[ActiveDir] Richard Mueller's LastLogon.vbs
Has anyone used this? I kicked it off about a half hour ago and I can't tell if it's doing anything. The output.txt is still 0 bytes and the command line hasn't returned to me yet. It's acting hung but I don't know if it just takes a very long time or not. Any experiences with this script?

Thanks,
Russ

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] Richard Mueller's LastLogon.vbs
Yeah, it's building data into a dictionary object. It will pump everything into the text file when it's finished. I think it took about 15 minutes with 30,000 users and 4 DCs.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Friday, March 10, 2006 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Richard Mueller's LastLogon.vbs

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
RE: [ActiveDir] Richard Mueller's LastLogon.vbs
Doh. We have 12,000 users and 79 DCs. Should be interesting.

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Friday, March 10, 2006 8:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Richard Mueller's LastLogon.vbs
Re: [ActiveDir] 1025/tcp open NFS-or-IIS
Honestly? I have with servers, but haven't tried a DC in 2000. As noted in the next post, it has been shown to have good results in 2003 + SP1. In 2000 there were all kinds of undone or mostly done features that you'll find work much better in 2003 + SP1. My advice if you need this functionality is to bring it to 2003 + SP1 or don't try real hard to get it done. I know that business reasons can be brought up to get in the way, but I'm sure that reliability obtained through bug fixes is worth the extra effort in every case. 2000 was good, but 2003 is WAY better by far in its reliability and capabilities.

Al

On 3/10/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Al, do you have success with that rpc port limitation? With win2k, it did not work as advertised as I recall...

:m:dsm:cci:mvp
marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, March 09, 2006 9:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1025/tcp open NFS-or-IIS

1025/tcp is in the range of ephemeral ports. If it were some versions of BSD, that would be 1025-4999, but for Windows it is pretty much 1025-65535 (TCP in this case). RPC endpoints are typically negotiated and pick from the ephemeral ports that Windows has available (above 1024, or implicitly 1025-65535 with some exceptions). If you disable that port on a standalone machine, especially a DC, you can easily break its normal function or at least whatever is based on RPC connectivity. You *could* lock down the ports that the RPC endpoint mapper hands out, however, which would allow you to use some other port and thereby disable that port if you really wanted to for some reason. The end result is that when asked, your server would always hand out the same port number to communicate vs. picking one at random. Was there a particularly interesting reason you want to disable that access? From outside your network you certainly do, but any particular reason why you would on the machine?

Al

On 3/9/06, Ravi Dogra [EMAIL PROTECTED] wrote:

Hi,
Just wanted to know what is this and how disabling or enabling it can affect my DC?
--
Ravi Dogra

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Richard Mueller's LastLogon.vbs
I've had similar results, although I tend to customize after I get it to let me know it's in progress. You should be able to check the stats via Task Manager to see if it's still alive.

Al

On 3/10/06, Creamer, Mark [EMAIL PROTECTED] wrote:
RE: [ActiveDir] Richard Mueller's LastLogon.vbs
In Task Manager, assuming the script is not hung, cscript should be gradually consuming more and more chunks of memory, shouldn't it? That might be one way to tell. Sure makes the 2003 AD attribute a welcome change, doesn't it? :)

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Friday, March 10, 2006 9:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Richard Mueller's LastLogon.vbs
[ActiveDir] Individual admin accounts vs Generic admin account.
Dear collective,

In your esteemed opinions, is it better to have one central admin account which every member of the sysadmin team should use, or is it better to give every member of the team their own admin account?

I'm inclined towards giving people their own admin accounts, purely from an audit point of view, but I'm being told that it's better to have one central admin account, as it is easier to track which accounts have admin rights. I would have thought that NET GROUP would make that fairly obvious.

Am I missing something here?

--
AdamT
'Thank-you for not requesting read receipts'
RE: [ActiveDir] 1025/tcp open NFS-or-IIS
I hadn't tried it since 2000, since we didn't have much success. Basically DCs would fail replication because they were still picking ports out of ranges that were no longer supposed to be used. :) Well, I have all my DCs to 2003 SP1. I think I may give this a go again. I have a perfect opportunity at something I'd like to test. Are there any drawbacks related to this? Performance maybe?

:m:dsm:cci:mvp
marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, March 10, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1025/tcp open NFS-or-IIS
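As an added example (not from the thread, and not from any of the posters): the "lock down the ports the endpoint mapper hands out" idea Al describes, expressed as the registry settings a DC needs, followed by a portqry check against the endpoint mapper that shows whether every registered RPC listener now falls inside the chosen range. It assumes an elevated PowerShell session on the DC and the ActiveDirectory-era PortQry tool on the path; the port numbers and the host name dc01.example.local are constructed placeholders. The NTDS and Netlogon ports have their own settings because, as Marcus saw on Windows 2000, replication does not simply follow the general RPC range.

```powershell
# Added example: restrict the ports the RPC endpoint mapper offers, pin AD
# replication and Netlogon to fixed ports, and verify after the reboot.
# Assumes an elevated session on the DC. Port values are constructed choices.

$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$Range  = '50000-50199'      # constructed: a range of at least 100 ports above 5000

if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
# Ports is REG_MULTI_SZ; each entry is a single port or an inclusive range.
Set-ItemProperty -Path $RpcKey -Name 'Ports' -Value @($Range) -Type MultiString
# 'Y' means the listed range is the one offered to clients ('N' would mean "all except these").
Set-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -Value 'Y' -Type String
Set-ItemProperty -Path $RpcKey -Name 'UseInternetPorts'       -Value 'Y' -Type String

# AD replication (NTDS) and Netlogon negotiate their own ports and are pinned separately.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                 -Name 'TCP/IP Port' -Value 50300 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                 -Name 'DCTcpipPort' -Value 50301 -Type DWord
# A reboot is required before the new ranges are used.

# Verification: ask the endpoint mapper (port 135) for its registered endpoints and
# return any TCP port that is outside the allowed set. Empty output means success.
function Test-RpcPortRange {
    param([string]$Server, [int[]]$Allowed)
    $listing = & portqry.exe -n $Server -e 135 2>&1
    $bad = @()
    foreach ($line in $listing) {
        # PortQry prints endpoints as ncacn_ip_tcp:<address>[<port>]
        if ($line -match 'ncacn_ip_tcp:[^\[]+\[(\d+)\]') {
            $p = [int]$Matches[1]
            if ($Allowed -notcontains $p) { $bad += $p }
        }
    }
    return ($bad | Sort-Object -Unique)
}

# Placeholder host name; the allowed set is the RPC range plus the two pinned ports.
Test-RpcPortRange -Server 'dc01.example.local' -Allowed (50000..50199 + 50300 + 50301)
```

Keep the range generous: every RPC server on the box draws from it, so a range that is too small is the performance-related drawback Marcus asks about, showing up as services that cannot obtain a port rather than as slowness.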
RE: [ActiveDir] Individual admin accounts vs Generic admin account.
Every user MUST have their own admin account; you have ZERO accountability if you have generic accounts. The built-in admin IDs should be assigned insanely long, difficult passwords and locked in an envelope which is locked in an executive's safe. You shouldn't be giving so many people rights that it is hard to keep track of them. In fact, if you are talking about DA/EA accounts, you should be able to count all of the different people in the forest with those rights on one hand.

I once had a manager tell me I needed to produce a report of who had used a certain generic application admin ID at different times; I couldn't stop laughing. I wanted to ask him if he had installed the keyboard cam on every machine that was triggered by the attempts to log onto that account. Using generic IDs defeats every possible mechanism for personal accountability built into the OS.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AdamT
Sent: Friday, March 10, 2006 9:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Individual admin accounts vs Generic admin account.
RE: [ActiveDir] Individual admin accounts vs Generic admin account.
I take the following approach:

1. Assign admins a secondary account. Primary accounts are used to perform day-to-day stuff; admin accounts are used to perform priv operations. This allows for audit trails to be created, as you state, which help identify who made what change, when and how, etc.

2. Monitor and manage the memberships of the priv groups. Create a committee or similar who manage the AD from a strategic perspective. They own the priv groups and are responsible for vetting new admins and approving changes to the memberships of priv groups. Run regular reports showing who has membership of these groups and action any anomalies.

neil
___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AdamT
Sent: 10 March 2006 14:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Individual admin accounts vs Generic admin account.

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
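An added example of the regular report Neil's point 2 calls for (not code from any poster): it flattens the privileged groups with a recursive membership query, compares each member against an approved baseline the committee owns, and flags both unapproved members and approved admins who have gone missing; the per-group headcount is joe's "count on one hand" check. It assumes the ActiveDirectory module; the baseline account names and the report path are constructed placeholders.

```powershell
# Added example: privileged group membership report with baseline comparison.
# Assumes the ActiveDirectory module and read access to the groups.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

# Constructed baseline: the accounts the committee has approved for each group.
$Approved = @{
    'Domain Admins'     = @('adm-alice', 'adm-bob')
    'Enterprise Admins' = @('adm-alice')
    'Schema Admins'     = @()
    'Administrators'    = @('adm-alice', 'adm-bob')
    'Account Operators' = @()
}

function Get-PrivilegedGroupReport {
    param([string[]]$Groups, [hashtable]$Baseline)
    foreach ($g in $Groups) {
        # -Recursive flattens nested groups, so an account added two levels down still shows up.
        $members = @(Get-ADGroupMember -Identity $g -Recursive |
                     Where-Object { $_.objectClass -eq 'user' } |
                     Select-Object -ExpandProperty SamAccountName)
        foreach ($m in $members) {
            $status = if ($Baseline[$g] -contains $m) { 'approved' } else { 'UNAPPROVED' }
            [pscustomobject]@{ Group = $g; Member = $m; Status = $status }
        }
        # An approved admin who has vanished is an anomaly too: someone changed a priv group.
        foreach ($a in @($Baseline[$g])) {
            if ($members -notcontains $a) {
                [pscustomobject]@{ Group = $g; Member = $a; Status = 'MISSING' }
            }
        }
    }
}

$report = @(Get-PrivilegedGroupReport -Groups $PrivilegedGroups -Baseline $Approved)
$report | Export-Csv -Path 'C:\Reports\privgroups.csv' -NoTypeInformation   # placeholder path

# Headcount per group, then the rows the committee has to action.
$report | Where-Object { $_.Status -ne 'MISSING' } | Group-Object Group |
    Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'approved' } | Format-Table -AutoSize
```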
RE: [ActiveDir] OT: Netlogon Service
Run a portqry on ports 1024 and 1025 from the host to your DCs and from the server to the workstation to see if you get blocked responses. I have seen it where firewall and router jockeys like to block these ports because they are known ports that viruses use. The problem is the MS RPC service hits them first before dynamically selecting a higher port.

Todd Myrick

From: Ken Schaefer [mailto:[EMAIL PROTECTED]]
Sent: Fri 3/10/2006 2:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Netlogon Service

For all we know, someone did exactly what you did (connect remotely using administrative credentials) and disabled the services. Do you have logon auditing enabled? If so, have you checked to see who's logged onto the machine?

Cheers
Ken

From: [EMAIL PROTECTED] on behalf of Aaron Visser
Sent: Fri 3/10/2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Netlogon Service

Well, I know this is a little off topic, but I cannot find any answers, so I have decided that I need to tap into this huge fountain of knowledge.

Computer - Win XP Pro SP2, latest updates
Problem - Computer was working fine and all of a sudden after a reboot today I can no longer log in to it via the domain (it says that the Netlogon Service is not started). So I logged onto another computer and remotely connected to the computer through the Computer Management MMC snap-in and checked the Netlogon Service, and sure enough it was disabled, so I set it to Auto and then proceeded to start the service. But it will not start because it says that the RPC Locator Service (to the best of my recollection) needs to be started, so I check that and sure enough it is disabled also. So I try to start that service but it gives me some error that I cannot recall at this time.

Anyway, trying to make this story short, I am pretty sure that the computer in question was targeted from within the LAN remotely. So the big question or questions are: is it possible to attack a computer in this manner? If it is possible, does anyone have any info on how to accomplish this so that I can try and figure out how or what was used and maybe even nail the person (student) who did this.

Thanks,
Aaron
RE: [ActiveDir] Individual admin accounts vs Generic admin account.
IMO, individual accounts is the only way to go; this will make your life a whole lot easier when it comes to finding out who performed what and when (depending on what your audit settings are). You're just inviting trouble by using one centralized account!! :)

Thanks...

Sergio J. Olivarez - Contractor
GD-NS

-----Original Message-----
From: AdamT [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 10, 2006 7:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Individual admin accounts vs Generic admin account.
RE: [ActiveDir] Richard Mueller's LastLogon.vbs
OK, it finally finished, but it says this error and output.txt is still 0 bytes:

C:\Scripts>cscript //nologo lastlogon.vbs output.txt
C:\Scripts\lastlogon.vbs(143, 7) Provider: This operation returned because the the timeout period expired.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Friday, March 10, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Richard Mueller's LastLogon.vbs
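An added example, not Richard Mueller's script and not from any poster: the same job in PowerShell. lastLogon is not replicated, so each DC is queried for its own copy and the newest value per user is kept in a hashtable, which is what the VBScript's dictionary object is doing while the console stays silent; this version reports progress per DC and, unlike Russ's run, a single DC that times out is recorded and skipped instead of losing the whole collection. It assumes the ActiveDirectory module and rights to read lastLogon on every DC; the output path is a placeholder. (On 2003 forests the replicated lastLogonTimestamp Mark mentions avoids the per-DC sweep when a precision of about two weeks is enough.)

```powershell
# Added example: collect the non-replicated lastLogon attribute from every DC,
# keep the newest value per user, show progress, and survive a slow or dead DC.
# Assumes the ActiveDirectory module. Output path is a constructed placeholder.
Import-Module ActiveDirectory

$OutputPath = 'C:\Scripts\output.txt'   # placeholder path
$Latest     = @{}                        # sAMAccountName -> newest lastLogon (FILETIME, Int64)
$Failed     = @()

$DCs = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
$i = 0
foreach ($dc in $DCs) {
    $i++
    Write-Progress -Activity 'Collecting lastLogon' -Status "$dc ($i of $($DCs.Count))" `
                   -PercentComplete (100 * $i / $DCs.Count)
    try {
        # Each DC only knows about logons it authenticated itself, hence the sweep.
        Get-ADUser -Server $dc -Filter * -Properties lastLogon -ErrorAction Stop |
            ForEach-Object {
                $ft = [int64]$_.lastLogon      # 0 when this DC never saw the user log on
                $name = $_.SamAccountName
                if (-not $Latest.ContainsKey($name) -or $ft -gt $Latest[$name]) {
                    $Latest[$name] = $ft
                }
            }
    } catch {
        # One unreachable or slow DC (the timeout in the thread) must not discard
        # the values already gathered from the others; note it and carry on.
        $Failed += "$dc : $($_.Exception.Message)"
        Write-Warning "Skipping $dc : $($_.Exception.Message)"
    }
}

# Write the merged result; a FILETIME of 0 means no DC has a logon on record.
$Latest.GetEnumerator() | Sort-Object Name | ForEach-Object {
    $when = if ($_.Value -gt 0) { [DateTime]::FromFileTime($_.Value).ToString('s') } else { 'never' }
    '{0},{1}' -f $_.Name, $when
} | Set-Content -Path $OutputPath

if ($Failed.Count -gt 0) {
    # Anything listed here makes the 'never' rows above provisional, not final.
    Add-Content -Path $OutputPath -Value ('# DCs not queried: ' + ($Failed -join '; '))
}
```

With 79 DCs, some on slow links, expect the run time to be dominated by the slowest DC in each pass; the warning lines tell you which ones to chase rather than leaving a 0-byte file.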
RE: [ActiveDir] OT: Netlogon Service
Well, if they did, why wouldn't I be able to restart the services? I am thinking there is more to it than just someone stopping the ports, but I will look into the auditing, just to be sure.

Thanks,
Aaron

-----Original Message-----
From: Ken Schaefer [mailto:[EMAIL PROTECTED]]
Sent: Thu 3/9/2006 11:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Netlogon Service
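An added example of the check Ken suggests, written for the responder rather than the attacker and not taken from any post: the Service Control Manager logs event 7040 whenever a service's start type changes, so the System log says when Netlogon and the RPC Locator were set to Disabled and under which account, and with logon auditing enabled the Security log shows the logons that reached the machine in the hour before that. It assumes remote event-log access to the XP host and Windows PowerShell's Get-EventLog; the host name is a constructed placeholder. Event IDs 528 and 540 are the XP/2003 successful-logon IDs (540 is a network logon, which is what a remote Computer Management connection produces); 4624 is the Vista-and-later equivalent.

```powershell
# Added example: find when the services were disabled and who was logged on just
# before. Assumes remote event-log access; host name is a constructed placeholder.
$Computer = 'labws01'
$Services = 'Netlogon', 'Remote Procedure Call \(RPC\) Locator'   # regex-escaped display names

function Get-ServiceDisableEvents {
    param([string]$ComputerName, [string[]]$ServicePatterns)
    # Event 7040: "The start type of the <service> service was changed from <old> to disabled."
    Get-EventLog -ComputerName $ComputerName -LogName System -Source 'Service Control Manager' |
        Where-Object { $_.InstanceId -eq 7040 -and $_.Message -match 'to disabled' } |
        Where-Object { $m = $_.Message; @($ServicePatterns | Where-Object { $m -match $_ }).Count -gt 0 } |
        Select-Object TimeGenerated, UserName, Message
}

function Get-LogonsBefore {
    param([string]$ComputerName, [datetime]$Before, [int]$Minutes = 60)
    Get-EventLog -ComputerName $ComputerName -LogName Security -EntryType SuccessAudit `
                 -After $Before.AddMinutes(-$Minutes) -Before $Before |
        Where-Object { 528, 540, 4624 -contains $_.InstanceId } |
        ForEach-Object {
            # Logon type 3 = network (remote MMC, net use); 10 = remote interactive (Terminal Services).
            $type = if ($_.Message -match 'Logon Type:\s+(\d+)') { $Matches[1] } else { '?' }
            $src  = if ($_.Message -match 'Source Network Address:\s+(\S+)') { $Matches[1] } else { '-' }
            [pscustomobject]@{
                Time      = $_.TimeGenerated
                EventId   = $_.InstanceId
                LogonType = $type
                Source    = $src
                Message   = $_.Message
            }
        }
}

$changes = @(Get-ServiceDisableEvents -ComputerName $Computer -ServicePatterns $Services)
$changes | Format-List TimeGenerated, UserName, Message

if ($changes.Count -gt 0) {
    # Anchor the logon search on the earliest start-type change.
    $first = ($changes | Sort-Object TimeGenerated | Select-Object -First 1).TimeGenerated
    Get-LogonsBefore -ComputerName $Computer -Before $first |
        Format-Table Time, EventId, LogonType, Source -AutoSize
}
```

If the Security log shows nothing for that window, auditing was off (or the log was cleared, which XP records as event 517), and that finding is itself part of the answer to Aaron's question.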
RE: [ActiveDir] Individual admin accounts vs Generic admin account.
> being told that it's better to have one central admin account

I think you are being told this by someone who will eventually, through some means, obtain a privileged account, and who knows that he or she has a very good chance of screwing something up or doing something unethical. In cases like those a single admin account is perfect for that person. I have dealt with people like that before.

CYA
RE: [ActiveDir] Richard Mueller's LastLogon.vbs
Man, that's frustrating. I never had that issue, but it's probably because I have fewer DCs and they're all on fast links, 2 LAN and 2 T1.

mc

From: Rimmerman, Russ
Sent: Friday, March 10, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Richard Mueller's LastLogon.vbs

OK, it finally finished, but it says this error and output.txt is still 0 bytes:

C:\Scripts>cscript //nologo lastlogon.vbs > output.txt
C:\Scripts\lastlogon.vbs(143, 7) Provider: This operation returned because the timeout period expired.

From: Creamer, Mark
Sent: Friday, March 10, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Richard Mueller's LastLogon.vbs

In Task Manager, assuming the script is not hung, cscript should be gradually consuming more and more chunks of memory, shouldn't it? That might be one way to tell. Sure makes the 2003 AD attribute a welcome change, doesn't it :)

mc

From: Rimmerman, Russ
Sent: Friday, March 10, 2006 9:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Richard Mueller's LastLogon.vbs

Doh. We have 12,000 users and 79 DCs. Should be interesting. Thanks
RE: [ActiveDir] OT: Netlogon Service
Did someone link a new GPO or edit a GPO that affects the machine?
RE: [ActiveDir] Richard Mueller's LastLogon.vbs
Yeah, that is probably an LDAP timeout. Something you may consider is writing your own pair of scripts that call out to command line tools. Something like this, maybe:

Script 1
1. Script finds all DCs in a domain.
2. Dumps the list of DCs to a text file for Script 2.
3. Spawns a separate process for each DC with a query of all user objects and the lastLogon attribute in CSV format. Have the output redirected or sent to a file.

After Script 1 and all processes complete, you run Script 2.

Script 2
1. Read the file from Script 1 to find out what DC txt files should exist.
2. Look for all files; if some are missing, flag an error so they can be generated.
3. Parse through the files and build a hash/dictionary of all users and their lastLogon (plus the DC).
4. Output the info.

This can be broken up in a couple of ways. For instance, say you have hundreds or thousands of DCs: have them generate the Script 1 output for themselves and email it to a central location, or file copy, or ftp, or whatever, and then Script 2 just parses that out. Running this process in serial really makes no sense for larger environments. You really need to multiprocess it or distribute it. As for what you can parse out to: adfind, dsquery/dsget, ldifde, csvde, you name it.

I have a backburner project called OldOBJ that I keep flip-flopping on how I want to handle. I will probably have a combination approach available that lets you run a collector on each DC or run multiple threads to get the info; I haven't worked out all of the details yet. It keeps getting stuck back on the backburner because of so much other stuff being thrown at me at the moment.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
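The "Script 2" merge step described above, as an added example that is not from the thread or from joeware: per-DC CSV exports (constructed sample data; the column names sAMAccountName and lastLogon are assumed to be what Script 1 wrote) are merged into the highest lastLogon seen for each user, DCs whose export never arrived are flagged rather than silently treated as "no logons", and accounts with no logon inside a cutoff are listed. The FILETIME conversion follows lastLogon's encoding as 100-nanosecond intervals since 1601-01-01 UTC.

```python
"""Merge per-DC lastLogon exports (the thread's "Script 2").

lastLogon is not replicated between DCs: each DC only knows the logons it
authenticated itself and holds 0 for users it never saw, so the real last
logon is the maximum across every DC. Sample data below is constructed;
the CSV column names sAMAccountName,lastLogon are an assumption.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# lastLogon is a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    """Exact integer conversion (floats lose precision at 1e17 magnitudes)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(ft):
    """0 or empty means the DC never authenticated this user."""
    ft = int(ft)
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dc_export(text):
    """One DC's CSV export -> {samaccountname: filetime_int}."""
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        user = row["sAMAccountName"].strip().lower()
        raw = (row.get("lastLogon") or "").strip()
        result[user] = int(raw) if raw.isdigit() else 0
    return result


def merge_last_logon(expected_dcs, exports):
    """Steps 2 and 3 of Script 2.

    expected_dcs: DC names recorded by Script 1.
    exports: {dc_name: csv_text} that actually arrived.
    Returns (merged, missing): merged maps user -> (best_filetime, dc_that_saw_it);
    missing lists DCs without an export (their logons are unknown, not absent).
    """
    missing = sorted(dc for dc in expected_dcs if dc not in exports)
    merged = {}
    for dc, text in exports.items():
        for user, ft in parse_dc_export(text).items():
            best_ft, _best_dc = merged.get(user, (0, None))
            if ft > best_ft:
                merged[user] = (ft, dc)
            elif user not in merged:
                merged[user] = (0, None)  # present on a DC, never logged on there
    return merged, missing


def stale_accounts(merged, now, max_age_days):
    """Users whose best lastLogon across all DCs is older than the cutoff, or never."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for user, (ft, _dc) in sorted(merged.items()):
        when = filetime_to_datetime(ft)
        if when is None or when < cutoff:
            stale.append(user)
    return stale


# --- constructed sample: three DCs expected, dc3's export never arrived ---
def sample_ft(y, m, d):
    return datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))


SAMPLE_EXPECTED_DCS = ["dc1", "dc2", "dc3"]
SAMPLE_EXPORTS = {
    "dc1": "sAMAccountName,lastLogon\n"
           f"alice,{sample_ft(2006, 3, 1)}\n"
           "bob,0\n"
           f"carol,{sample_ft(2005, 9, 1)}\n"
           "dave,0\n",
    "dc2": "sAMAccountName,lastLogon\n"
           f"alice,{sample_ft(2006, 2, 15)}\n"
           f"bob,{sample_ft(2006, 3, 9)}\n"
           "carol,\n"
           "dave,0\n",
}
SAMPLE_NOW = datetime(2006, 3, 10, tzinfo=timezone.utc)


def run_sample():
    merged, missing = merge_last_logon(SAMPLE_EXPECTED_DCS, SAMPLE_EXPORTS)
    stale = stale_accounts(merged, SAMPLE_NOW, max_age_days=90)
    return merged, missing, stale


if __name__ == "__main__":
    merged, missing, stale = run_sample()
    for dc in missing:
        print(f"WARNING: no export from {dc}; rerun Script 1 for it before trusting results")
    for user, (ft, dc) in sorted(merged.items()):
        when = filetime_to_datetime(ft)
        print(f"{user:8} {when.isoformat() if when else 'never':25} {dc or '-'}")
    print("stale:", ", ".join(stale))
```

A DC in the missing list invalidates the stale list for that run: a user who only ever authenticates against the absent DC would otherwise look like a never-logged-on account.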
[ActiveDir] Monitoring DC's
We currently run Tivoli for monitoring and software distribution here (no, SMS and MOM are not an option). Right now there are talks about installing Tivoli endpoints on our Win2k3 DCs for monitoring those as well. How do people on this list feel about Tivoli for monitoring, specifically, and installing 3rd party software on a DC for monitoring things like FRS, DNS, DC availability, etc., in general?

Thanks
Re: [ActiveDir] 1025/tcp open NFS-or-IIS
Not that I'm aware of. Keep in mind that in normal operation, the RPC negotiation just agrees to the randomly picked port it will talk on (you contact the server and it picks a random port for you to continue conversations on, from the range above 1024 TCP), but if you hardcode the port, you're telling the negotiation to always pick that one vs. any random one. It's otherwise no different.

Al

On 3/10/06, [EMAIL PROTECTED] wrote:

I hadn't tried it since 2000, since we didn't have much success. Basically DCs would fail replication because they were still picking ports out of ranges that were no longer supposed to be used... :) Well, I have all my DCs at 2003 SP1... I think I may give this a go again. I have a perfect opportunity at something I'd like to test. Are there any drawbacks related to this? Performance maybe?

:m:dsm:cci:mvp
marcusoh.blogspot.com

From: Al Mulnick
Sent: Friday, March 10, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1025/tcp open NFS-or-IIS

Honestly? I have with servers, but haven't tried a DC in 2000. As noted in the next post, it has been shown to have good results in 2003 + SP1. In 2000 there were all kinds of undone or mostly done features that you'll find work much better in 2003 + SP1. My advice if you need this functionality is to bring it to 2003 + SP1 or don't try real hard to get it done. I know that business reasons can be brought up to get in the way, but I'm sure that reliability obtained through bug fixes is worth the extra effort in every case. 2000 was good, but 2003 is WAY better by far in its reliability and capabilities.

Al

On 3/10/06, [EMAIL PROTECTED] wrote:

Al, do you have success with that RPC port limitation? With Win2k, it did not work as advertised, as I recall...

:m:dsm:cci:mvp
marcusoh.blogspot.com

From: Al Mulnick
Sent: Thursday, March 09, 2006 9:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1025/tcp open NFS-or-IIS

1025/tcp is in the range of ephemeral ports. If it were some versions of BSD, that would be 1025-4999, but for Windows it is pretty much 1025-65535 (TCP in this case). RPC endpoints are typically negotiated and pick from the ephemeral ports that Windows has available (above 1024, or implicitly 1025-65535 with some exceptions). If you disable that port on a standalone machine, especially a DC, you can easily break its normal function, or at least whatever is based on RPC connectivity. You *could* lock down the ports that the RPC endpoint mapper hands out, however, which would allow you to use some other port and thereby disable that port if you really wanted to for some reason. The end result is that when asked, your server would always hand out the same port number to communicate on vs. picking one at random. Was there a particularly interesting reason you want to disable that access? From outside your network you certainly do, but any particular reason why you would on the machine?

Al

On 3/9/06, Ravi Dogra wrote:

Hi, just wanted to know what this is and how disabling or enabling it can affect my DC?

--
Ravi Dogra
RE: [ActiveDir] Monitoring DC's
Never used Tivoli. We run an open-source solution: OpenNMS on Linux. Provides real-time monitoring of services along with availability and bandwidth charts. Asset management. Paging, text and e-mail notification with escalation. Very customizable, very CHEAP and reliable.
RE: [ActiveDir] Individual admin accounts vs Generic admin account.
There's no way you should use a single admin account. You have no way to track who did what. Managing admin accounts and their group memberships is not difficult, certainly not as difficult as trying to figure out who screwed something up when the audit logs all say Administrator.

You shouldn't have that many admins to worry about anyway. I know several very large AD installations (100K users, 100s of sites, a few domains) and they have 2 or at most 3 domain admins per domain. Most organizations I've worked with give admins two accounts: a regular everyday account and an admin account that they use only when they need the extra privs. The admin account doesn't have email, and in some envs is restricted to logging in on a handful of highly locked-down workstations. This reduces the possibility of malware running under admin privs.

And I've worked with a couple of companies that use shared accounts (not just admin accounts), and it is a complete and utter nightmare from an administration and auditing standpoint.

-gil

-----Original Message-----
From: AdamT
Sent: Friday, March 10, 2006 7:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Individual admin accounts vs Generic admin account.

Dear collective,

In your esteemed opinions, is it better to have one central admin account which every member of the sysadmin team should use, or is it better to give every member of the team their own admin account? I'm inclined towards giving people their own admin accounts, purely from an audit point of view, but I'm being told that it's better to have one central admin account, as it is easier to track which accounts have admin rights. I would have thought that NET GROUP would make that fairly obvious. Am I missing something here?

--
AdamT
'Thank-you for not requesting read receipts'
RE: [ActiveDir] Monitoring DC's
Never used Tivoli. Nagios (open source) and MOM are a good combination for me.

Thanks,
Brian Desmond
RE: [ActiveDir] Monitoring DC's
Ran Nagios for a while but then found out OpenNMS runs circles around it in terms of capabilities. (No, I don't have any financial stake in pushing OpenNMS; just finally found something free that works better and is more reliable and customizable than most high-dollar apps.)
RE: [ActiveDir] Monitoring DC's
Never used Tivoli. From an RFP that an IBM vendor presented us a couple of years ago, I thought it was excessively complex, at least for our environment. Regardless of the product, if it installs an agent on your DCs and you don't control the monitoring framework, then you're creating an opportunity for a non-domain admin to become one.
Re: [ActiveDir] 1025/tcp open NFS-or-IIS
Hi, I would prefer not to play with this one. Actually, what I was doing is restricting a server to open only the required ports as per its role, and in this case I was not so sure about this port. Actually, I have been given the task to harden the servers we have. Kindly update me if you have any suggestions to harden the servers. What all topics should I cover? etc.

Thanks and Regards
Ravi Dogra
RE: [ActiveDir] Monitoring DC's
Personally, I hate Tivoli: big giant overly complex POS which seems to do a lot of things poorly instead of any one thing well. One company I was at tried it, tossed it out and sued IBM for their money back (millions) and got it; unfortunately they couldn't sue for the time the analysts spent trying to integrate it over several years, it would have been millions more. A few years later, with an ex-IBM sales manager now as CTO, they started integrating it again. It was being integrated about as successfully as it was the first time even though it was supposed to be "completely better now".

I fought the adding of it to the domain controllers at every step. It never got on them while I was there. The software delivery was installed at one point because it was part of the load; I simply disabled that after the folks running Software Delivery decided to run an audit against all of our DCs looking for disk space of the spinning disks that was requested by someone not in the Enterprise Admin group. I had been looking for an excuse and that was all I needed because it proved the point I had been arguing, which I will expand on below.

In general, I don't recommend any applications being installed on DCs that run as admin or LocalSystem that the Domain Admins do not completely and utterly control. Be it monitoring, software delivery, asset management, AV, directory synch (assuming the synch ID runs as admin or LocalSystem on DCs), etc. It makes no sense to run those things on DCs from a security standpoint. The moment you put the Tivoli agent (or MOM or SMS or AV or whatever) on a single DC, whomever admins the foreign application is now effectively a domain/enterprise admin as well. Any attack vectors into their monitoring servers, etc. are now all vectors into the core of your security for the Enterprise.

Basically you could have the greatest security practices in the world (barring this one) for your DCs and then some bonehead move over on the monitoring platform (because it isn't quite as critical to be secure, it is ONLY watching...) and bam, you can be utterly compromised.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] FYI: W2K3 SP1 VMWARE issue
Sorry to revive this one from the archives, but it's been haunting me. I've experienced the same issue when trying to promote a standalone W2K3 SP1 server to a domain controller. In an attempt to further uncover the root cause of this nuisance I would like to add the following.

This problem seems to affect Windows Server 2003 SP1 VMs running on VMware Workstation and ESX, even though ESX doesn't use shared folders (haven't tested on GSX). If the VMware Tools Shared Folders component is installed on a VM running on ESX (not the default VMware Tools installation on ESX hosted VMs) the issue still raises its ugly head. Also, a Windows Server 2003 (no SP1) standalone server with the Shared Folders option installed does not experience this symptom.

So, the question is: what changed in Windows Server 2003 SP1 that is causing this symptom/problem? And is it Shared Folders, or something in Windows Server 2003 SP1 that is incompatible with Shared Folders?

Regards,
Chuck

From: Almeida Pinto, Jorge de
Sent: Tuesday, January 17, 2006 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FYI: W2K3 SP1 VMWARE issue

Hi Everyone,

As you all may know, a few months ago I posted two issues with VMware and W2K3 SP1 DCs. The issues described are:
* Adding additional W2K3 SP1 DCs to the forest
* Creating trusts from a W2K3 SP1 forest to another forest (does not matter which OS)

Both issues are described here:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/14/60.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2005/12/18/297.aspx
http://www.activedir.org/article.aspx?aid=75

This time I was setting up an environment with a W2K forest and a W2K3 SP1 forest. When setting up the trust I received the error we discussed a while ago (see articles above). A few days ago someone posted which component caused this issue. The component in error seems to be the Shared Folders component from VMware (at least in VMware Workstation). This time, instead of changing the password of the administrator account, I uninstalled the Shared Folders component and rebooted the DC. After that I was able to create the trust without any problem. So, the Shared Folders component from VMware does seem to be the root cause of this.

Cheers,
Jorge

Kind regards,
Jorge de Almeida Pinto
Infrastructure Consultant
BLOG: http://blogs.dirteam.com/blogs/jorge/default.aspx
LogicaCMG Nederland B.V.
Re: [ActiveDir] FYI: W2K3 SP1 VMWARE issue
Chuck,

Is it still an issue in 2.5.2?

Mark
RE: [ActiveDir] Monitoring DC's
Irrespective of what you choose, I suggest you choose something and actually implement and use it. That'll put you in the top 1% (my guesstimate based on personal experience) of AD environments out there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, March 10, 2006 3:18 PM
To: activedirectory
Subject: [ActiveDir] Monitoring DC's

We currently run Tivoli for monitoring and software distribution here (no, SMS and MOM are not an option). Right now there are talks about installing Tivoli endpoints on our Win2k3 DCs for monitoring those as well. How do people on this list feel about Tivoli for monitoring, specifically, and about installing 3rd party software on a DC for monitoring things like FRS, DNS, DC availability, etc., in general?

Thanks
Re: [ActiveDir] Richard Mueller's LastLogon.vbs
I haven't used that particular script, but I second modifying the script to break the task up into smaller chunks.

On another note, my company has just launched the beta for our new software, which adds another tab in Active Directory Users and Computers to display accurate last logon information. The website is still in its infancy, but the beta is available for download. I'm looking for some beta users in larger environments.

Leroy
RE: [ActiveDir] Richard Mueller's LastLogon.vbs
Richard Mueller ended up helping me fix it. I had to change one line of code to say:

objCommand.Properties("Timeout") = 120

It increased the timeout value. Thanks to all.

From: [EMAIL PROTECTED] on behalf of Leroy Clark
Sent: Fri 3/10/2006 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Richard Mueller's LastLogon.vbs

I haven't used that particular script, but I second modifying the script to break the task up into smaller chunks.

Leroy
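As an added illustration of the approach discussed in this thread (this is not Richard Mueller's LastLogon.vbs nor code from anyone posting here), the script below queries each DC for the non-replicated lastLogon attribute with ADO paging and the 120-second Timeout from the fix above, keeps the newest value per user in a Dictionary, and writes output.txt only after all DCs are done. The DC names, base DN and the helper name Integer8ToDate are assumptions for the example.

```vbscript
' Added example, not Richard Mueller's LastLogon.vbs: ask every DC for lastLogon,
' keep the newest value per user in a Dictionary, write output.txt once at the end.
' DC names and base DN below are assumptions; replace them with your own.
arrDCs = Array("dc1.example.com", "dc2.example.com")
strBase = "dc=example,dc=com"
Set objDictionary = CreateObject("Scripting.Dictionary")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
' Paging fetches results in chunks of 1000 instead of one huge result set;
' Timeout (seconds) is the one-line change from the thread that cured the hang.
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 120
' lastLogon is not replicated, so each DC is queried and the maximum is kept.
For Each strDC In arrDCs
    objCommand.CommandText = "<LDAP://" & strDC & "/" & strBase & ">;" _
        & "(&(objectCategory=person)(objectClass=user));" _
        & "distinguishedName,lastLogon;subtree"
    Set objRecordSet = objCommand.Execute
    Do Until objRecordSet.EOF
        strDN = objRecordSet.Fields("distinguishedName").Value
        dtmLogon = Integer8ToDate(objRecordSet.Fields("lastLogon").Value)
        If Not objDictionary.Exists(strDN) Then
            objDictionary.Add strDN, dtmLogon
        ElseIf dtmLogon > objDictionary(strDN) Then
            objDictionary(strDN) = dtmLogon
        End If
        objRecordSet.MoveNext
    Loop
    objRecordSet.Close
Next
objConnection.Close
' Nothing is written until every DC has been read, hence the 0-byte file meanwhile.
Set objFile = CreateObject("Scripting.FileSystemObject").CreateTextFile("output.txt", True)
For Each strDN In objDictionary.Keys
    objFile.WriteLine strDN & ";" & objDictionary(strDN)
Next
objFile.Close

' Convert an Integer8 (100 ns ticks since 1601-01-01) to a UTC date; Null means never logged on.
Function Integer8ToDate(objDate)
    If IsNull(objDate) Then Integer8ToDate = #1/1/1601# : Exit Function
    lngHigh = objDate.HighPart
    lngLow = objDate.LowPart
    If lngLow < 0 Then lngHigh = lngHigh + 1   ' LowPart is a signed 32-bit value
    Integer8ToDate = CDate(#1/1/1601# + ((lngHigh * (2 ^ 32)) + lngLow) / 600000000 / 1440)
End Function
```

Dates are left in UTC; apply the local time zone bias if you need local times, and treat 1/1/1601 in the output as "never logged on" rather than as a real date.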
RE: [ActiveDir] FYI: W2K3 SP1 VMWARE issue
Yes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, March 10, 2006 6:42 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] FYI: W2K3 SP1 VMWARE issue

Chuck,

Is it still an issue in 2.5.2?

Mark
Re: [ActiveDir] FYI: W2K3 SP1 VMWARE issue
I haven't experienced any problems promoting W2K3 servers to DCs on VMware's new free VMware Server product. I think I'll take a look at it on ESX next week.
[ActiveDir] Securing that DC ( the physical question)
http://blogs.technet.com/steriley/archive/2006/03/10/421782.aspx (The Seattle Riley clan)