the testing over the last year or so is 

http://www.microsoft.com/downloads/details.aspx?FamilyId=3D0884E6-C603-491D-BF57-ACF03E046BFE&displaylang=en

This is the autoaccept agent for conference rooms. You give your
conference rooms mailboxes in Exchange and then use this tool and it
will process the meeting requests for you. That way you can have
automated calendar management of conference rooms (or other resources,
say you have a projector or generic laptop or whatever) without people
fighting over the conference room and deleting each other's entries.
This could put some people out of work as I know there are some folks
whose whole job in life is to manage calendars like that. 

You used to do this with scripts, that of course was on the slow side. I
recall seeing a busy server taking 10-20 minutes to respond when running
with a script but the agent is dot net code that rock and rolls and the
response is in your inbox about as fast as you hit send on the request.

  joe



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, May 25, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: Exchange 2003 SP1

Also continuing the OT note, it seems that the long-awaited server-side
spam filtering system (IMF) is available too:
http://www.microsoft.com/exchange/downloads/2003/imf/default.asp

Apologies if this has already been posted.

Cheers
Ken

~~
From: Tony Murray [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 2003 SP1


: Is now out.
:
: http://tinyurl.com/35ddy
:
: Tony

~~

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



[ActiveDir] MACS

2004-05-28 Thread Rutherford, Robert

Anyone know where MS are with MACS now?


RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Mulnick, Al
Permissions get changed all the time.  Monitoring the DCs for group
membership changes has been helpful here.  You'd be surprised what people
think is a good idea ;)

As for permissions, putting that account in Domain Admins is likely the
wrong thing to do.  If you look in the security logs, you'll likely find a
clue to the answer as to why it won't start.  My guess is that it has
conflicting permissions.  By default Exchange 200x doesn't allow
administrators and other admins the ability to log into people's
mailboxes.  That may be preventing the service from starting.  Could also be
a GPO change or other I'm sure, but I'd start with the event logs to see why
it won't start.

Al 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 27, 2004 8:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT:EXCHANGE weirdness

I have a user (BlackBerry service account) who has full Exchange admin rights
on our admin group. Now suddenly (I know there is no "now suddenly", but
nothing changed, honest), the BlackBerry service won't start and when I open
Exchange manager, I can't see any admin group logged in as the BlackBerry
account.
When I log in as another account, I can see everything. I put the BB account
into Domain Admins, and still same thing.
Why?
And more importantly, how do permissions and roles get lost like that?
I'm running a Win2K AD mixed mode and Exchange 2K native mode.
thanks


RE: [ActiveDir] Discontinue Mail Membership

2004-05-28 Thread Mulnick, Al



I'm just hoping he doesn't delete me... That sounds like it would leave a mark.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 7:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

I love how Tony can kill a thread by contributing. :o)

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Sunday, May 23, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

In general, yes. Although we do generally have reservations about deleting people
(read it again). Subscribed addresses maybe, but not people. We reserve that
treatment only for occasions where people continue dead or off-topic threads longer
than is absolutely necessary ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sunday, 23 May 2004 01:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

aren't those the rules that apply to posts to this list? ;-))

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Friday, 21 May 2004 15:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

I like the etiquette rules, especially the useful reminder:
"We have the right to exploit, humiliate, delete, ignore, or coddle any person at
any time for no other reason than Our Own amusement."
and what's up with those pink...errmm..stuff you require to wear while reading
FeMail? That's mean!
Lana

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 21 May 2004 14:19
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

That is hilarious... go through the FAQ on the left if you haven't

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Friday, May 21, 2004 7:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

Hmmm..googled FeMail and got - "Totally new, cool and fast feMail system utilizes
the newest technology available!" http://www.femail.sissify.com/
A replacement for ActiveDir? The most important - it promises "No more fretting
about system administrators at your workplace!"
Lana

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: 21 May 2004 11:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

that's spelled FEMAIL ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Thursday, 20 May 2004 15:25
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

Please continue FEMALE membership

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Welborn
Sent: Thursday, May 20, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Discontinue Mail Membership

Please remove [EMAIL PROTECTED] from the Activedir.org mailing list.

Thank you
Michael Welborn


RE: [ActiveDir] strange error on logon

2004-05-28 Thread Mulnick, Al



Picasso, would it just be me, or does anyone else think that making KB searching
an art vs. a science is wrong? I mean, as long as it's public vs. say, utopia,
wouldn't it make sense to make it so the intended audience could use it? Like Joe
said, buy google already. That's what gets used for most KB searches anyway. At
least the successful ones.

Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

Yep, too bad so many Windows folks are pushed to the limit with Spirographs
Picasso :o)

Just buy google already... Petty cash, whip it out. Let people beat on MS for a
while for using linux machines to find content at MS while it gets assimilated.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 5:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

Searching KB is an art, so you can call me Picasso. ;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

That support search engine must have missed it :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, May 27, 2004 4:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

Have you seen:

824204 You receive an "Error at logon: Cannot find the file..." error message
http://support.microsoft.com/?id=824204

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 27, 2004 2:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] strange error on logon

Just a guess.

Check the registry on the workstation. That file error throws some hits on the net
referring to shell startup.
This may be the key. You can search the registry and find a reference to the idlist
portion of your error. I wouldn't rule out GPO just yet either as it could be
something that got locked down inadvertently. Or maybe folder redirection? Seen some
reference to Norton, but...

HKCR\Folder\shell\rootexplore = "Explore From Here"
  command = "Explorer.exe /e,/root,/idlist,%I"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

I have never seen an error like that so once you nail down what is running that is
throwing the error up, then we can go from there.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Thursday, May 27, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange error on logon

I began receiving calls yesterday about a strange looking error that users were
getting at logon. Here is the message:

Cannot find the file '/idlist,:0:1140,\\DOMAINCONTROLLER\NETLOGON' (or one of its
components).

I originally thought that it may be an issue with a script I was pushing through
group policy, but that is not the case. I still need to look at the startup on the
machines in question and see if there is anything there.

Thanks,
Raymond McClinnis


RE: [ActiveDir] strange error on logon

2004-05-28 Thread Eric Fleischman








We keep tweaking it to make it better. As you've probably read, this is a major
work item for us. We're working on it.



RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Kern, Tom
here's the deal-

I've had this same thing happen to a child domain. The domain admins had full Exchange
admin rights on their admin group. However, when you open up Exchange System Manager,
you couldn't see anything. In ADSIEdit, if you looked in the Exchange services
container in the configuration partition, you couldn't look deeper than the org. There
was nothing there. And if you wanted to look at the ACLs of the org, it was empty.
STILL, in Exchange System Manager, you saw they had full Exchange admin rights (and I'm
not talking about receive as, to open a mailbox. I just mean full rights to view and
administer their admin group.). This was never resolved.
Now I have the same issue in my child domain with the BlackBerry service account.
I'm the only one who administers this domain and nothing was changed. Really.
Is there an explicit deny somewhere? How would I find it? There's nothing in the
security log on the BlackBerry server.
This is the kind of stuff that keeps me up all night.

Could someone have done something at the root? We have no GPO on our domain, DC, or
site that would cause this. I checked them all, including the local one on the server.

What the heck is going on here? This is twice now with 2 separate domains!!!
Both domains are mixed mode running Win2K. The root domain is native mode. Exchange 2K
is native mode.
All servers are Win2K except one Win2K3 server in the root and an Exchange 2K3 server,
also in the root.

thanks



RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Mulnick, Al
What's the error messages when the service tries to start?  What's in the
security and application and system logs?

What groups is the bb service a member of completely?  Which one is
delegated exchange rights and how does that compare with the service
account?

I think that's a good place to start troubleshooting this.  I think you
should also look for any errors indicating a change in server group
membership and any changes to the Exchange domain servers and enterprise
servers groups.

Al 



RE: [ActiveDir] strange error on logon

2004-05-28 Thread Thommes, Michael M.



Hi Eric,
 Improvements in this area would be great! I'd like to suggest that MS thinks
about moving KB articles from the Premier site to the Public site a little faster
also. Keeping known problems from the public is not a good policy. (Yes, there are
at least two KB databases!)

Mike Thommes


[ActiveDir] 1000 user limit

2004-05-28 Thread Douglas M. Long
I need to increase the search limit on 2003 so that when I do an ldap search
I can retrieve everything. Everywhere I look it just tells me to use
ntdsutil and change the maxpagesize (I believe that was it), but doesn't give
any specific permissions on how to do it. Do you guys have a link on the
details? Also, can I limit this ability to a single user?

OT-Is there a way to change permissions on a Global Address List in Exchange
2003 so that a certain group cannot see or use it? My reasoning for this
would be so that if a virus is executed that spreads via address book, then
it doesn't spread to every user in the Exchange Organization. Any other
ideas??

Also, is there an archive of this group?? Searchable??

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Mulnick, Al
There would be an event logged on the Exchange server if your membership
were incorrect.  Depending on version, this would be different.

Have you checked with the root folks to see if they've done anything lately?
How's replication working?

Interested to hear what RIM comes back with as well.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

the bb service logs an application specific error (i'm trying to find out its
meaning from RIM).
there is nothing in the other logs.
the bb service is a member of the local admin group on the server and domain
users, that's it.
exchange view only admin is delegated directly to the bb account on our
admin group.
the other delegation is full exchange admin to the domain admins group.

where would i check for changes to the Exchange domain servers/enterprise
servers groups?
or errors in group membership?


as per my previous post, this kind of thing has happened before to the
domain admins which had full exchange admin rights delegated directly to
them.

thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 10:02 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


What's the error messages when the service tries to start?  What's in the
security and application and system logs?

What groups is the bb service a member of completely?  Which one is
delegated exchange rights and how does that compare with the service
account?

I think that's a good place to start troubleshooting this.  I think you
should also look for any errors indicating a change in server group
membership and any changes to the Exchange domain servers and enterprise
servers groups.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

here's the deal-

i've had this same thing happen to a child domain. the domain admins had full
exchange admin rights on their admin group. however, when you open up
exchange system manager, you couldn't see anything. In adsiedit, if you
looked in the exchange services container in the configuration partition,
you couldn't look deeper than the org. there was nothing there. and if you
wanted to look at the acl's of the org, it was empty.
STILL, in exchange system manager, you saw they had full exchange admin
rights (and i'm not talking about receive as, to open a mailbox. i just mean
full rights to view and administer their admin group.). this was never
resolved.
Now i have the same issue in my child domain with the blackberry service
account.
I'm the only one who administers this domain and nothing was changed.
really. 
is there an explicit deny somewhere? how would i find it? there's nothing in
the security log on the blackberry server.
this is the kind of stuff that keeps me up all night.

could someone have done something at the root? we have no gpo on our domain,
dc, or site that would cause this. i checked them all, including the local
one on the server.

what the heck is going on here? this is twice now with 2 separate domains!!!
both domains are mixed mode running win2k. the root domain is native mode.
exchange 2k is native mode.
all servers are win2k except one win2k3 server in the root and an exchange2k3
server, also in the root.

thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 9:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


Permissions get changed all the time.  Monitoring the DC's for group
membership changes has been helpful here.  You'd be surprised what people
think is a good idea ;)

As for permissions, putting that account in domain admins is likely the
wrong thing to do.  If you look in the security logs, you'll likely find a
clue to the answer as to why it won't start.  My guess is that it has
conflicting permissions.  By default Exchange 200x doesn't allow
administrators and other admins the ability to log into people's
mailboxes.  That may be preventing the service from starting.  Could also be
a GPO change or other I'm sure, but I'd start with the event logs to see why
it won't start.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 27, 2004 8:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT:EXCHANGE weirdness

i have a user (blackberry service account) who has full exchange admin rights
on our admin group, now suddenly (i know there is no now suddenly, but
nothing changed, honest), blackberry service won't start and when i open
exchange manager, i can't see any admin group logged in as the blackberry
account.
when i log in as another account, i can see everything. i put the bb account
into domain 
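
Al's advice above, to monitor the DCs for group membership changes and start from the security logs, as an added example that is not code from anyone in the thread. It reads a DC's Security log for the Windows 2000/2003 group-change event IDs (632/636/660 and their removal twins), with the Vista/2008+ numbering included for newer DCs, and pulls member, group and caller out of each event. It assumes "Audit account management" is enabled on the DC; the DC name, the lookback window and the function names are hypothetical.

```powershell
# Added example (not from the thread): summarise security-group membership
# changes recorded in a domain controller's Security log, so that "permissions
# get changed all the time" becomes something you can see and alert on.
# Assumes "Audit account management" success auditing is on and the caller can
# read the DC's Security log remotely. $Dc, $Hours and function names are
# hypothetical; substitute your own.

# Event IDs for security-group membership changes. The first set is the
# Windows 2000/2003 numbering current when this thread was written; the
# Vista/2008+ numbering is the same ID plus 4096 (632 -> 4728, 636 -> 4732,
# 660 -> 4756, and likewise for the removals).
$GroupChangeEvents = @{
    632 = 'member added to global group';    633 = 'member removed from global group'
    636 = 'member added to local group';     637 = 'member removed from local group'
    660 = 'member added to universal group'; 661 = 'member removed from universal group'
}
foreach ($id in @($GroupChangeEvents.Keys)) {
    $GroupChangeEvents[$id + 4096] = $GroupChangeEvents[$id]
}

# Pull member, group and caller out of the event text. The 2000/2003 body is
# flat "Label:<tab>value" lines; the 2008+ body has Subject/Member/Group
# sections, so the modern patterns anchor on the section heading first.
function ConvertFrom-GroupChangeMessage {
    param([int]$EventId, [datetime]$Time, [string]$Message)

    $legacy = @{ Member = 'Member Name:'; Group = 'Target Account Name:'; Caller = 'Caller User Name:' }
    $modern = @{ Member = '(?s)Member:.*?Account Name:'; Group = 'Group Name:'; Caller = '(?s)Subject:.*?Account Name:' }
    $labels = if ($EventId -ge 4096) { $modern } else { $legacy }

    $fields = @{}
    foreach ($key in 'Member', 'Group', 'Caller') {
        # Value runs from the label to the end of that line.
        $m = [regex]::Match($Message, $labels[$key] + '\s*([^\r\n]+)')
        $fields[$key] = if ($m.Success) { $m.Groups[1].Value.Trim() } else { '<unparsed>' }
    }
    New-Object PSObject -Property @{
        Time    = $Time
        EventId = $EventId
        Change  = $GroupChangeEvents[$EventId]
        Member  = $fields.Member
        Group   = $fields.Group
        Caller  = $fields.Caller
    }
}

# Query one DC for the last $Hours of group-change events. Run it against
# every DC (or the PDC emulator plus the DC the change was made on), since
# account-management events are logged only where the change happened.
function Get-GroupMembershipChange {
    param([string]$Dc = 'DC1', [int]$Hours = 24)   # hypothetical defaults
    Get-EventLog -ComputerName $Dc -LogName Security -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $GroupChangeEvents.ContainsKey($_.EventID) } |
        ForEach-Object { ConvertFrom-GroupChangeMessage $_.EventID $_.TimeGenerated $_.Message }
}

# Constructed sample of a Windows 2003 event 632 body (not a real log entry),
# run through the parser so the parsing can be checked without a DC.
$sample = @"
Security Enabled Global Group Member Added:
    Member Name:        CN=svc-bbes,OU=Service Accounts,DC=child,DC=example,DC=com
    Member ID:          %{S-1-5-21-1111-2222-3333-1105}
    Target Account Name:    Domain Admins
    Target Domain:      CHILD
    Target Account ID:  %{S-1-5-21-1111-2222-3333-512}
    Caller User Name:   adm-example
    Caller Domain:      CHILD
    Caller Logon ID:    (0x0,0x3E7B1)
    Privileges:         -
"@
ConvertFrom-GroupChangeMessage 632 (Get-Date) $sample | Format-List Time, Change, Member, Group, Caller

# Against a live DC: Get-GroupMembershipChange -Dc 'DC1' -Hours 24 |
#   Where-Object { $_.Group -match 'Admins' } | Format-Table -AutoSize
```

A service account turning up as Member with "Domain Admins" as Group is exactly the kind of change this thread ends up chasing by hand; feeding the output to whatever alerts on the DCs turns it into a notification instead.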

RE: [ActiveDir] Probable GPO issue

2004-05-28 Thread Rutherford, Robert
Seems like it could be down to an MS patch as the new machines are
patched to the 'nth' degree while the old ones typically only had
critical patches. I'll investigate further.

-Original Message-
From: Rutherford, Robert 
Sent: 28 May 2004 15:43
To: '[EMAIL PROTECTED]'
Subject: Probable GPO issue


Hello,

I'm having a strange one here

We have just deployed a large batch of new pc's into the enterprise. The
users do not have access to the file associate option within explorer as
it is greyed out. I can't think of or see any policy change which would
have such an effect?

Old machines are fine and have exactly the same GPO's applied... I
suspect they must have had some registry tattoos left from a previous
deployment or something. I have compared the two different registries
and they seem identical in the hklm\sw\ms\windows\cv\policies\ and
hk_cu.

They have exactly the same permissions on the old boxes as the new.

Any ideas out there?



RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Kern, Tom
According to RIM, it's a permissions error (duh). they suggested upgrading the 
mapi32.dll and cdo.dll to the same version as the exchange server.
while the blackberry service is now starting, i still can't see anything in exchange 
system manager or adsiedit logged in as the blackberry account.

there is nothing logged on the exchange server.


no replication errors on any of my DC's. or the ones in the root.

haven't spoken to the guys in the root, but what could they do to change things if the 
account seems ok in ESM?

thanks


[ActiveDir] GPO Question

2004-05-28 Thread Christine Easton

Running Windows 2k AD with sp3

Hi,

I'm trying to create a GPO for my users that will place a shortcut to their
departmental folder that is on a NTFS network share to their desktop.  Has
anyone done this before? I'm not sure what GPO I should be using or what
procedure I should follow.  Any help will be appreciated. Thanks!


RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Mulnick, Al
They could have added an Exchange 2k3 server for starters :)

Nothing is logged on the Exchange server or the DC/GC when you try to access
that information? Is audit logging turned on?

Did they upgrade the root domain as well?  Those permissions are set on the
configuration container and you should have view rights to them as a
delegated admin.  If you don't, then something has changed and seems to be
recurring.  Check with the root folks to see what's changed in the last few
days in the root domain.  What was added etc? 




RE: [ActiveDir] GPO Question

2004-05-28 Thread Passo, Larry
Use the GPO to run a logon script that creates the shortcut

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script5
6/html/wsconcreatingshortcut.asp



RE: [ActiveDir] MACS

2004-05-28 Thread Free, Bob
Anyone know where MS are with MACS now?

MACS is now called The Microsoft Windows Audit Collection Services (ACS)


Release Candidate 1 became available to beta testers at the end of
April.

ACS Release Candidate changes include:
1) Simplified and updated database schema
2) Updated communications protocol
3) Complete support for SSL/TLS authentication
4) Improved performance & scalability
5) Improved setup experience
6) Improved security (on Windows XP and Windows Server 2003, ACS runs as
NetworkService)
7) Improved manageability
8) Database included
9) Many quality & stability improvements
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford,
Robert
Sent: Friday, May 28, 2004 6:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MACS


Anyone know where MS are with MACS now?



RE: [ActiveDir] GPO Question

2004-05-28 Thread Creamer, Mark
How are the users organized? Is there some attribute populated already in your AD that
can properly match the user to the directory shortcut they should receive? I think I'd
use a login script for this...

mc

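Larry's answer (a GPO-assigned logon script that creates the shortcut with the WSH CreateShortcut API he links) and Mark's point (some AD attribute has to say which folder a user gets), combined as an added example that is not code from anyone in the thread. It is written in PowerShell rather than the VBScript of the era, but uses the same WScript.Shell COM object. The "department" attribute as the key, the \\FS1\Departments\<department> share layout and the function names are assumptions.

```powershell
# Added example (not from the thread): a logon script that puts a shortcut to
# the user's departmental folder on their desktop. Assumes each user's
# "department" attribute names a subfolder of $ShareRoot; both are
# hypothetical, substitute your own attribute and share.

$ShareRoot = '\\FS1\Departments'     # hypothetical file server and share

# Look the current user up by SID through ADSI (nothing beyond the logon
# session's own credentials is needed) and return the department attribute,
# or $null when it is not populated.
function Get-UserDepartment {
    $sid  = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $user = [ADSI]"LDAP://<SID=$sid>"
    $dept = $user.Properties['department'].Value
    if ($dept) { [string]$dept } else { $null }
}

# Turn the attribute value into a single folder name under the share. The
# attribute is writable by whoever administers user objects, so it is treated
# as untrusted input: anything other than a plain name (path separators,
# "..", a leading "\\") is rejected instead of being joined into the UNC path.
# Widen the allow-list deliberately if your department names need more.
function Get-DepartmentFolder([string]$Department) {
    if (-not $Department) { return $null }
    if ($Department -notmatch '^[A-Za-z0-9 _-]+$') { return $null }
    Join-Path $ShareRoot $Department
}

# Create (or overwrite) "Department Folder.lnk" on the user's desktop via the
# WScript.Shell COM object that the MSDN page in Larry's reply describes.
function New-DepartmentShortcut([string]$Target) {
    $desktop  = [Environment]::GetFolderPath('Desktop')
    $lnk      = Join-Path $desktop 'Department Folder.lnk'
    $shell    = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($lnk)
    $shortcut.TargetPath  = $Target
    $shortcut.Description = "Departmental folder ($Target)"
    $shortcut.Save()
    $lnk
}

$dept   = Get-UserDepartment
$folder = Get-DepartmentFolder $dept
# Test-Path runs under the user's own token, so the share and NTFS ACLs decide
# whether the shortcut is created; a missing or unreadable folder just means
# no shortcut, which is what a logon script should do rather than fail.
if ($folder -and (Test-Path -LiteralPath $folder)) {
    New-DepartmentShortcut $folder | Out-Null
} else {
    Write-Warning "No departmental folder available for department '$dept'"
}
```

Assign the script under User Configuration > Windows Settings > Scripts (Logon) in the GPO linked to the users' OU; because it keys on an attribute rather than on group membership, one GPO serves every department.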

[ActiveDir] LDAP Query Response Time

2004-05-28 Thread Marcus.Oh
Anyone found a clever way to monitor and alert on this stuff? :) Counters maybe?




RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Kern, Tom
they added an exchange2k3 server and a win2k3 dc. how would that change things?
in my child domain, i'm a full exchange admin and can see everything. in another 
domain, the exchange full admins can't see anything. and of course the view only 
blackberry service account can't see anything in my domain.
all our dc's are at sp 3 or 4.
how would installing exchange2k3 or win2k3 change the security on the config container 
as to disallow viewing for one domain and not another?
that's the only change made according to them...

i'm very confused. 
thanks for your continuing help in this. i really appreciate it.



RE: [ActiveDir] MACS

2004-05-28 Thread Gil Kirkpatrick
And, as I understand it, it is not going to be a free download or Resource
Kit component any more. MSFT is going to charge for it.

-gil 



RE: [ActiveDir] MACS

2004-05-28 Thread Free, Bob
Where did you hear that? Last I heard in the beta group it was to be
included in the next 2K/2003 SP's but I am not as well connected as
you are :-]

Maybe ~eric can answer <G>



[ActiveDir] wierd request

2004-05-28 Thread Kern, Tom
my manager just came to me and asked if there is a way to prevent a user from doing 
anything but email on the network or from a specific pc?

we use exchange2k with win2k ad.

is there a way to do this via a local gpo or put them into an ou and apply a gpo that 
way?
very strange
thanks


RE: [ActiveDir] wierd request

2004-05-28 Thread Creamer, Mark
You could probably set the machine up like a kiosk with lots of GPO lockdown policies
- personally I'd get one of those rdp thin clients and have it connect to a terminal
server - setting the session to run the application (eg Outlook) only, rather than
showing the desktop

mc

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 28, 2004 2:48 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] weird request

my manager just came to me and asked if there is a way to prevent a user from doing 
anything but email
on the network or from a specific pc?

we use exchange2k with win2k ad.

is there a way to do this via a local gpo or put them into an ou and apply a gpo that
way?
very strange
thanks


RE: [ActiveDir] weird request

2004-05-28 Thread Darren Mar-Elia
You can definitely do this with GPO. You could even try to change the
shell from Explorer to Outlook, which would prevent any access to the
Explorer. I haven't tried this with Outlook but have done it
successfully with IE for web kiosks. You might want to check out the
GPO scenarios that MS provides at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/csws2003.mspx

The scenarios are a set of GPO settings for various levels of lockdown
and have some good guidelines for doing kiosk type machines.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, May 28, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] weird request

You could probably set the machine up like a kiosk with lots of GPO
lockdown policies - personally I'd get one of those rdp thin clients and
have it connect to a terminal server - setting the session to run the
application (eg Outlook) only, rather than showing the desktop

mc

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 2:48 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] weird request

my manager just came to me and asked if there is a way to prevent a user
from doing anything but email on the network or from a specific pc?

we use exchange2k with win2k ad.

is there a way to do this via a local gpo or put them into an ou and
apply a gpo that way?
very strange
thanks


RE: [ActiveDir] weird request

2004-05-28 Thread Chuck Oppermann

my manager just came to me and asked if there is a way to prevent a user
from doing anything but email on the network or from a specific pc?

we use exchange2k with win2k ad.

is there a way to do this via a local gpo or put them into an ou and apply a
gpo that way?


In situations similar, I've recommended locking the machine to only allow
access to the browser which connects to Exchange via Outlook Web Access.

FYI, this is how the machines in the lobbies of the Microsoft buildings in
Redmond are configured.  You can go two routes with those machines - TS to
your desktop, or OWA to your mailbox.  Of course, you have to insert your
smart card to get started and provide your password.

Charles Oppermann, [EMAIL PROTECTED],
http://weblogs.asp.net/chuckop/





RE: [ActiveDir] LDAP Query Response Time

2004-05-28 Thread Chuck Oppermann
http://msdn.microsoft.com/library/en-us/dnactdir/html/efficientadapps.asp

This article summarizes some techniques. Look towards the middle and end of
the article. If you have control over a particular LDAP client
application, consider building a debug version that uses the STATS control as
part of its LDAP queries. That'll give you exactly what you're
looking for.

For different applications, bumping a registry value on the DCs can give you
a lot of information.

Perf counters will let you know how long the last bind took, but not queries I don't
think.

Charles Oppermann, [EMAIL PROTECTED], http://weblogs.asp.net/chuckop/

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 28, 2004 11:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP Query Response Time

Anyone found a clever way to monitor and alert on this stuff? :) Counters maybe?


RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread joe
Everything I read in this chain is definitely saying permission issues. Note
that the main permissions for Exchange are in the config container. Anyone
from any domain that has permissions to that container can be dangerous.
Including domain admins of child domains.

The fact that you can't even read the permissions from a certain level on is
screaming someone changed the permissions AT THAT level. The fun thing is if
you don't have permissions to see the permissions, you will have to take
ownership to see them or figure out what account has the perms necessary to
see them. Once you can see them, then you can figure out how bad it is. I
would personally try to do a dsacls dump of each layer under the Exchange
Services level and see where the perms start locking down. Again, you may
have to take ownership at some point to see anything.

  joe



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 28, 2004 2:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

Checking this document, can you verify what permissions are associated with
the BB account?

http://support.microsoft.com/default.aspx?scid=kb;en-us;823018 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 2:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

they added an exchange2k3 server and a win2k3 dc. how would that change
things?
in my child domain, i'm a full exchange admin and can see everything. in
another domain, the exchange full admins can't see anything. and of course
the view only blackberry service account can't see anything in my domain.
all our dc's are at sp 3 or 4.
how would installing exchange2k3 or win2k3 change the security on the config
container as to disallow viewing for one domain and not another?
that's the only change made according to them...

i'm very confused.
thanks for your continuing help in this. i really appreciate it.


-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 2:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


They could have added an Exchange 2k3 server for starters :)

Nothing is logged on the Exchange server or the DC/GC when you try to access
that information? Is audit logging turned on?

Did they upgrade the root domain as well?  Those permissions are set on the
configuration container and you should have view rights to them as a
delegated admin.  If you don't, then something has changed and seems to be
recurring.  Check with the root folks to see what's changed in the last few
days in the root domain.  What was added etc? 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

According to RIM, it's a permissions error (duh). they suggested upgrading the
mapi32.dll and cdo.dll to the same version as the exchange server.
while the blackberry service is now starting, i still can't see anything in
exchange system manager or adsiedit logged in as the blackberry account.

there is nothing logged on the exchange server.


no replication errors on any of my DC's. or the ones in the root.

haven't spoken to the guys in the root, but what could they do to change
things if the account seems ok in ESM?

thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 10:42 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


There would be an event logged on the Exchange server if your membership
were incorrect.  Depending on version, this would be different.

Have you checked with the root folks to see if they've done anything lately?
How's replication working?

Interested to hear what RIM comes back with as well.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

the bb service logs an application specific error (i'm trying to find out its
meaning from RIM).
there is nothing in the other logs.
the bb service is a member of the local admin group on the server and domain
users, that's it.
exchange view only admin is delegated directly to the bb account on our
admin group.
the other delegation is full exchange admin to the domain admins group.

where would i check for changes to the Exchange domain servers/enterprise
servers groups?
or errors in group membership?


as per my previous post, this kind of thing has happened before to the
domain admins which had full exchange admin rights delegated directly to
them.

thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 10:02 AM
To: '[EMAIL PROTECTED]'
Subject: RE: 

RE: [ActiveDir] MS Exchange Tools on Domain Controller

2004-05-28 Thread joe



Heck even when installing patches I would recommend
avoiding desktop logon. My usual process would be to wrap the qfe in a batch
file that would fire it and then rcmd into the server to do the launch. Yes, you
are running a console from the server but I found it is less likely to have
accidents that way still as the whole point and click thing is out of the
way.

As a rule, I like to see DCs running lean and mean. That
way when you have issues, and you will, they are much simpler to chase down. If
you have to chase through 60 different pieces of software that could be
possibly causing issues you aren't going to be happy because generally DC issues
are very visible issues and you have exceeded the weight rating on your butt. I
have also found that MS is far more helpful in troubleshooting when you have ALL
MS products on the server and nothing else, they have no place to toss the
potato. Not that I blame them, I understand completely.

 joe



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Oppermann
Sent: Saturday, May 22, 2004 12:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS Exchange Tools on Domain Controller


I'd like to reinforce Joe's point. I go by the following rule of thumb: A
Windows machine is only as stable as the worst piece of software installed on
it. The less of anything installed on any critical machine, the better.

Logging onto a DC should be an absolute no-no unless something truly cannot be
done remotely, like installing a patch.


Charles Oppermann, [EMAIL PROTECTED], http://weblogs.asp.net/chuckop/




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 21, 2004 11:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS Exchange Tools on Domain Controller

That is it however, 
that brings up the question... Is Exchange Admin something you should be doing 
from a domain controller? As a general rule you shouldn't be logging onto DCs 
very often, that way leads to mistakes and problems. You manage the stuff from 
workstations. Let servers just sit and cook in the background. 

joe







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Friday, May 21, 2004 2:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS Exchange Tools on Domain Controller
That's it? Cool.

Okay..I will give it a try.

Thank you again for the reply.





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 21, 2004 1:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS Exchange Tools on Domain Controller

Yes, just install the ESM on the DC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Friday, May 21, 2004 1:54 PM
To: Active Directory List
Subject: [ActiveDir] MS Exchange Tools on Domain Controller

I have an Exchange server and would like to know if it would be possible to have
the properties menus available when logged into the domain controller? The domain
and the exchange server are two separate machines.

Is this possible?

Thank you all for your replies in advance.



RE: [ActiveDir] 1000 user limit

2004-05-28 Thread Chuck Oppermann
Agreed.  People should remember that it's not a search limit; it's the
maximum number of results in a single page of results returned.

Without limits like this, it would be trivial to write a denial-of-service
program that queries (objectClass=*) repetitively, forcing the server to keep
returning huge result sets to the client.

---Chuck

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, May 28, 2004 7:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 1000 user limit

Oy! Please do not do this!

MaxPageSize is there for a reason...it prevents us from having
long-running transactions that can hurt overall DB perf. Rather, use
paged searches. We implement paged searches as per RFC spec.

If you're using ADSI, you can make it use paged searches with one extra
line of code... just tell the search what page size to use (say 1000)
and it will page for you under the hood.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, May 28, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 1000 user limit

I need to increase the search limit on 2003 so that when I do an ldap
search I can retrieve everything. Everywhere I look it just tells me to use
ntdsutil and change the maxpagesize (I believe that was it), but doesn't
give any specific permissions on how to do it. Do you guys have a link on the
details? Also, can I limit this ability to a single user?

OT-Is there a way to change permissions on a Global Address List in
Exchange 2003 so that a certain group cannot see or use it? My reasoning for this
would be so that if a virus is executed that spreads via address book,
then it doesn't spread to every user in the Exchange Organization. Any other
ideas??

Also, is there an archive of this group?? Searchable??

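Eric's and Chuck's point above, that MaxPageSize caps how many entries a DC hands back in one response and not how many a client can retrieve, is easy to see in code. The Python below is an added example written for this page, not code posted to the list or shipped with any product: a small fake directory stands in for a DC enforcing MaxPageSize=1000 (its cookie is just an encoded offset, a simplification of the opaque cookie a real server returns), and the client loop is the RFC 2696 paged-results pattern that ldap3's `Connection.extend.standard.paged_search(..., paged_size=1000)` or .NET's `DirectorySearcher.PageSize` performs for you under the hood. The DNs and counts are constructed.

```python
"""Paged LDAP search versus a raised MaxPageSize (added example, not from the thread)."""
from dataclasses import dataclass

MAX_PAGE_SIZE = 1000  # AD's default LDAP policy value discussed in the thread


class SizeLimitExceeded(Exception):
    """Stand-in for LDAP result code 4, sizeLimitExceeded."""


@dataclass
class FakeDC:
    """Constructed directory (no real DC): `users` user objects under OU=Users."""
    users: int
    max_page_size: int = MAX_PAGE_SIZE
    searches_served: int = 0

    def _all_dns(self):
        return [f"CN=user{i:05d},OU=Users,DC=example,DC=com" for i in range(self.users)]

    def search(self, page_size=None, cookie=b""):
        """Serve one search; return (entries, cookie).

        page_size=None means the client sent no paged-results control. Otherwise
        the server clamps the page to MaxPageSize and returns a cookie the client
        must echo back to get the next page; an empty cookie ends the result set.
        The cookie here is just the encoded offset (a real server's cookie is opaque).
        """
        self.searches_served += 1
        dns = self._all_dns()
        if page_size is None:
            if len(dns) > self.max_page_size:
                raise SizeLimitExceeded(f"{len(dns)} matches, MaxPageSize is {self.max_page_size}")
            return dns, b""
        page = min(page_size, self.max_page_size)
        offset = int(cookie) if cookie else 0
        chunk = dns[offset:offset + page]
        next_offset = offset + len(chunk)
        next_cookie = str(next_offset).encode() if next_offset < len(dns) else b""
        return chunk, next_cookie


def unpaged_search(dc):
    """What the original poster was doing: one search, no control, fails past MaxPageSize."""
    entries, _ = dc.search()
    return entries


def paged_search(dc, page_size=1000):
    """RFC 2696 client loop: resend the search with the server's cookie until it comes back empty."""
    results = []
    cookie = b""
    while True:
        entries, cookie = dc.search(page_size=page_size, cookie=cookie)
        results.extend(entries)
        if not cookie:
            return results


if __name__ == "__main__":
    dc = FakeDC(users=3500)
    try:
        unpaged_search(dc)
    except SizeLimitExceeded as exc:
        print("unpaged search failed:", exc)
    found = paged_search(dc)
    print(f"paged search returned {len(found)} entries in {dc.searches_served - 1} pages")
```

Asking for a page of 5000 changes nothing: the server clamps it to its policy value and the loop simply takes four round trips for 3500 objects. That is the flexibility joe and Eric are after; raising MaxPageSize only moves the wall.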


RE: [ActiveDir] LDAP Query Response Time

2004-05-28 Thread joe
One way to do this is set up "stations" that on some
frequency will send ldap queries to your DCs. You will then simply record the
time it took to process the query. Obviously do something that is consistent
(rootdse or specific attribs from the default context) so your times don't
deviate based on amount of information returned. This gives you data you can
track long term for how fast or slow a given DC is. If you exceed some average
you define as bad, you alert on it. This could warn you of network issues (say a
virus is eating up more and more bandwidth) or your DC is getting overloaded or
hurting.

 joe

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 28, 2004 2:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP Query Response Time

Anyone found a clever way to monitor and alert on this stuff? :) Counters maybe?
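joe's "stations" idea, as an added example written for this page (not code from the list): a probe wrapper that times one fixed query, and a per-DC station that keeps a rolling median baseline and alerts either on an absolute ceiling or on a sample well above that baseline. The `rootdse_probe` helper assumes the third-party ldap3 package and reads a single rootDSE attribute, the consistent, tiny query joe recommends so the timing does not vary with the amount of data returned. The DC names, thresholds and the latency series in `demo()` are constructed, not measurements.

```python
"""LDAP latency station (added example): time a fixed query per DC, baseline it, alert on drift."""
import statistics
import time
from collections import deque


def rootdse_probe(host, timeout=5):
    """Build a probe that reads one rootDSE attribute from `host`.

    Needs the third-party ldap3 package; rootDSE is readable anonymously on AD,
    so no credentials are required. `host` is whatever DC name you pass in.
    """
    import ldap3  # imported here so the rest of the module works without it

    def probe():
        server = ldap3.Server(host, get_info=ldap3.NONE, connect_timeout=timeout)
        conn = ldap3.Connection(server, auto_bind=True, receive_timeout=timeout)
        try:
            conn.search("", "(objectClass=*)", search_scope=ldap3.BASE, attributes=["currentTime"])
        finally:
            conn.unbind()

    return probe


def timed(probe):
    """Run probe() once; return (latency_seconds, exception_or_None). A failure still yields a latency."""
    start = time.perf_counter()
    try:
        probe()
        return time.perf_counter() - start, None
    except Exception as exc:  # a probe that errors out is itself a signal worth recording
        return time.perf_counter() - start, exc


class LatencyStation:
    """Per-DC rolling baseline with two alert conditions.

    - absolute: a sample at or above `ceiling_s` always alerts
    - relative: once `min_history` samples exist, a sample above `factor` times
      the rolling median of the last `window` samples alerts. The median, not the
      mean, is used so a single earlier spike does not inflate the baseline.
    """

    def __init__(self, window=20, factor=3.0, ceiling_s=2.0, min_history=5):
        self.window, self.factor, self.ceiling_s, self.min_history = window, factor, ceiling_s, min_history
        self.history = {}  # dc name -> deque of recent latencies

    def record(self, dc, latency_s):
        """Store one sample; return an alert string, or None if the sample looks normal."""
        hist = self.history.setdefault(dc, deque(maxlen=self.window))
        alert = None
        if latency_s >= self.ceiling_s:
            alert = f"{dc}: {latency_s:.3f}s at or above ceiling {self.ceiling_s:.3f}s"
        elif len(hist) >= self.min_history:
            baseline = statistics.median(hist)
            if baseline > 0 and latency_s > self.factor * baseline:
                alert = f"{dc}: {latency_s:.3f}s is {latency_s / baseline:.1f}x the baseline {baseline:.3f}s"
        hist.append(latency_s)
        return alert

    def baseline(self, dc):
        """Current rolling median for `dc`, or None if nothing has been recorded."""
        hist = self.history.get(dc)
        return statistics.median(hist) if hist else None


def demo():
    """Replay a constructed latency series (not real measurements) and return the alerts raised."""
    station = LatencyStation()
    series = [("dc01", 0.008)] * 12 + [
        ("dc01", 0.040),  # 5x the baseline: relative alert
        ("dc01", 0.009),  # back to normal
        ("dc02", 0.300),  # first sample for dc02, no baseline yet, below ceiling: no alert
        ("dc01", 2.400),  # above the absolute ceiling
    ]
    return [a for a in (station.record(dc, s) for dc, s in series) if a]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In a real deployment the loop is `station.record(dc, timed(rootdse_probe(dc))[0])` on a timer per DC, with the station state persisted so the baseline survives a restart; the relative rule catches a DC slowly getting worse, the absolute rule catches one that has fallen over.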


RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Kern, Tom
i checked the perms thru adsiedit-
blackberry account(ex view only admin according to ESM)- has all the appropriate 
rights except no entry at the ORG container and at the Administrative groups container.

Domain admins in child domain with similar issues(ex full admin according to ESM)- 
same thing


Now, the questions-
1.how could this just change? I know the root domain guys took us out of the Exchange 
org and used the delegation wizard to give us full access to our admin group thru ESM. 
same thing for the blackberry account, except view only.
do we still need to be delegated something at the org level? it would seem to be so. 
to be able to administer our admin group, would we still need some rights on the org 
level?

2. how can i take ownership with no rights on an object. can a domain admin in a child 
domain write to the config container of a forest?


This is why i want our own forest. If you see my previous threads, it's always about 
how to break away from the forest or what a child domain admin can or can't do without 
enterprise admin access, dependency on the root, etc.


we always have issues with the guys on top screwing us up on the bottom and the 
serious lack of communication. they seem to think that as child domain admins we can't 
screw THEM. i'm trying to convince my CIO to break away or at least ask for enterprise 
admin rights. I want to at least show them that we can screw them up or get access to 
enterprise admin so they would then give us this access or we would leave the 
forest (since as a sister corp, we are on equal footing with them in every way. it's just 
politics).

thank you guys so much for all your help.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


Everything I read in this chain is definitely saying permission issues. Note
that the main permissions for Exchange are in the config container. Anyone
from any domain that has permissions to that container can be dangerous.
Including domain admins of child domains.

The fact that you can't even read the permissions from a certain level on is
screaming someone changed the permissions AT THAT level. The fun thing is if
you don't have permissions to see the permissions, you will have to take
ownership to see them or figure out what account has the perms necessary to
see them. Once you can see them, then you can figure out how bad it is. I
would personally try to do a dsacls dump of each layer under the Exchange
Services level and see where the perms start locking down. Again, you may
have to take ownership at some point to see anything.

  joe



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 28, 2004 2:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

Checking this document, can you verify what permissions are associated with
the BB account?

http://support.microsoft.com/default.aspx?scid=kb;en-us;823018 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 2:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

they added an exchange2k3 server and a win2k3 dc. how would that change
things?
in my child domain, i'm a full exchange admin and can see everything. in
another domain, the exchange full admins can't see anything. and of course
the view only blackberry service account can't see anything in my domain.
all our dc's are at sp 3 or 4.
how would installing exchange2k3 or win2k3 change the security on the config
container as to disallow viewing for one domain and not another?
that's the only change made according to them...

i'm very confused.
thanks for your continuing help in this. i really appreciate it.


-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 2:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


They could have added an Exchange 2k3 server for starters :)

Nothing is logged on the Exchange server or the DC/GC when you try to access
that information? Is audit logging turned on?

Did they upgrade the root domain as well?  Those permissions are set on the
configuration container and you should have view rights to them as a
delegated admin.  If you don't, then something has changed and seems to be
recurring.  Check with the root folks to see what's changed in the last few
days in the root domain.  What was added etc? 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

According to RIM, it's a permissions error (duh). they suggested upgrading the
mapi32.dll and cdo.dll to the same version as the exchange server.
while the blackberry service is now starting, i 

RE: [ActiveDir] 1000 user limit

2004-05-28 Thread joe
Youch, I am with ~Eric and Al on this one. Scary day. :oP

Do NOT increase the maxpagesize on the DCs. You have to ask yourself, maybe
2000 is ok for now but maybe next year I will need 3000 or 4000. Obviously
there has to be a more flexible and standard method... And there is! It is
to use paging. :o)  

On the GAL issue. As Al said, if a virus is spreading via the GAL, the virus
is probably running as the person and on the person's mailbox. Your solution
would be to have NO GAL and no local contacts. Of course that would be silly
unless you are in some super secret organization like maybe the Legion of
Doom or something and don't want anyone to look anyone else up. AV software
either running on your client or your servers or on your Internet Relays or
all three or some combination of the three is the way to go. Also doesn't
hurt to have honeypot email addresses in your GAL which shouldn't even get
email and if it does, you have it react in some way because it is either
SPAM or a Virus. Have multiple accounts at multiple points in the GAL, maybe
one or two or 25 in every letter of the alphabet depending on how big GAL
already is. It is sort of like an IDS for email mailboxes. 

Personally I think it would be fun to set something up to disable mail flow
from the mailbox where the messages came from and if they come from outside
the Exchange system you black flag the source and subject and if you are
really confident of your system's ability to figure things out, have them
scrub the messages as well. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, May 28, 2004 10:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 1000 user limit

I need to increase the search limit on 2003 so that when I do an ldap search
I can retrieve everything. Everywhere I look it just tells me to use
ntdsutil and change the maxpagesize (I believe that was it), but doesn't give
any specific permissions on how to do it. Do you guys have a link on the
details? Also, can I limit this ability to a single user?

OT-Is there a way to change permissions on a Global Address List in Exchange
2003 so that a certain group cannot see or use it? My reasoning for this
would be so that if a virus is executed that spreads via address book, then
it doesn't spread to every user in the Exchange Organization. Any other
ideas??

Also, is there an archive of this group?? Searchable??

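joe's honeypot-address idea above, as an added example written for this page (not code from the list or from any product): a handful of decoy addresses are seeded in the GAL that should never legitimately receive mail, so anything addressed to them is, as joe says, either spam or a worm walking the address book. The log format is a constructed tab-separated stand-in (timestamp, sender, recipient, subject), not Exchange's real message tracking format, and the addresses and domains are made up. The threshold (an internal sender must hit two or more distinct honeypots before the mailbox is flagged for disabling) is a design choice for this example, to separate a worm from a user who picked the wrong name out of the GAL once.

```python
"""GAL honeypot detector (added example): flag senders that mail addresses no one should ever mail."""
import csv
import io
from collections import defaultdict

# Decoy addresses seeded into the GAL at different points of the alphabet (made up for this example).
HONEYPOTS = {
    "aaa.decoy@example.com",
    "mmm.decoy@example.com",
    "zzz.decoy@example.com",
}
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample log, NOT real Exchange message-tracking output.
# Fields: timestamp, sender, recipient, subject (tab separated).
SAMPLE_LOG = """\
2004-05-28T09:00:01\talice@example.com\tbob@example.com\tQ2 numbers
2004-05-28T09:00:02\tbob@example.com\taaa.decoy@example.com\tRe: Your document
2004-05-28T09:00:02\tbob@example.com\tmmm.decoy@example.com\tRe: Your document
2004-05-28T09:00:02\tbob@example.com\tzzz.decoy@example.com\tRe: Your document
2004-05-28T09:00:05\tpromo@mail.example.net\tmmm.decoy@example.com\tLOW RATES!!!
2004-05-28T09:00:09\tcarol@example.com\tzzz.decoy@example.com\tlunch?
"""


def parse_log(text):
    """Yield (timestamp, sender, recipient, subject) tuples from the constructed format."""
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if not row:
            continue
        if len(row) != 4:
            raise ValueError(f"malformed log line: {row!r}")
        ts, sender, rcpt, subject = row
        yield ts, sender.strip().lower(), rcpt.strip().lower(), subject


def analyze(text, honeypots=HONEYPOTS, internal_domains=INTERNAL_DOMAINS, threshold=2):
    """Turn honeypot hits into actions.

    Internal sender hitting >= threshold distinct honeypots -> disable_mailbox
    (looks like a worm walking the GAL from that mailbox). Internal sender with
    fewer hits -> review (could be a mis-click in the address book). Any external
    sender hitting a honeypot -> black_flag the source together with the subjects used.
    """
    hits = defaultdict(set)      # sender -> distinct honeypots hit
    subjects = defaultdict(set)  # sender -> subjects used on honeypot mail
    for _ts, sender, rcpt, subject in parse_log(text):
        if rcpt in honeypots:
            hits[sender].add(rcpt)
            subjects[sender].add(subject)

    actions = {"disable_mailbox": [], "review": [], "black_flag": []}
    for sender in sorted(hits):
        domain = sender.rsplit("@", 1)[-1]
        if domain in internal_domains:
            bucket = "disable_mailbox" if len(hits[sender]) >= threshold else "review"
            actions[bucket].append(sender)
        else:
            actions["black_flag"].append({"source": sender, "subjects": sorted(subjects[sender])})
    return actions


if __name__ == "__main__":
    for action, targets in analyze(SAMPLE_LOG).items():
        print(f"{action}: {targets}")
```

The subjects are kept for the external case because, as joe notes, the source plus subject is what you would feed to a relay filter, and the same subject showing up on several honeypots from one internal mailbox is the signature of an address-book worm rather than a person.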


RE: [ActiveDir] [OT] Discontinue Mail Membership

2004-05-28 Thread joe



He wouldn't do that. Tony is a great big teddy bear with
outstanding wine selection skills. :o)


 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mulnick, Al
Sent: Friday, May 28, 2004 9:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Discontinue Mail Membership

I'm just hoping he doesn't delete me... That sounds 
like it would leave a mark.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 27, 2004 7:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

I love how Tony can kill a thread by contributing. 
:o)

 joe




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Sunday, May 23, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

In general, yes. Although we do generally have reservations about deleting
people (read it again). Subscribed addresses maybe, but not people. We
reserve that treatment only for occasions where people continue dead or
off-topic threads longer than is absolutely necessary
;-)


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sunday, 23 May 2004 01:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

aren't those the rules that apply to post to this 
list? ;-))


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Friday, 21 May 2004 15:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

I like the etiquette rules, especially useful reminder:
"We have the right to exploit, humiliate, delete, ignore, or coddle any person at anytime for
no other reason than Our Own amusement."
and what's up with those pink...errmm..stuff, you require to wear while reading FeMail? That's
mean!
Lana


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 21 May 2004 14:19
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

That is hilarious... go through FAQ on the left if you 
haven't



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Friday, May 21, 2004 7:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership

Hmmm..googled FeMail and got - "Totally new,
cool and fast feMail system utilizes the newest technology available!"
http://www.femail.sissify.com/
A replacement for ActiveDir? The most important - it promises "No
more fretting about system administrators at your workplace!"
Lana

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: 21 May 2004 11:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership


that's spelled FEMAIL ;-)


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Thursday, 20 May 2004 15:25
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Discontinue Mail Membership


Please continue FEMALE membership :)






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mike Welborn
Sent: Thursday, May 20, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Discontinue Mail Membership

Please remove [EMAIL PROTECTED] from the Activedir.org mailing list.

Thank you
Michael Welborn



RE: [ActiveDir] strange error on logon

2004-05-28 Thread joe



I think the KBs are the same, just different permissions 
required to see different things. You have public content, partner level 
content, and internal content and actually that may be accessed through a 
different engine I think, not positive, I don't seem to have access. 
:o)

Honestly though I have had Partner level access in some 
shape or fashion for about 7 or so years and I can't say I have seen more than 
maybe 50 articles tops in that time that were partner level with the big banners 
on it saying this is partner level. The interesting thing, several of those I 
could actually find the same content to through google on other channels such as 
technet or msdn. 

I have had more issues with KBs just disappearing, there 
one day, gone the next. Very frustrating. You get to the point where you start 
archiving your own copies which is silly. 

For a while MS had a service where you could email an 
address and it would send you articles even ones that weren't reachable through 
the web site, but I think that died a long while back. I found that one out ages 
ago when learning the evils of multiple default gateways on a machine with 
multiple NICS. I will always remember that one because I read the article and 
was swearing for a solid 3 days because it was a problem that had cursed us for 
a couple of months and no one seemed to know the answer and finally hit one PSS 
guy after dealing with several who said I should email this certain address with 
this certain KB number and I would get my info... 

 joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, May 28, 2004 10:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange error on logon

Hi Eric,
Improvements in this area would be great!
I'd like to suggest that MS thinks about moving KB articles from the Premier
site to the Public site a little faster also. Keeping known problems from
the public is not a good policy. (Yes, there are at least two KB
databases!)

Mike Thommes

  -Original Message-
  From: Eric Fleischman [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 28, 2004 8:43 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] strange error on logon
  
  We keep tweaking it to make it better. As
  you've probably read, this is a major work item for us. We're working on
  it.
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  On Behalf Of Mulnick, Al
  Sent: Friday, May 28, 2004 8:37 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] strange error on logon
  
  Picasso, would it 
  just be me, or does anyone else think that making KB searching an art vs. a 
  science is wrong? I mean, as long as it's public vs. say, utopia, 
  wouldn't it make sense to make it so the intended audience could use it? 
  Like Joe said, buy google already. That's what gets used for most KB searches 
  anyway. At least the successful ones. 
  
  Al
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  On Behalf Of joe
  Sent: Thursday, May 27, 2004 5:47 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] strange error on logon
  Yep, too bad so many Windows folks are pushed to the limit with Spirographs
  Picasso :o)
  
  Just buy google already... Petty cash, whip it out. Let people beat on MS for
  a while for using linux machines to find content at MS while it gets
  assimilated.
  
   
  joe
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  On Behalf Of Eric Fleischman
  Sent: Thursday, May 27, 2004 5:28 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] strange error on logon
  Searching KB is an 
  art, so you can call me Picasso. ;)
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  On Behalf Of Mulnick, Al
  Sent: Thursday, May 27, 2004 4:01 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] strange error on logon
  
  That support search 
  engine must have missed it :)
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  On Behalf Of Eric Fleischman
  Sent: Thursday, May 27, 2004 4:04 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] strange error on logon
  Have you seen:

  824204 You receive an "Error at logon: Cannot find the file..." error message
  http://support.microsoft.com/?id=824204

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
  Sent: Thursday, May 27, 2004 2:51 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] strange error on logon
  
  Just a guess.

  Check the registry on the workstation. That file error throws some hits on the net referring to shell startup.
  This may be the key. You can search the registry and find a reference to the idlist portion of your error. I wouldn't rule out GPO just yet either as it could be something that got locked down inadvertently. Or maybe folder redirection?

RE: [ActiveDir] LDAP Query Response Time

2004-05-28 Thread Eric Fleischman

So a few ideas have been floated out on
this thread. I can float a few myself if you can answer a question first: what
is your goal?

Common goals I've heard of:

- I want to understand all queries my DCs are seeing
- I want to identify queries bogging me down
- I want to try and spot DC perf issues generally before they become major problems

Or do you have another goal?



~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 28, 2004 3:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP Query Response Time

One way to do this is set up stations that on some frequency will send ldap queries to your DCs. You will then simply record the time it took to process the query. Obviously do something that is consistent (rootdse or specific attribs from the default context) so your times don't deviate based on amount of information returned. This gives you data you can track long term for how fast or slow a given DC is. If you exceed some average you define as bad, you alert on it. This could warn you of network issues (say a virus is eating up more and more bandwidth) or your DC is getting overloaded or hurting.

 joe
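
The probe station joe describes, as an added example that is not code from the list or its posters: a raw LDAPv3 rootDSE search (the rootDSE is readable without a bind, so the probe stores no credentials), timed end to end, with a moving-average threshold for the alert. The DC names and the 250 ms threshold are placeholder assumptions.

```python
import socket
import time


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def split_tlv(buf: bytes):
    """Decode the first TLV in buf -> (tag, content, remaining bytes)."""
    tag, first = buf[0], buf[1]
    if first & 0x80:
        n = first & 0x7F
        length, start = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    else:
        length, start = first, 2
    return tag, buf[start:start + length], buf[start + length:]

def build_rootdse_search(msg_id: int, attrs=("currentTime",)) -> bytes:
    """LDAPMessage { messageID, SearchRequest } for the rootDSE (RFC 4511):
    empty base DN, scope baseObject, filter (objectClass=*), fixed attributes.
    Asking for the same small attribute set every time keeps the reply size,
    and so the measured time, comparable from probe to probe."""
    assert 0 < msg_id < 128, "a single-octet messageID is enough for a probe"
    req = b"".join([
        tlv(0x04, b""),             # baseObject: "" selects the rootDSE
        tlv(0x0A, b"\x00"),         # scope: baseObject
        tlv(0x0A, b"\x00"),         # derefAliases: neverDerefAliases
        tlv(0x02, b"\x00"),         # sizeLimit: 0 (no limit)
        tlv(0x02, b"\x00"),         # timeLimit: 0 (no limit)
        tlv(0x01, b"\x00"),         # typesOnly: FALSE
        tlv(0x87, b"objectClass"),  # filter: present(objectClass)
        tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)),
    ])
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, req))

def parse_message(content: bytes):
    """Split LDAPMessage content -> (messageID, protocolOp tag, op content)."""
    _, mid, rest = split_tlv(content)
    tag, body, _ = split_tlv(rest)
    return int.from_bytes(mid, "big"), tag, body

def result_code(done_body: bytes) -> int:
    """resultCode is the first element (ENUMERATED) of an LDAPResult."""
    return split_tlv(done_body)[1][0]

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DC closed the connection mid-message")
        buf += chunk
    return buf

def read_message(sock) -> bytes:
    """Read one complete LDAPMessage and return its content octets."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        length = int.from_bytes(_recv_exact(sock, head[1] & 0x7F), "big")
    else:
        length = head[1]
    return _recv_exact(sock, length)

def probe_rootdse(host: str, port: int = 389, timeout: float = 5.0) -> float:
    """Send one rootDSE search and return the seconds until SearchResultDone
    arrives; raises if the DC answers with a non-success resultCode."""
    start = time.perf_counter()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_rootdse_search(1))
        while True:
            _, tag, body = parse_message(read_message(sock))
            if tag == 0x65:  # SearchResultDone (0x64 entries are skipped)
                code = result_code(body)
                if code != 0:
                    raise RuntimeError(f"{host}: LDAP resultCode {code}")
                return time.perf_counter() - start

def should_alert(samples, threshold: float, window: int = 10) -> bool:
    """True when the mean of the last `window` probes exceeds threshold.
    Averaging smooths a one-off spike; a sustained rise is what points at an
    overloaded DC or a link that something else is saturating."""
    recent = list(samples)[-window:]
    return bool(recent) and sum(recent) / len(recent) > threshold

if __name__ == "__main__":  # placeholder DC names, constructed 250 ms threshold
    for dc in ("dc1.example.test", "dc2.example.test"):
        samples = [probe_rootdse(dc) for _ in range(3)]
        print(dc, f"{samples[-1]:.3f}s", "ALERT" if should_alert(samples, 0.25) else "ok")
```

A probe that fails outright (connection refused, timeout, non-zero resultCode) is worth alerting on by itself, separately from the latency threshold.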

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 28, 2004 2:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP Query Response Time

Anyone found a clever way to monitor and alert on this stuff? :) Counters maybe?

RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-28 Thread Kern, Tom
i checked the perms thru adsiedit -
blackberry account (ex view only admin according to ESM) - has all the appropriate 
rights except no entry at the ORG container and at the Administrative Groups container.

Domain admins in child domain with similar issues (ex full admin according to ESM) - 
same thing


Now, the questions -
1. how could this just change? I know the root domain guys took us out of the Exchange 
org and used the delegation wizard to give us full access to our admin group thru ESM. 
same thing for the blackberry account, except view only.
do we still need to be delegated something at the org level? it would seem to be so. 
to be able to administer our admin group, would we still need some rights on the org 
level?

2. how can i take ownership with no rights on an object? can a domain admin in a child 
domain write to the config container of a forest?


This is why i want our own forest. If you see my previous threads, it's always about 
how to break away from the forest or what a child domain admin can or can't do without 
enterprise admin access, dependency on the root, etc.


we always have issues with the guys on top screwing us up on the bottom and the 
serious lack of communication. they seem to think that as child domain admins we can't 
screw THEM. i'm trying to convince my CIO to break away or at least ask for enterprise 
admin rights. I want to at least show them that we can screw them up or get access to 
enterprise admin so they would then give us this access or we would leave the 
forest (since as a sister corp, we are on equal footing with them in every way. it's just 
politics).

thank you guys so much for all your help.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


Everything I read in this chain is definitely saying permission issues. Note
that the main permissions for Exchange are in the config container. Anyone
from any domain that has permissions to that container can be dangerous.
Including domain admins of child domains. 

The fact that you can't even read the permissions from a certain level on is
screaming someone changed the permissions AT THAT level. The fun thing is if
you don't have permissions to see the permissions, you will have to take
ownership to see them or figure out what account has the perms necessary to
see them. Once you can see them, then you can figure out how bad it is. I
would personally try to do a dsacls dump of each layer under the Exchange
Services level and see where the perms start locking down. Again, you may
have to take ownership at some point to see anything.

  joe



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 28, 2004 2:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

Checking this document, can you verify what permissions are associated with
the BB account?

http://support.microsoft.com/default.aspx?scid=kb;en-us;823018 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 2:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

they added an exchange2k3 server and a win2k3 dc. how would that change
things?
in my child domain, i'm a full exchange admin and can see everything. in
another domain, the exchange full admins can't see anything. and of course
the view only blackberry service account can't see anything in my domain.
all our dc's are at sp 3 or 4.
how would installing exchange2k3 or win2k3 change the security on the config
container as to disallow viewing for one domain and not another?
that's the only change made according to them...

i'm very confused. 
thanks for your continuing help in this. i really appreciate it.


-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 2:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


They could have added an Exchange 2k3 server for starters :)

Nothing is logged on the Exchange server or the DC/GC when you try to access
that information? Is audit logging turned on?

Did they upgrade the root domain as well?  Those permissions are set on the
configuration container and you should have view rights to them as a
delegated admin.  If you don't, then something has changed and seems to be
recurring.  Check with the root folks to see what's changed in the last few
days in the root domain.  What was added etc? 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

According to RIM, it's a permissions error (duh). they suggested upgrading the
mapi32.dll and cdo.dll to the same version as the exchange server.
while the blackberry service is now starting, i 

[ActiveDir] Group Policy at the Site Level With Remote VPN Users - Wrong Site Applied

2004-05-28 Thread Jeff Salisbury
We have our logon scripts in GPOs tied to AD Sites in our Win2K domain, with each site 
having its own GPO that calls a script tailored to the locally available file shares. 
This has worked exceedingly well, until...

Based on some great input from another list reader we started testing a feature in the 
Cisco VPN Client that forces a user to log off his/her system as soon as the VPN is 
established. When the user logs back on to the machine then she/he is authenticating 
with the domain. We want this functionality so that the cached copy of the user's 
password is updated if he/she changed it recently, and so that the user's logon script 
runs to map drives, check A-V signatures, etc.

When I tried this from my home network (192.168.2.0/24) I connected to our corporate 
network in L.A. (Compton) and my notebook was assigned an IP address from the L.A. 
facility's internal network (172.16.0.0/21), which is the IP subnet associated with 
the Compton-Site in AD. After the logoff, I would have expected the Compton-Site logon 
script to run and map my drives. Instead, Group Policy was applied from a domain 
controller in Shanghai China (172.16.56.0/22) and my drives were mapped by their logon 
script to their servers. My colleague had a similar experience, except that he 
received policy from and was mapped to drives in the Singapore AD Site 
(172.16.48.0/22).

I ran GPResult to see if I could figure out what was happening:

RSOP results for BELKIN\my user name on my machine name : Logging Mode


OS Type: Microsoft Windows XP Professional
OS Configuration:Member Workstation
OS Version:  5.1.2600
Domain Name: BELKIN
Domain Type: Windows 2000
Site Name:   compton-site  -- This is what I expected
Roaming Profile:
Local Profile:   C:\Documents and Settings\my user name
Connected over a slow link?: No


COMPUTER SETTINGS
--
CN=my machine name,OU=Notebooks,OU=Compton,OU=US,OU=NA,DC=belkin,DC=com
Last time Group Policy was applied: 5/27/2004 at 9:18:37 PM
Group Policy was applied from:  shanghai.belkin.com  -- This DC is in the 
Shanghai China Site!
Group Policy slow link threshold:   500 kbps

Applied Group Policy Objects
-
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were filtered out
---
Shanghai Site Logon Scripts- There are no logon scripts tied to the 
computer
Filtering:  Not Applied (Empty)

The computer is a part of the following security groups:

SNIP

USER SETTINGS
--
CN=my user name,OU=Information Services,OU=Compton,OU=US,OU=NA,DC=belkin,DC=com
Last time Group Policy was applied: 5/27/2004 at 9:20:20 PM
Group Policy was applied from:  shanghai.belkin.com  -- This DC is in the 
Shanghai China Site!
Group Policy slow link threshold:   500 kbps

Applied Group Policy Objects
-
Default Domain Policy
Shanghai Site Logon Scripts   - Here is what mapped the drives to Shanghai 
servers

The following GPOs were not applied because they were filtered out
---
Local Group Policy
Filtering:  Not Applied (Empty)

The user is a part of the following security groups:

  SNIP

I looked through Jeremy Moskowitz's great book (Group Policy, Profiles, and 
Intellimirror) and on his web site (www.gpanswers.com), but I can't find any reference 
to this mystery. My understanding is that the notebook's IP address would determine 
what Site's GP is applied. If the internal address assigned by VPN is used, then it 
should apply the Compton-Site policy. It looks like it DID determine that I was in the 
Compton site, but went off and pulled/applied GP from a different site. I have 
verified that the sites in AD have the correct subnets assigned to them, with no 
overlap.

Has anyone else seen this happen or see what I am missing? Thanks!

Jeff Salisbury
Network Infrastructure and Security Manager

Belkin Corporation
Information Services
310 604-2061
310 604-2022 fax
www.belkin.com
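
A check for the mismatch Jeff's gpresult output shows, added here and not part of his post: it maps a client address to a site by longest-prefix match over the subnets he lists, flags overlapping subnets, and parses gpresult text to report a policy-serving DC that sits outside the site the client resolved to. Only compton-site, the three subnets and shanghai.belkin.com come from the post; the other site names and the DC-to-site table are assumptions.

```python
import ipaddress
import re

# AD site -> subnet(s), as listed in the post. Only "compton-site" is a name
# from the post; the other two site names are constructed placeholders.
SITE_SUBNETS = {
    "compton-site": ["172.16.0.0/21"],
    "shanghai-site": ["172.16.56.0/22"],
    "singapore-site": ["172.16.48.0/22"],
}
# DC FQDN -> site it belongs to. Constructed from the gpresult excerpt; a real
# check would build this from the DCs' server objects under the Sites container.
DC_SITES = {"shanghai.belkin.com": "shanghai-site"}


def find_overlaps(site_subnets):
    """Pairs of subnets in different sites where one contains the other.
    Overlap makes the client-to-site mapping ambiguous, which is why the post
    checked for it first; an empty list means the subnet table is clean."""
    entries = [(site, ipaddress.ip_network(s))
               for site, subs in site_subnets.items() for s in subs]
    found = []
    for i, (sa, na) in enumerate(entries):
        for sb, nb in entries[i + 1:]:
            if sa != sb and (na.subnet_of(nb) or nb.subnet_of(na)):
                found.append((sa, str(na), sb, str(nb)))
    return found

def site_for_ip(ip, site_subnets):
    """Longest-prefix match of a client address against the site subnets.
    None means no site claims the address, so the DC locator may hand the
    client a DC from any site: the first thing to rule out for a VPN address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for site, subs in site_subnets.items():
        for s in subs:
            net = ipaddress.ip_network(s)
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (site, net)
    return best[0] if best else None

SITE_RE = re.compile(r"^Site Name:\s*(\S+)", re.M)
APPLIED_FROM_RE = re.compile(r"^Group Policy was applied from:\s*(\S+)", re.M)

def parse_gpresult(text):
    """Site name and the DC(s) that served policy, from gpresult output."""
    site = SITE_RE.search(text)
    return {
        "site": site.group(1).lower() if site else None,
        "applied_from": sorted({dc.lower() for dc in APPLIED_FROM_RE.findall(text)}),
    }

def policy_source_mismatch(text, dc_sites):
    """DCs that served policy but are not in the site the client resolved to."""
    info = parse_gpresult(text)
    return [dc for dc in info["applied_from"] if dc_sites.get(dc) != info["site"]]

# Constructed excerpt in the shape of the gpresult output in the post.
SAMPLE_GPRESULT = """\
Site Name:   compton-site
Group Policy was applied from:  shanghai.belkin.com
Group Policy slow link threshold:   500 kbps
"""

if __name__ == "__main__":
    print("overlapping subnets:", find_overlaps(SITE_SUBNETS))
    print("VPN address 172.16.5.20 ->", site_for_ip("172.16.5.20", SITE_SUBNETS))
    print("policy served from out-of-site DC:",
          policy_source_mismatch(SAMPLE_GPRESULT, DC_SITES))
```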


RE: [ActiveDir] Users and Computers

2004-05-28 Thread Noah Eiger

Or you can download from here:

http://www.microsoft.com/downloads/results.aspx?productID=&freetext=adminpak.msi&DisplayLang=en

I believe you need the 2003 tools to admin a 2000 server from XP.

nme

From: Brent Westmoreland [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 6:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Users and Computers

Install adminpak.msi available in the
C:\windows\system directory of any server, also it is available on the server
cd. 

On May 27, 2004, at 9:12 PM, Caple, Andrew wrote:

I'm sure this is an easy one. I'm currently setting up some Support Desk PCs and need
to give them access to Users and Computers locally (so that they don't need to RDP into
a DC all the time). How do you add the snap-in into an MMC with a computer that doesn't
have AD installed on it?

Andrew Caple
Infrastructure Engineer
Phone: +61 3 9861 5425
Facsimile: +61 3 9861 5510
[EMAIL PROTECTED]
105 Camberwell Road, Hawthorn East, Vic 3123


RE: [ActiveDir] DC not replicating out

2004-05-28 Thread Guy Teverovsky

The error was Access Denied... My colleague has found a workaround for
the replication issue by adding the accounts of the DCs that were trying
to pull to Builtin\Administrators group. After that the replication
started to flow. More investigation showed that the DC was rejecting any
connection of accounts that are not members of Administrators group as a
result of local security settings corruption.

It looks like WMI db corruption was not alone there.
Restoring the local security settings solved the issue.


Guy

On Fri, 2004-05-28 at 01:53, joe wrote:
 I doubt the GPO is it, could be wrong, but doubt it. However what did you
 change in the GPO?
 
 What does repadmin /showreps say on the DC trying to pull?
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
 Sent: Wednesday, May 26, 2004 11:40 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DC not replicating out
 
 Both come up clean, despite the fact that the A record for the DC initially
 didn't have the BAD_DC$ account in the ACL and the owner was SYSTEM instead
 of BAD_DC$. I adjusted that manually and the change replicated to all DCs.
 Still the netdiag and dcdiag do not show any DNS related problems - only FRS
 and AD outbound replication is failing. All other tests are fine.
 
 Other DCs that participate in the replication with bad DC come up with KCC
 errors (eventid 1311: there is insufficient site connectivity,
 blabla...) - it's the only DC at site.  
 
 It looks almost like island DNS, but it's W2K3 and that should not happen.
 
 Guy
 
 On Wed, 2004-05-26 at 17:50, Mulnick, Al wrote:
  Would be relatively easy to check DNS.  DCDIAG and NETDIAG would be 
  two tools to use to check to see that all is well from the bad dc and 
  good dc perspectives. I'd say go the easy part first.
  
  Invalid Checksum?  Hmmm...  Anything in the security logs that gives 
  an indication?
  
  Al
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
  Teverovsky
  Sent: Tuesday, May 25, 2004 6:02 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] DC not replicating out
  
  
  I am banging my head against the wall the whole day.
  
  In pilot environment we applied a GPO to replace the Default DC GPO.
  Apparently one of the DCs had some issues when the GPO was applied.
  The result was: the inbound replication on the DC works, but no other 
  DC can pull from the sick one.
  Closer examination showed total WMI repository corruption. I have 
  rebuilt it and it looks that WMI is back (not sure it's related, but 
  worth mentioning)
  
  Since then, the new GPO has been unlinked and replaced with default 
  (and as the inbound replication on the DC in question is working, it 
  has replicated to it). But that has not resolved the issue.
  
  From faulty DC issued:
  repadmin /replicate good_dc bad_dc cn=configuration,dc=compay,dc=com 
  /force
  
  Traced the session with network monitor from the good DC...
  What I see is:
  - LDAP bind
  - some searches performed and answered correctly
  - MSRPC session initiated
  - RPC request from good DC, RPC response from bad DC
  - RPC bind request from good DC and RPC Bind Ack from bad DC
  - again RPC request from good DC, RPC response from bad DC
  - again RPC bind request from good DC and RPC Bind Nack from bad DC 
  with Provider Reject Reason: Invalid checksum
  
  I was about to blame the DNS till I got this Invalid checksum in the 
  trace...
  
  Now the question is: am I complicating the whole thing and should look 
  closer into DNS or this is something else ?
  
  Thanks,
  Guy
  
  
  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: http://www.activedir.org/list_faq.htm
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Anonymous bind

2004-05-28 Thread Guy Teverovsky
I have gone over Vintela's white paper you posted a link to some time
ago. Looks very promising.
But give the Open Source folks some time... go figure, maybe they will
come up with something even better :oP

Guy

On Fri, 2004-05-28 at 01:28, joe wrote:
 Nothing free. :oP
 
 However Vintela and other companies are working on making this A LOT easier
 for a price. I expect in another year or so *nix machines will hardly be any
 more hassle to manage in an Enterprise than Windows machines. 
 
 I doubt anyone will do something in this arena for free. It isn't exactly
 the kind of thing the Open Source people really care to do, I don't think.
 More of a corporate thing and I don't visualize any company going through
 writing this up for themselves and then giving it away. 
 
   joe
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
 Sent: Tuesday, May 25, 2004 7:23 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Anonymous bind
 
 LDAP with SSL/TLS is way better than NIS.
 
 As for environment, it's two W2K3 forests with Kerberos forest trust.
 Forest A has several child domains and holds user accounts.
 Forest B is where my hosts are (We are a relatively small organization in the
 enterprise, but we are R&D and want to have control at least over the
 hosts).
 
 So users can come from any child domain of forest A and logon to hosts in
 forest B. Now Linux does not play well, when the host is in one realm, and
 users are from several other realms... The only workaround is to map uid to
 Kerb principal in the LDAP. Modifying the A forest schema (user accounts) is
 not an option, and it's quite reasonable considering the small size of our
 division.
 
 So here I am, stuck with LDAP authentication ...
 If you have any better idea, I am all ears ;)
 
 Guy
 
 On Mon, 2004-05-24 at 16:25, Mulnick, Al wrote:
  Just for curiosity...
  
  You don't want to use NIS because it's less secure, yet you are going 
  to use LDAP for authentication?  Isn't that a counter?
  
  Can you give an overview of your topology and what you're wanting to 
  accomplish in the end?  I think we tried to help with the original 
  post without all of the topology information.
  
  Sounds like an interesting problem though...
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
  Teverovsky
  Sent: Friday, May 21, 2004 7:01 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Anonymous bind
  
  If you excuse me, I will break the inline pattern ;). It got too
 unreadable.
  
  I have seen the interoperability doc. I have also read the whole doc 
  mentioned in the post. It's a very good reference, but is lacking any 
  description of Kerberos deployments in multi-realm environments.
  Personally I had to choose LDAP authentication instead of Kerberos 
  because my hosts are in one forest, while user accounts are from a 
  child domain of another forest. If someone is aware of a workaround 
  for that, monthly beer supply is on me ;)
  
  SFU is nice, but it tries to emulate NIS and with all due respect to 
  NIS, its time is gone. There are just too many security issues with NIS.
  
  As for having more than one directory, see my reply to joe. I wish I 
  could put it all in one place, but it's not always possible.
  
  Guy
  
  On Thu, 2004-05-20 at 03:15, Eric Fleischman wrote:
   A few bits more.
   
   [Guy] I know that I am speculating here but all I wanted to do is to 
   point the finger to the interoperability issue. Setting up a 
   heterogeneous environment is a pain. Putting *nix clients (or
   services) into the AD mix is not easy. One would blame the marketing 
   attitude, the other would blame the maturity level of the other OSes.
   The truth, I believe, is somewhere in between. So here we go:
   
   [EFLEIS] - Have you seen the whole paper we wrote on Kerb interop? And just about anything around SFU (which might I point out again won best app at Linux world)?
   I think we've done a great job of interop. Can we do better? Always! And we continue to work on it.
   But we're doing a *lot* in this space.
   We have doc's out there that go down to even walk you through how to set up the pam modules!
   We have a lot out there. Here's one of my fav docs, but there are others; this is from a post to this very DL:
   http://www.mail-archive.com/[EMAIL PROTECTED]/msg13880.html
   
   
   1) You are right. Nobody mentioned schema extensions, but the truth 
   is that if you are considering the integration of open source 
   services, you probably do have some Linux boxes around. NIS sucks 
   big time. NIS+ is a pain to configure and both do not give you SSO. 
   AD is great, but does not have out-of-the-box capabilities to absorb 
   non-MS clients. So what is left for those that can not afford VAS ? 
   Either tweak the schema (Linux client will have hard time without 
   

RE: [ActiveDir] GPO Question

2004-05-28 Thread Brian Desmond
You'll need a logon script to do this. There's a CreateShortcut method in 
Wscript.Shell which you can use. If you need a code sample, let me know & I'll look up 
the syntax.
 
--Brian

-Original Message- 
From: Christine Easton [mailto:[EMAIL PROTECTED] 
Sent: Fri 5/28/2004 1:08 PM 
To: '[EMAIL PROTECTED]' 
Cc: 
Subject: [ActiveDir] GPO Question




Running Windows 2k AD with sp3

Hi,

I'm trying to create a GPO for my users that will place a shortcut to their
departmental folder that is on an NTFS network share to their desktop.  Has
anyone done this before? I'm not sure what GPO I should be using or what
procedure I should follow.  Any help will be appreciated. Thanks!