RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-11 Thread Solange Desseignes
Thank you all for your responses!

If I understand correctly:

My problem is not due to the Infrastructure Master...

You are right, Guido, the DC for titi.com is a GC and the DC for toto.titi.com is
not a GC.
To correct my problem and see the directReports attribute of usertoto correctly set
at usertiti, I must make the DC for toto.titi.com a GC. Right?

Solange Desseignes


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Friday, 11 June 2004 00:57
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain
and sub-domain


first of all, if titi.com and toto.titi.com are real names, then I'd
switch jobs - this would drive me crazy ;-)

Rgd. adding the directReports to the PAS: that would be nice, but isn't
possible for the backlinks of linked attribute-pairs - this is the case
here for the directReports attribute = it is not a replicated attribute
at all (neither cross domain nor within the same domain), as only
forward links (here the manager attribute) get replicated between
DC/GCs.  

Instead, the backlink attributes are processed locally on each DC when
it receives the forward-link (e.g. a user object's manager attribute)
and creates the link between the two respective AD objects via an entry
in the local link table on the DC/GC.


However, the forward-link will only replicate to DCs hosting the
respective naming context. And for attributes (even forward links),
which are also in the PAS (configured to replicate to the GC), this
means that the information is also replicated to GCs from other
domains, hosting a read-only partition of the source domain (of an
object with a forward link). And the GCs will then again create the
respective backlink locally, when making the entry in the link table,
even for cross-domain links.

For the given manager/directReports example this means that a user's
manager attribute is only replicated to DCs of the same domain and to
GCs in the forest - and that only these machines populate the respective
directReports attribute (backlink) for a user who is a manager of this
other user. As such, you won't see cross-domain directReports
information on a DC of a manager's domain, if this DC is not a GC. 


So here, the DC for titi.com used to look up the directReports
attribute of usertiti must have been a GC, while the DC of
toto.titi.com used to look up the directReports attribute of usertoto
must have been just a normal DC.


This is not to be confused with Phantom Records (which are updated via
the Infrastructure Master): as the directReports attribute is not the
replicated attribute, it is also not updated or replicated as a phantom
record via the IM.  
However, phantom records are created on non-GC DCs to replicate the
manager-attribute (forward-link) to other DCs, if e.g. a user's
manager-attribute is linked to a user-object outside the own domain. As
Dean perfectly described, the IM is then responsible to sync changes to
the linked object over time (renames, deletes etc.), but it would not
update any backlinks.


As a side note on the replication of the manager/directReports links you
should realize that if you do leverage these across domains in a
forest and you accidentally delete a manager (with direct reports in
various domains) whom you must then authoritatively restore in AD, the
links to the manager's directReports are NOT recovered with the
manager... (same issue as with memberships in Universal Groups or Domain
Local groups in other Domains of the forest)

\Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Thursday, 10 June 2004 11:17
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain
and sub-domain

If you really want/need it to be replicated to the GCs, you can use the
Schema snap-in and check the box in front of 'Replicate this attribute to
the Global Catalog'.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, June 10, 2004 11:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Replication of linked attributes between domain
and
sub-domain

The manager attribute is replicated between GCs as part of the Partial
Attribute Set.  The directReports attribute isn't.  Whether you see it or
not will depend on the domain of the DC you are querying.

Tony

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 10 Jun 2004 10:02:34 +0200

Hi,

I have a domain titi.com with a sub-domain toto.titi.com, a user
usertiti on domain titi.com and a user usertoto on domain
toto.titi.com.
I set 
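
A small model of the replication rules Guido lays out above (the forward link travels with its object; a GC of another domain receives it only if the attribute is in the PAS; the backlink is computed locally and can only be answered where the target object is held), written as an added Python example rather than anything from the thread. The forest, DC names and users are constructed from the thread's titi.com / toto.titi.com setup; the reverse link (usertoto as manager of usertiti) is an assumption filled in from the truncated original post, and PAS membership is modelled as a plain set so other forward-link attributes can be tried.

```python
from dataclasses import dataclass, field

# Forward-link attributes in the Partial Attribute Set, i.e. replicated to every
# GC in the forest. manager is (as Tony notes above); modelled here as a set.
PAS = {"manager"}


@dataclass(frozen=True)
class DC:
    name: str
    domain: str   # writable naming context this DC hosts
    is_gc: bool   # also hosts a read-only partial replica of every other domain


@dataclass
class Forest:
    dcs: list
    users: dict                                 # user -> domain the object lives in
    links: dict = field(default_factory=dict)   # (attr, source_user) -> target_user


def hosts_object(dc, forest, user):
    """A DC holds the object if it is in the DC's own domain or the DC is a GC."""
    return forest.users[user] == dc.domain or dc.is_gc


def has_forward_link(dc, forest, attr, source):
    """The forward link replicates with its source object: always within the
    source's own domain, and to a GC of another domain only if attr is in the PAS."""
    if forest.users[source] == dc.domain:
        return True
    return dc.is_gc and attr in PAS


def backlinks(dc, forest, attr, target):
    """What this DC answers for the backlink of `target` (e.g. directReports).
    None if the DC does not hold the target object at all; otherwise the sorted
    sources whose forward link is present in this DC's local link table."""
    if not hosts_object(dc, forest, target):
        return None
    return sorted(src for (a, src), tgt in forest.links.items()
                  if a == attr and tgt == target
                  and has_forward_link(dc, forest, attr, src))


def thread_scenario(toto_dc_is_gc):
    """titi.com (its DC is a GC) with child toto.titi.com, as in the thread.
    usertoto's manager is usertiti; the reverse link is an assumption taken
    from the truncated original post, since Guido discusses both lookups."""
    forest = Forest(
        dcs=[DC("DC-TITI", "titi.com", True),
             DC("DC-TOTO", "toto.titi.com", toto_dc_is_gc)],
        users={"usertiti": "titi.com", "usertoto": "toto.titi.com"},
    )
    forest.links[("manager", "usertoto")] = "usertiti"
    forest.links[("manager", "usertiti")] = "usertoto"   # assumed
    return forest


def direct_reports_seen(forest):
    """directReports of every user as each DC would report it, keyed (dc, user)."""
    return {(dc.name, user): backlinks(dc, forest, "manager", user)
            for dc in forest.dcs for user in forest.users}


if __name__ == "__main__":
    for gc in (False, True):
        print(f"DC-TOTO is a GC: {gc}")
        for (dc, user), seen in direct_reports_seen(thread_scenario(gc)).items():
            print(f"  {dc:8} directReports({user}) -> {seen}")
```

With DC-TOTO as a plain DC the model reproduces the thread's symptom (usertoto's directReports is empty there) and the fix Solange reports once it becomes a GC.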

RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-11 Thread Solange Desseignes
I made the DC of the domain toto.titi.com a GC and the directReports attribute of
usertiti has been immediately correctly set! Magic!!!

Thank you all for your help!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Solange
Desseignes
Sent: Friday, 11 June 2004 09:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain
and sub-domain


Thank you all for your responses!

If I understand correctly:

My problem is not due to the Infrastructure Master...

You are right, Guido, the DC for titi.com is a GC and the DC for toto.titi.com is
not a GC.
To correct my problem and see the directReports attribute of usertoto correctly set
at usertiti, I must make the DC for toto.titi.com a GC. Right?

Solange Desseignes



RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-11 Thread Jimmy Andersson
True, I typed without thinking (or rather reading closely...) I just saw PAS
and typed away a canned answer... I must go on a break and clear my
head <g>

/Jimmy 


-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, June 11, 2004 12:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and
sub-domain

first of all, if titi.com and toto.titi.com are real names, then I'd
switch jobs - this would drive me crazy ;-)

Rgd. adding the directReports to the PAS: that would be nice, but isn't
possible for the backlinks of linked attribute-pairs - this is the case here
for the directReports attribute = it is not a replicated attribute at all
(neither cross domain nor within the same domain), as only forward links
(here the manager attribute) get replicated between DC/GCs.  

Instead, the backlink attributes are processed locally on each DC when it
receives the forward-link (e.g. a user object's manager attribute) and
creates the link between the two respective AD objects via an entry in the
local link table on the DC/GC.


However, the forward-link will only replicate to DCs hosting the respective
naming context. And for attributes (even forward links), which are also in
the PAS (configured to replicate to the GC), this means that the information
is also replicated to GCs from other domains, hosting a read-only
partition of the source domain (of an object with a forward link). And the
GCs will then again create the respective backlink locally, when making the
entry in the link table, even for cross-domain links.

For the given manager/directReports example this means that a user's manager
attribute is only replicated to DCs of the same domain and to GCs in the
forest - and that only these machines populate the respective
directReports attribute (backlink) for a user who is a manager of this
other user. As such, you won't see cross-domain directReports information on
a DC of a manager's domain, if this DC is not a GC. 


So here, the DC for titi.com used to look up the directReports attribute
of usertiti must have been a GC, while the DC of toto.titi.com used to
look up the directReports attribute of usertoto
must have been just a normal DC.


This is not to be confused with Phantom Records (which are updated via the
Infrastructure Master): as the directReports attribute is not the replicated
attribute, it is also not updated or replicated as a phantom record via the
IM.  
However, phantom records are created on non-GC DCs to replicate the
manager-attribute (forward-link) to other DCs, if e.g. a user's
manager-attribute is linked to a user-object outside the own domain. As Dean
perfectly described, the IM is then responsible to sync changes to the
linked object over time (renames, deletes etc.), but it would not update any
backlinks.


As a side note on the replication of the manager/directReports links you
should realize that if you do leverage these across domains in a forest
and you accidentally delete a manager (with direct reports in various
domains) whom you must then authoritatively restore in AD, the links to the
manager's directReports are NOT recovered with the manager... (same issue as
with memberships in Universal Groups or Domain Local groups in other Domains
of the forest)

\Guido



RE: [ActiveDir] Non DR migration of AD

2004-06-11 Thread Glenn Corbett
Robert,

Yep, that is essentially a DR strategy, which does work.  I'm looking for a
non DR-style method to do this as well.

Glenn
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Friday, 11 June 2004 1:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

Bring up a new DC..
Take it off the production domain and into the lab... Seize the roles?
You will have to do some clean up but it's the easiest way if it's not going
to be linked to your production domain.

Rob

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: 10 June 2004 16:00
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non DR migration of AD


All,

We are in the process of constructing a Lab to mimic the production AD
system as closely as possible.  Doing a full DR into this environment is
certainly an option, however we have been looking into simply migrating
the AD structure and using this as a test bed to clean up AD (OUs,
objects, permissions, policies etc).

Is anyone aware of tools or procedures to get the major AD configuration
components into a lab using an approach that can be scripted / automated?
(we may want to do this every few months or so). For example, we have
used LDIFDE to extract the OU structure, users and groups and
re-imported these into the test lab.  By and large this has worked very
well (took some tweaking of the LDIFDE commands to resolve some
constraint violations etc), however items such as OU security and
policies are causing a bit more of a headache.

Any thoughts?

TIA

Glenn


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and the information it contains are confidential and may be
privileged. If you have received this e-mail in error please notify the
sender immediately and delete the material from any computer. Unless you are
the intended recipient, you should not copy this e-mail for any purpose, or
disclose its contents to any other person. 
The MCPS-PRS Alliance is not responsible for the completeness or accuracy of
this communication as it has been transmitted over a public network. Whilst
the MCPS-PRS Alliance monitors all communications for potential viruses, we
accept no responsibility for any loss or damage caused by this e-mail and
the information it contains.
It is the recipient's responsibility to scan this e-mail and any attachments
for viruses. Any 
e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for
quality control and other purposes.

The MCPS-PRS Alliance Limited is a limited company registered in England
under company number 03444246 whose registered office is at c/o 29-33
Berners Street, London, W1T 3AB.



RE: [ActiveDir] Non DR migration of AD

2004-06-11 Thread Glenn Corbett
Hunter,

Agreed, have looked into this, but am waiting for the full release of
virtual server before I start doing things like this in the prod
environment.

This will most likely be the go in the long run, and also affords some
really nice flexibility in the production environment with respect to moving
DCs around between newer hardware etc (which poses quite an issue at the
moment).

G.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, 11 June 2004 2:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

This situation holds a lot of promise for DCs running on virtual servers. I
know it's come up on the list before, and we have done some testing but
haven't rolled it into production yet. Basically, build a DC on a virtual
server; you can set it up with replication latency and other abnormal
settings for DR purposes as an added benefit. At any point, you can shut
down the virtual DC, copy the disk image to an alternate location (lab), and
bring up both the original virtual DC in the production environment as well
as the virtual DC in the lab environment. You'll still have to do some
cleanup and role seizing in the lab, but from the production environment's
standpoint all that happened was a DC shut down and restarted.

Hunter

-Original Message-
From: Passo, Larry [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

But then you should clean up your production AD to remove mention of the DC
that isn't there anymore.

http://support.microsoft.com/?id=216498





RE: [ActiveDir] OT: Sysprep and workstation images

2004-06-11 Thread Hunter, Laura E.
 Try setting a compliant password in the
 image, and then putting whatever has to go in the AdminPassword key to prompt
 the user.

Yeah, that's the part that only -sorta- works. The password policy
in the image is only being enforced for accounts that aren't the
Administrator account. When prompted for a strong admin password, the user
can simply cancel out of the dialog box, and setup continues with a blank admin
password.

Does this mean that I'm out of options, short of generating a home-grown
password utility for these boxen? That just seems... odd. But my
Googling isn't coming up with anything else of interest either.
:-(

Laura


RE: [ActiveDir] Non DR migration of AD

2004-06-11 Thread Glenn Corbett
Thanks Guido.

I'll check out the IADsAccessControlEntry stuff.

At the moment we are setting up a replica of the prod environment (same
namespace), however the AD design (group layering structure, security) was
inherited from the previous owners, and doesn't *quite* fit our security
model.  What I am trying to do is get the basic structure in, and see how I
can recombine this into a more appropriate format.  Bringing content (users,
groups, security, policies) in selectively allows a lot more flexibility
than a full DC grab/dr/clone, and allows the structure to be rebuilt piece
by piece until it's working much better, then work out how to retrofit it
back into prod.  Sounds a tedious way to do it I'll grant you, however it
allows me to build from the ground up, rather than pull down (which would
probably miss things).

G.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, 11 June 2004 7:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

you have different options when you're trying to implement the exact same
namespace in a physically separated lab, or when you want to integrate your
lab into the production network, choosing a different domain name.  

For the first option you can go the clone DC or grab DC method as
described in other posts, but when you want to use a different namespace,
it's a little more complicated, especially - as you noted yourself, when you
want to grab the security settings as well.  If Win2003, you could still do
a domain/forest rename after you've cloned/grabbed the DCs from production,
but that's still a lot of work.
We've decided to go down the scripting/programming path to copy & translate
the ACLs of one AD forest to another to build lab-environments (only OU
permissions). Yes, it is rather tedious, but it can be done - see MSDN
IADsAccessControlEntry Property Methods.

/Guido



RE: [ActiveDir] Security

2004-06-11 Thread Coleman, Hunter
Sounds like the rebuild is a good thing, given the little angels' propensity
to do things they shouldn't.

The approach I'd take is to monitor the update sequence number on the Domain
Admins, Schema Admins, and Enterprise Admins groups. If the USN changes on
any of the groups, then you know that *something* about the group changed,
and you can start looking at memberships. Wrap this up in a script that you
run frequently, and have it notify you when the USN changes.

If you search microsoft.public.* newsgroups for vbscript usnChanged richard
mueller (go to http://groups.google.com/advanced_group_search) you'll find
some sample vbscript to grab the USN.

Hunter 

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 10:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Security

More details:
Win2k Servers: 1 Root Server with another one for redundancy, 1 ISA Server, 1
Server for Teacher Data, 1 Server for Student Data
Win2003 Servers: 1 for Office Staff

And the fun begins.
Well, the biggest problem I am faced with is that the users (Students) ON the
network are constantly trying to break in or crash the Servers. They are
relentless; somehow yesterday (I have no idea how) they had managed to add
accounts to the Domain Admin Group, the Schema Admins and the Enterprise
Admins. The accounts they have added have been removed, but again today I
encountered two new instances of users being added to the Domain Admin
group. I am following this as closely as I can, checking the groups every 10
to 15 minutes, but that becomes very tedious and a real pain in the ... so I was
wondering if I could be notified of such things happening rather than have
to find out the hard way. I did the GPO thing of Restricting Groups and I
restricted the mentioned groups, but I am pretty sure I shouldn't have done
that as now all my Admin groups are Restricted (Domain Admins, Schema Admins,
Enterprise Admins). I just want to make it a few more weeks until the end of
the School year so I can rebuild the entire network with new servers etc.
(I inherited it about a month ago).

Any help or insight or just thoughts on the whole situation is appreciated.

Thanks to everyone,

Aaron Visser



 From: Passo, Larry [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date: Thu, 10 Jun 2004 20:37:24 -0700
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 I'm curious, do you have any more details?
 
 -Original Message-
 From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 10, 2004 2:47 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 
 don't use the Restricted Groups feature on domain groups, especially 
 domain admins. This has caused various issues for companies and thus 
 they've backed away from this approach.  However, using restricted 
 groups on member servers and clients works well.
 
 \Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
 Sent: Thursday, 10 June 2004 19:38
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 If you want to make sure that no one is added to the group you could 
 make the group a Restricted Group via a GPO.
 
 If you want to know when a user is added to the group, you could use a 
 GPO to turn on auditing of Account Management but then you would 
 have to search the audit logs of all of the DCs in the domain to find 
 the activity.
 
 Or you could write a script that looked at the group membership and 
 compared it with a pre-determined list. Then execute the script on a 
 schedule of your choice.
 
 -Original Message-
 From: Aaron Visser [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 10, 2004 9:51 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Security
 
 I need to know when the Domain Admin Group has a user added to it, or
 at least have that operation audited. Is there any way to perform this
 with GPO or something built into Win2k Server?
 
 Thanks,
 Aaron Visser
 

RE: [ActiveDir] Non DR migration of AD

2004-06-11 Thread Coleman, Hunter
VMWare has a couple of fully released products right now ;-)

You may have valid reasons for wanting to go with Microsoft's product,
though. 

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 11, 2004 7:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

Hunter,

Agreed, have looked into this, but am waiting for the full release of
virtual server before I start doing things like this in the prod
environment.

This will most likely be the go in the long run, and also affords some
really nice flexibility in the production environment with respect to moving
DC's around between newer hardware etc (which poses quite an issue at the
moment).

G.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, 11 June 2004 2:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

This situation holds a lot of promise for DCs running on virtual servers. I
know it's come up on the list before, and we have done some testing but
haven't rolled it into production yet. Basically, build a DC on a virtual
server; you can set it up with replication latency and other abnormal
settings for DR purposes as an added benefit. At any point, you can shut
down the virtual DC, copy the disk image to an alternate location (lab), and
bring up both the original virtual DC in the production environment as well
as the virtual DC in the lab environment. You'll still have to do some
cleanup and role seizing in the lab, but from the production environment's
standpoint all that happened was a DC shutdown and restarted. 

Hunter

-Original Message-
From: Passo, Larry [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

But then you should clean up your production AD to remove mention of the DC
that isn't there anymore.

http://support.microsoft.com/?id=216498


-Original Message-
From: Rutherford, Robert
[mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 8:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

Bring up a new DC..
Take it off the production domain and into the lab... Seize the roles?
You will have to do some clean up but it's the easiest way if it's not going
to be linked to your production domain.

Rob

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: 10 June 2004 16:00
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non DR migration of AD


All,

We are in the process of constructing a Lab to mimic the production AD
system as closely as possible.  Doing a full DR into this environment is
certainly an option, however we have been looking into simply migrating the
AD structure and using this as a test bed to cleanup AD (OU's, objects,
permissions, policies etc).

Is anyone aware of tools or procedures to get the major AD configuration
components into a lab using an approach that can be scripted / automated ?
(we may want to do this every few months or so). For example, we have used
LDIFDE to extract the OU structure, users and groups and re-imported these
into the test lab.  By and large this has worked very well (took some
tweaking of the LDIFDE commands to resolve some constraint violations etc),
however items such as OU security and policies are causing a bit more of a
headache.

Any thoughts ?

TIA

Glenn



[ActiveDir] spyware(OT)

2004-06-11 Thread Kern, Tom
My users are inundated with spyware and adware, what are the ways you guys deal with 
this?

do you change the zone settings in I.E via gpo?
can you turn spybot/spyblaster into an msi and push it out?

It's hard for me to block access to web sites via an application firewall as we're a 
liquor distribution company and our sales staff has to go to liquor sites that may have 
links to gambling or porn.

i'd love to hear any ideas.
thanks a lot


RE: [ActiveDir] Security

2004-06-11 Thread Mulnick, Al
Additionally, it would be helpful to know how they did what they did and
what account they used to do it.  I can think of many ways it's possible,
but it would be good to know what avenue they are using.  You should be able
to correlate the change of USN with the Event log entry (audit) of the
change.  EventcombMT is a useful tool for this and is available at the
Microsoft web site as a security tool.


Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, June 11, 2004 10:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

Sounds like the rebuild is a good thing, given the little angels' propensity
to do things they shouldn't.

The approach I'd take is to monitor the update sequence number on the Domain
Admins, Schema Admins, and Enterprise Admins groups. If the USN changes on
any of the groups, then you know that *something* about the group changed,
and you can start looking at memberships. Wrap this up in a script that you
run frequently, and have it notify you when the USN changes.

If you search microsoft.public.* newsgroups for vbscript usnChanged richard
mueller (go to http://groups.google.com/advanced_group_search) you'll find
some sample vbscript to grab the USN.

Hunter 

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 10:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Security

More Details
Win2k Servers 1 Root Server with another one for redundancy, 1 ISA Server, 1
Server for Teacher Data, 1 Server for Student Data
Win2003 Servers 1 for Office Staff

And the fun begins,
Well the biggest problem I am faced with is that the users (Students) ON the
network are constantly trying to break in or crash the Servers, They are
relentless somehow yesterday (I have no idea how) they had managed to add
accounts to the Domain Admin Group, the Schema Admins and the Enterprise
Admins. The accounts they have added have been removed but again today I
encountered two new instances of users being added to the Domain Admin
group. I am following this as closely as I can checking the groups every 10-15
minutes but that becomes very tedious and a real pain in the ... so I was
wondering if I could be notified of such things happening rather than have
to find out the hard way. I did the GPO thing of Restricting Groups and I
restricted the mentioned groups but I am pretty sure I shouldn't have done
that as now all my Admin groups are Restricted(Domain Admins, Schema Admins,
Enterprise Admins) I just want to make it a few more weeks until the end of
the School year so I can rebuild the entire network with new servers etc.
,(I inherited it about a month ago).

Any help or insight or just thoughts on the whole situation is appreciated

Thanks to everyone,

Aaron Visser



 From: Passo, Larry [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date: Thu, 10 Jun 2004 20:37:24 -0700
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 I'm curious, do you have any more details?
 
 -Original Message-
 From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 10, 2004 2:47 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 
 don't use the Restricted Groups feature on domain groups, especially 
 domain admins. This has caused various issues for companies and thus 
 they've backed away from this approach.  However, using restricted 
 groups on member servers and clients works well.
 
 \Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
 Sent: Donnerstag, 10. Juni 2004 19:38
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 If you want to make sure that no one is added to the group you could 
 make the group a Restricted Group via a GPO.
 
 If you want to know when a user is added to the group, you could use a 
 GPO to turn on auditing of Account Management but then you would 
 have to search the audit logs of all of the DCs in the domain to find 
 the activity.
 
 Or you could write a script that looked at the group membership and 
 compared it with a pre-determined list. Then execute the script on a 
 schedule of your choice.
 
 -Original Message-
 From: Aaron Visser [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 10, 2004 9:51 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Security
 
 I need to know when the Domain Admin Group has a user added to it or 
 at least have that operation audited, is there anyway to perform this 
 with GPO or something built into win2k server.
 
 Thanks,
 Aaron Visser
 
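The three suggestions in this thread (Hunter's usnChanged baseline, Larry's comparison of the membership against a pre-determined list, and Al's correlation of the change with the Account Management audit event) fit together into one script that runs on a schedule. The code below is an added example, not code from the thread or from any of its authors; it shows the comparison logic in Python over constructed sample data. In a real run the GroupSnapshot values come from an LDAP read of each group's usnChanged and member attributes and the AuditEvent values from the Security log of every DC in the domain (EventCombMT can gather those). The domain name, DNs, USN values, event fields and caller names are all made up for the example. One caveat the thread does not spell out is built in: usnChanged is local to the DC that answered the query and is not replicated, so the baseline must be compared with a later read from the same DC.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Account Management audit events that record a member being added to a
# security-enabled group. Windows 2000/2003: 632 = global group,
# 636 = local group, 660 = universal group; Windows Server 2008 and later
# renumbered these to 4728 / 4732 / 4756.
MEMBER_ADDED_EVENT_IDS = {632, 636, 660, 4728, 4732, 4756}


@dataclass(frozen=True)
class GroupSnapshot:
    """One LDAP read of a group: its usnChanged plus member DNs. usnChanged is
    local to the answering DC and not replicated, so a baseline is only
    comparable with a later read from the same DC."""
    name: str
    dc: str
    usn_changed: int
    members: FrozenSet[str]


@dataclass(frozen=True)
class AuditEvent:
    """Fields of a Security-log 'member added' event used for correlation."""
    dc: str          # DC whose Security log holds the event
    event_id: int
    group: str       # Target Account Name
    member: str      # Member Name (distinguished name)
    caller: str      # Caller User Name


def groups_with_new_usn(baseline: Dict[str, GroupSnapshot],
                        current: Dict[str, GroupSnapshot]) -> List[str]:
    """Hunter's check: groups whose usnChanged moved, i.e. *something* changed."""
    changed = []
    for name, now in current.items():
        before = baseline.get(name)
        if before is None:
            changed.append(name)
        elif before.dc != now.dc:
            raise ValueError(f"{name}: baseline from {before.dc}, current from {now.dc}")
        elif now.usn_changed != before.usn_changed:
            changed.append(name)
    return sorted(changed)


def membership_drift(approved: Dict[str, FrozenSet[str]],
                     current: Dict[str, GroupSnapshot]
                     ) -> Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]]:
    """Larry's check, per group: (members not on the approved list, approved
    members that are missing)."""
    drift = {}
    for name, now in current.items():
        want = approved.get(name, frozenset())
        added, removed = now.members - want, want - now.members
        if added or removed:
            drift[name] = (added, removed)
    return drift


def who_added(events: Iterable[AuditEvent], group: str, member: str) -> List[AuditEvent]:
    """Al's step: audit events, from any DC's log, recording this addition."""
    return [e for e in events if e.event_id in MEMBER_ADDED_EVENT_IDS
            and e.group == group and e.member == member]


def review(baseline, approved, current, events) -> List[str]:
    """Alert lines for one polling cycle; empty when nothing changed."""
    alerts = []
    drift = membership_drift(approved, current)
    for name in groups_with_new_usn(baseline, current):
        added, removed = drift.get(name, (frozenset(), frozenset()))
        if not added and not removed:
            alerts.append(f"{name}: usnChanged moved but membership matches the approved list")
        for m in sorted(added):
            by = ", ".join(f"{e.caller} via {e.dc} (event {e.event_id})"
                           for e in who_added(events, name, m))
            alerts.append(f"{name}: unapproved member {m}; added by {by or 'no audit event found'}")
        for m in sorted(removed):
            alerts.append(f"{name}: approved member {m} is missing")
    return alerts


# Constructed sample data: made-up domain, DNs, USN values and callers.
ADMIN = "CN=Administrator,CN=Users,DC=school,DC=local"
STUDENT = "CN=student42,OU=Students,DC=school,DC=local"
APPROVED = {
    "Domain Admins": frozenset({ADMIN, "CN=avisser,CN=Users,DC=school,DC=local"}),
    "Schema Admins": frozenset({ADMIN}),
    "Enterprise Admins": frozenset({ADMIN}),
}
BASELINE = {g: GroupSnapshot(g, "DC1", usn, APPROVED[g]) for g, usn in
            [("Domain Admins", 41203), ("Schema Admins", 41044), ("Enterprise Admins", 41051)]}
CURRENT = {
    "Domain Admins": GroupSnapshot("Domain Admins", "DC1", 41877, APPROVED["Domain Admins"] | {STUDENT}),
    "Schema Admins": BASELINE["Schema Admins"],
    # USN moved (say, the description was edited) but membership is unchanged.
    "Enterprise Admins": GroupSnapshot("Enterprise Admins", "DC1", 41880, APPROVED["Enterprise Admins"]),
}
EVENTS = [
    AuditEvent("DC2", 632, "Domain Admins", STUDENT, "helpdesk01"),
    AuditEvent("DC1", 636, "Backup Operators", "CN=jdoe,OU=Staff,DC=school,DC=local", "Administrator"),
]

if __name__ == "__main__":
    for line in review(BASELINE, APPROVED, CURRENT, EVENTS):
        print(line)
```

Run as-is it reports the unapproved Domain Admins member together with the caller and the DC that logged the addition, and flags Enterprise Admins as changed-but-intact so you know to look at the other attributes. The USN check is cheap enough to run every few minutes against one DC; the membership diff is what tells you whether the change matters, and the audit event is what tells you which account to disable.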

RE: [ActiveDir] spyware(OT)

2004-06-11 Thread Charlie Kaiser
You can do a combination of your suggestions. We will change the IE zones
for problem users; so far that's worked OK for us. I'll lock down the
internet zone so nothing much will run at all.
We use Spybot and Ad-Aware to clean up when needed. You can also use
Websense (or maybe another filtering product?) and block access selectively;
i.e., allow less restrictive access for a group of users that need to get to
those sites.
Google toolbar also helps to block popups.
For us it's about taking care of most of it so that our one-off work is
minimized. It's really hard to prevent it all.

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: Kern, Tom [mailto:[EMAIL PROTECTED] 
 Sent: Friday, June 11, 2004 7:16 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] spyware(OT)
 
 My users are inundated with spyware and adware, what are the 
 ways you guys deal with this?
 
 do you change the zone settings in I.E via gpo?
 can you turn spybot/spyblaster into an msi and push it out?
 
 It's hard for me to block access to web sites via an 
 application firewall as we're a liquor distribution company 
 and our sales staff has to go to liquor sites that may have 
 links to gambling or porn.
 
 i'd love to hear any ideas.
 thanks a lot


[ActiveDir] Roaming Profile Permissions

2004-06-11 Thread Edwin
I would like to be able to view the files contained within a user's roaming
profile but keep getting a permission denied error. I have a Windows 2003 DC
and testing on a Windows XP machine.

I have enabled

Computer Configuration\Administrative Templates\System\User Profiles\Add
the Administrators Security Group to the roaming user profiles

but that only allows me to go into the root directory of the user profile but
not into other directories such as the Desktop or My Documents.

I know that I can update the NTFS permissions to the sub directories but I am
not sure if this is wise to where it may affect the user. I am sure that there
have been required investigations in the past by an Administrator. What is the
recommended solution for this without affecting the user?

Thank you all for your responses in advance.

Edwin


RE: [ActiveDir] spyware(OT)

2004-06-11 Thread Manuel Santos
I distributed AdAware (http://www.lavasoftusa.com/software/adaware/) and
made my users use it on a regular basis (once a week, at least)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: sexta-feira, 11 de Junho de 2004 15:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] spyware(OT)

My users are inundated with spyware and adware, what are the ways you guys
deal with this?

do you change the zone settings in I.E via gpo?
can you turn spybot/spyblaster into an msi and push it out?

It's hard for me to block access to web sites via an application firewall as
we're a liquor distribution company and our sales staff has to go to liquor
sites that may have links to gambling or porn.

i'd love to hear any ideas.
thanks a lot


RE: [ActiveDir] spyware(OT)

2004-06-11 Thread Kern, Tom
can you distribute ad-aware and spybot via a gpo?

also, for internet zones, what are some good things to disable without losing too much 
functionality.
should i disable all ActiveX (is most adware ActiveX and JavaScript?)?

thanks

-Original Message-
From: Manuel Santos [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 10:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] spyware(OT)


I distributed AdAware (http://www.lavasoftusa.com/software/adaware/) and
made my users use it on a regular basis (once a week, at least)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: sexta-feira, 11 de Junho de 2004 15:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] spyware(OT)

My users are inundated with spyware and adware, what are the ways you guys
deal with this?

do you change the zone settings in I.E via gpo?
can you turn spybot/spyblaster into an msi and push it out?

It's hard for me to block access to web sites via an application firewall as
we're a liquor distribution company and our sales staff has to go to liquor
sites that may have links to gambling or porn.

i'd love to hear any ideas.
thanks a lot


RE: [ActiveDir] spyware(OT)

2004-06-11 Thread Dale, Rick
I have SpyBot (http://www.safer-networking.org/) installed on all PC's and
it runs as part of the local machine's Friday night routine (A/V, SpyBot
etc.) using the AT / scheduler and some .bat files. 

If you don't have SpyBot installed already then I would just push out what
ever program you choose.

Just my 10 BITs.

Rick

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 11, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] spyware(OT)

My users are inundated with spyware and adware, what are the ways you guys
deal with this?

do you change the zone settings in I.E via gpo?
can you turn spybot/spyblaster into an msi and push it out?

It's hard for me to block access to web sites via an application firewall as
we're a liquor distribution company and our sales staff has to go to liquor
sites that may have links to gambling or porn.

i'd love to hear any ideas.
thanks a lot


RE: [ActiveDir] spyware(OT)

2004-06-11 Thread Al Garrett
Another option would be to make the shift from IE to another browser
like Mozilla. Better pop-up stopper, too.
We've had issues with AdAware causing more problems than it cures.
Al


-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 11, 2004 7:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] spyware(OT)


My users are inundated with spyware and adware, what are the ways you
guys deal with this?

do you change the zone settings in I.E via gpo?
can you turn spybot/spyblaster into an msi and push it out?

It's hard for me to block access to web sites via an application firewall
as we're a liquor distribution company and our sales staff has to go to
liquor sites that may have links to gambling or porn.

i'd love to hear any ideas.
thanks a lot


Re: [ActiveDir] spyware(OT)

2004-06-11 Thread jpsalemi
There was an interesting article the other day:

http://searchwin2000.techtarget.com/tip/0,289483,sid1_gci969259,00.html?track=NL-120ad=484520

Because of licensing issues we try to not let our users download adaware
etc

John

From: Kern, Tom [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 06/11/2004 09:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] spyware(OT)

My users are inundated with spyware and adware, what are the ways you guys
deal with this?

do you change the zone settings in I.E via gpo?
can you turn spybot/spyblaster into an msi and push it out?

It's hard for me to block access to web sites via an application firewall as
we're a liquor distribution company and our sales staff has to go to liquor
sites that may have links to gambling or porn.

i'd love to hear any ideas.
thanks a lot


RE: [ActiveDir] Roaming Profile Permissions

2004-06-11 Thread Darren Mar-Elia
You can take ownership of those files and change the permissions to include
your account, as long as you don't remove the user's ACE or the localSystem
ACE, without affecting their behavior. The only caveat here is described in
http://support.microsoft.com/default.aspx?scid=kb;en-us;327462

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Friday, June 11, 2004 7:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Roaming Profile Permissions

I would like to be able to view the files contained within a user's roaming
profile but keep getting a permission denied error. I have a Windows 2003 DC
and testing on a Windows XP machine.

I have enabled

Computer Configuration\Administrative Templates\System\User Profiles\Add the
Administrators Security Group to the roaming user profiles

but that only allows me to go into the root directory of the user profile but
not into other directories such as the Desktop or My Documents.

I know that I can update the NTFS permissions to the sub directories but I am
not sure if this is wise to where it may affect the user. I am sure that there
have been required investigations in the past by an Administrator. What is the
recommended solution for this without affecting the user?

Thank you all for your responses in advance.

Edwin


RE: [ActiveDir] spyware(OT)

2004-06-11 Thread Kern, Tom
how would you go pushing out the kill bit .reg file for active x?

gpo? batch?
i would like to push this out silently with no user intervention or even knowledge if 
possible.
thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 11:00 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] spyware(OT)

There was an interesting article the other day :

http://searchwin2000.techtarget.com/tip/0,289483,sid1_gci969259,00.html?track=NL-120ad=484520

Because of licensing issues we try to not let our users download adaware
etc

John

From: Kern, Tom [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 06/11/2004 09:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] spyware(OT)

My users are inundated with spyware and adware, what are the ways you guys
deal with this?

do you change the zone settings in I.E via gpo?
can you turn spybot/spyblaster into an msi and push it out?

It's hard for me to block access to web sites via an application firewall as
we're a liquor distribution company and our sales staff has to go to liquor
sites that may have links to gambling or porn.

i'd love to hear any ideas.
thanks a lot
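Kern's question above gets no answer on this page. As an added example, not code from the thread or from any of its authors, here is a small Python helper that writes the .reg file a kill bit needs and parses a regedit export back to verify it. The kill bit itself is documented in Microsoft KB 240797: a DWORD value named "Compatibility Flags" with bit 0x400 set, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The CLSID in the code is a made-up placeholder; substitute the control you want to block. Pushing the file out silently, as Kern asks, is then a matter of merging it with `regedit /s killbits.reg` from a Group Policy computer startup script, which runs as SYSTEM before any user logs on and so has the rights HKLM needs.

```python
import re
from typing import Dict, Iterable, Optional

# Key IE consults before loading a control (KB240797). Bit 0x400 of the
# "Compatibility Flags" DWORD under a control's CLSID is the kill bit.
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_FLAG = 0x00000400

_CLSID = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")
_KEY_LINE = re.compile("^" + re.escape("[" + KILLBIT_KEY + "\\") + r"(\{[^}]+\})\]$",
                       re.IGNORECASE)
_FLAG_LINE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')


def normalize_clsid(clsid: str) -> str:
    """Upper-case braced form of a CLSID; ValueError if it is not one."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not _CLSID.match(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return c


def killbit_reg(clsids: Iterable[str],
                existing_flags: Optional[Dict[str, int]] = None) -> str:
    """Build a .reg file that sets the kill bit for every CLSID given.

    A .reg merge overwrites the whole DWORD, so existing_flags (CLSID -> the
    value already present on the targets, if known) is OR-ed in to avoid
    clearing other compatibility bits a control may rely on.
    """
    existing = {normalize_clsid(k): v for k, v in (existing_flags or {}).items()}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in sorted({normalize_clsid(x) for x in clsids}):
        flags = existing.get(c, 0) | KILLBIT_FLAG
        lines.append(f"[{KILLBIT_KEY}\\{c}]")
        lines.append(f'"Compatibility Flags"=dword:{flags:08x}')
        lines.append("")
    return "\r\n".join(lines)


def killbits_in_reg(text: str) -> Dict[str, bool]:
    """Parse .reg text (ours, or a 'regedit /e' export of the key taken on a
    client after the merge) into CLSID -> kill bit set. This is the check
    that the push actually landed."""
    result: Dict[str, bool] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_LINE.match(line)
        if key:
            current = normalize_clsid(key.group(1))
            result[current] = False
            continue
        flag = _FLAG_LINE.match(line)
        if flag and current:
            result[current] = bool(int(flag.group(1), 16) & KILLBIT_FLAG)
    return result


# Placeholder CLSID, made up for this example; use the CLSID of the control
# you actually want IE to stop loading.
EXAMPLE_CLSID = "0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9"

if __name__ == "__main__":
    reg = killbit_reg([EXAMPLE_CLSID])
    print(reg)
    print(killbits_in_reg(reg))
```

Two caveats worth keeping in mind: the kill bit only stops Internet Explorer from instantiating the control, it does not remove the DLL or stop other hosts from loading it; and because the merge replaces the whole "Compatibility Flags" value, export the key from a reference machine first if you suspect other bits are already set there.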


RE: [ActiveDir] spyware(OT)

2004-06-11 Thread Rod Trent
In case no one has mentioned it, this solution works great:

http://www.mvps.org/winhelp2002/hosts.htm 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Manuel Santos
Sent: Friday, June 11, 2004 10:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] spyware(OT)

I distributed AdAware (http://www.lavasoftusa.com/software/adaware/) and
made my users use it on a regular basis (once a week, at least)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: sexta-feira, 11 de Junho de 2004 15:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] spyware(OT)

My users are inundated with spyware and adware, what are the ways you guys
deal with this?

do you change the zone settings in I.E via gpo?
can you turn spybot/spyblaster into an msi and push it out?

It's hard for me to block access to web sites via an application firewall as
we're a liquor distribution company and our sales staff has to go to liquor
sites that may have links to gambling or porn.

i'd love to hear any ideas.
thanks a lot


RE: [ActiveDir] spyware(OT)

2004-06-11 Thread Craig Cerino
Been using it for quite some time myself.

This, in conjunction with the SpyBot Resident have kept me free for
months

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Friday, June 11, 2004 11:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] spyware(OT)

In case no one has mentioned it, this solution works great:

http://www.mvps.org/winhelp2002/hosts.htm 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Manuel Santos
Sent: Friday, June 11, 2004 10:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] spyware(OT)

I distributed AdAware (http://www.lavasoftusa.com/software/adaware/) and
made my users use it on a regular basis (once a week, at least)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: sexta-feira, 11 de Junho de 2004 15:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] spyware(OT)

My users are inundated with spyware and adware, what are the ways you
guys
deal with this?

do you change the zone settings in I.E via gpo?
can you turn spybot/spyblaster into an msi and push it out?

It's hard for me to block access to web sites via an application firewall
as we're a liquor distribution company and our sales staff has to go to
liquor sites that may have links to gambling or porn.

i'd love to hear any ideas.
thanks a lot


RE: [ActiveDir] spyware(OT)

2004-06-11 Thread Christopher Hummert
We use spybot along with the resident program that came out in the 1.3
release. So far it's been pretty good. I was wondering, what did you do to
get it to run with the scheduler and bat files? I haven't been able to get
it to cooperate yet.

-Chris 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dale, Rick
Sent: Friday, June 11, 2004 7:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] spyware(OT)

I have SpyBot (http://www.safer-networking.org/) installed on all PC's and
it runs as part of the local machine's Friday night routine (A/V, SpyBot
etc.) using the AT / scheduler and some .bat files. 

If you don't have SpyBot installed already then I would just push out what
ever program you choose.

Just my 10 BITs.

Rick

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] spyware(OT)

My users are inundated with spyware and adware, what are the ways you guys
deal with this?

do you change the zone settings in I.E via gpo?
can you turn spybot/spyblaster into an msi and push it out?

It's hard for me to block access to web sites via an application firewall as
we're a liquor distribution company and our sales staff has to go to liquor
sites that may have links to gambling or porn.

i'd love to hear any ideas.
thanks a lot


RE: [ActiveDir] spyware(OT)

2004-06-11 Thread Dale, Rick
SpybotSD.exe /AUTOCHECK /AUTOFIX /AUTOCLOSE is the command I run in the
scheduler file. It runs off of a local account. I am not sure if it would
work running as system or not though. If you use the advanced features of
SpybotSD there is a scheduler option under Settings/Scheduler that helps out
a bit. Hope that helps ya, good luck.

Rick

-Original Message-
From: Christopher Hummert [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 11, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] spyware(OT)

We use spybot along with the resident program that came out in the 1.3
release. So far it's been pretty good. I was wondering, what did you do to
get it to run with the scheduler and bat files? I haven't been able to get
it to cooperate yet.

-Chris 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dale, Rick
Sent: Friday, June 11, 2004 7:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] spyware(OT)

I have SpyBot (http://www.safer-networking.org/) installed on all PC's and
it runs as part of the local machine's Friday night routine (A/V, SpyBot
etc.) using the AT / scheduler and some .bat files. 

If you don't have SpyBot installed already then I would just push out what
ever program you choose.

Just my 10 BITs.

Rick

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] spyware(OT)

My users are inundated with spyware and adware, what are the ways you guys
deal with this?

do you change the zone settings in I.E via gpo?
can you turn spybot/spyblaster into an msi and push it out?

It's hard for me to block access to web sites via an application firewall as
we're a liquor distribution company and our sales staff has to go to liquor
sites that may have links to gambling or porn.

i'd love to hear any ideas.
thanks a lot


Re: [ActiveDir] OT: Samba guest access?

2004-06-11 Thread Rob Freeman



The only other idea I can think of is to create a user account on the samba box
with the exact same name / password as the user on the windows box. Then use
smbpasswd -a to grant them access to smb.

Sure there is a better way, but I can not think of one at the moment.

  - Original Message -
  From: Kirk Marple
  To: [EMAIL PROTECTED]
  Sent: Friday, June 11, 2004 11:50 AM
  Subject: RE: [ActiveDir] OT: Samba guest access?
  
  yep, it has "guest ok = 1". this was put in by the Workgroup Manager, not by hand.

  mine looks like this... i added relevant pieces of the [global] section, just
  in case the problem would be there instead.

  [global]
    security = ADS
    guest account = unknown
    auth methods = guest opendirectory
    use spnego = yes
    map to guest = Bad User
    allow trusted domains = no
    preferred master = no
    client ntlmv2 auth = no
    domain logons = no
    domain master = yes

  and for the file share:

  [AppStorage]
    oplocks = 0
    map archive = no
    path = /Volumes/[...]
    read >
    inherit permissions = 1
    strict locking = 1
    create mask = 0644
    guest ok = 1
    directory mask = 0755

  thanks for the help!
  Kirk
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Freeman
  Sent: Friday, June 11, 2004 9:35 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] OT: Samba guest access?

  Do you have guest ok = yes in your smb.conf file for that share?

  [share]
    available = yes
    browseable = yes
    comment = install files
    create mask = 777
    guest ok = yes
    path = /share/
    read >

  Rob
  
  
- Original Message -
From: Kirk Marple
To: [EMAIL PROTECTED]
Sent: Friday, June 11, 2004 11:30 AM
Subject: [ActiveDir] OT: Samba guest access?

(Sorry for the OT post, i just don't know anywhere else to find people that
might know the answer to this. Thanks!)

I've attached an Apple XServe to our Windows domain, and have successfully
setup all the Active Directory integration.

I've been able to expose a file share to Windows via Samba from the XServe, but
it's still requiring a guest account login.

For example, when i try and open \\xserve\Storage from Windows, it shows a
username/pwd dialog. If i type in 'guest', it lets me in.

Problem is, i want to use a file share from a .NET app, and can't do
authentication on the UNC path. I know the account info gets cached, but this
all has to happen automagically w/o user input.

Anybody know if there's a way to not require that authentication popup, and
just default to 'guest' access? Is it a Samba issue or a Windows issue?

Thanks for any help/pointers!
Kirk

-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
Kirk Marple
CTO/VP of Engineering
Agnostic Media, Inc.
e: [EMAIL PROTECTED]
w: www.agnostic-media.com
You can get my Digital ID here: https://digitalid.verisign.com/services/client/index.html


RE: [ActiveDir] spyware(OT)

2004-06-11 Thread jpsalemi




You could probably put it into a gpo, might be a lot of work maintaining...

Probably a login script, using vbs or something...You can set them to run
silently in the GPO.

I was looking at the reg.exe command, doesn't seem to be a silent switch on
import.

I'm sure one of the scripters would have an easy way to do this.

John





-Original Message-
From: Kern, Tom [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 06/11/2004 10:28 AM
Please respond to: ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] spyware(OT)





how would you go pushing out the kill bit .reg file for active x?

gpo? batch?
i would like to push this out silently with no user intervention or even
knowledge if possible.
thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 11:00 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] spyware(OT)






There was an interesting article the other day :

http://searchwin2000.techtarget.com/tip/0,289483,sid1_gci969259,00.html?track=NL-120ad=484520


Because of licensing issues we try to not let our users download adaware
etc

John




-Original Message-
From: Kern, Tom [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 06/11/2004 09:16 AM
Please respond to: ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] spyware(OT)






My users are inundated with spyware and adware, what are the ways you guys
deal with this?

do you change the zone settings in I.E via gpo?
can you turn spybot/spyblaster into an msi and push it out?

It's hard for me to block access to web sites via an application firewall as
we're a liquor distribution company and our sales staff has to go to liquor
sites that may have links to gambling or porn.

i'd love to hear any ideas.
thanks a lot
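Tom's question above about pushing the ActiveX kill bit .reg file silently, as an added example (not code from anyone on the list): Python that builds the .reg file for a list of CLSIDs and parses it back to confirm the kill bit is set before the file is pushed. The registry key and the 0x400 flag are Microsoft's documented kill-bit mechanism; the CLSIDs used in the demo are constructed placeholders, not real controls.

```python
"""Build and verify an ActiveX kill-bit .reg file.

Added example, not from the list thread. The registry location and the
"Compatibility Flags" value 0x400 are Microsoft's documented kill-bit
mechanism for Internet Explorer; the CLSIDs used below are constructed
placeholders, not real controls.
"""
import re

KILLBIT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
               r"\ActiveX Compatibility")
KILLBIT_FLAG = 0x400  # COMPAT_EVIL_DONT_LOAD, the "kill bit"

CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def build_killbit_reg(clsids):
    """Return the text of a .reg file that sets the kill bit for each CLSID.

    The header line must be exactly "Windows Registry Editor Version 5.00"
    and the file uses CRLF line endings, which is what reg.exe / regedit
    expect. A malformed CLSID raises instead of producing a bad key.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        clsid = clsid.strip().upper()
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        lines.append(f"[{KILLBIT_KEY}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{KILLBIT_FLAG:08x}')
        lines.append("")
    return "\r\n".join(lines) + "\r\n"


def killbits_in_reg(reg_text):
    """Parse a .reg file and return {CLSID: flags} for every entry under the
    ActiveX Compatibility key, so a file can be checked before deployment."""
    result = {}
    current = None
    prefix = KILLBIT_KEY.upper() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):].upper() if key.upper().startswith(prefix) else None
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            result[current] = int(line.split("dword:")[1], 16)
    return result


def killbit_set(flags):
    """True when the kill bit is present in a Compatibility Flags value."""
    return bool(flags & KILLBIT_FLAG)


if __name__ == "__main__":
    # Constructed placeholder CLSIDs, not real controls.
    demo = build_killbit_reg(["{00000000-0000-0000-0000-000000000001}"])
    print(demo)
    print({c: killbit_set(f) for c, f in killbits_in_reg(demo).items()})
```

Applied from a computer startup script with reg import, the file installs under LocalSystem before any user logs on, so nobody sees a prompt.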


RE: [ActiveDir] Security

2004-06-11 Thread Passo, Larry
Thanks for the details, but I was hoping that Guido would provide some of the reasons 
why Restricted Groups was a bad idea. Although, I would consider having all of the 
Domain groups be locked out to not be a great idea.

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Security


More Details
Win2k Servers 1 Root Server with another one for redundancy, 1 ISA Server, 1
Server for Teacher Data, 1 Server for Student Data
Win2003 Servers 1 for Office Staff

And the fun begins,
Well the biggest problem I am faced with is that the users (Students) ON the
network are constantly trying to break in or crash the Servers. They are
relentless; somehow yesterday (I have no idea how) they had managed to add
accounts to the Domain Admin Group, the Schema Admins and the Enterprise
Admins. The accounts they have added have been removed, but again today I
encountered two new instances of users being added to the Domain Admin
group. I am following this as closely as I can, checking the groups every
10-15 minutes, but that becomes very tedious and a real pain in the ... so I was
wondering if I could be notified of such things happening rather than have
to find out the hard way. I did the GPO thing of Restricting Groups and I
restricted the mentioned groups, but I am pretty sure I shouldn't have done
that as now all my Admin groups are Restricted (Domain Admins, Schema Admins,
Enterprise Admins). I just want to make it a few more weeks until the end of
the School year so I can rebuild the entire network with new servers etc.
(I inherited it about a month ago).

Any help or insight or just thoughts on the whole situation is appreciated

Thanks to everyone,

Aaron Visser



 From: Passo, Larry [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date: Thu, 10 Jun 2004 20:37:24 -0700
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 I'm curious, do you have any more details?
 
 -Original Message-
 From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 10, 2004 2:47 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 
 don't use the Restricted Groups feature on domain groups, especially
 domain admins. This has caused various issues for companies and thus
 they've backed away from this approach.  However, using restricted
 groups on member servers and clients works well.
 
 \Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
 Sent: Thursday, 10 June 2004 19:38
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 If you want to make sure that no one is added to the group you could
 make the group a Restricted Group via a GPO.
 
 If you want to know when a user is added to the group, you could use a
 GPO to turn on auditing of Account Management but then you would have
 to search the audit logs of all of the DCs in the domain to find the
 activity.
 
 Or you could write a script that looked at the group membership and
 compared it with a pre-determined list. Then execute the script on a
 schedule of your choice.
 
 -Original Message-
 From: Aaron Visser [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 10, 2004 9:51 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Security
 
 I need to know when the Domain Admin Group has a user added to it or at
 least have that operation audited, is there anyway to perform this with
 GPO
 or something built into win2k server.
 
 Thanks,
 Aaron Visser
 
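Larry's two options in the thread above, turn on auditing of Account Management and script a comparison of group membership against a pre-determined list, as an added example (not code from anyone in the thread): Python that diffs a membership snapshot against a baseline and filters a Security log export for member-added events on the Domain Admins, Schema Admins and Enterprise Admins groups, the monitoring alternative to the Restricted Groups approach Guido advises against for domain groups. The event IDs 632/636/660 are the Windows 2000/2003 "Security Enabled Global/Local/Universal Group Member Added" events; the member names and log records are constructed.

```python
"""Detect unexpected additions to sensitive AD groups.

Added example, not code from the thread. Two checks from Larry's reply: a
membership diff against a pre-determined list, and a filter over Account
Management audit events. Event IDs 632/636/660 are the Windows 2000/2003
"Security Enabled Global/Local/Universal Group Member Added" events; the
member names and the log export below are constructed.
"""
import re

SENSITIVE_GROUPS = {"Domain Admins", "Schema Admins", "Enterprise Admins"}

# Pre-determined list of who belongs in each group (constructed names).
BASELINE = {
    "Domain Admins": {"Administrator", "avisser"},
    "Schema Admins": {"Administrator"},
    "Enterprise Admins": {"Administrator"},
}


def diff_memberships(baseline, current):
    """Return {group: (added, removed)} for groups whose current membership
    differs from the baseline. Names compare case-insensitively, as
    sAMAccountNames do in AD."""
    changes = {}
    for group, allowed in baseline.items():
        allowed_l = {m.lower() for m in allowed}
        now_l = {m.lower() for m in current.get(group, ())}
        added, removed = now_l - allowed_l, allowed_l - now_l
        if added or removed:
            changes[group] = (sorted(added), sorted(removed))
    return changes


# Account Management events for a member being added to a security-enabled
# global / local / universal group (Windows 2000/2003 event IDs).
MEMBER_ADDED_EVENTS = {632, 636, 660}

# Constructed export in the style of a dumped Security log: one record per
# blank-line-separated block, "EventID:" first, then "Field: value" lines.
SAMPLE_EVENTS = """\
EventID: 632
    Member Name: CN=student42,OU=Students,DC=school,DC=local
    Target Account Name: Domain Admins
    Caller User Name: student17

EventID: 642
    Target Account Name: student42
    Caller User Name: student42

EventID: 660
    Member Name: CN=student42,OU=Students,DC=school,DC=local
    Target Account Name: Enterprise Admins
    Caller User Name: student17

EventID: 632
    Member Name: CN=jdoe,OU=Staff,DC=school,DC=local
    Target Account Name: Print Operators
    Caller User Name: Administrator
"""

FIELD_RE = re.compile(r"^\s*([^:]+):\s*(.*)$")


def parse_events(text):
    """Split an exported log into one dict per record; records without an
    EventID line are dropped rather than guessed at."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        if "EventID" in rec:
            rec["EventID"] = int(rec["EventID"])
            records.append(rec)
    return records


def sensitive_group_additions(text, sensitive=SENSITIVE_GROUPS):
    """Return (group, member, caller) for every member-added event whose
    target is one of the sensitive groups; other events are ignored."""
    hits = []
    for rec in parse_events(text):
        if rec["EventID"] in MEMBER_ADDED_EVENTS and rec.get("Target Account Name") in sensitive:
            hits.append((rec["Target Account Name"],
                         rec.get("Member Name", "?"),
                         rec.get("Caller User Name", "?")))
    return hits


if __name__ == "__main__":
    snapshot = {"Domain Admins": {"Administrator", "avisser", "student42"}}
    print(diff_memberships(BASELINE, snapshot))
    for group, member, caller in sensitive_group_additions(SAMPLE_EVENTS):
        print(f"ALERT: {caller} added {member} to {group}")
```

The diff catches a membership change between audit reads, while the event filter names who made it; both have to be run against every DC, since Account Management events stay in the local Security log of the DC that processed the change.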


[ActiveDir] Kerberos Delegation

2004-06-11 Thread Isham, Alan A



Can anyone share an end-to-end business process or a listing of security
controls used to manage Kerberos Delegation in Windows 2000 Advanced Server or
Windows Server 2003?

Thanks,
- Alan


RE: [ActiveDir] spyware(OT)

2004-06-11 Thread Raymond McClinnis
Personally I like using VB for any registry manipulation, and I usually do
sneaky things (Read: things that keep the users from doing what they
shouldn't be doing anyways) at log off or shutdown through GPO.  Just my
$.02


Thanks,

Raymond

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] spyware(OT)





You could probably put it into a gpo, might be a lot of work maintaining...

Probably a login script, using vbs or something...You can set them to run
silently in the GPO.

I was looking at the reg.exe command, doesn't seem to be a silent switch on
import.

I'm sure one of the scripters would have an easy way to do this.

John





-Original Message-
From: Kern, Tom [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 06/11/2004 10:28 AM
Please respond to: ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] spyware(OT)





how would you go pushing out the kill bit .reg file for active x?

gpo? batch?
i would like to push this out silently with no user intervention or even
knowledge if possible.
thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 11:00 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] spyware(OT)






There was an interesting article the other day :

http://searchwin2000.techtarget.com/tip/0,289483,sid1_gci969259,00.html?track=NL-120ad=484520


Because of licensing issues we try to not let our users download adaware
etc

John




-Original Message-
From: Kern, Tom [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 06/11/2004 09:16 AM
Please respond to: ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] spyware(OT)






My users are inundated with spyware and adware, what are the ways you guys
deal with this?

do you change the zone settings in I.E via gpo?
can you turn spybot/spyblaster into an msi and push it out?

It's hard for me to block access to web sites via an application firewall as
we're a liquor distribution company and our sales staff has to go to liquor
sites that may have links to gambling or porn.

i'd love to hear any ideas.
thanks a lot


Re: [ActiveDir] spyware(OT)

2004-06-11 Thread Doug Hampshire
So you are saying that liquor leads to porn and gambling?

- Original Message - 
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 11, 2004 7:16 AM
Subject: [ActiveDir] spyware(OT)


 My users are inundated with spyware and adware, what are the ways you guys
deal with this?

 do you change the zone settings in I.E via gpo?
 can you turn spybot/spyblaster into an msi and push it out?

 It's hard for me to block access to web sites via an application firewall
as we're a liquor distribution company and our sales staff has to go to
liquor sites that may have links to gambling or porn.

 i'd love to hear any ideas.
 thanks a lot


RE: [ActiveDir] spyware(OT)

2004-06-11 Thread Creamer, Mark
It always has for me :-)

I'm kidding. No Really.

mc
-Original Message-
From: Doug Hampshire [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 11, 2004 4:09 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] spyware(OT)

So you are saying that liquor leads to porn and gambling?

- Original Message - 
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 11, 2004 7:16 AM
Subject: [ActiveDir] spyware(OT)


 My users are inundated with spyware and adware, what are the ways you guys
deal with this?

 do you change the zone settings in I.E via gpo?
 can you turn spybot/spyblaster into an msi and push it out?

 It's hard for me to block access to web sites via an application firewall
as we're a liquor distribution company and our sales staff has to go to
liquor sites that may have links to gambling or porn.

 i'd love to hear any ideas.
 thanks a lot


RE: [ActiveDir] spyware(OT)

2004-06-11 Thread Kern, Tom
always. isn't that the point?

-Original Message-
From: Doug Hampshire [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 4:09 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] spyware(OT)


So you are saying that liquor leads to porn and gambling?

- Original Message - 
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 11, 2004 7:16 AM
Subject: [ActiveDir] spyware(OT)


 My users are inundated with spyware and adware, what are the ways you guys
deal with this?

 do you change the zone settings in I.E via gpo?
 can you turn spybot/spyblaster into an msi and push it out?

 It's hard for me to block access to web sites via an application firewall
as we're a liquor distribution company and our sales staff has to go to
liquor sites that may have links to gambling or porn.

 i'd love to hear any ideas.
 thanks a lot


RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-11 Thread Grillenmeier, Guido
glad you got it working - how I love this magic, although at times it is difficult to 
explain to folks how certain things in AD really work...

now all that's left to do is to rename those domains ;-))

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Solange Desseignes
Sent: Friday, 11 June 2004 10:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

I made the DC of the domain toto.titi.com a GC and the directReports attribute of 
usertiti has been immediately correctly set ! Magic !!!

Thank you all for your help !

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Solange
Desseignes
Sent: Friday, 11 June 2004 09:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain
and sub-domain


Thank you all for your responses !

If I understand well:

My problem is not due to the Infrastructure Master...

You are right, Guido, the DC for titi.com is a GC and the DC for toto.titi.com is 
not a GC.
To correct my problem and see the directReports attribute of usertoto correctly set 
at
usertiti, I must make the DC for toto.titi.com a GC. Right ?

Solange Desseignes


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Friday, 11 June 2004 00:57
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain
and sub-domain


first of all, if titi.com and toto.titi.com are real names, then I'd
switch jobs - this would drive me crazy ;-)

Rgd. adding the directReports to the PAS: that would be nice, but isn't
possible for the backlinks of linked attribute-pairs - this is the case
here for the directReports attribute = it is not a replicated attribute
at all (neither cross domain nor within the same domain), as only
forward links (here the manager attribute) get replicated between
DC/GCs.  

Instead, the backlink attributes are processed locally on each DC when
it receives the forward-link (e.g. a user object's manager attribute)
and creates the link between the two respective AD objects via an entry
in the local link table on the DC/GC.


However, the forward-link will only replicate to DCs hosting the
respective naming context. And for attributes (even forward links),
which are also in the PAS (configured to replicate to the GC), this
means that the information is also replicated to GCs from another
domain(s), hosting a read-only partition of the source domain (of an
object with a forward link). And the GCs will then again create the
respective backlink locally, when making the entry in the linktable,
even for cross-domain links.

For the given manager/directReport example this means that a user's
manager attribute is only replicated to DCs of the same domain and to
GCs in the forest - and that only these machines populate the respective
directReports attribute (backlink) for a user who is a manager of this
other user. As such, you won't see cross-domain directReports
information on a DC of a manager's domain, if this DC is not a GC. 


So here, the DC for titi.com used to lookup the directReports
attribute usertiti must have been a GC, while the DC of
toto.titi.com used to lookup the directReports attribute usertoto
must have been just a normal DC.


This is not to be confused with Phantom Records (which are updated via
the Infrastructure Master): as the directReports attribute is not the
replicated attribute, it is also not updated or replicated as a phantom
record via the IM.  
However, phantom records are created on non-GC DCs to replicate the
manager-attribute (forward-link) to other DCs, if e.g. a user's
manager-attribute is linked to a user-object outside the own domain. As
Dean perfectly described, the IM is then responsible to sync changes to
the linked object over time (renames, deletes etc.), but it would not
update any backlinks.


As a sidenote on the replication of the manager/directReports links you
should realize, that if you do leverage these across domains in a
forest and you accidentally delete a manager (with direct-reports in
various domains) whom you must then authoritatively restore in AD, the
links to the manager's directReports are NOT recovered with the
manager... (same issue as with memberships in Universal Groups or Domain
Local groups in other Domains of the forest)

\Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Thursday, 10 June 2004 11:17
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain
and sub-domain

 If you really want/need it to be replicated to the GCs, you can use the
Schema snap-in, and check the box in front of 'Replicate this attribute to
the Global Catalog'.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB 
 Principal 
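Guido's rule in the thread above, a forward link replicates to the DCs of the object's own domain and (for attributes in the PAS) to every GC, while each DC derives the backlink locally from its own link table, as an added model (not code from anyone in the thread): a Python simulation of the titi.com / toto.titi.com forest that reproduces why directReports on usertoto stayed empty on the child DC until that DC became a GC. The domain and user names are the thread's; the DC names and the DNs are constructed.

```python
"""Model of forward-link replication and local backlink computation.

Added example, not from the thread. It encodes the rule Guido describes: a
forward link (manager) replicates to DCs hosting the object's naming context
and, when the attribute is in the PAS, to every GC in the forest; the
backlink (directReports) is never replicated, each DC derives it from the
forward links it actually holds. DC names and DNs are constructed; the
domains and users are the thread's.
"""
from dataclasses import dataclass, field


@dataclass
class DC:
    name: str
    domain: str          # naming context this DC is writable for
    is_gc: bool = False
    # local link table: (source_dn, forward_attr, target_dn)
    links: set = field(default_factory=set)


def domain_of(dn):
    """Derive the DNS domain from a DN's DC= components."""
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC="))


@dataclass
class Forest:
    dcs: list
    pas_attrs: set       # attributes flagged "replicate this attribute to the GC"
    backlinks: dict      # forward attribute -> its backlink attribute

    def set_forward_link(self, source_dn, attr, target_dn):
        """Write a forward link on the source object and deliver it to every
        DC that would receive it through replication."""
        src_domain = domain_of(source_dn)
        for dc in self.dcs:
            hosts_nc = dc.domain == src_domain
            via_gc = dc.is_gc and attr in self.pas_attrs
            if hosts_nc or via_gc:
                dc.links.add((source_dn, attr, target_dn))

    def read(self, dc_name, dn, attr):
        """Read an attribute as a given DC would answer an LDAP query: forward
        links come from the link table, backlinks are computed from it."""
        dc = next(d for d in self.dcs if d.name == dc_name)
        forward_of = {b: f for f, b in self.backlinks.items()}
        if attr in forward_of:   # backlink: who points at dn with the forward attr?
            return sorted(s for s, a, t in dc.links if a == forward_of[attr] and t == dn)
        return sorted(t for s, a, t in dc.links if s == dn and a == attr)


USERTITI = "CN=usertiti,CN=Users,DC=titi,DC=com"
USERTOTO = "CN=usertoto,CN=Users,DC=toto,DC=titi,DC=com"


def build_thread_forest(child_dc_is_gc):
    """The thread's two domains: titi.com, whose DC is a GC, and the child
    toto.titi.com, whose DC was not a GC until Solange made it one."""
    return Forest(
        dcs=[DC("dc-titi", "titi.com", is_gc=True),
             DC("dc-toto", "toto.titi.com", is_gc=child_dc_is_gc)],
        pas_attrs={"manager"},
        backlinks={"manager": "directReports"},
    )


def direct_reports_on(dc_name, child_dc_is_gc, manager_dn, report_dn):
    """Set report_dn.manager = manager_dn, then read manager_dn.directReports
    on the named DC."""
    forest = build_thread_forest(child_dc_is_gc)
    forest.set_forward_link(report_dn, "manager", manager_dn)
    return forest.read(dc_name, manager_dn, "directReports")


if __name__ == "__main__":
    # usertiti's manager is usertoto: the forward link lives in titi.com.
    print("child DC, not a GC:", direct_reports_on("dc-toto", False, USERTOTO, USERTITI))
    print("child DC, now a GC:", direct_reports_on("dc-toto", True, USERTOTO, USERTITI))
```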

RE: [ActiveDir] spyware(OT)

2004-06-11 Thread Burns, Clyde
Don't know about the rest of the list server folks. But I'm all for a
field trip to test out that theory. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, June 11, 2004 4:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] spyware(OT)

always. isn't that the point?

-Original Message-
From: Doug Hampshire [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 4:09 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] spyware(OT)


So you are saying that liquor leads to porn and gambling?

- Original Message -
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 11, 2004 7:16 AM
Subject: [ActiveDir] spyware(OT)


 My users are inundated with spyware and adware, what are the ways you
guys
deal with this?

 do you change the zone settings in I.E via gpo?
 can you turn spybot/spyblaster into an msi and push it out?

 It's hard for me to block access to web sites via an application
firewall
as we're a liquor distribution company and our sales staff has to go to
liquor sites that may have links to gambling or porn.

 i'd love to hear any ideas.
 thanks a lot


[ActiveDir] OT MS automated deployment systems (ADS)

2004-06-11 Thread Charlie Kaiser
Anyone using MS ADS? I've run into an odd issue...
I'm trying to PXE-boot a Dell dimension into the deployment agent. When it
gets to loading Ramdisk image it seems to load it but then tosses a
windows could not start because the following file is missing or corrupt
windows root\system32\ntoskrnl.exe. Please reinstall a copy of the above
file. Rebooting in 5 seconds...
This is a bare metal machine; fdisked. MBA software was updated to 4.11;
Bios is at current A14. It's almost like something's missing from the
ramdisk image, but that works on another machine. 
Anyone spent time with this system and run into this? I can't find a lot of
info on it yet...
Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


[ActiveDir] Problem adding child domain machine accounts to SQL logins

2004-06-11 Thread Kirk Marple



(All servers running Windows 2003 Standard. Domain/forest functional levels
all set to Windows 2003.)

I have a two-level domain structure, like this:

DOMAIN
  - DOMAIN-CHILD1
  - DOMAIN-CHILD2

My SQL Server lives in DOMAIN, and i'm trying to add the machine account for a
machine in DOMAIN-CHILD1 to the SQL logins list.

In the SQL login property dialog, i browse for an account name, and go into
the Domain Computers members list for DOMAIN-CHILD1. I see the computers in
there, and i pick one and add it: DOMAIN-CHILD1\MACHINE. I give it permissions
to a specific database in the default 'user' role.

But, when i press OK, it gives me an error dialog stating:

"Error 15401: Windows NT or group 'DOMAIN-CHILD1\MACHINE$' not found. Check
the name again."

But it definitely does exist, because it just browsed for it.

Other weird error is if i try and look at the members of the DOMAIN\Domain
Computers group (via the SQL login browse dialog), it gives me an error dialog
stating:

"The global group is in a domain which is not in the list of trusted domains.
Have more trusted domains been added while new users were being selected?"

But, i'm looking at a global group in the *same* domain as the SQL server.
Weird, eh?

I've checked the two-way trusts between the parent-child domains and they all
validate correctly.

I've successfully done this before on another set of servers, where i've added
machine accounts for servers that live in another domain, which is a peer to
the domain which contains the SQL server. (multiple domains in a forest, no
parent-child relationships).

Any ideas?

Thanks!
Kirk

-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
Kirk Marple
CTO/VP of Engineering
Agnostic Media, Inc.
e: [EMAIL PROTECTED]
w: www.agnostic-media.com
You can get my Digital ID here: https://digitalid.verisign.com/services/client/index.html



Re: [ActiveDir] OT: Samba guest access?

2004-06-11 Thread Brent Westmoreland



I can put it in the lab on Tuesday and probably have you an answer by that afternoon. I just need a little time.


From: Kirk Marple [EMAIL PROTECTED]
Organization: Agnostic Media, Inc.
Reply-To: [EMAIL PROTECTED]
Date: Fri, 11 Jun 2004 09:30:28 -0700
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Samba guest access?

(Sorry for the OT post, i just don't know anywhere else to find people that might know the answer to this. Thanks!)
 
I've attached an Apple XServe to our Windows domain, and have successfully setup all the Active Directory integration.
 
I've been able to expose a file share to Windows via Samba from the XServe, but it's still requiring a guest account login.
 
For example, when i try and open \\xserve\Storage from Windows, it shows a username/pwd dialog. If i type in 'guest', it lets me in.
 
Problem is, i want to use a file share from a .NET app, and can't do authentication on the UNC path. I know the account info gets cached, but this all has to happen automagically w/o user input.
 
Anybody know if there's a way to not require that authentication popup, and just default to 'guest' access? Is it a Samba issue or a Windows issue?
 
Thanks for any help/pointers!
Kirk
 
-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
Kirk Marple
CTO/VP of Engineering
Agnostic Media, Inc.
e: [EMAIL PROTECTED]
w: www.agnostic-media.com

You can get my Digital ID here: https://digitalid.verisign.com/services/client/index.html







Re: [ActiveDir] spyware(OT)

2004-06-11 Thread Robert Mezzone
There was a thread about this on another forum. Some guy figured out how to
do this and run scheduled scans without user intervention. It was one of the
security forums, securityfocus, perhaps. One thing I have noticed, at least
for me, is SpyBot hasn't released any updates for a while now, a couple of
months at least, while adware has an update almost every other day. It was
reversed in the past.

--
I searched all their forums and i can't find anything on scripting a network
wide remote (silent?) install of spybotSD.
Is this possible?

thanks

Robert


RE: [ActiveDir] Security

2004-06-11 Thread Raymond McClinnis
Why not create a group and modify the default rights to it (allow
interactive logon and the like) then set as the default group for the people
in question.  I have done this for questionable users in the past with
decent results.

Thanks,

Raymond 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, June 11, 2004 2:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

sure:
1.  replication of changes and applying the GPO will cause undesirable
results at times.
2.  the AdminSDholder process of the domain controls the sensitive
groups in AD (e.g. Domain  Enterprise  Schema Admin, Account
Operators, Server Operators etc.) and periodically checks permissions on
these groups and for those accounts that need to be in this group have
not been removed etc. (could also be impacted negatively by the GPO)
3.  there are a couple of hidden group memberships in AD that you don't
know about and thus not adding them via restricted groups could cause
replication problems: e.g. each DC is a member of the local domain
administrators group using the NT Authority\Enterprise Domain
Controllers group - but you don't see this group as a member in the
group. If this member is missing, DCs can't replicate successfully.  I
don't have a complete list of hidden memberships (this one could or
could not be all), so that I wouldn't risk breaking things in AD using
this GPO on domain groups (mainly the administrative groups).

\Guido
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Friday, 11 June 2004 05:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

I'm curious, do you have any more details?

-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security


don't use the Restricted Groups feature on domain groups, especially
domain admins. This has caused various issues for companies and thus
they've backed away from this approach.  However, using restricted
groups on member servers and clients works well. 

\Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Thursday, 10 June 2004 19:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

If you want to make sure that no one is added to the group you could
make the group a Restricted Group via a GPO.

If you want to know when a user is added to the group, you could use a
GPO to turn on auditing of Account Management but then you would have
to search the audit logs of all of the DCs in the domain to find the
activity.

Or you could write a script that looked at the group membership and
compared it with a pre-determined list. Then execute the script on a
schedule of your choice.

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admin Group has a user added to it or at
least have that operation audited, is there any way to perform this with
GPO or something built into win2k server.

Thanks,
Aaron Visser
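
The two detection routes Larry Passo describes in the thread above, a scheduled script that compares the group's membership with a pre-determined list, and a search of the audit logs on every DC, as one added example. This is not code from the list or from any of the posters; it assumes the ActiveDirectory RSAT module, read access to the DCs' Security logs, and a baseline file path and lookback window chosen here for illustration. The event IDs are the ones Windows Server 2008 and later write for "member added to a security-enabled group" with account-management auditing enabled (Windows 2000, which the question mentions, used a different numbering in the old Security log), and the group must have been through at least one run so that a baseline exists:

```powershell
#Requires -Modules ActiveDirectory
# Added example (not code from the thread). Compares the current membership of a
# privileged group against a saved, approved baseline, then pulls the matching
# "member added" audit events from every DC. Group name, baseline path and the
# lookback window are assumptions; adjust them for your environment.
param(
    [string]$GroupName     = 'Domain Admins',
    [string]$BaselinePath  = "$env:ProgramData\GroupWatch\domain-admins.txt",
    [int]   $LookbackHours = 24
)

Import-Module ActiveDirectory

# 1. Current membership, expanded through nested groups, as sorted SAM account names.
$current = @(Get-ADGroupMember -Identity $GroupName -Recursive |
             Select-Object -ExpandProperty SamAccountName |
             Sort-Object -Unique)

# 2. First run: record the approved list and stop. Later runs: diff against it.
if (-not (Test-Path -Path $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path -Parent $BaselinePath) -Force | Out-Null
    $current | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) members)."
    return
}

$baseline = @(Get-Content -Path $BaselinePath | Where-Object { $_.Trim() -ne '' })
$added    = @($current  | Where-Object { $_ -notin $baseline })   # in AD, not approved
$removed  = @($baseline | Where-Object { $_ -notin $current })    # approved, gone from AD

foreach ($m in $added)   { Write-Warning "Unexpected member of ${GroupName}: $m" }
foreach ($m in $removed) { Write-Warning "Approved member missing from ${GroupName}: $m" }

# 3. Cross-check with the audit trail. With "Audit account management" enabled, a
#    member added to a security-enabled group is logged as 4728 (global group),
#    4732 (domain local) or 4756 (universal) on the DC that processed the change
#    only, which is why every DC has to be queried. In these events Properties[0]
#    is the member (as a DN), [2] the group name and [6] the account that made the change.
$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.Properties[2].Value -eq $GroupName } |
            ForEach-Object {
                [pscustomobject]@{
                    DC     = $dc
                    Time   = $_.TimeCreated
                    Event  = $_.Id
                    Member = $_.Properties[0].Value
                    Caller = $_.Properties[6].Value
                }
            }
    } catch {
        # "No events were found" is the normal quiet case; anything else is worth knowing.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "Could not read the Security log on ${dc}: $($_.Exception.Message)"
        }
    }
}

$events | Sort-Object Time | Format-Table -AutoSize
```

Run it once by hand to write the baseline, then from a scheduled task under an account that can read the DCs' Security logs; a warning from step 2 without a matching event in step 3 is itself a finding, since it means either auditing is not enabled on the DC that took the change or the lookback window is too short.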



RE: [ActiveDir] AD Phone list

2004-06-11 Thread Deji Akomolafe



Late to the Party, as usual. Better late than never, uh?

Someone asked this same question on this list about a month or so ago and I responded that I would post some code snippets of how I do this in some of my environments. I never really got around to contacting that person.

I have a demo of this on www.akomolafe.com/phonebook. I swear this is not a troll :) Take a look at it, and if it looks like what you are looking for, have your people call my people. I mean, have one of your developers contact me and I'd try to explain the logic and some of the coding to her/him.

For a quick test, start by choosing "london" from the "Site Location" list and clicking "Search". Then, when you get the general idea of the names in the Domain, you can start searching by name or departments.

To be fair, a fair amount of the coding was done by my developer/coder.



Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Jason Benway
Sent: Thu 6/10/2004 7:53 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD Phone list
I talked our web developers into moving the phone list from sql to AD. They
are asking me for any resources I have to get them started. For example the
user and contact schema. They are also looking for any good sites to get
them started pulling from AD.

Thanks,
jb
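
As a starting point for the "pulling from AD" part of Jason's question, an added example that is not code from the thread or from the phonebook demo Deji links to: a read-only LDAP query for the phone-book attributes of user and contact objects, using the standard schema attribute names (telephoneNumber, mobile, department, physicalDeliveryOfficeName, l). The search base defaults to the current domain, and the CSV output path and the choice to skip disabled accounts are assumptions:

```powershell
# Added example (not code from the thread). Reads phone-book attributes of users
# and contacts with a DirectorySearcher and writes them to a CSV. Search base
# defaults to the current domain; the output path is an assumption.
param(
    [string]$SearchBase = ([adsi]'LDAP://RootDSE').defaultNamingContext,
    [string]$OutCsv     = "$env:TEMP\phonebook.csv"
)

# Persons (users and contacts) that actually carry a phone number. The bitwise
# AND rule (1.2.840.113556.1.4.803) against bit 2 of userAccountControl drops
# disabled accounts; contacts have no userAccountControl, so the negation keeps them.
$ldapFilter = '(&(objectCategory=person)(|(objectClass=user)(objectClass=contact))' +
              '(telephoneNumber=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$attrs = 'displayName','sn','givenName','telephoneNumber','mobile','mail',
         'department','title','physicalDeliveryOfficeName','l','objectClass'

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
$searcher.Filter     = $ldapFilter
$searcher.PageSize   = 1000          # paged search; without it the server caps results at 1000
$searcher.PropertiesToLoad.AddRange($attrs)

# Result property names come back lower-cased; missing attributes are simply absent.
function Get-Attr([System.DirectoryServices.ResultPropertyCollection]$props, [string]$name) {
    if ($props.Contains($name) -and $props[$name].Count -gt 0) { [string]$props[$name][0] } else { '' }
}

$results = $searcher.FindAll()
try {
    $rows = foreach ($r in $results) {
        $p = $r.Properties
        [pscustomobject]@{
            Kind       = if ($p['objectclass'] -contains 'contact') { 'contact' } else { 'user' }
            Name       = Get-Attr $p 'displayname'
            LastName   = Get-Attr $p 'sn'
            FirstName  = Get-Attr $p 'givenname'
            Phone      = Get-Attr $p 'telephonenumber'
            Mobile     = Get-Attr $p 'mobile'
            Mail       = Get-Attr $p 'mail'
            Department = Get-Attr $p 'department'
            Title      = Get-Attr $p 'title'
            Office     = Get-Attr $p 'physicaldeliveryofficename'
            City       = Get-Attr $p 'l'
        }
    }
} finally {
    $results.Dispose()
}

$rows | Sort-Object LastName, FirstName | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
Write-Output "Wrote $($rows.Count) entries to $OutCsv"
```

The web application can issue the same filter through System.DirectoryServices; give it a dedicated read-only service account rather than a user's credentials, and keep the attribute list to what the phone list needs so the query does not become a general directory dump.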