RE: [ActiveDir] Bizarre NETSH Behavior - Startup Script on XP

2005-01-06 Thread James_Day
Hi Al

Any idea how to report it as a bug?  I was kind of hoping Microsoft guys
would be monitoring this discussion group and one of them would look into
it / address it internally.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


-Original Message-
From: Mulnick, Al [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 01/05/2005 02:03 PM EST
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Bizarre NETSH Behavior - Startup Script on XP




I haven't seen that and it's not what I would expect.  I would have
expected a failure instead of replacing the WINS entry.

Do you get the same results if you do use an index?

add dns [name=]InterfaceName [addr=]DNSAddress [[index=]DNSIndex]

It's not listed as 'required' but it seems that you should be able to specify
a location for the target.

Might be worth it to report it as a bug.

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, January 05, 2005 1:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Bizarre NETSH Behavior - Startup Script on XP

Hi All

I was wondering if anybody else has ever seen this.  We were at a location a
few days ago that uses static IP addressing.  Initially they had 1 DNS
server and 2 WINS servers for their NT domain.  We migrated them all to our
WIN2K3 forest and, rather than set up DHCP, we used the startup script to
change the DNS servers.  WINS was being left as it was already set up, as we
are considering a WINS redesign right now.

The initial configuration (made-up IPs):
DNS     65.65.108.5
WINS1   65.65.10.5
WINS2   65.65.10.6

We used netsh commands to change the addressing:

netsh interface ip set dns "Local Area Connection" static 65.65.150.2
netsh interface ip add dns "Local Area Connection" 65.65.150.4

When we checked the IP configuration on the machines after the startup
script ran we had the following:
DNS     65.65.150.2
WINS1   65.65.10.5
WINS2   65.65.150.4

For some reason the secondary DNS entry was overwriting the secondary WINS
instead.  When we put a line in the startup script to manipulate WINS,

netsh interface ip set wins "Local Area Connection" static 65.65.10.5

we got the expected results (1 WINS server and the 2 DNS servers we had
specified).

Has anybody else seen this behavior?  Is this a bug in the NETSH command or
something else?  We tested this on 5 different machines, both running the
script via startup script and manually running it with admin credentials,
with the same results.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Bizarre NETSH Behavior - Startup Script on XP

2005-01-06 Thread Mulnick, Al
Does that mean that you get the same results even if you use the index?  

I can't speak for the 'softies, but if you want to report it as a bug, you
either open a case directly off the support pages, or else you go through your
support rep.  An organization of your size/stature likely has a TAM of some
sort, right?  That would be a fair way to submit a bug.

Bugs usually result in no-charge service.  But I would highly suggest that
you verify that it doesn't work with the index option added first, else it
*might* work and you'd have filed a bug that already has an expected
workaround.

http://support.microsoft.com/?LN=en-usscid=fh%3Ben-us%3Bofferprophonex=12;y=4



-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Sent: 1/6/2005 9:29 AM
Subject: RE: [ActiveDir] Bizarre NETSH Behavior - Startup Script on XP

Hi Al

Any idea how to report it as a bug?  I was kind of hoping Microsoft guys
would be monitoring this discussion group and one of them would look
into
it / address it internally.
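The procedure under discussion (set the first DNS server with `set dns`, append the rest with `add dns`, and confirm that the WINS list was left alone) as an added example that is not part of the thread. It does what the startup script did, but quotes the interface name, passes an explicit `index=` on every add as Al suggests, and then reads the DNS and WINS lists back through WMI so a DNS address that lands in a WINS slot is flagged immediately instead of being found on the fifth machine. Assumptions: an interface called "Local Area Connection", the thread's made-up addresses, the XP/2003-era `netsh interface ip` syntax, and a client that has PowerShell and WMI.

```powershell
# Added example, not code from the thread (assumptions listed above).
param(
    [string]   $Interface  = 'Local Area Connection',
    [string[]] $DnsServers = @('65.65.150.2', '65.65.150.4')
)
$ErrorActionPreference = 'Stop'

# set dns [name=]<if> [source=]static [addr=]<ip> [[register=]primary]
# add dns [name=]<if> [addr=]<ip> [[index=]<n>]    -- index is 1-based
& netsh interface ip set dns name="$Interface" source=static addr=$($DnsServers[0]) register=primary | Out-Null
for ($i = 1; $i -lt $DnsServers.Count; $i++) {
    & netsh interface ip add dns name="$Interface" addr=$($DnsServers[$i]) index=$($i + 1) | Out-Null
}

# Win32_NetworkAdapter carries the friendly connection name; the
# Win32_NetworkAdapterConfiguration with the same Index carries DNS and WINS.
$adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$Interface'"
if (-not $adapter) { throw "No adapter named '$Interface'" }
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"

$actualDns = @($cfg.DNSServerSearchOrder)
$winsList  = @($cfg.WINSPrimaryServer, $cfg.WINSSecondaryServer) | Where-Object { $_ }

$ok = $true
if (($actualDns -join ',') -ne ($DnsServers -join ',')) {
    Write-Warning "DNS list on '$Interface' is [$($actualDns -join ', ')], expected [$($DnsServers -join ', ')]"
    $ok = $false
}
foreach ($w in $winsList) {
    # The symptom from the thread: the second DNS address showing up as WINS2.
    if ($DnsServers -contains $w) {
        Write-Warning "DNS server $w is configured as a WINS server on '$Interface'"
        $ok = $false
    }
}

if (-not $ok) {
    # Fallback that avoids the positional 'add dns' path entirely: WMI writes
    # the whole search order in one call and never touches the WINS properties.
    $r = $cfg.SetDNSServerSearchOrder($DnsServers)
    if ($r.ReturnValue -ne 0) { throw "SetDNSServerSearchOrder failed with code $($r.ReturnValue)" }
    Write-Host "DNS search order rewritten via WMI: $($DnsServers -join ', ')"
}
```

Run it as the startup script would run, i.e. with local administrator rights, since both `netsh` and `SetDNSServerSearchOrder` need them. Comparing the WMI properties rather than eyeballing `ipconfig /all` is what turns "bizarre behavior on 5 machines" into a hard check that can fail the script.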

[ActiveDir] OT: DFS across multiple Domains

2005-01-06 Thread Salandra, Justin A.
Can someone send me some information about how to configure a DFS across
multiple domains within the same forest, more specifically how to take
care of security on the files and folders when setting this up?  I will
be looking up the info myself as well, but wanted to get a head start by
asking the brains here.  

Thanks


Justin A. Salandra
MCSE Windows 2000, MCSA Windows 2003
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] OT: DFS across multiple Domains

2005-01-06 Thread John Reijnders
Hi Justin,

Planning DFS and FRS Security is a good starting point!

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/sdccc_fsv_ogmn.asp

Cheers!
John Reijnders

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, 6 January 2005 16:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DFS across multiple Domains



[ActiveDir] What GC authenticated me?

2005-01-06 Thread Passo, Larry
I can tell what DC authenticated my AD client by looking at the value of
the environment variable LOGONSERVER. But there isn't an environment
variable for which GC was involved. Since we have several sites that
have more than one GC, I'd like to be able to tell which GC was used.
Does anyone know how to tell?



RE: [ActiveDir] expiring accounts

2005-01-06 Thread joe
Err I have been meaning to make a tool available like this for some time...
Even though I am on hiatus from writing joeware free tools at the moment I
decided to do this as it is all based on previously created code and only a
couple of hours of work. 

I will try to release the tool on the website some time tonight. I put most
all of it together last night. It is called FindExpAcc. Again, I just had to
grab pieces from various other joeware tools and tweak it.

It will dump out accounts that are expired (really expired) or it can dump
out accounts with expired passwords (including accounts admin flagged as
needing a password change). 

Output will be one of the following

Quoted DN list
(Expired accounts) Following quoted attribs:
DN,cn,displayName,sAMAccountName,accountExpires,mail
(Expired passwords) Following quoted attribs:
DN,cn,displayName,sAMAccountName,pwdLastSet,pwdAge,mail

It will allow you to specify how many days to go out. So, for example, you can
say -days 10 and it will show all accounts that will be expired on that day if
nothing changes. Note that this is a rough attempt, since it doesn't calculate
hours to midnight and adjust the search that way; it simply takes # of days *
24 hours, converts that to hundred-nanosecond intervals and builds the int8
value for the search.

Overall this will be like unlock and be probably the fastest method out
there for pulling these accounts. Note that I added a couple of filters so
that it won't return Exchange System Mailbox accounts nor the kerberos TGT
account. Many of the standard query options I have in the other tools (such
as add to filter, bitwise, search base, search scope, etc) are available as
well to custom tweak the resultant filter. Note that those changes can
impact speed of the query.

I added the mail attribute specifically if someone wants to script
notifications to people with passwords that will expire. It isn't completely
straightforward but all info needed should be in the query info returned for
someone to implement in the script. 

I expect we will see several magazine and eZine articles pop out about this
one and how to script around it like some of the other tools have enjoyed. 


  joe




EXAMPLES


F:\Dev\CPP\FindExpAcc>findexpacc

FindExpAcc V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

Search completed...


Records Returned: 0

Command completed successfully




F:\Dev\CPP\FindExpAcc>findexpacc -h 2k3dc01 -days 3

FindExpAcc V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

Search completed...

DN,cn,displayName,sAMAccountName,accountExpires,mail
cn=expuser,ou=testusersou,ou=testou,dc=joe,dc=com,expuser,expuser,expuser,2005/01/09-00:00:00,

Records Returned: 1

Command completed successfully




F:\Dev\CPP\FindExpAcc>findexpacc -pwd

FindExpAcc V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

Search completed...

DN,cn,displayName,sAMAccountName,pwdLastSet,pwdAge,mail
cn=postmaster,ou=mailusers,ou=joeware2,ou=exchange,dc=joe,dc=com,postmaster,postmaster,postmaster,2004/06/12-20:23:02,0207,[EMAIL PROTECTED]
cn=joetest,cn=users,dc=joe,dc=com,joetest,,joetest,2004/09/22-12:41:12,0106,
cn=normaluser,cn=users,dc=joe,dc=com,normaluser,NormalUser,normaluser,2004/03/28-19:26:00,0283,
SNIP
cn=expuser,ou=testusersou,ou=testou,dc=joe,dc=com,expuser,expuser,expuser,/00/00-00:00:00,-0001,

Records Returned: 38

Command completed successfully



F:\Dev\CPP\FindExpAcc>findexpacc -pwd -dsq

cn=postmaster,ou=mailusers,ou=joeware2,ou=exchange,dc=joe,dc=com
cn=joetest,cn=users,dc=joe,dc=com
cn=normaluser,cn=users,dc=joe,dc=com
SNIP
cn=expuser,ou=testusersou,ou=testou,dc=joe,dc=com





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, January 05, 2005 5:09 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] expiring accounts

When a user quits or leaves, I began expiring the account rather than
disabling it, because the Exchange RUS keeps querying disabled accounts for
the exchangeGUID attribute and I think that puts a load on Exchange and fills
up the event log.
My question is, when you expire an account, there is no nice reflection of
that in the ADUC GUI; it just looks like a normal account.
Does anyone know how I can query all the accounts in my domain to see which
have expired?
Thanks



[ActiveDir] GPO for restricting ActiveX controls on XPSP2

2005-01-06 Thread Joe Pochedley
I'm attempting to set up a GPO to restrict which browser plugins can run
in IE.  This new GPO, part of XP SP2, is found in: User Config/Windows
Components/Internet Explorer/Security Features/Add-on Management

The thing I'm trying to stop is the addition of spyware toolbars and
other junk that gets mysteriously installed into IE.  Also, some of the
more privileged users have a tendency to install things like the Yahoo
toolbar, which also messes with IE and some of our internal web apps.
(Don't ask, I can't reduce their privileges.)

So far I've found class ID strings for common components like Adobe
Reader, Microsoft Common Dialog (which we use internally), and a few
others...  I'd also like to enable things like Flash and Shockwave but
am having a little more trouble locating those CLSIDs.  I was also
hoping for a listing of ActiveX components others have found useful (or
harmful).  I've googled, and get lots of results, but nothing really
matches what I'm looking for.

So, the question is:  Does someone out there have a listing of the class
ID strings for common web component ActiveX plugins?  Or am I wasting
energy on a security measure that's going to cause more headaches than
the problems it solves?

Thanks for any insights.

Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 



RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Passo, Larry
In real life, you would also want to make use of SID filtering.
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp

While multiple forests will give you security advantages, it will also
cause additional administrative overhead.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Thursday, January 06, 2005 12:32 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Forest trusts vs trusts within forests

Happy New Year !
I'm having a design discussion with myself about adding a forest vs
adding a domain to an existing forest.  I understand about the automatic
transitive trust between domains in a forest, and how it's possible for
a clever domain admin in a subdomain to compromise the entire forest.
What I'm shaky on is this:  If you had two single-domain forests, and
established trusts in both directions between them, do you have the same
issues ?  I would think not, because the configuration and schema NCs
are not shared between them, but I'm looking for some confirmation on
that.  Also, since we're talking about two single-domain forests, I'm
guessing that the 'forest trusts' available in W2K3 FFL don't really
come into play here, correct ?  In other words, getting the first domain
to W2K3 FFL doesn't buy anything with respect to this trust ?

Thanks,
Dave





RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Gil Kirkpatrick
Separate forests should be well protected from each other, with the
possible exception of the SID History exploit, which is prevented by
enabling SID filtering, which I think is on by default now.

-gil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Thursday, January 06, 2005 1:32 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Forest trusts vs trusts within forests


RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Sakari Kouti
Hi David,

In addition to SID filtering, you can protect a trust between domains in two
forests (either a forest trust or an external trust) by using selective
authentication (SA). SA is sometimes called an authentication firewall, and the
idea is that only listed users can access only listed servers across the trust
(in addition to traditional share and NTFS permissions).

If the new domain creates a new forest, its domain admins are not subject to
the Enterprise Admins of the existing forest. This may or may not be of
relevance to you.

I'm not sure if I understand your last question, but a forest trust is only
possible if both forests are on the WS2003 FFL.

Yours, Sakari


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Fugleberg, David A
 Sent: Thursday, January 06, 2005 10:32 PM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] Forest trusts vs trusts within forests


RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Renouf, Phil
If both domains are single domain forests then a Forest trust isn't as
big a deal since its major selling point is that the trust is
transitive. I suppose that you also would be able to use Kerberos for
cross forest authentication, which is a nice feature that I don't
believe is available in external trusts.

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Thursday, January 06, 2005 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests


RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Fuller, Stuart
FWIW, White papers of relevance if you haven't seen them already.

The first one will probably answer your questions.  What's the
underlying motivation for two forests??  Reading between the lines, it
sounds like the trust issue may not be the real issue compared to some
other service autonomy or data isolation political issue.

Windows 2000/2003: Multiple Forests Considerations White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyID=b717bfcd-6c1c-4af6-8b2c-b604e60067baDisplayLang=en

Design Considerations for Delegation of Administration in Active
Directory
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx

Best Practices for Delegating Active Directory Administration
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspx

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Thursday, January 06, 2005 1:32 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Forest trusts vs trusts within forests


RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Deji Akomolafe



by using selective authentication (SA).

Which, in other words, means that a SEPARATE FOREST does not in itself protect
you from an internal "clever domain admin" in any of the domains/forests,
unless you go through the trouble of SID filtering, SA, and other ACLing. And,
even with all that in place, "a clever domain admin" will still be hard to keep
out, especially if the admin is clever, malicious and determined at the same
time.

This goes to show that you don't want to have any "clever domain admin" that
you cannot completely trust in any part of your infrastructure. This, to me, is
your most basic and effective protection.




Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Sakari Kouti
Sent: Thu 1/6/2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
Hi David,

In addition to SID filtering, you can protect a trust between domains in two forests (either a forest trust or an external trust) by using selective authentication (SA). SA is sometimes called authentication firewall, and the idea is that only listed users can access only listed servers across the trust (in addition to traditional share and NTFS permissions).

If the new domain creates a new forest, its domain admins are not subject to the Enterprise Admins of the existing forest. This may or may not be of relevance to you.

I'm not sure if I understand your last question, but a forest trust is only possible, if both forest are on the WS2003 FFL.

Yours, Sakari


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Fugleberg, David A
 Sent: Thursday, January 06, 2005 10:32 PM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] Forest trusts vs trusts within forests
 
 Happy New Year !
 I'm having a design discussion with myself about adding a forest vs
 adding a domain to an existing forest.  I understand about the automatic
 transitive trust between domains in a forest, and how it's possible for
 a clever domain admin in a subdomain to compromise the entire forest.
 What I'm shaky on is this:  If you had two single-domain forests, and
 established trusts in both directions between them, do you have the same
 issues ?  I would think not, because the configuration and schema NCs
 are not shared between them, but I'm looking for some confirmation on
 that.  Also, since we're talking about two single-domain forests, I'm
 guessing that the 'forest trusts' available in W2K3 FFL don't really
 come into play here, correct ?  In other words, getting the first domain
 to W2K3 FFL doesn't buy anything with respect to this trust ?
 
 Thanks,
 Dave
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 





RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread Gil Kirkpatrick
Hear, hear!
 
-gil



From: [EMAIL PROTECTED] on behalf of Deji Akomolafe
Sent: Thu 1/6/2005 8:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests


  by using selective authentication (SA). 
Which, in other words, means that a SEPARATE FOREST does not in itself protect
you from an internal clever domain admin in any of the domains/forests. Unless
you go through the trouble of SID filtering, SA, and other ACLing. And, even with
all that in place, a clever domain admin will still be hard to keep out,
especially if the admin is clever, malicious and determined at the same time.
This goes to show that you don't want to have any clever domain admin that
you cannot completely trust in any part of your infrastructure. This, to me,
is your most basic and effective protection.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon




[ActiveDir] Password Filter DLL and Trust Password

2005-01-06 Thread Santhosh Sivarajan




I am facing an issue after installing a custom password filter DLL. The password filter DLL is working fine for user password changes. But when I try to create a trust between NT and Windows 2003, it is not accepting any password combinations. If I disable the custom password filter DLL, it starts accepting the trust passwords. We don't have any code in the password filter DLL to check the trust password. Is this normal behavior? I know the trust is also calling LSA to check the password complexity. Do I need to include trust password checking code in the password filter DLL? Is there anything else I am missing in the password filter DLL? How about computer passwords?

Any input would be greatly appreciated!


RE: [ActiveDir] Password Filter DLL and Trust Password

2005-01-06 Thread Deji Akomolafe



Unless something has changed in the Password Filter implementation lately, I believe that Computer password changes do not hit the PasswordFilter. At least, that routine did not get called when using the passfilt I got from MS a long time ago. I haven't used this lately and the behavior may have changed. And the same is true for TRUST password. I believe those call a different routine. I am not completely sure of the intricacies.

I would recommend that you get the sample passfilt from MS and work from that, trying to figure out what's wrong with your implementation. It is possible, of course, that I have been snoozing and this has all changed while I wasn't looking.




Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon




RE: [ActiveDir] expiring accounts

2005-01-06 Thread joe
FindExpAcc is now posted...

http://www.joeware.net/win/free/tools/findexpacc.htm

  joe 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 06, 2005 1:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] expiring accounts

Err I have been meaning to make a tool available like this for some time...
Even though I am on hiatus from writing joeware free tools at the moment I
decided to do this as it is all based on previously created code and only a
couple of hours of work. 

I will try to release the tool on the website some time tonight. I put most
all of it together last night. It is called FindExpAcc. Again, I just had to
grab pieces from various other joeware tools and tweak it.

It will dump out accounts that are expired (really expired) or it can dump
out accounts with expired passwords (including accounts admin flagged as
needing a password change). 

Output will be one of the following

Quoted DN list
(Expired accounts) Following quoted attribs:
DN,cn,displayName,sAMAccountName,accountExpires,mail
(Expired passwords) Following quoted attribs:
DN,cn,displayName,sAMAccountName,pwdLastSet,pwdAge,mail

It will allow you to specify how many days to go out. So like you can say
-days 10 and it will show all accounts that will be expired that day if
nothing changes. Note that this is a rough attempt since it doesn't calculate
hours to midnight and adjust the hours and search that way; it simply
takes # of days * 24 hours and converts that to hundred-nanosecond intervals
and builds the int8 value for the search.

Overall this will be like unlock and be probably the fastest method out
there for pulling these accounts. Note that I added a couple of filters so
that it won't return Exchange System Mailbox accounts nor the kerberos TGT
account. Many of the standard query options I have in the other tools (such
as add to filter, bitwise, search base, search scope, etc) are available as
well to custom tweak the resultant filter. Note that those changes can
impact speed of the query.

I added the mail attribute specifically if someone wants to script
notifications to people with passwords that will expire. It isn't completely
straightforward but all info needed should be in the query info returned for
someone to implement in the script. 

I expect we will see several magazine and eZine articles pop out about this
one and how to script around it like some of the other tools have enjoyed. 


  joe




EXAMPLES


F:\Dev\CPP\FindExpAcc>findexpacc

FindExpAcc V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

Search completed...


Records Returned: 0

Command completed successfully




F:\Dev\CPP\FindExpAcc>findexpacc -h 2k3dc01 -days 3

FindExpAcc V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

Search completed...

DN,cn,displayName,sAMAccountName,accountExpires,mail
cn=expuser,ou=testusersou,ou=testou,dc=joe,dc=com,expuser,expuser,expuser,2005/01/09-00:00:00,

Records Returned: 1

Command completed successfully




F:\Dev\CPP\FindExpAcc>findexpacc -pwd

FindExpAcc V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

Search completed...

DN,cn,displayName,sAMAccountName,pwdLastSet,pwdAge,mail
cn=postmaster,ou=mailusers,ou=joeware2,ou=exchange,dc=joe,dc=com,postmaster,postmaster,postmaster,2004/06/12-20:23:02,0207,[EMAIL PROTECTED]re2.net
cn=joetest,cn=users,dc=joe,dc=com,joetest,,joetest,2004/09/22-12:41:12,0106,
cn=normaluser,cn=users,dc=joe,dc=com,normaluser,NormalUser,normaluser,2004/03/28-19:26:00,0283,
SNIP
cn=expuser,ou=testusersou,ou=testou,dc=joe,dc=com,expuser,expuser,expuser,/00/00-00:00:00,-0001,

Records Returned: 38

Command completed successfully



F:\Dev\CPP\FindExpAcc>findexpacc -pwd -dsq

cn=postmaster,ou=mailusers,ou=joeware2,ou=exchange,dc=joe,dc=com
cn=joetest,cn=users,dc=joe,dc=com
cn=normaluser,cn=users,dc=joe,dc=com
SNIP
cn=expuser,ou=testusersou,ou=testou,dc=joe,dc=com





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, January 05, 2005 5:09 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] expiring accounts

When a user quits or leaves, I began expiring the account rather than
disabling it because Exchange RUS keeps querying disabled accounts for the
exchangeguid attribute and I think that puts a load on Exchange and fills up
the event log.
My question is, when you expire an account, there is no nice reflection of
that in the ADUC GUI. It just looks like a normal account.
Does anyone know how I can query all the accounts in my domain to see which
have expired?
Thanks
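The date arithmetic joe describes for FindExpAcc (days * 24 hours converted to hundred-nanosecond intervals, an Integer8 cutoff for the accountExpires search, and the pwdAge column derived from pwdLastSet) as an added Python example. This is not FindExpAcc's own code and the LDAP filter shape is an assumption; the run time and the sample records are constructed to reproduce the figures in the sample output above (0207, 0106, 0283 and -0001), with all timestamps treated as UTC. The two "never expires" sentinels for accountExpires (0 and 2^63-1) and pwdLastSet = 0 meaning "must change password at next logon" are standard AD semantics.

```python
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000                  # one FILETIME tick is 100 ns
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires holds either of these when the account never expires
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def datetime_to_filetime(dt):
    """Aware datetime -> AD Integer8 (100-ns ticks since 1601-01-01 UTC)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ft):
    """AD Integer8 -> aware UTC datetime (sub-microsecond ticks are dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def expiry_cutoff(days, now):
    """The rough cutoff joe describes: now + days*24h, as an Integer8 value."""
    return datetime_to_filetime(now + timedelta(hours=24 * days))


def expiring_accounts_filter(days, now):
    """LDAP filter for user accounts that will have expired by the cutoff.
    accountExpires>=1 drops the 0 sentinel; <=cutoff drops the 2^63-1 sentinel.
    Hypothetical shape: FindExpAcc's real filter is not shown in the mail."""
    return ("(&(objectCategory=person)(objectClass=user)(accountExpires>=1)"
            f"(accountExpires<={expiry_cutoff(days, now)}))")


def password_age_days(pwd_last_set, now):
    """pwdAge as printed in the sample output: whole days since pwdLastSet,
    or -1 when pwdLastSet is 0 (user must change password at next logon)."""
    if pwd_last_set == 0:
        return -1
    return (now - filetime_to_datetime(pwd_last_set)).days


def find_expiring(records, days, now):
    """Apply the same test the LDAP filter expresses to in-memory records."""
    cutoff = expiry_cutoff(days, now)
    return [r["dn"] for r in records
            if r["accountExpires"] not in NEVER_EXPIRES
            and r["accountExpires"] <= cutoff]


def _ft(y, mo, d, h=0, mi=0, s=0):
    return datetime_to_filetime(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc))


# Constructed run time and records, modelled on the mail's sample output
# (timestamps treated as UTC; the real tool printed local time).
RUN_TIME = datetime(2005, 1, 6, 13, 30, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"dn": "cn=postmaster,ou=mailusers,ou=joeware2,ou=exchange,dc=joe,dc=com",
     "accountExpires": 0x7FFFFFFFFFFFFFFF, "pwdLastSet": _ft(2004, 6, 12, 20, 23, 2)},
    {"dn": "cn=joetest,cn=users,dc=joe,dc=com",
     "accountExpires": 0, "pwdLastSet": _ft(2004, 9, 22, 12, 41, 12)},
    {"dn": "cn=normaluser,cn=users,dc=joe,dc=com",
     "accountExpires": 0, "pwdLastSet": _ft(2004, 3, 28, 19, 26, 0)},
    {"dn": "cn=expuser,ou=testusersou,ou=testou,dc=joe,dc=com",
     "accountExpires": _ft(2005, 1, 9), "pwdLastSet": 0},
]

if __name__ == "__main__":
    print(expiring_accounts_filter(3, RUN_TIME))
    print("expiring within 0 days:", find_expiring(SAMPLE_RECORDS, 0, RUN_TIME))
    print("expiring within 3 days:", find_expiring(SAMPLE_RECORDS, 3, RUN_TIME))
    for r in SAMPLE_RECORDS:
        print(r["dn"].split(",")[0], "pwdAge =", password_age_days(r["pwdLastSet"], RUN_TIME))
```

With days = 0 nothing matches (as in the first sample run), with days = 3 only expuser does (as in the second), and the pwdAge column comes out as 207, 106, 283 and -1. The cutoff is the same "rough" one joe describes: it does not round to midnight, so an account set to expire at 00:00 on the target day is reported only once the run time plus days*24h has passed that instant.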

RE: [ActiveDir] Password Filter DLL and Trust Password

2005-01-06 Thread joe



Did you write the custom filter? If so, have it dump what it is doing to debug and watch it. I would be a little shocked if trust passwords were being sent through the PasswordFilter function.

Heh, me guessing wasn't good enough, I just tested it on K3 OEM with one of my own custom filters. Trusts do not hit the PasswordFilter function nor the PasswordChangeNotify function. Interestingly enough, computer password changes hit PasswordChangeNotify which isn't the way it used to be (I don't recall it that way anyway), however they don't hit PasswordFilter which makes sense.

So... You need to verify you aren't seeing something different with your filter. Once you do that you can move on to what else it might be.

 joe




RE: [ActiveDir] Forest trusts vs trusts within forests

2005-01-06 Thread John Reijnders

Happy New Year to you as well!



In order to make a good decision for yourself whether or not you can
and need to protect yourself against clever Domain Admins, Service Admins and/or
people with physical access to your DCs, some extra info:



Ways to bypass standard security:

- Add the Enterprise Admin SID to your token (e.g. in your SidHistory). This can be done by using an 'improved' version of kerberos.dll, which will add the Enterprise Admins SID to every service ticket.
- You can modify the system software or Directory db to bypass sec checks by:
  o Changing the default sec.descriptor for an objclass
  o Adding a user to the Enterprise Admins universal group on a GC
  o Executing a logon script in a site GPO
- Or schedule an AT job which runs under local system credentials.



(Partial) solutions to these problems are:

- Delegation of control
- Physical protection of ALL DCs
- SID filtering (enabled by default)
- Proactive monitoring (!)
- Multiple forests (!!)



Some benefits of W2K3 trusts:

- Transitive (not really a sexy feature in your 2 single-domain forest design)
- You can use Kerberos logon instead of NTLM.
- You can use both implicit and explicit UPN logon over the trust.
- Selective Authentication (which is disabled by default and applies to external, realm and forest trusts): This option provides a method that you can use to achieve better granularity for authentication requests that come across a trust. When you enable it, all authentication is examined on the service DC. The service DC verifies that the user is explicitly allowed to authenticate to the resource before allowing the authentication request through. Because of this, you need to specify which users who come across the trust can authenticate to which resources in the domain when you enable the SA option across a trust. You can do this if you set up the Allowed to Authenticate control access right on an object for that particular user or group from the other forest or domain. When a user authenticates across a trust with the SA option enabled, a special Other Organization SID is added to the user's authorization data. The presence of this SID triggers a verification on the service domain to ensure that the user is allowed to authenticate to the particular service. After the user is authenticated, the server to which the user authenticates adds another SID, the This Organization SID.
- You can disable the corresponding DomainInfo record for the domain or the TopLevelName record for the tree in the UI. This method is useful when only a small part (read domain) of the other forest is not trusted. Note that only authentication requests from users in that domain are disabled when you disable a DomainInfo record. When you disable a DomainInfo record, authentication requests are not disabled if those authentication requests are received from users who are in the local forest if those users want to gain access to resources that are in the disabled domain. This is not really applicable in your scenario.



If you're going for the multiple forest scenario, consider the
security benefits this will give you and compare them to the additional costs
(extra hardware, no super GC is available by default unless you start using
stuff like MIIS :-), extra management, etc.).



Let us know what you end up with and ... why ;-)

Cheers,

John Reijnders







