Re: [ActiveDir] Getting the Pre Windows 2000 name for a domain
If I understand you correctly you are looking for the Pre Windows 2000 name of computers (not the domain). The property name is sAMAccountName, i.e. in order to find the pre Windows 2000 names of objects in the DDD OU within domain BBB.CCC the script would be:

    ' Bind to the OU and list only its computer objects
    Set objContainer = GetObject("LDAP://ou=DDD,dc=BBB,dc=CCC")
    objContainer.Filter = Array("computer")
    For Each objComputer In objContainer
        ' Name is the RDN (cn=...), sAMAccountName is the pre Windows 2000 name (ends in $)
        WScript.Echo objComputer.Name & vbTab & objComputer.sAMAccountName
    Next

The pre Windows 2000 name of the domain has a property called nETBIOSName.

Regards
Peter Jessop

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Getting the Pre Windows 2000 name for a domain
As to the first question:

    Dim objWSHNetwork
    Set objWSHNetwork = CreateObject("WScript.Network")
    ' get the NetBIOS domain name
    strNetBIOSDomain = objWSHNetwork.UserDomain
    Set objWSHNetwork = Nothing

As to the second question, see http://www.microsoft.com/technet/scriptcenter/scripts/ad/computer/cptrvb07.mspx and http://msdn.microsoft.com/library/default.asp?url=""

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Sunday, August 21, 2005 1:54 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Getting the Pre Windows 2000 name for a domain

Hi,

I have a requirement to determine the machines that are currently online for a particular domain. I use the Net View command and give it a domain name such as:

    Net View /Domain:DomName

Since I know the fully qualified domain name AAA.BBB.CCC then I use:

    Net View /Domain:AAA

and it normally works. However I have one client that uses a different Pre Windows 2000 name (don't ask me why). I tried the following bit of code to try and programmatically work out the Pre Windows 2000 name:

    Dim Sdou As IADs
    Dim PropertyValue As Variant
    Set Sdou = GetObject("LDAP://DC=AAA,DC=BBB,DC=CCC")
    ' Name on the domain object is its RDN (the first DNS label), not the NetBIOS name
    For Each PropertyValue In Sdou.GetEx("Name")
        If PropertyValue <> "" Then
            MsgBox PropertyValue
        End If
    Next

but it just returned AAA. So, is there a property in Active Directory that returns the Pre Windows 2000 name? Alternatively, is there any way to determine the machines that are online via AD, rather than via the Net View command?

Alan Cuthbertson
Re: [ActiveDir] Getting the Pre Windows 2000 name for a domain
Hi Michael,

Thanks for the response, but it isn't quite what I want. The code you give gives the NetBIOS name of the logged on user. I am trying to find the NetBIOS name for another domain.

I have tried enumerating all machines on the domain and then pinging them, but it takes too long. We have 20,000 machines, of which 10,000 are offline. Each ping to an offline machine takes 1 sec to time out, so it takes over 3 hours! I was looking for a quicker way.

Alan C

----- Original Message -----
From: Michael B. Smith
To: [EMAIL PROTECTED]
Sent: Sunday, August 21, 2005 8:47 PM
Subject: RE: [ActiveDir] Getting the Pre Windows 2000 name for a domain

[snip]
RE: [ActiveDir] Getting the Pre Windows 2000 name for a domain
You can get all of the pre-2K names of all domains in a forest by looking at the nETBIOSName attribute of the crossRef objects in the Partitions container of the Configuration container. You want anything with systemFlags & 2. You do not want to pick off the name attribute of the domainDNS object because if you have a disjoint namespace going on (DNS name does not match NetBIOS name) then you will not get it right.

As for Net View, I believe that uses NetServerEnum which enumerates the machines with the Server service registered, I think, with the Browser service. The Browser service is a poor mechanism for finding really anything in a larger environment with multiple subnets, especially if you have any multihomed machines or filtering rules. Also anyone that shuts down Server on their machine (or it otherwise failed to start) wouldn't show up.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Sunday, August 21, 2005 1:54 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Getting the Pre Windows 2000 name for a domain

[snip]
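The crossRef lookup joe describes, as an added PowerShell example that is not part of the thread: it lists every domain partition in the forest with its DNS root and nETBIOSName and flags the disjoint-namespace case where reading `name` on the domainDNS object would give the wrong answer. It uses only ADSI/.NET, so it needs no ActiveDirectory module, and assumes it runs as a domain-joined user.

```powershell
# Added example: read nETBIOSName from the crossRef objects in
# CN=Partitions,CN=Configuration, filtered to real domains via systemFlags & 2.
function Get-ForestNetBIOSNames {
    $rootDse    = [ADSI]"LDAP://RootDSE"
    $configNc   = $rootDse.configurationNamingContext.Value
    $partitions = [ADSI]"LDAP://CN=Partitions,$configNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions)
    # systemFlags bit 0x2 (FLAG_CR_NTDS_DOMAIN) is set only on crossRefs for domain
    # partitions, not on the configuration/schema or application partition crossRefs.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $searcher.Filter      = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.AddRange(@('nETBIOSName', 'dnsRoot', 'nCName', 'systemFlags'))

    foreach ($result in $searcher.FindAll()) {
        $p   = $result.Properties
        $dns = [string]$p['dnsroot'][0]
        $nb  = [string]$p['netbiosname'][0]
        [pscustomobject]@{
            DnsRoot     = $dns
            NetBIOSName = $nb
            NCName      = [string]$p['ncname'][0]
            # Disjoint namespace: first DNS label differs from the NetBIOS name.
            # This is exactly the case where 'Net View /Domain:<first label>' fails.
            Disjoint    = ($dns.Split('.')[0] -ne $nb)
        }
    }
}

Get-ForestNetBIOSNames | Format-Table -AutoSize
```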
RE: [ActiveDir] Getting the Pre Windows 2000 name for a domain
You could use some interesting threading ideas. Say pass off machines to be enumerated to one control thread; it spawns up threads (up to x threads, which is configurable) to ping. The control thread watches how long each thread runs for; if it exceeds yy ms then you terminate the thread or let it time itself out, but in the meanwhile you know the machine isn't out there. The ones that return quick would be positives. You will need very little stack for these threads that you fire up (very little of any resources) so tune that down and you could tune the number of threads up. If ~Eric catches this thread he may beat on my idea or add to it.

Of course that assumes written code and not scripts. I am not sure there is any good answer for a script here. To positively get good info, a script would be too underpowered unless it is say a perl script which would allow some of the good programmatic things you could do.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Sunday, August 21, 2005 8:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Getting the Pre Windows 2000 name for a domain

[snip]
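The "many probes in flight, each with a hard timeout" idea from joe's reply, as an added PowerShell example that is not part of the thread. It takes the computer names from AD (dNSHostName) and issues asynchronous ICMP echo requests in batches, so an offline host costs at most the timeout and the batch overlaps, rather than one second each in series. Batch size and timeout are assumptions to tune for your network.

```powershell
# Added example: inventory which AD computer objects answer an ICMP echo, using
# overlapped asynchronous pings instead of one blocking ping per machine.
function Get-OnlineComputers {
    param(
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext.Value,
        [int]$TimeoutMs = 500,    # per-host echo timeout; an offline host costs at most this
        [int]$BatchSize = 256     # requests in flight at once; tune to your network
    )
    # Pull dNSHostName for every computer object under the search base
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$SearchBase", '(objectCategory=computer)', @('dNSHostName'))
    $searcher.PageSize = 1000     # paged search so >1000 objects come back
    $names = @(foreach ($r in $searcher.FindAll()) {
        if ($r.Properties['dnshostname'].Count) { [string]$r.Properties['dnshostname'][0] }
    })

    for ($i = 0; $i -lt $names.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $names.Count) - 1
        $batch = $names[$i..$last]
        # Fire the whole batch first; every request has its own timeout
        $inflight = foreach ($name in $batch) {
            $ping = New-Object System.Net.NetworkInformation.Ping
            @{ Name = $name; Task = $ping.SendPingAsync($name, $TimeoutMs); Ping = $ping }
        }
        # Then collect results; the slowest entry in a batch bounds the batch time
        foreach ($j in $inflight) {
            $status = 'Error'
            try {
                $reply  = $j.Task.GetAwaiter().GetResult()
                $status = $reply.Status.ToString()   # 'Success', 'TimedOut', ...
            } catch {
                $status = 'Unresolvable'             # name resolution failure throws
            } finally {
                $j.Ping.Dispose()
            }
            [pscustomobject]@{ ComputerName = $j.Name; Status = $status }
        }
    }
}

Get-OnlineComputers | Where-Object Status -eq 'Success'
```

A stale computer object that no longer resolves in DNS shows as 'Unresolvable' rather than 'TimedOut', which is a useful hint for cleanup on its own.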
RE: [ActiveDir] hide an attribute
Good good, that is what I like to hear. :o) You will want to buy copies for all your friends too. :o)

The chapter may have been clear but it was off on its examples as it didn't take into account inherited and explicit ACEs. That radically changes whether a delegation (or a denied delegation) will work or not. It still isn't perfect, but IMO, much better. It is a balance of time vs what needs to be done.

The example you give is one of the harder things to clean up and no, I personally don't think it should be this hard, but then that is just my opinion. One thing to remember about Exchange is that some of its access rights for reading attributes can be through Auth Users rights, especially on GCs in a multi-domain environment. I have been bitten by this in the past myself. Consider that permissions are granted to the Exchange Enterprise Servers group which is a domain local group, so reading on a GC in another domain would be impacted unless there is some other access mechanism. An alternative would be to convert those DLGs to UGs as previously mentioned by Guido; again, MS PSS may have an issue with it so keep that in mind.

The easiest way to handle this is to use the new confidentiality bit capability in SP1. The Exchange attributes shouldn't be Cat 1 attributes (systemFlags 16 on their schema definition) so you should be able to lock them up that way. However, you will want to regrant access back to Exchange. Unfortunately, I am not aware of any tools MS has given to allow a good granular way to grant access BACK to this attribute after it is locked down. You will need to grant a CA to the attribute for the Exchange Servers global group in each domain (or grant to the DLGs but convert to UGs) so you maintain read across GCs in each domain. This will have to be done with script because you can't do it via dsacls or the GUI. Also once set, the GUI will have no clue how to display the permission so won't; DSACLS will properly display it.

A word of note is that if you have MS Exchange PSS look at your AD, they will probably have a small stroke if they figure out this was done as they get testy when you muck with the visibility of Exchange attributes. However, have the Exchange guy talk to a knowledgeable AD PSS guy and things should hopefully be ok, though expect to hear lots of grumbles of unsupported. This goes for any solution that does anything to any Exchange attribute.

Oh, one further note: anyone who has full control or all control access rights to a given object will still be able to see the attribute. The obvious one is full control... Full control is... Well, full control. You can't effectively deny someone access to something they have full control to. The all control access rights is a new one though that you have to watch out for.

If the confidential bit isn't an option, you are in for some fun. The fact that it is auth users makes things very difficult because everyone that accesses it is an auth user, so you can't just actively deny auth users access or else you impact admins and Exchange and everything else. You need to either

1. Invoke a passive deny, which means stripping any (explicit or inherited) access permissions granted and regranting the access permissions to Exchange and anyone else that needs access. It depends here on how the access is granted in the first place what you need to do.

2. Remove any explicit grants and then set up inherited denies for auth users and then explicit grants for Exchange and any other specific groups that need access. The explicit grants will override the inherited denies.

For both of these, if the grant is handled through a property set, then you can remove the attribute from the property set (and maybe some others related to Exchange you don't want to be fully visible to everyone) and add them to a different property set and only grant that to Exchange and the admins or whomever else it is that needs to see the info.

Overall, before I started doing anything with any of this I would really look at everything and get a great overall plan for security. You need to understand what it is exactly you want and all of the ways things are currently delegated; it isn't unusual to find that there are multiple paths someone has access to something in the directory (i.e. multiple ACEs). I would love to see MS step up with a lockdown guide for AD and especially for Exchange which included such things as removing all of the attributes that get stuffed into the pre-existing prop sets and placing them into separate prop sets and then properly securing them. AD came out before the security awareness at MS changed the philosophy from enabled by default to disabled by default. I far more like the ADAM idea of everything is locked down and needs to be granted. In the lockdown guide I would love to see the stripping of all of the ACEs out of the default SDs as well. Let us get to a point where most permissions are handled through inheritance so if you need to pick
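The SP1 confidential-attribute route joe describes, as an added PowerShell example that is not part of the thread: it refuses Category 1 attributes (systemFlags 16), sets the confidentiality bit (searchFlags 128), and then grants the CONTROL_ACCESS right on that attribute back to a reader group, which is the ACE dsacls and the GUI of that era could not write. The attribute, group and OU names are placeholders; it assumes Schema Admins for the schema change and rights to modify the OU's security descriptor for the grant.

```powershell
# Added example: make one attribute confidential and regrant read access to a group.
param(
    [string]$AttributeLdapName = 'extensionAttribute1',         # placeholder
    [string]$ReaderGroup       = 'EXAMPLE\Exchange Servers',    # placeholder; see joe's DLG vs UG note
    [string]$ScopeDn           = 'OU=Users,DC=example,DC=com'   # placeholder; ACE is inherited below here
)
$FLAG_SCHEMA_BASE_OBJECT = 0x10   # systemFlags: Category 1 (base schema), cannot be made confidential
$CONFIDENTIAL_BIT        = 0x80   # searchFlags bit 7
$UserClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the 'user' class

# Locate the attributeSchema object by lDAPDisplayName
$schemaNc = ([ADSI]'LDAP://RootDSE').schemaNamingContext.Value
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$schemaNc",
    "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeLdapName))")
$found = $searcher.FindOne()
if (-not $found) { throw "Attribute '$AttributeLdapName' not found in schema" }
$attr = $found.GetDirectoryEntry()

# 1. Category 1 check: the DC rejects the bit on base-schema attributes anyway,
#    so fail early with a clear message instead of a constraint violation.
$sysFlags = [int]$attr.systemFlags.Value
if ($sysFlags -band $FLAG_SCHEMA_BASE_OBJECT) {
    throw "'$AttributeLdapName' is a Category 1 attribute (systemFlags & 0x10); cannot be confidential"
}

# 2. Set the confidentiality bit (idempotent; leaves the other searchFlags bits alone)
$searchFlags = [int]$attr.searchFlags.Value
if (-not ($searchFlags -band $CONFIDENTIAL_BIT)) {
    $attr.Put('searchFlags', ($searchFlags -bor $CONFIDENTIAL_BIT))
    $attr.SetInfo()
}

# 3. Grant CONTROL_ACCESS scoped to this attribute's schemaIDGUID, inherited by
#    user objects under the OU. ExtendedRight == RIGHT_DS_CONTROL_ACCESS (0x100),
#    and the object type GUID is the attribute, which is the "CA" dsacls will display.
$attrGuid = [guid]$attr.schemaIDGUID.Value
$sid = (New-Object System.Security.Principal.NTAccount($ReaderGroup)).Translate(
    [System.Security.Principal.SecurityIdentifier])
$scope = [ADSI]"LDAP://$ScopeDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClassGuid)
$scope.ObjectSecurity.AddAccessRule($ace)
$scope.CommitChanges()
```

As joe notes, anyone holding Full Control (or the all-control-access right) on the objects still reads the attribute, so verify with dsacls against a representative user after the grant.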
RE: [ActiveDir] User SIDs...
You got it from winnt.h. ;o) Lines 4039-4041 (at least in the version I am looking at).

    typedef struct _SID_IDENTIFIER_AUTHORITY {
        BYTE Value[6];
    } SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;

:o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 19, 2005 9:56 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] User SIDs...

... it still doesn't look quite right, I'm thinking the issuing auth. is 48 bits by itself but I've no recollection as to where I'm getting that from. If the precise length constraints remain important (following everything else already posted), I'll see if I can dig it up later when I return.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 19, 2005 9:29 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] User SIDs...

The URL you supplied does not relate to a problem with the length of any one specific SID; it is describing a problem relating to the overall size of all of the SIDs that represent the identity of a particular user, i.e. user SID, group SIDs, SID history. This identity information is known as the user's token (or PAC) and has a supported maximum (which has been steadily increasing with each iteration of the OS). Beyond (or in some cases, approaching) that maximum, many products utilizing the Windows authorization model will begin to exhibit erratic behavior or fail completely.

Regarding SID construct, they're comprised of a number of elements but since I don't have the doc. to hand at the moment (though I'm certain you'll find something through google) I'll offer what I remember of their construct -

Example SID -

    S-1-5-21-2123478354-492892223-854245498-1113
    [  1   ] [   2    ] [  2    ] [  2    ] [3]

Breakdown -

[1] = I'm a SID, revision, issuing (or identifier) authority, sub-authorities and some additional metadata (don't recollect its size I'm afraid; I'd guess, however, at 32 bits broken down into some kind of ordered grouping to represent the aforementioned elements)
[2] = domain component (96 bits I believe)
[3] = relative identifier (RID = 30 bits)

In addition, you may want to locate and download a Microsoft tool named tokensz.exe and run something like -

    C:\tokensz /compute_tokensize

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 8:29 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] User SIDs...

Hello All,

Does anyone know the default length a user's SID (Win2K DCs, WinXP SP2 clients) can be before problems such as http://support.microsoft.com/?kbid=327825 start occurring? Also, is there any way to determine the actual length of a user's SID???

TIA,
Brad
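To pin down the field widths the thread is guessing at, here is an added PowerShell example (not from the thread) that takes Dean's sample SID, asks Windows for its binary form, and splits it along the winnt.h layout joe quotes: Revision (1 byte), SubAuthorityCount (1 byte), IdentifierAuthority (6 bytes, i.e. 48 bits), then one 32-bit sub-authority per element, the last of which is the RID. BinaryLength answers Brad's "actual length of a user's SID" question directly.

```powershell
# Added example: decode a SID string into the fields of the winnt.h SID structure.
function ConvertTo-SidLayout {
    param([Parameter(Mandatory)][string]$SidString)
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)          # Windows' own serialization of the SID

    $revision = $bytes[0]                  # always 1 (SID_REVISION)
    $count    = $bytes[1]                  # number of 32-bit sub-authorities that follow
    # SID_IDENTIFIER_AUTHORITY: 6 bytes, big-endian (BYTE Value[6] in winnt.h)
    $authority = [int64]0
    foreach ($b in $bytes[2..7]) { $authority = ($authority -shl 8) -bor $b }
    # Sub-authorities: little-endian DWORDs starting at offset 8
    $subAuths = @(for ($i = 0; $i -lt $count; $i++) {
        [BitConverter]::ToUInt32($bytes, 8 + 4 * $i)
    })

    [pscustomobject]@{
        Sid                 = $SidString
        Revision            = $revision
        IdentifierAuthority = $authority              # 5 = SECURITY_NT_AUTHORITY
        SubAuthorityCount   = $count
        SubAuthorities      = $subAuths
        DomainSid           = $sid.AccountDomainSid.Value   # $null for well-known SIDs
        Rid                 = if ($count) { $subAuths[-1] } else { $null }
        BinaryLength        = $sid.BinaryLength       # 8 + 4 * SubAuthorityCount bytes
        Hex                 = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ' '
    }
}

# Dean's sample: 5 sub-authorities (21 + three domain DWORDs + RID) -> 28 bytes
ConvertTo-SidLayout 'S-1-5-21-2123478354-492892223-854245498-1113' | Format-List
```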
RE: [ActiveDir] User SIDs...
Well, to rule out number of groups or the nesting, start with a single group and see if it works that way and then slowly back up to what you have that is failing.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User SIDs...

Sorry Ppl. Contributors to this list are so helpful that I forget that they aren't quite smart enough to read my mind; they have been able to do everything else ;-)

The problem is thus: I have a user in a group, which through 4 levels of nesting is a member of the local Administrators group on a server (no restricted groups or anything, just plain simple addition of the group the user is in to the local Administrators group). Call this ServerA. The local Administrators group is configured in the setting "Impersonate a client after authentication". I have set up a web page in IIS (on ServerB) that attaches to ServerA to perform some folder manipulation (profile and home directory changes and the like). It does this using Kerberos to pass the authentication through. The page fails, because their Kerberos authentication fails. I have added the same user explicitly to the "Impersonate a client after authentication" setting on ServerA, and presto, it works.

Just to reiterate, the user is in less than 50 groups, including nesting results. ServerA and ServerB are both Win2k3. The domain is all Win2K DCs, SP3.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 19 August 2005 16:36
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User SIDs...

As Dean keeps saying, how about describing the actual problem as you see/experience it. Could be something totally different. I'll bet somebody here would be helpful if they knew what to help with.

:)
Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 10:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User SIDs...

Looks like the PAC is intact, and all SIDs are well within the limit. This is done from the user account that is exhibiting the problem. I am at a loss on this one now.

Tokensz Results:

    Name: Kerberos Comment: Microsoft Kerberos V1.0
    Current PackageInfo-MaxToken: 12000
    QueryKeyInfo:
    Signature algorithm =
    Encrypt algorithm = RSADSI RC4-HMAC
    KeySize = 128
    Flags = 2081e
    Signature Algorithm = -138
    Encrypt Algorithm = 23
    Start:8/19/2005 16:19:12
    Expiry:8/20/2005 2:16:44
    Current Time: 8/19/2005 16:19:15
    MaxToken (complete context) 1790

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 19 August 2005 14:56
To: Send - AD mailing list
Subject: RE: [ActiveDir] User SIDs...

[snip]
RE: [ActiveDir] Hidden objects
What type of object?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 16, 2005 10:23 AM
To: activedirectory
Subject: [ActiveDir] Hidden objects

Is there any way to tell if someone hid an object(s) in AD from a DA? The dSHeuristics attrib doesn't have a value set. Does that mean no? After using dsacls, it seems Authenticated Users have List Contents on every object in AD that I checked. Based on these 2 things, is it pretty safe to assume nothing is probably hidden?

thanks
RE: [ActiveDir] inactive computers
It is the joeware... It makes you so efficient you can practice being clairvoyant. :o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE)
Sent: Thursday, August 18, 2005 11:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] inactive computers

Wow John... according to the combination of times on our computers, you look to be clairvoyant as you answered the question prior to it being asked... That's really not that big of a deal, but the part that impressed me is that you not only knew what he was going to ask, but also worded it exactly the same... now that's a neat trick!! It's really neat sometimes when you get a mail that, according to the time for sent, arrived before it was sent... Ok, I'm done with my dull humor... time to go visit DC

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Thursday, August 18, 2005 9:53 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] inactive computers

OldCmp
joeware

john

Tom Kern wrote:
> I know win2k AD has no lastLogonTimestamp attrib, but is there any way to find inactive computers in a 2000 domain?
RE: [ActiveDir] 2 quick favors
I didn't see anywhere in the thread where anyone said you can't enumerate the settings with scripts. MS hasn't exposed any functionality like that; you could read the text files directly and try to work it out yourself though. The only thing you can get from AD is that the GPOs are linked in certain areas and what files they are linked to. The GPMC script extensions don't do much more; they just wrap up the AD properties into nice titles.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, August 10, 2005 9:19 AM
To: activedirectory
Subject: [ActiveDir] 2 quick favors

Does anyone know of a tool to enumerate all GPOs in a domain listing all the specific settings enabled that I can spit out to a text file? The environment I work in is all win2k pro/server so GPMC is out. Also, gpotool doesn't seem to show specific links and what settings are enabled.

Second question is, does anyone have a script that can enumerate all the local accounts and groups on domain member servers and workstations?

Thanks a lot. I apologize for being so needy.
RE: [ActiveDir] cloning DC's
Uh... I hope they brought a lot of pixie dust. They will need it and no amount of calls to MS will help out when this blows. Does anyone on this list work for Itsy Bitsy Machine? Go talk to your people!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, August 17, 2005 5:03 PM
To: activedirectory
Subject: [ActiveDir] cloning DC's

I know I read this thread before but I can't seem to find it. We are creating a new forest root and the IBM consultants here created the first root DC and now they want to clone it using Disk Image and sysprep to create the other DCs in the root. I think I heard this is a bad idea. Am I right? I can't seem to find any article on this but I do remember this being spoken of on the list and I don't remember what the conclusion was.

thanks
RE: [ActiveDir] csvde issue
LOL. I will consider an autoupdate function for the tools. ;o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 15, 2005 7:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] csvde issue

No wonder I could never get the -nolabel option on my servers (1.25.01)... argh, now need to push out ver 1.26 on all the DCs.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 15, 2005 10:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] csvde issue

    adfind -b dc=domain,dc=com -f "(&(objectCategory=computer)(operatingSystem=Windows 2000 server))" cn -nodn -nolabel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, August 15, 2005 10:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] csvde issue

Thanks a lot. My other request is, I'd like to filter the full DN. I just want the cn of the computer object. When I use the -l cn, I still get the DN in quotes and then the cn. Is there any way to get rid of the full DN from csvde? All I really want is just the comp name. NO DN or sAMAccountName with the $ appended, just the name based on my filter.

thanks

On 8/15/05, Cace, Andrew [EMAIL PROTECTED] wrote:
> Tom,
>
> You're missing a closing parenthesis ')' at the end.
>
> -Andrew
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Monday, August 15, 2005 9:01 AM
> To: activedirectory
> Subject: [ActiveDir] csvde issue
>
> I'm having a hard time exporting computer objects based on operating system attribute using csvde. This is what I use:
>
>     C:\csvde -f servers.txt -r "(&(objectCategory=computer)(operatingSystem=Windows 2000 server)"
>
> This is the error I get:
>
>     Search Failed
>     An error has occurred in the program
>
> Thanks
RE: [ActiveDir] Effectively Disable Accounts
Let me guess, the errors were 9548's for disabling accounts that still had active mailboxes? The MS proper way of correcting this is documented here. It is something you can do programmatically. http://support.microsoft.com/Default.aspx?kbid=278966

Basically the issue is an Exchange issue where the Exchange Dev folks figured that the only reason someone would have a live mailbox on a disabled ID would be for a resource mailbox, so they make all sorts of assumptions around disabled user IDs that are mailbox enabled. This blows up in their face because if the account is really just a user you no longer want to be able to log on, but you don't want to delete the mailbox [1] for many many good reasons, you wouldn't normally think to set MSEMAS, so it dorks Exchange up, and if you get enough of this you start experiencing Store hangs. This is a huge problem in companies with large Exchange deployments. Hopefully one day MS Exchange Dev will correct this design flaw. I expect Exchange 12 will correct all the current flaws due to bad assumptions and spawn a whole new set based on other bad assumptions to deal with. :o)

joe

[1] Yes I understand retention store but I also understand that MS didn't give a realistic programmatic reconnect method and doesn't allow disconnected mailboxes to be moved if needed. The reconnect is a half-ass WMI mechanism that I see no reason why they did it the way they did it. Works great in a small environment, but reconnects in a small environment aren't usually that great of an issue in the first place. Makes me want to say that the Exchange developers shouldn't be allowed to develop on anything but large 100+ Exchange Server labs and are forced to do support inside of MS on a monthly basis (say 1 week a month) to see how the environments are really managed.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, August 10, 2005 4:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Effectively Disable Accounts

I've written a script that we use instead of disabling accounts when people leave. It prevents the account from being used, but also eliminates some errors we had with Exchange when we had a bunch of mailboxes tied to disabled accounts. Here it is, if anyone's interested. Thoughts?
RE: [ActiveDir] AD attribute
This is basically what we were discussing in the last post I responded to earlier today. You need to pick an attribute, determine how the accesses are granted and think of a way to attack it. I would probably look at employeeID or employeeNumber, neither of which I believe are in property sets. The big thing you have to overcome would be the ACE for the Pre-W2K compatibility access because you probably have that enabled. Luckily that access is granted through an inherited ACE from the domain root so you can insert a deny at that level to block that access. Now you need to regrant to any groups you want to see it (other than acc op, admins, etc who have explicit FCs anyway) by going to a lower level in the hierarchy and granting an inherited grant to the group you created of who should get access.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 19, 2005 1:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD attribute

I'm running Win2k in native mode. How would I do this in Win2k AD? Thanks

On 8/19/05, Marc A. Mapplebeck [EMAIL PROTECTED] wrote:

This is a step by step to add the attribute and extend the display specifier to allow it to be modified. http://www.informit.com/articles/article.asp?p=169630&rl=1 Hope this helps - Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: August 19, 2005 13:55
To: activedirectory
Subject: [ActiveDir] AD attribute

My org wants to put social security #'s in AD as a user attrib (hidden from users, of course). How would I go about doing this?

Thanks
RE: [ActiveDir] Anal retentivity
Yes you can change those in AD without issue. On the machine itself it is somewhere in the registry; you would need to dig it out but should be able to change that as well.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, August 11, 2005 6:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Anal retentivity

I like to have our computer names in all caps, so naturally I create them upper case and instruct our machine builders to do the same. The problem is that they're just not that attentive - I guess RIS has bred laziness (it's SO much easier now). Is there any way I can go back and update AD, changing all the names to upper case? I see about 5 places in ADSI that reflect the name. Would it be a simple matter of just changing those? Is the name stored on the PC? If so, can that be updated as well? Of course, rejoining the machine to the domain would fix it, but it's definitely not worth that, but if I could script it, I'd be all for it. Alternatively, is there any way to enforce some kind of naming scheme at domain join? Or, optimally, a way to use an input mask in the initial RIS screens. Obviously, this is nowhere near important, but it's always just kinda bugged me :)

Thanks
Scotte
RE: [ActiveDir] EmployeeID AD attribute
Ah, this is a GUI thing though, the forms have to be built to show the info. MS could build a form (or set of forms) that dynamically builds based on a schema attribute or something like that. The only way I could correct this at the moment would be to build my own ADUC tool. If I build any GUI tools in the near time frame, it will be some form of ADAM tool, not AD.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 5:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] EmployeeID AD attribute

Not as far as I know. Maybe Joe will do something similar to his ABE tool, thereby nudging MS to come up with something.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of RM
Sent: Tue 8/16/2005 2:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] EmployeeID AD attribute

Hi, has anyone discovered a less kludgy way to turn on the hidden user attributes in AD, such as EmployeeID? I found several sites that document using Schmmgmt, ADSIedit, and a .vbs script. Is there a cleaner way to implement this? Can this field somehow be added to the normal properties menu for a user (instead of being accessed only via right-click)?

Thx,
RM
RE: [ActiveDir] csvde syntax
Unless you have done something smart like indexing objectClass, you will want to convert the query to objectCategory=computer. A quick test on my home test domain showed the following:

* objectClass=computer

    Statistics
    ==========
    Elapsed Time: 971 (ms)
    Returned 11 entries of 16743 visited - (0.07%)
    Used Filter: (objectClass=computer)
    Used Indices: DNT_index:14022:N

    Analysis
    --------
    Hit Rate of 0.07% is Inefficient
    No dedicated indices used for search, this is inefficient.
    Indices used:
      Index Name : DNT_index
      Record Count: 14022 (estimate)
      Index Type : Normal Attribute Index
    Filter Breakdown:
      (objectClass=computer)

* objectCategory=computer

    Statistics
    ==========
    Elapsed Time: 0 (ms)
    Returned 11 entries of 11 visited - (100.00%)
    Used Filter: (objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=joe,DC=com)
    Used Indices: idx_objectCategory:11:N

    Analysis
    --------
    Hit Rate of 100.00% is Efficient
    Indices used:
      Index Name : idx_objectCategory
      Record Count: 11 (estimate)
      Index Type : Normal Attribute Index
    Filter Breakdown:
      (objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=joe,DC=com)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, August 11, 2005 2:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] csvde syntax

DUMPCOMPUTERS.BAT

    @echo off
    set OU=%1
    set FileName=%2
    ldifde -f %FileName%.ldf -d %OU%,dc=us,dc=ray,dc=com -p SubTree -r (objectClass=computer) -l objectClass,description,name,sAMAccountName
    echo on

The ldifde line is ONE line (watch for word wrap in the email). Call this file as in:

    DUMPCOMPUTERS.BAT dc=windomain,dc=local computers.txt

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 11:18 AM
To: activedirectory
Subject: [ActiveDir] csvde syntax

What's the LDAP filter to use with csvde to just export all computer objects in a domain to a file?

thanks
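The two csvde threads on this page fail in the same two ways: a filter whose parentheses do not balance (csvde only says "Search Failed"), and an equality match on objectClass, which AD does not index by default, where objectCategory would hit an index. As an added example that is not code from either thread, here is a small filter checker that parses RFC 4515 syntax, reports the exact offset of a missing parenthesis or a missing &/| in front of nested items, and warns about the objectClass case. The filters in the sample are the ones posted above; the checker is my own.

```python
"""Check an LDAP filter before handing it to csvde, ldifde or adfind.

Added example, not code from the thread. Parses RFC 4515 AND/OR/NOT and
simple attr=value items (extensible-match items are not supported), reports
unbalanced parentheses with an offset, and warns when the filter does an
equality match on objectClass instead of the indexed objectCategory.
"""
import re


class FilterError(ValueError):
    """Raised for a syntactically invalid filter."""


# attribute (lower-case) -> indexed attribute that normally gives the same answer
UNINDEXED_HINTS = {"objectclass": "objectCategory"}

_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(=|~=|>=|<=)([^()]*)")


def escape_value(value):
    """Escape an assertion value per RFC 4515 (for values you interpolate)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


class LdapFilterChecker:
    def __init__(self, text):
        self.text = text
        self.pos = 0
        self.warnings = []

    def check(self):
        """Return the parsed tree; raise FilterError on a syntax problem."""
        tree = self._parse()
        if self.pos != len(self.text):
            raise FilterError("unexpected text after the filter at offset %d" % self.pos)
        return tree

    def _peek(self):
        return self.text[self.pos] if self.pos < len(self.text) else ""

    def _parse(self):
        if self._peek() != "(":
            raise FilterError("expected '(' at offset %d" % self.pos)
        self.pos += 1
        op = self._peek()
        if op in ("&", "|"):
            self.pos += 1
            children = []
            while self._peek() == "(":
                children.append(self._parse())
            if not children:
                raise FilterError("empty '%s' at offset %d" % (op, self.pos))
            node = (op, children)
        elif op == "!":
            self.pos += 1
            node = ("!", [self._parse()])
        elif op == "(":
            # ((a=1)(b=2)) with no operator: what you get when a '&' goes missing
            raise FilterError("nested filters at offset %d need a leading '&' or '|'" % self.pos)
        else:
            m = _ITEM.match(self.text, self.pos)
            if not m:
                raise FilterError("malformed attr=value item at offset %d" % self.pos)
            self.pos = m.end()
            attr, cmp_, value = m.groups()
            hint = UNINDEXED_HINTS.get(attr.lower())
            if hint and cmp_ == "=" and value != "*":
                self.warnings.append("(%s=%s) is not indexed by default; (%s=%s) uses an index"
                                     % (attr, value, hint, value))
            node = ("item", attr, cmp_, value)
        if self._peek() != ")":
            raise FilterError("missing ')' at offset %d: unbalanced parentheses" % self.pos)
        self.pos += 1
        return node


def check_filter(text):
    """Convenience wrapper: returns (tree, warnings) or raises FilterError."""
    checker = LdapFilterChecker(text)
    tree = checker.check()
    return tree, checker.warnings


if __name__ == "__main__":
    for f in ["(&(objectCategory=computer)(operatingSystem=Windows 2000 server))",
              "(&(objectCategory=computer)(operatingSystem=Windows 2000 server)",
              "(objectClass=computer)"]:
        try:
            tree, warnings = check_filter(f)
            print("OK  ", f, "; ".join(warnings))
        except FilterError as exc:
            print("BAD ", f, "->", exc)
```

Two practical notes that the checker cannot see: on cmd.exe a filter whose value contains spaces (Windows 2000 server) must be wrapped in double quotes so the shell passes it as one argument, and objectCategory=computer works because the DC expands the short class name to the schema DN, exactly as the Used Filter line in joe's statistics output shows.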
RE: [ActiveDir] Hidden objects
Well on reflection, the answer to this regardless of object type would be to run an enumeration routine as LocalSystem and as the admin ID you want to find things that may be hidden from, and then compare the results. If the object is a user or group you could try using the NET API to see if it lets you see it where the LDAP calls won't.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 21, 2005 1:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hidden objects

What type of object?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 16, 2005 10:23 AM
To: activedirectory
Subject: [ActiveDir] Hidden objects

Is there any way to tell if someone hid an object(s) in AD from a DA? The dSHeuristics attrib doesn't have a value set. Does that mean no? After using dsacls, it seems Authenticated Users have list contents on every object in AD that I checked. Based on these 2 things, is it pretty safe to assume nothing is probably hidden?

thanks
RE: [ActiveDir] hide an attribute
Tom Kern said:

Say I use one of the custom attribute fields that Exchange creates and put a value in there and hide it from Domain Users. What would break? How would I go about hiding that? Just as an example.

[RTK] Hey, joe. Just a suggestion. If someone asks you what time it is - don't tell him how to build a frelling Rolex! :oD I think all Tom wanted to know (though the background and technical detail is good) was: How do I hide the FRELLING ATTRIBUTE? And, IF I DO, will it BREAK ANYTHING? So, Sparky, what have you got to say now?

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 21, 2005 12:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hide an attribute

Good good, that is what I like to hear. :o) You will want to buy copies for all your friends too. :o) The chapter may have been clear but it was off on its examples as it didn't take into account inherited and explicit ACEs. That radically changes whether a delegation (or a denied delegation) will work or not. It still isn't perfect, but IMO, much better. It is a balance of time vs what needs to be done. The example you give is one of the harder things to clean up and no, I personally don't think it should be this hard, but then that is just my opinion.

One thing to remember about Exchange is that some of its access rights for reading attributes can be through Auth Users rights, especially on GCs in a multi-domain environment; I have been bitten by this in the past myself. Consider that permissions are granted to the Exchange Enterprise Servers group, which is a domain local group, so reading on a GC in another domain would be impacted unless there is some other access mechanism. An alternative would be to convert those DLGs to UGs as previously mentioned by Guido; again, MS PSS may have an issue with it so keep that in mind.

The easiest way to handle this is to use the new confidentiality bit capability in SP1. The Exchange attributes shouldn't be Cat 1 attributes (systemFlags 16 on their schema definition) so you should be able to lock them up that way. However, you will want to regrant access back to Exchange. Unfortunately, I am not aware of any tools MS has given to allow a good granular way to grant access BACK to this attribute after it is locked down. You will need to grant a CA to the attribute for the Exchange Servers global group in each domain (or grant to the DLGs but convert to UGs) so you maintain read across GCs in each domain. This will have to be done with script because you can't do it via dsacls or the GUI. Also once set, the GUI will have no clue how to display the permission so won't; DSACLS will properly display it.

A word of note is that if you have MS Exchange PSS look at your AD, they will probably have a small stroke if they figure out this was done, as they get testy when you muck with the visibility of Exchange attributes. However, have the Exchange guy talk to a knowledgeable AD PSS guy and things should hopefully be ok, though expect to hear lots of grumbles of unsupported. This goes for any solution that does anything to any Exchange attribute.

Oh one further note, anyone who has full control or all control access rights to a given object will still be able to see the attribute. The obvious one is full control... Full control is... well, full control. You can't effectively deny someone access to something they have full control to. The all control access rights is a new one though that you have to watch out for.

If the confidential bit isn't an option, you are in for some fun. The fact that it is Auth Users makes things very difficult because everyone that accesses it is an auth user, so you can't just actively deny Auth Users access or else you impact admins and Exchange and everything else. You need to either

1. Invoke a passive deny, which means stripping any (explicit or inherited) access permissions granted and regranting the access permissions to Exchange and anyone else that needs access. It depends here how the access is granted in the first place on what you need to do.

2. Remove any explicit grants and then set up inherited denies for Auth Users and then explicit grants for Exchange and any other specific groups that need access. The explicit grants will override the inherited denies.

For both of these, if the grant is handled through a property set, then you can remove the attribute from the property set (and maybe some others related to Exchange you don't want to be fully visible to everyone) and add them to a different property set and only grant that to Exchange and the admins or whomever else it is that needs to see the info.

Overall, before I started doing anything with any of this I would really look at everything and get a great overall plan for security. You need to understand what it is exactly you want and all of the ways things are currently delegated; it isn't unusual to find that there are
RE: [ActiveDir] Hidden objects
Actually better would probably be dumpDatabase.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 21, 2005 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hidden objects

Well on reflection, the answer to this regardless of object type would be to run an enumeration routine as LocalSystem and as the admin ID you want to find things that may be hidden from, and then compare the results. If the object is a user or group you could try using the NET API to see if it lets you see it where the LDAP calls won't.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 21, 2005 1:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hidden objects

What type of object?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 16, 2005 10:23 AM
To: activedirectory
Subject: [ActiveDir] Hidden objects

Is there any way to tell if someone hid an object(s) in AD from a DA? The dSHeuristics attrib doesn't have a value set. Does that mean no? After using dsacls, it seems Authenticated Users have list contents on every object in AD that I checked. Based on these 2 things, is it pretty safe to assume nothing is probably hidden?

thanks
RE: [ActiveDir] exchange weirdeness
I think this is fine in a small environment or *maybe* in a large environment if the chances of moving the mailbox are very very slim or the chances of reconnection are very very slim. As mentioned previously, the lack of the ability to move a disconnected mailbox (say you have a server issue and are trying to get mailboxes off of it quickly) and the crappy nasty horrible WMI reconnect programmatic method make this a nightmare to deal with in a large org. If MS published the details for doing a MAPI reconnect I would happily write a command line tool to handle this so it could be done in a realistic way for an enterprise. I have begged for the source to a couple of tools they have that do things like this (such as MBCONNECT) but haven't thus far gotten it. I just recently purchased the supposedly best MAPI book ever (Inside MAPI), which is not available in hard copy anymore but I got it on CD for like $60, so I can hopefully try to work out how to do this.

I much prefer moving the object, disabling it, and properly setting the MAS and ACL to self on the mailbox. This is what I push for in the larger Exchange deployments (100k+) but would really recommend it for anyone if they were looking to handle things the easiest programmatically.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, August 17, 2005 7:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] exchange weirdeness

FWIW, I've always been a fan of disassociating the user account from the mailbox and then disabling the user access by disabling the user object from login, moving it to a new OU, removing the groups, marking the object with a time stamp for later use, and logging every action taken to a text file for later review and auditing functions. I can leave a user account that I can associate and disassociate at will if I need access. It's not pretty, but then again, there is no pretty way to make this work. The scripts involved are pretty straightforward; it's a matter of figuring out what the process should be. My $0.04 anyway.

Al

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Wed 8/17/2005 5:22 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] exchange weirdeness

thanks a lot!!

On 8/17/05, Coleman, Hunter [EMAIL PROTECTED] wrote:

For folks who have already left, I'd go with granting "Self" full mailbox access. I haven't tested it, but if the account has already been disabled then I don't think that setting it to expire on a date in the past will restore the necessary mailbox permissions for you to access it. For future departures, I think the ideal thing is to have some sort of deprovisioning utility that handles disabling the account, possibly moving it to a different OU, sets the Self mailbox access, and any other rules that your business processes dictate. You could have that as a script or front-end it with a web page.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, August 17, 2005 2:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] exchange weirdeness

So, what is a good practice to deal with users who have left and their mailboxes? Should you just expire the account to a date in the past and then you can access their box? Or can you give "Self" full mailbox access to a disabled account and then access the box? Which way works? Thanks a lot

On 8/17/05, Coleman, Hunter [EMAIL PROTECTED] wrote:

No. You're running into the msExchMasterAccountSID problem. http://support.microsoft.com/default.aspx?scid=k;en-us;555410 has information, and points to the NoMAS tool. You can also handle this by setting the attributes manually or via script.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, August 17, 2005 12:48 PM
To: activedirectory
Subject: Re: [ActiveDir] exchange weirdeness

Update: I enabled the user account about 30 mins ago and updated the RUS. Still I get denied trying to log on via Outlook, and an event ID 9548 gets logged on the Exchange server every time I try logging on, stating that the account is still disabled... replication issue? DNS is up and running. The only known issue is no connectivity to the root, but the root has no users or mail servers. Strange.

On 8/17/05, Tom Kern [EMAIL PROTECTED] wrote:

I have mailbox-enabled users in AD that have been disabled. However, in ESM they are not marked as such. When I run the cleanup agent, they are still not marked as disabled. When I try to Exmerge the box, I get an access denied error (I have full Exchange admin rights inherited from the org and full mailbox rights on the user). Also, I can't open their box via Outlook as well. My situation at this firm is as such: we have no network connectivity to the root (for about 2 wks. don't ask,
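Both the "Effectively Disable Accounts" thread above and this "exchange weirdeness" thread come down to one directory state: the user is disabled (userAccountControl has the 0x2 ACCOUNTDISABLE bit, so 514 = 512 + 2), it still has a mailbox (homeMDB is set), and msExchMasterAccountSid is absent, so the store has no account to associate with the mailbox and logs event 9548. The KB 278966 / NoMAS fix the threads reference stamps msExchMasterAccountSid with SELF (S-1-5-10). As an added example that is not code from either thread, here is an offline audit of an LDIF export for that condition; the LDIF is constructed sample data, and the ldifde command in the docstring is my assumption about how such an export would be produced.

```python
"""Audit an LDIF export for the disabled-user-with-mailbox state behind event 9548.

Added example, not code from the threads. A real export could come from
something like  ldifde -f users.ldf -r "(&(objectCategory=person)(homeMDB=*))"
-l sAMAccountName,userAccountControl,homeMDB,msExchMasterAccountSid
(that command line is an assumption). The sample data below is constructed.
"""
import base64

ACCOUNTDISABLE = 0x0002                                  # userAccountControl bit
SELF_SID = bytes([1, 1, 0, 0, 0, 0, 0, 5, 10, 0, 0, 0])  # S-1-5-10 in binary SID form


def _unfold(text):
    """Join LDIF continuation lines (a leading space) back onto their line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]}; 'attr:: b64' values become bytes."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def is_disabled(entry):
    return bool(int(entry.get("userAccountControl", ["0"])[0]) & ACCOUNTDISABLE)


def master_account_state(entry):
    """'missing', 'self' (the KB 278966 stamp) or 'other' (points at a real account)."""
    values = entry.get("msExchMasterAccountSid")
    if not values:
        return "missing"
    return "self" if values[0] == SELF_SID else "other"


def event_9548_candidates(entries):
    """DNs the store will complain about: disabled, mailbox-enabled, no master account SID."""
    return [e["dn"][0] for e in entries
            if is_disabled(e) and "homeMDB" in e and master_account_state(e) == "missing"]


# Constructed sample export. Alice is the 9548 case; Bob is disabled but stamped with
# SELF; Carol is an enabled mailbox user; Dave is disabled with no mailbox at all.
SAMPLE_LDIF = """\
dn: CN=Alice Leaver,OU=Leavers,DC=example,DC=com
sAMAccountName: aleaver
userAccountControl: 514
homeMDB: CN=Mailbox Store (EX01),CN=First Storage Group,CN=InformationStore,
 CN=EX01,CN=Servers,CN=Example,CN=Microsoft Exchange,CN=Services,
 CN=Configuration,DC=example,DC=com

dn: CN=Bob Resource,OU=Resources,DC=example,DC=com
sAMAccountName: bresource
userAccountControl: 514
homeMDB: CN=Mailbox Store (EX01),CN=First Storage Group,CN=InformationStore,CN=EX01,DC=example,DC=com
msExchMasterAccountSid:: AQEAAAAAAAUKAAAA

dn: CN=Carol Current,OU=Staff,DC=example,DC=com
sAMAccountName: ccurrent
userAccountControl: 512
homeMDB: CN=Mailbox Store (EX01),CN=First Storage Group,CN=InformationStore,CN=EX01,DC=example,DC=com

dn: CN=Dave Gone,OU=Leavers,DC=example,DC=com
sAMAccountName: dgone
userAccountControl: 514
"""

if __name__ == "__main__":
    for dn in event_9548_candidates(parse_ldif(SAMPLE_LDIF)):
        print("9548 candidate:", dn)
```

The state check deliberately distinguishes "self" from "other": a disabled account whose msExchMasterAccountSid points at another real account is a resource mailbox by Exchange's definition and is not the case the threads are about. Whether the SELF stamp is paired with the Associated External Account mailbox right is not visible from this export; that lives in msExchMailboxSecurityDescriptor, which joe's reply in the MailBox permissioning thread below warns against editing directly once the mailbox exists.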
RE: [ActiveDir] hide an attribute
That's the thing Rick, it isn't some simple easy thing to say how to do. The simplest, shortest answer is: it depends. It depends on how it is granted, who has access to the objects and what types of access, etc. Part of that depends is how things should be done overall and for the future; in the end there are lots of ways to hide it and lots of ways you may have to defeat trying to show it. Understanding the ways it could be granted and how it can be hidden are necessary to properly do it. In the end, no matter how it is done, there is a fair chance that PSS is not going to be thrilled about it because it isn't standard, and if it isn't standard and documented the first recourse is to say it isn't supported.

If you think there is an easy way to do this, I wouldn't mind seeing what your response would be. I guess the simplest that would effectively work would be to block the LDAP port on all DCs and GCs. However I don't think that accomplishes the true desired goal. :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, August 21, 2005 3:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hide an attribute

Tom Kern said:

Say I use one of the custom attribute fields that Exchange creates and put a value in there and hide it from Domain Users. What would break? How would I go about hiding that? Just as an example.

[RTK] Hey, joe. Just a suggestion. If someone asks you what time it is - don't tell him how to build a frelling Rolex! :oD I think all Tom wanted to know (though the background and technical detail is good) was: How do I hide the FRELLING ATTRIBUTE? And, IF I DO, will it BREAK ANYTHING? So, Sparky, what have you got to say now?

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 21, 2005 12:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hide an attribute

Good good, that is what I like to hear. :o) You will want to buy copies for all your friends too. :o) The chapter may have been clear but it was off on its examples as it didn't take into account inherited and explicit ACEs. That radically changes whether a delegation (or a denied delegation) will work or not. It still isn't perfect, but IMO, much better. It is a balance of time vs what needs to be done. The example you give is one of the harder things to clean up and no, I personally don't think it should be this hard, but then that is just my opinion.

One thing to remember about Exchange is that some of its access rights for reading attributes can be through Auth Users rights, especially on GCs in a multi-domain environment; I have been bitten by this in the past myself. Consider that permissions are granted to the Exchange Enterprise Servers group, which is a domain local group, so reading on a GC in another domain would be impacted unless there is some other access mechanism. An alternative would be to convert those DLGs to UGs as previously mentioned by Guido; again, MS PSS may have an issue with it so keep that in mind.

The easiest way to handle this is to use the new confidentiality bit capability in SP1. The Exchange attributes shouldn't be Cat 1 attributes (systemFlags 16 on their schema definition) so you should be able to lock them up that way. However, you will want to regrant access back to Exchange. Unfortunately, I am not aware of any tools MS has given to allow a good granular way to grant access BACK to this attribute after it is locked down. You will need to grant a CA to the attribute for the Exchange Servers global group in each domain (or grant to the DLGs but convert to UGs) so you maintain read across GCs in each domain. This will have to be done with script because you can't do it via dsacls or the GUI. Also once set, the GUI will have no clue how to display the permission so won't; DSACLS will properly display it.

A word of note is that if you have MS Exchange PSS look at your AD, they will probably have a small stroke if they figure out this was done, as they get testy when you muck with the visibility of Exchange attributes. However, have the Exchange guy talk to a knowledgeable AD PSS guy and things should hopefully be ok, though expect to hear lots of grumbles of unsupported. This goes for any solution that does anything to any Exchange attribute.

Oh one further note, anyone who has full control or all control access rights to a given object will still be able to see the attribute. The obvious one is full control... Full control is... well, full control. You can't effectively deny someone access to something they have full control to. The all control access rights is a new one though that you have to watch out for.

If the confidential bit isn't an option, you are in for some fun. The fact that it is Auth Users makes things very difficult because everyone that accesses it is an auth user, so you can't just actively deny Auth Users access or else you
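The route joe recommends in both the "AD attribute" (social security number) thread and this one is the Windows Server 2003 SP1 confidential bit: set bit 0x80 in the attribute's searchFlags, which makes READ_PROPERTY insufficient and requires CONTROL_ACCESS on that attribute to read it, then grant CONTROL_ACCESS back to whoever must still see it. Two checks matter before touching the schema: the bit is ignored on Category 1 (base schema) attributes, marked by systemFlags bit 0x10, and the regrant has to name the attribute's schemaIDGUID, which is why dsacls and the GUI of the day could not do it. As an added example that is not code from the thread, here is an offline planner that decodes the flags, refuses a Cat 1 attribute, and emits the LDIF modify and the SDDL object ACE for the regrant. The attribute names, DN, GUID and group SID are constructed values; the user class GUID is the real one.

```python
"""Plan a confidential-bit change for one attributeSchema object, offline.

Added example, not code from the thread. Input is the attribute's flag values
as exported with adfind/ldifde; output is the LDIF that flips searchFlags and
the SDDL ACE that regrants read (CONTROL_ACCESS) to one group for user objects.
Applies to Windows Server 2003 SP1 or later DCs. Sample values are constructed.
"""

SEARCH_FLAGS = {
    0x001: "fATTINDEX (indexed)",
    0x002: "fPDNTATTINDEX (container-scoped index)",
    0x004: "fANR (ambiguous name resolution)",
    0x008: "fPRESERVEONDELETE (kept on tombstone)",
    0x010: "fCOPY (copied when a user is duplicated)",
    0x020: "fTUPLEINDEX (medial-substring index)",
    0x040: "fSUBTREEATTINDEX (VLV/subtree index)",
    0x080: "fCONFIDENTIAL (needs CONTROL_ACCESS to read)",
}
FLAG_SCHEMA_BASE_OBJECT = 0x10   # systemFlags bit marking a Category 1 attribute
CONFIDENTIAL = 0x80              # searchFlags bit
USER_CLASS_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of class 'user'


def decode_flags(value, table):
    """Names of the set bits in value; bits the table does not know appear as hex."""
    return [table.get(1 << i, hex(1 << i)) for i in range(32) if value & (1 << i)]


def plan_confidential(attr):
    """Return the new searchFlags for attr, or raise if the bit would be ignored.

    attr is a dict with 'lDAPDisplayName', 'searchFlags' and 'systemFlags'.
    """
    system_flags = int(attr.get("systemFlags", 0))
    search_flags = int(attr.get("searchFlags", 0))
    if system_flags & FLAG_SCHEMA_BASE_OBJECT:
        raise ValueError("%s is a Category 1 attribute; DCs ignore the confidential "
                         "bit on base-schema attributes" % attr["lDAPDisplayName"])
    return search_flags | CONFIDENTIAL


def ldif_set_search_flags(attr_dn, new_flags):
    """LDIF for 'ldifde -i' that replaces searchFlags on the schema object."""
    return ("dn: %s\nchangetype: modify\nreplace: searchFlags\n"
            "searchFlags: %d\n-\n" % (attr_dn, new_flags))


def control_access_ace(attr_schema_guid, group_sid):
    """SDDL object ACE: Allow group_sid CONTROL_ACCESS (CR) on this attribute,
    inherited to user objects only (CI + IO = inherit-only container ACE)."""
    return "(OA;CIIO;CR;%s;%s;%s)" % (attr_schema_guid, USER_CLASS_GUID, group_sid)


# Constructed samples: a custom attribute that can be locked down, and a base-schema
# attribute (systemFlags 16) that the planner must refuse. GUID and DNs are made up.
SAMPLE_CUSTOM_ATTR = {
    "lDAPDisplayName": "exampleCorp-SSN",
    "dn": "CN=exampleCorp-SSN,CN=Schema,CN=Configuration,DC=example,DC=com",
    "schemaIDGUID": "11111111-2222-3333-4444-555555555555",
    "searchFlags": 16,      # fCOPY only
    "systemFlags": 0,
}
SAMPLE_BASE_ATTR = {
    "lDAPDisplayName": "baseAttribute",
    "dn": "CN=Base-Attribute,CN=Schema,CN=Configuration,DC=example,DC=com",
    "schemaIDGUID": "66666666-7777-8888-9999-000000000000",
    "searchFlags": 0,
    "systemFlags": 16,
}

if __name__ == "__main__":
    new_flags = plan_confidential(SAMPLE_CUSTOM_ATTR)
    print(ldif_set_search_flags(SAMPLE_CUSTOM_ATTR["dn"], new_flags))
    print(control_access_ace(SAMPLE_CUSTOM_ATTR["schemaIDGUID"], "S-1-5-21-1-2-3-1234"))
```

The LDIF has to be applied by a Schema Admin against the schema master, and the ACE goes on the OU (or domain) under which the user objects live, not on the schema object. Everything joe adds still holds: anyone with Full Control or the all-control rights on the object reads the attribute regardless, and Exchange itself needs the CONTROL_ACCESS grant if the attribute is one it reads.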
RE: [ActiveDir] lots of issues
Wow, that outsource firm was being nasty... Is it a large well known firm or some small place? This kind of crap should probably be shouted from the rooftops because it is a real shitty way to do business. I would at least drop a line to the president or CEO of that outsourcing firm. I would also consider publicly documenting the issue so that other companies wouldn't be harmed by them. Of course, get permission from your management to do so, but if they say no, tell them that had someone else done that, your company may not be in the bad spot it finds itself in now.

I never screw over old customers or employers because you never know when you might be working with them again, plus it is just bad business and shows you to be very untrustworthy in a position of responsibility. The times I have been fired, it has been entirely the choice of the company and I happily walked out the door without doing anything; heck, if I had been asked for an exit interview I would even have done that. I am not out to screw anyone over. This does indeed work: in one case, I was hired back several years later. Had I done anything bad to harm them I am quite sure that offer wouldn't have shown up.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 12, 2005 3:00 PM
To: activedirectory
Subject: [ActiveDir] lots of issues

This company is in a jam I've yet to have seen. They outsourced AD/Exchange and when they tried to get it back, the outsource firm demoted their DCs that are physically present at the company. Some of these former DCs did DHCP and DNS. Now no one knows the local admin password and connectivity to the root has been severed. No one wants to go the Linux password disk route because they can't reboot the server. There's no way I can get LocalSystem access to this server that I can think of. Is there any other way to change or get the local admin password of what is now essentially a stand-alone server?

I know this is bordering on hacking so I understand if I get no response. Just curious if there is a way to do this without a server reboot.

thanks a lot.
RE: [ActiveDir] MailBox permissioning
You may have an issue. Microsoft does not support modifying the msExchMailboxSecurityDescriptor attribute directly for a mailbox that is already instantiated. According to the documentation, the only time that attribute is authoritative AND can be set such that it affects the mailbox is when the mailbox is not instantiated. Once the mailbox is instantiated you must use the MailBoxRights property from CDOEXM to manipulate the permissions, which supposedly goes to the store directly and makes the changes via MAPI. Outside of that, I have seen odd cases where even setting the mailbox ACL prior to instantiation it STILL doesn't get used. Exchange permissions are a pain in the butt at their best.

Now another problem, I could be wrong as I haven't played with it, but I do not believe you can directly write the SDDL format to the security descriptor attribute; you will need to convert it to a binary SD, which I am thinking will be a serious pain from UNIX. I know when ADFIND reads a SD, it gets it in as a BLOB (binary octet string) and has to send it through an API call to get it translated to a SDDL format.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 2:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MailBox permissioning

Hi All,

Found a perl function in laman.pm. which converts sid to string:

    sub SidToString {
        # Binary SID layout: revision (1 byte), sub-authority count (1 byte),
        # 48-bit identifier authority (big-endian), then 32-bit sub-authorities
        # (little-endian). Only revision 1 exists.
        return undef unless unpack("C", substr($_[0], 0, 1)) == 1;
        return undef unless length($_[0]) == 8 + 4 * unpack("C", substr($_[0], 1, 1));
        my $sid_str = "S-1-";
        # Identifier authority: the low four of its six bytes, big-endian
        # (enough for every identifier authority in practice, which fits in 32 bits).
        $sid_str .= (unpack("C", substr($_[0], 7, 1)) +
                     (unpack("C", substr($_[0], 6, 1)) << 8) +
                     (unpack("C", substr($_[0], 5, 1)) << 16) +
                     (unpack("C", substr($_[0], 4, 1)) << 24));
        # Sub-authorities are little-endian in the blob; "V" decodes them that
        # way on any host, whereas "I" uses the host's byte order and gives
        # wrong values on a big-endian machine such as HP-UX on PA-RISC.
        for my $loop (0 .. unpack("C", substr($_[0], 1, 1)) - 1) {
            $sid_str .= "-" . unpack("V", substr($_[0], 4 * $loop + 8, 4));
        }
        return $sid_str;
    }

Hope this will do the job. What all will be required to do the job, setting mailbox security descriptor and masteraccountsid is enough? Or do I also need something else.

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 7:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MailBox permissioning

Thanks for the pointer. Also does anyone know any perl module which converts the binary sid to text sid? The win32 module won't work because the script will be invoked from HP-UX.

Regards,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 3:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MailBox permissioning

O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);

In the example above, you have a classic output that contains SDDL (Security Descriptor Definition Language):

O:sid is the SID of the owner
G:sid is the SID of the group
D: is a DACL

I'll let you look over the rest and determine what you have in your strings.. http://msdn.microsoft.com/library/default.asp?url=

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 11:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MailBox permissioning

Using a newer version of ldp I could gather the following things: The mailbox users have the following attribute set.

usert - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);
ZZZFFF - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2372);
ZZZGGG - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSDRC;;;S-1-5-21-3308934242-2785796821-2776977491-2368);
ZZZJJJ - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSD;;;S-1-5-21-3308934242-2785796821-2776977491-2369);

O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS) This part was common for all entries.

S-1-5-21-3308934242-2785796821-2776977491- is the objectSID for the object in the other domain to whom I want to give permissions. Also the attribute msExchMasterAccountSid is set to the value of object sid. But this part *** (A;CI;CCLCRC;;; *** before the objectsid, differs in some entries. What are all these fields? How can I find out these values programmatically and make a single attribute value which I can then give to the meta directory for setting?

Regards,
Mayuresh

From: [EMAIL
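Added example, not code from the thread or from any of the posters: a Python rendering (the thread asks for Perl, but the SID byte layout and the SDDL grammar are language-independent) of the two things the exchange above turns on. It decodes a binary SID into S-1-... form and back with the byte order stated explicitly, so it behaves the same on a big-endian host such as HP-UX, and it splits the posted SDDL strings into the six ACE fields Mayuresh asks about. The sample SDDL strings are the ones posted in the thread; LINKED_ACCOUNT_SID and the well-known-SID blob used for checking are constructed. The mailbox-rights names follow Exchange's documented mailbox rights values, which reuse the generic directory-service bit positions of the SDDL right codes.

```python
"""Binary SID <-> string SID, plus a field-level view of mailbox SDDL.

Added example in Python (the thread asks for Perl). Sample SDDL strings
are the ones posted in the thread; LINKED_ACCOUNT_SID is constructed.
"""
import re
import struct

# Two-letter SDDL right codes -> generic directory-service access bits.
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
# On msExchMailboxSecurityDescriptor Exchange reads those same bit positions
# as mailbox rights (the documented Exchange mailbox-rights values).
MAILBOX_RIGHTS = {
    0x1: "Full mailbox access", 0x2: "Send As",
    0x4: "Associated external account", 0x10000: "Delete mailbox storage",
    0x20000: "Read permissions", 0x40000: "Change permissions",
    0x80000: "Take ownership",
}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "OA": "OBJECT_ACCESS_ALLOWED", "OD": "OBJECT_ACCESS_DENIED",
             "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT",
             "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY",
             "ID": "INHERITED"}
TRUSTEE_ALIASES = {"PS": "Principal Self", "BA": "Builtin Administrators",
                   "SY": "Local System", "WD": "Everyone"}

LINKED_ACCOUNT_SID = "S-1-5-21-3308934242-2785796821-2776977491-2370"
# ldp output for two of the mailboxes, as posted in the thread.
SAMPLE_USERT = ("O:S-1-5-21-2527121305-4244181741-3459546813-500"
                "G:S-1-5-21-2527121305-4244181741-3459546813-500"
                "D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;" + LINKED_ACCOUNT_SID + ");")
SAMPLE_ZZZGGG = ("O:S-1-5-21-2527121305-4244181741-3459546813-500"
                 "G:S-1-5-21-2527121305-4244181741-3459546813-500"
                 "D:(A;CI;CCDCRC;;;PS)"
                 "(A;CI;CCLCSDRC;;;S-1-5-21-3308934242-2785796821-2776977491-2368);")


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode a binary SID (objectSid, msExchMasterAccountSid) to S-1-... form.

    Layout: revision(1) | sub-authority count(1) | identifier authority
    (6 bytes, big-endian) | sub-authorities (4 bytes each, little-endian).
    Byte order is explicit, so the host's endianness does not matter.
    """
    if len(blob) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string: the blob a binary SD would carry."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not an S-R-I-S... string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("SID out of range")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_ace(ace: str) -> dict:
    """Split '(type;flags;rights;object_guid;inherit_guid;trustee)' into fields."""
    fields = ace.strip("()").split(";")
    if len(fields) < 6:
        raise ValueError("ACE has fewer than six fields: %r" % ace)
    ace_type, flags, rights, obj_guid, inh_guid, trustee = fields[:6]
    if rights.startswith("0x"):
        mask = int(rights, 16)
    else:  # two-letter codes run together, e.g. CCLCRC
        mask = 0
        for i in range(0, len(rights), 2):
            mask |= SDDL_RIGHTS[rights[i:i + 2]]  # KeyError on an unknown code
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": [ACE_FLAGS.get(flags[i:i + 2], flags[i:i + 2])
                  for i in range(0, len(flags), 2)],
        "mask": mask,
        "mailbox_rights": [n for b, n in sorted(MAILBOX_RIGHTS.items()) if mask & b],
        "object_guid": obj_guid, "inherit_object_guid": inh_guid,
        "trustee": trustee, "trustee_name": TRUSTEE_ALIASES.get(trustee, trustee),
    }


SDDL_RE = re.compile(
    r"^(?:O:(?P<owner>S-[\d-]+|[A-Z]{2}))?(?:G:(?P<group>S-[\d-]+|[A-Z]{2}))?"
    r"(?:D:(?P<dacl_flags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*))?"
    r"(?:S:(?P<sacl_flags>[A-Z]*)(?P<sacl>(?:\([^)]*\))*))?;?$")


def parse_sddl(sddl: str) -> dict:
    """Parse an SDDL string into owner, group and the ACEs of DACL and SACL."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not a well-formed SDDL string")
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl": [parse_ace(a) for a in re.findall(r"\([^)]*\)", m.group("dacl") or "")],
            "sacl": [parse_ace(a) for a in re.findall(r"\([^)]*\)", m.group("sacl") or "")]}


if __name__ == "__main__":
    for sample in (SAMPLE_USERT, SAMPLE_ZZZGGG):
        sd = parse_sddl(sample)
        print("owner=%s group=%s" % (sd["owner"], sd["group"]))
        for ace in sd["dacl"]:
            print("  %s %s mask=0x%x %s -> %s" % (ace["type"], "+".join(ace["flags"]),
                  ace["mask"], ace["mailbox_rights"], ace["trustee_name"]))
    blob = sid_string_to_bytes(LINKED_ACCOUNT_SID)
    print(blob.hex(), sid_bytes_to_string(blob))
```

Read against the four entries in the thread, the part that differs is only the rights field of the second ACE: CCLCRC is Full mailbox access + Associated external account + Read permissions (the combination Exchange grants a master account on a linked mailbox), CCLCSDRC adds Delete mailbox storage, and CCLCSD drops Read permissions. The SID conversion is the piece that can be done portably from HP-UX; producing the full binary self-relative security descriptor that joe says the attribute actually stores is a separate step this example does not cover.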
RE: [ActiveDir] My endless question day continued- Exchange attri butes
As Rick said, it is tight security or ease of use. These things tend to be mutually exclusive. Good security is rarely easy. You are balancing between locked down and usability. But yes, in answer to your original question, it is not possible to have a completely locked down separation of duties between DAs and Exchange Admins in a single forest deployment. Yes, impossible. Microsoft did not build the products so this was possible. AD is specifically designed so that DAs can take control of anything. The permissions in Exchange and how they are laid out are such that you have to put a painful number of ACEs (including a bunch of denies) that are generally not good AD practices for SD handling.

The bare minimum would be like a 5.5 deployment. You have a NOS forest and you have an Exchange forest, the GAL data goes directly into the Exchange forest and it trusts the NOS forest for security principals. The more data you want in the NOS forest the more syncing that has to start happening. IMO, the Exchange forest should be completely locked down, and all provisioning should be done through good provisioning tools that log everything and people don't do things natively in the domain.

As to the other questions, yes, you need to set up a complete test environment. This should exist anyway, you should be testing all changes in it because any change could blow out any aspect of the functionality. While MS is generally pretty good about not blowing your functionality out of the water, it isn't unheard of and it is best to find that in the QA environment or test environment versus production. Further, IMO, anyone who allows auto updates to servers, especially servers with truly critical business functions should NEVER autoupdate for ANYTHING. Everything should be manually pushed after it is fully tested and known to be good and that way you can watch over the server as it updates and reboots or continues on its ways. If after doing 20 or 30 servers of one type and they are going well, you can lighten up a little and mass blast them to the same type of servers but anything else is a bit reckless in my opinion.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, August 12, 2005 4:30 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] My endless question day continued- Exchange attri butes

Rick,

Thanks for the response and of course you're right. The difficulty though lies with the complexity you refer to. Case in point Exchange Resource Forests. There's a lack of detailed documentation on the MS site. I've been looking at a dual forest solution with an E2k3 forest having an external trust to an account forest and I'm trying to establish what functionality, if any, Exchange-wise, is lost (compared to a normal single forest deployment). I know it's not a particularly common deployment scenario (unless maybe MCS are involved) and that this is an AD group ;-)... but I suspect, short of building a PoC environment or answers from the group, finding out things like mailbox delegation...whether FE/BE topology works etc, means test test test :-)

Mylo

Rick Kingslan wrote:

Mylo,

I'll answer this, and when joe gets back online later, I'm sure that he'll correct me. j/k joe!

In my mind, you have two choices - a secure and workable solution with separation with a potential of added complexity, or a much less secure, combined environment. I have a saying that goes with this: Security != Easy, or Security and ease of use are diametrically opposed. Everyone has to make decisions based upon what their sensitivity to risk is.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, August 12, 2005 11:55 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] My endless question day continued- Exchange attri butes

Apologies for jumping into a semi-dead thread with some OT questions ..

Joe, you mentioned the following:

Exchange never would have been brought into the main production forest, it would have been in a dedicated single domain resource forest that was entirely managed by the Exchange admins.

Are you saying that the Resource (Exchange) Forest is the only workable solution in your mind that provides the necessary separation? I can see it from the whole service autonomy and isolation argument, but the fact that you need to throw provisioning into the equation, issues such as potential single points of failure with MIIS/IIFP, added complexity etc surely that single AD forest/domain is more preferable :-)

Cheers,
Mylo

joe wrote:

In my last job we sort of did. I say sort of because you get the point where you are going against AD best practices in how many ACEs you are sticking in the directory. The mechanisms we were thinking about to get around some of the issues such as modifying property sets had PSS looking at us and shaking their