RE: [ActiveDir] DC Demotion & AD Site Configuration

2006-04-02 Thread joe
Some current uses have been listed; I expect we will see more and more uses
coming into play as folks move from just getting AD into place to really
taking advantage of it.

One interesting use I have seen of AD Sites was for an intranet web farm
that tracked where internal customers were tying in from. They matched all
of the logs to the subnet definitions to sites so they knew exactly who the
consumers of various sites were. I believe they were using the info for
planning purposes. 

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
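joe's web-farm use above, as an added example that is not part of the original post: each access-log client address is matched against AD subnet definitions longest prefix first, the way the DC locator resolves a client to a site, and clients in no defined subnet are counted separately. The subnet table and log lines are constructed; in a real run the table would be read from the subnet objects under CN=Subnets,CN=Sites,CN=Configuration and their siteObject attribute.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for the subnet objects under
# CN=Subnets,CN=Sites,CN=Configuration,... (cn = prefix, siteObject -> site).
SUBNET_TO_SITE = {
    "10.1.0.0/16": "HQSite",
    "10.1.50.0/24": "HQ-Lab",        # more specific prefix inside 10.1.0.0/16
    "10.2.0.0/16": "Branch-East",
    "192.168.100.0/24": "Branch-West",
}

# Constructed access-log lines (common log format; client IP is the first field).
ACCESS_LOG = """\
10.1.3.7 - - [30/Mar/2006:14:43:01 -0500] "GET /hr/index.aspx HTTP/1.1" 200 512
10.1.50.21 - - [30/Mar/2006:14:43:05 -0500] "GET /hr/index.aspx HTTP/1.1" 200 512
10.2.8.9 - - [30/Mar/2006:14:44:10 -0500] "GET /finance/ HTTP/1.1" 200 2048
172.16.9.4 - - [30/Mar/2006:14:45:00 -0500] "GET /finance/ HTTP/1.1" 200 2048
192.168.100.77 - - [30/Mar/2006:14:46:30 -0500] "GET /hr/index.aspx HTTP/1.1" 304 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<path>\S+)')


def build_subnet_table(mapping):
    """Parse each prefix once and sort longest prefix first, so the most
    specific AD subnet wins, mirroring how the DC locator matches clients."""
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_ip(ip_text, table):
    """Return the AD site whose subnet contains ip_text, or None when the
    address falls in no defined subnet (the case a site-aware app must handle)."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for network, site in table:
        if addr in network:
            return site
    return None


def sites_per_path(log_text, mapping):
    """Count requests per (path, site); clients outside every subnet are
    reported under 'UNDEFINED' so missing subnet definitions become visible."""
    table = build_subnet_table(mapping)
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        site = site_for_ip(m.group("ip"), table) or "UNDEFINED"
        counts[(m.group("path"), site)] += 1
    return counts


if __name__ == "__main__":
    for (path, site), n in sorted(sites_per_path(ACCESS_LOG, SUBNET_TO_SITE).items()):
        print(f"{path:20} {site:12} {n}")
```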
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stuart
Sent: Thursday, March 30, 2006 2:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Demotion & AD Site Configuration

I'm interested in this too, because every time I ask the question "do we need
a site if there's no DC there?" I get a different answer.

Can anyone list specific services that require sites and why they require
those sites?

Cheers.

On 3/31/06, David Adner [EMAIL PROTECTED] wrote:

 Not exactly.  The point of a site is to help concentrate site-aware 
 type apps and services so that users access their local/closest resources.
 Authentication to DCs (and getting GPOs and login scripts from them) 
 is just one potential service for this.  DFS and SMS are also site-aware.


  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of matheesha weerasinghe
Sent: Thursday, March 30, 2006 4:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Demotion & AD Site Configuration



 The whole point of a site is to have a DC in it, isn't it? Therefore
 you should clean up the unnecessary sites and associate subnets with the
 sites you want them to be a part of. The DC locator will only do its
 job correctly if DNS is right. DNS will be correct if you maintain a
 nice sites and services plan and clean up all other unnecessary records in
 DNS.

 In my opinion "a" is the way to go.

 M@


 On 30/03/06, James Carter [EMAIL PROTECTED] wrote:
 
 
  Hey guys,
  Single Windows 2003 Domain.
  I have 5 core sites and 70 branch offices. Each of the core sites hosts
  2 x DCs and each branch office has a DC.
  The design is legacy from NT4 whereby we had a BDC at each of the branch
  offices as they had slow WAN links at the time. During the upgrade,
  each of the BDCs was made a DC. Each DC is located in its own AD
  Site & IP Subnet defined.
  Our concerns are that some of these remote DCs are located in insecure
  environments, i.e. they are just a server sat in an unlocked closet in a
  business office environment.
  We've just completed a WAN upgrade and our links are a minimum of 1mb to
  each of the remote offices.
  This is good news for us, as we can now demote most of the remote DCs
  (about 60 of them).
  My question is regarding the cleanup process. We have 75 AD Sites created
  with a subnet assigned to each site. Once the demotion process takes
  place, will I need to
  a) add the IP subnet to the core site so that the branch office is
  serviced by the DCs located there and then delete the old AD Site
  which no longer holds a DC, or
  b) leave the AD site in existence with the IP Subnet assigned and let the
  DC locator service find a DC for the client to authenticate to? (This
  means I am left with a load of un-needed Sites in AD, I assume.)
  We also use DFS but are moving to DFS-R shortly.
  Thoughts anyone?
  Jim
 
 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Lingering Objects

2006-04-02 Thread joe

You will probably want to look at repadmin /removelingeringobjects; you can
find it listed in the expert help of repadmin.


I have a utility up on my website that can help find 
lingering objects as well, including some that repadmin won't find[1]. It is 
called GCCHK.

http://www.joeware.net/win/free/tools/gcchk.htm


 joe


[1] When Jorge comes back he can speak to this, he has been playing with it
quite a bit.



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
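As an added example that is not from any of the posts: a small parser for output in the shape of the repadmin /showreps fragment quoted below, which separates partners reporting result 8240 (the lingering-object symptom in KB 317097) from ordinary RPC outages. The sample output is constructed in the older format the post shows, and the error-name table covers only the two codes it contains.

```python
import re

# Constructed sample in the shape of the repadmin /showreps fragment quoted in
# the post; a real run lists every naming context and many more partners.
SHOWREPS_SAMPLE = """\
DC=duck,DC=com
    HQSite\\DC1 via RPC
        objectGuid: 2521a874-d379-4281-8744-4bd34c792026
        Last attempt @ 2002-01-21 16:10.54 failed, result 8240:
            There is no such object on the server.
        Last success @ (never).
    HQSite\\DC2 via RPC
        objectGuid: 7b0f3c1e-0c2b-4d6e-9f51-2a8b9c0d1e2f
        Last attempt @ 2006-03-30 14:02.11 was successful.
    Branch\\DC9 via RPC
        objectGuid: 3e5d9c0a-5f6e-4a7b-8c9d-0e1f2a3b4c5d
        Last attempt @ 2006-03-30 13:58.40 failed, result 1722:
            The RPC server is unavailable.
        Last success @ 2006-03-29 22:10.03.
"""

# Result codes as repadmin prints them (decimal Win32 error numbers).
ERROR_NAMES = {
    8240: "ERROR_DS_NO_SUCH_OBJECT",   # source offers an object the destination lacks
    1722: "RPC_S_SERVER_UNAVAILABLE",  # plain connectivity problem
}

NC_RE = re.compile(r"^(?:DC|CN|OU)=\S+$")
PARTNER_RE = re.compile(r"^\s*(?P<partner>[^\s\\]+\\\S+) via (?P<transport>\S+)\s*$")
ATTEMPT_RE = re.compile(r"^\s*Last attempt @ (?P<when>\S+ \S+) failed, result (?P<code>\d+):")
SUCCESS_RE = re.compile(r"^\s*Last success @ (?P<when>.+?)\.?\s*$")


def parse_showreps(text):
    """Return one dict per inbound partner: naming context, partner, transport,
    failure code of the last attempt (None if it succeeded) and last success."""
    partners, current, nc = [], None, None
    for line in text.splitlines():
        if NC_RE.match(line):
            nc = line.strip()          # naming context header, e.g. DC=duck,DC=com
            continue
        m = PARTNER_RE.match(line)
        if m:
            current = {"nc": nc, "partner": m.group("partner"),
                       "transport": m.group("transport"),
                       "code": None, "last_success": None}
            partners.append(current)
            continue
        if current is None:
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            current["code"] = int(m.group("code"))
            continue
        m = SUCCESS_RE.match(line)
        if m:
            current["last_success"] = m.group("when")
    return partners


def failing_partners(partners):
    """(nc, partner, code, error name, last success) for every partner whose
    last attempt failed, so the 8240s stand out from ordinary RPC outages."""
    return [(p["nc"], p["partner"], p["code"],
             ERROR_NAMES.get(p["code"], "UNKNOWN"), p["last_success"])
            for p in partners if p["code"] is not None]


def lingering_object_suspects(partners):
    """Partners reporting 8240: the source DC is offering an object the
    destination does not have, i.e. a candidate for the lingering-object
    tooling named above (repadmin /removelingeringobjects, gcchk)."""
    return [p["partner"] for p in partners if p["code"] == 8240]


if __name__ == "__main__":
    parsed = parse_showreps(SHOWREPS_SAMPLE)
    for row in failing_partners(parsed):
        print(row)
    print("lingering-object suspects:", lingering_object_suspects(parsed))
```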

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 30, 2006 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lingering Objects

I have many problems with lingering objects. I would like to solve them. I
receive this message when I use repadmin /showreps:

  HQSite\DC1 via RPC
    objectGuid: 2521a874-d379-4281-8744-4bd34c792026
    Last attempt @ 2002-01-21 16:10.54 failed, result 8240:
    There is no such object on the server.
    Last success @ (never).

I have read this MS article (http://support.microsoft.com/?id=317097 -
Lingering objects prevent Active Directory replication from occurring). How
can I discover which object that is and how to delete it? Can I find a server
that does not have the object to rehost from? Does anyone have anything else
about this problem? I have many (about 165) DCs with about 80 GCs. I have
many problems with replication. The Strict Replication Consistency 0 is
making things better, but in some of them the problems remain. I wait for
your help...

Adrião Ferreira Ramos
Information Technology Superintendency
Operations and Infrastructure Dept. - CII
[EMAIL PROTECTED]
11 - 3388-8193
RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

2006-04-02 Thread Nicolas Blank

Haven't lurked on the list for a while, so apologies if I'm asking the
already answered, however:

Bearing in mind the non-goals of the paper, i.e.:

- Finding a precise database size at which the 64-bit version becomes more
  advantageous than the 32-bit version.
- Finding a precise amount of RAM to optimize caching the database.

Any prescriptive guidance on these, bearing in mind that most of our DITs
contain more than just user info? Also, how do multiple processors affect
64-bit DC performance?

What about DC-specific settings in 64-bit environments, do these change at
all, since larger cache configurations are assumed? The thinking here is that
you wouldn't bother with 64-bit DCs without the extra memory.

From: Grillenmeier,
Guido [mailto:[EMAIL PROTECTED]]

Sent: 02 April 2006 09:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active
Directory Performance for 64-bit Versions of Windows Server 2003

Although nothing official, we've done testing HP-internally and were quite
comfortable using a single well-sized 64-bit DC (well-sized meaning our whole
DIT cached in memory) serving one of our sites with approx. 4 Exchange Mbx.
servers (I believe all dual-proc) with a total of 20.000 mailboxes. It worked
like a charm.

/Guido

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sonntag, 2. April 2006 09:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active
Directory Performance for 64-bit Versions of Windows Server 2003

And silence swept the community as
Microsoft folks dived under desks searching for dropped pens

I second this request
pleasethankyouverymuch.

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Olson
Sent: Friday, March 31, 2006 12:30
PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active
Directory Performance for 64-bit Versions of Windows Server 2003

Thanks. Looks like a really great white paper. Anything in the works to
provide updated DC sizing for Exchange?

Thanks again.

Jeremy



On 3/30/06, Steve
Linehan [EMAIL PROTECTED]
wrote: 

Since it has been asked many times on the alias when a paper will be
released detailing the scenarios when deploying 64-bit servers for Active
Directory makes sense and providing detailed analysis and numbers, I thought
everyone would be happy to know that the Active Directory Program Management
and Development teams have released the following White Paper: Active
Directory Performance for 64-bit Versions of Windows Server 2003,
http://www.microsoft.com/downloads/details.aspx?FamilyID=52e7c3bd-570a-475c-96e0-316dc821e3e7&DisplayLang=en.

Thanks,

-Steve

Re: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

2006-04-02 Thread Rodrigo Blanco
Freddy,

is there any standard way (tools included in the W2K3 OS) to verify the
SID of a machine? I am not allowed to install or use any external
software, such as Sysinternals, for instance.

Joe,

I believe that the application is using the WINSOCK API too. TCP/IP is
working fine and the settings are just as they should be... :-/ So I
will do a regmon on a good machine and extract the differences with
mine.

Thank you very much,
Best regards,
Rodrigo.

On 02/04/06, joe [EMAIL PROTECTED] wrote:
 I believe that tool is using the gethostname WINSOCK API call; I expect you
 are hitting an error and it isn't handling it gracefully.

 Is TCP/IP working properly on that machine? Are all of the TCP/IP settings
 correct?

 If everything looks ok, I would recommend running regmon on a known good
 machine and then do the same on the troublesome machine and see what the
 differences are in the requests, you might get a hint there.

joe


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rodrigo Blanco
 Sent: Tuesday, March 28, 2006 6:54 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD
 domain

 Hello list,

 I am currently having a problem with a Windows 2003 server inside a Windows
 2003 server-based Active Directory domain. The problem is that when I run
 the hostname command, it is empty:

 C:\>hostname

 C:\>

 I suspect this happened after doing a clone of the VM machine and, by error,
 starting it and changing its name in the same network of the original one
 (this should have happened in an off-line network).

 I have tried to take it out of the domain and register it again in it, but
 this will not help. There is no conflict between the DNS and the local hosts
 file on the server. The server is registered in both the direct and inverse
 DNS lookup zones.

 If I look in System > Properties > Computer Name, everything looks
 fine: hostname and domain are correctly configured.

 Any help will be more than welcome.

 Thanks in advance and best regards,
 Rodrigo.


RE: [ActiveDir] OT: TechEd 2006 topics

2006-04-02 Thread joe
:o)

No but I would be curious what they tell people. eg

I write tools for non-coders, not set up classes. :) 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, March 18, 2006 6:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: TechEd 2006 topics

Scripting for IT Professionals Who Can't Write Code
*Track(s):* Management & Operations
https://www.msteched.com/content/sessions.aspx

Okay who put that one into Teched 2006?

Joe?  Did you do that one for us non coders?

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] CNF entries and LDIFDE.

2006-04-02 Thread Ulf B. Simon-Weidner



Excellent writing buddy - hope you are keeping snippets like this for the
fourth edition ;-)

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org


  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, April 02, 2006 5:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CNF entries and LDIFDE.
  
Howdy.

At DEC I was approached concerning a problem an admin was having with LDIFDE
and importing CNF (conflict) objects; basically LDIFDE hits an error and
stops when it processes one of these DNs. That is not generally the result
you are looking for. It certainly puts a crimp in your productivity for the
day if it keeps happening and you can't stop it.

First some background: these objects appear when an object is created with
the same DN on multiple DSAs (Directory Service Agents, aka DCs or ADAM
instances) within the same replication convergence interval. They replicate
and eventually collide and, following standard collision rules, the loser
gets marked with a newline (\0A), the string literal 'CNF:' and the
objectGUID value in friendly format. Looking something like

CN=collision\0ACNF:efc83ba9-412f-452e-ad49-72f91d31c201,CN=Users,DC=duck,DC=com

The winner of the collision is usually determined by the timestamp of the RDN
on the various servers, because the version of the RDN of both objects is
almost always 1, making the version slightly less than helpful for the
comparison. Note I was careful not to say the second one created will win; it
is the one with the later timestamp. If servers are out of sync in time with
each other, it could confuse the situation. However, assuming you have a good
time structure, the object created first should be renamed and the object
created second will have the "clean" name.

So the problem with LDIFDE is related to that darn NEWLINE character. That
isn't something you can generally import in for a name, and Microsoft
specifically used that character to get your attention. When LDIFDE tries to
import an object like that the DSA says "No way Jose!". Well, it is a little
more professional and says NAMING_VIOLATION with an error of 200B, which is

G:\granamigodelpato>err 200b
# for hex 0x200b / decimal 8203 :
  ERROR_DS_INVALID_ATTRIBUTE_SYNTAX                              winerror.h
# The attribute syntax specified to the directory service
# is invalid.
# 1 matches found for "200b"

You do occasionally (or more or less often - YMMV) get these objects in your
directory. As a general rule, clean them up when you find them. How you do
that is very specific to the objects; you will have to use some judgement and
try to figure out which is the right object to keep, the non-CNF stamped
object or the CNF stamped object. About the only incorrect answer here is to
say that you always keep one or the other simply based on whether it has the
CNF or not. As the name indicates they are indicative of a collision and they
are a mechanism to protect you from something that could possibly have really
hurt. Don't like collision objects you say?? Consider the alternatives, which
are that something disappears or you get some sort of odd amalgamation of two
different objects. Both of those alternatives suck because they are much
worse than just having a CNF object. With a CNF object at least you have
something you can detect and have a fighting chance to correct.

So the admin is having troubles importing the objects because he keeps
hitting CNF objects. It would be nice if LDIFDE handled this situation
gracefully. And guess what... it can. :o) The latest version of LDIFDE, which
is in the ADAM SP1 or R2 release, has a version of LDIFDE dated 2005/11/23
with a file version of 1.1.3790.2075 which has a '-z' option which tells
ldifde to continue importing regardless of errors.

Very cool, yet another reason for you to download ADAM SP1 or dig it off your
R2 CDs. However, do you really want to always do that? I mean come on, keep
on going regardless of errors... That is equivalent to the VBScript ON ERROR
RESUME NEXT programming mechanism and we don't even have ERROR levels so we
can really check to stop our process midstream and correct.

So the "right" solution in my mind if you have CNF objects is to clean them
up. If that isn't feasible at the time or you already have the LDIF dump you
need to import, clean up the file prior to import. This can be done by hand
with notepad or, if you have a 600MB LDIF file like the admin in question
did, you will want to script it. Below is a simple script to do this cleanup.
It takes the name of an input LDIF file and the
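joe's script is cut off in the archive above, so what follows is an added example and not his code: a Python cleanup with the same job, dropping every LDIF record whose DN carries the \0ACNF:<guid> marker before import. It unfolds LDIF continuation lines and also checks base64 (dn::) DNs; the sample LDIF, the GUIDs in it and the file-name handling in main() are constructed.

```python
import base64
import re
import sys

# A conflict RDN carries a newline (escaped as \0A in the DN string), the
# literal 'CNF:' and the objectGUID, exactly as in the DN quoted in the post.
CNF_MARKER = re.compile(
    r"\\0ACNF:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
    re.IGNORECASE,
)

# Constructed sample LDIF: a clean object, its CNF-stamped loser, a CNF DN in
# base64 (dn::) form, and a folded DN that spans two lines. GUIDs are made up.
_B64_DN = base64.b64encode(
    b"CN=dupe\nCNF:0a1b2c3d-1111-2222-3333-444455556666,CN=Users,DC=duck,DC=com"
).decode("ascii")
SAMPLE_LDIF = f"""\
dn: CN=collision,CN=Users,DC=duck,DC=com
changetype: add
objectClass: user
cn: collision

dn: CN=collision\\0ACNF:efc83ba9-412f-452e-ad49-72f91d31c201,CN=Users,DC=duck,DC=com
changetype: add
objectClass: user
cn: collision

dn:: {_B64_DN}
changetype: add
objectClass: user
cn: dupe

dn: CN=Alice Example,CN=Users,DC=duck,
 DC=com
changetype: add
objectClass: user
cn: Alice Example
"""


def iter_records(lines):
    """Yield LDIF records as lists of raw lines; blank lines separate records."""
    record = []
    for line in lines:
        if line.strip() == "":
            if record:
                yield record
                record = []
        else:
            record.append(line.rstrip("\r\n"))
    if record:
        yield record


def record_dn(record):
    """Unfolded DN of a record, decoding the 'dn::' base64 form.
    Returns None for records without a dn line (e.g. a 'version: 1' header)."""
    dn_lines = []
    for line in record:
        if dn_lines and line.startswith(" "):      # folded continuation line
            dn_lines.append(line[1:])
        elif dn_lines:
            break
        elif line.lower().startswith("dn:"):
            dn_lines.append(line)
    if not dn_lines:
        return None
    dn = "".join(dn_lines)
    if dn[:4].lower() == "dn::":
        # base64 form: a raw 0x0A byte in the value; re-escape it as \0A so the
        # same marker test applies to both encodings.
        raw = base64.b64decode(dn[4:].strip()).decode("utf-8")
        return raw.replace("\n", "\\0A")
    return dn[3:].strip()


def is_cnf_dn(dn):
    return dn is not None and CNF_MARKER.search(dn) is not None


def strip_cnf_records(ldif_text):
    """Return (cleaned_ldif, list_of_dropped_dns); kept records are untouched."""
    kept, dropped = [], []
    for record in iter_records(ldif_text.splitlines()):
        dn = record_dn(record)
        if is_cnf_dn(dn):
            dropped.append(dn)
        else:
            kept.append("\n".join(record))
    return "\n\n".join(kept) + "\n", dropped


def main(argv):
    """Usage: strip_cnf.py input.ldf output.ldf (argument handling is assumed)."""
    if len(argv) != 3:
        print("usage: strip_cnf.py <input.ldf> <output.ldf>")
        return 2
    # ldifde writes ANSI by default and UTF-16 with -u; pick the encoding to match.
    with open(argv[1], encoding="utf-8") as fh:
        cleaned, dropped = strip_cnf_records(fh.read())
    with open(argv[2], "w", encoding="utf-8") as fh:
        fh.write(cleaned)
    for dn in dropped:
        print("dropped:", dn)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Records that only reference a CNF object (a group's member values, for instance) are left alone, so an import can still fail on those; the dropped DNs are printed so each collision can be resolved in the directory itself rather than just skipped.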

RE: [ActiveDir] When and how often are EA rights needed?

2006-04-02 Thread joe
During the writing/reviewing of the AD Delegation whitepaper there was a
considerable amount of discussion amongst those of us involved around the
logic of delegating EA rights. It has been a while but I believe that the
general consensus came down to exactly what neil is describing. It is better
to manage these permissions by having a very small very trusted group than
trying to parse the permissions out because in the end, you will probably
end up parsing those permissions out to the same few people anyway. Allowing
folks not absolutely responsible for replication/etc to manipulate the sites
and subnets is a pretty perverted way to get your kicks, at least in my
book. 

Back in the old days when I did AD ops... ;o) We had three engineers and one
manager, each of whom had an admin ID in each domain of the forest. These
same folks all had normal user IDs as well and preferably the passwords were
not in sync. The proper ID was used for the task at hand, generally, the
normal userids were used a majority of the time right up until something
needed to be modified. Other than that there was VERY limited delegation for
such things as setting descriptions or membership on groups and setting
descriptions on server computer accounts. Most object creates were either
handled by the domain admins or the provisioning system. Workstations
created their own accounts during the scripted build process.

As an aside, with every passing DEC which is obviously fresh in my mind
right now I see delegation becoming less and less important as using
provisioning becomes more and more important. The delegation model while
cool, has too many other shortcomings which proper provisioning handles. I
am pretty vocal in my dislike of MIIS/IIFP due to its SQL requirements (I
would like black box ESE please) but during the MVP RoundTable at DEC even
I thought the answer to the first several questions was MIIS which gave me a
start. I don't see direct delegation dropping off the map tomorrow as a
viable protection mechanism, but as I mention above I truly see its
usefulness (and consequently, its use) in the future becoming more and more
limited. The easier the provisioning gets to configure and manage, the
faster this will occur. 

Personally I would like to see more power in AD delegation and triggering
and rules but if I am honest with myself visualize IIFP/MIIS getting more
closely integrated into AD and practically running itself to provide those
functions. 

I actually told Stuart Kwan of the Ottawa Kwan Clan up on the stage that I
finally realized I needed to seriously start playing with MIIS. He chuckled.
But I still want ESE in the backend.

   joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, March 15, 2006 3:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When and how often are EA rights needed?

Granted, they do not come close. 

My point is that if you can manage sites and subnets and replication etc,
then you are acting as tho you were an EA and the custodian of the forest. I
would rather have a dedicated team of EA people and that the enterprise wide
components (such as the above) are managed by these folk and *no others*.
That's why I consider anyone with the rights to change
sites/subnets/replication to be an EA equivalent.


Thanks for all the comments - even though I didn't receive too much backing
and extra ammo :)

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 15 March 2006 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When and how often are EA rights needed?

IMHO, if you have rights to do all the above, you are an EA 
equivalent any
way :)

These rights do not even come close to equaling EA in any sense.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of
[EMAIL PROTECTED]
Sent: Tue 3/14/2006 9:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When and how often are EA rights needed?


Case study: One client of mine (100k employees) has only three accounts in
the EA group, which in their case is in a dedicated forest root.  I don't
believe they've used the accounts in over a year.  Another client (global
financial services company) has ONLY the default Administrator account in
EA, and that account has had a three-way password created:  three admins
each entered PART of a password, the password pieces were put into an
envelope in a physically secure location in Europe and another in N. America.
AFAIK they haven't used it since they locked the account down.

 

So how do they manage and t.shoot 

RE: [ActiveDir] When and how often are EA rights needed?

2006-04-02 Thread joe



Rocky you are like a pit bull with the whole Dedicated 
Forest Root Topic. 

I love it, keep it up. 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, March 14, 2006 12:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When and how often are EA rights needed?

Dan,

Thanks for posting this. Now ... could you spend just a minute giving us the
top three reasons (if there are any at all) why one would have a Dedicated
Forest Root domain versus just a single domain.

I personally would appreciate it ...

Thank you again.

RH
___

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
  Sent: Tuesday, March 14, 2006 11:51 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] When and how often are EA rights needed?
  
  EA rights, once a forest is deployed and delegated, are needed only for "in
  case of emergency, break glass", i.e. pretty much never. When you're talking
  EA, you're pretty much talking the Administrator account of the forest root
  domain (first domain installed), so think of them as one and the same; you
  will be locking down that Administrator account to lock down EA. Either it's
  the ONLY account in the EA group (default) or any other account in EA should
  be locked down pretty much equivalently.

  The break glass scenario is, particularly in a multi-domain forest, someone
  does some nasty delegation (ACL modification) that effectively locks out an
  OU. Just like you could, theoretically, lock yourself out of an NTFS folder.
  Just like an NTFS folder, the owner of the folder ALWAYS can change the ACL,
  and open it back up again. In AD the owner is EA; it owns the forest. So,
  one container at a time, EA will be able to dig down and unblock.

  Case study: One client of mine (100k employees) has only three accounts in
  the EA group, which in their case is in a dedicated forest root. I don't
  believe they've used the accounts in over a year. Another client (global
  financial services company) has ONLY the default Administrator account in
  EA, and that account has had a three-way password created: three admins each
  entered PART of a password, the password pieces were put into an envelope in
  a physically secure location in Europe and another in N. America. AFAIK they
  haven't used it since they locked the account down.

  Read the MS doc "Best practices for AD Delegation" to effectively delegate
  your forest, PARTICULARLY if you have more than one domain in your forest.
  The things that tend to get missed that impact day-to-day or even occasional
  operations are things like delegating the creation of sites, subnets, and
  site links; the ability to kick off replication (not recommended, but...);
  and authorizing new DHCP Servers. I'm sure that others on the list will have
  other tips as well.

  Dan
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Tuesday, March 14, 2006 9:29 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] When and how often are EA rights needed?
  
  
  We're trying to understand when EA rights are needed within a multi domain
  forest, where each domain represents a fairly autonomous region.

  Mgmt have suggested that the following is true:
  - EA not needed on daily basis
  - EA rights rarely needed after initial deployment

  Can anyone please throw a few reasons at me why you would need EA rights on
  a daily basis? Troubleshooting? Diagnosis?
  How would you be impacted if you had to request access to an EA account
  each time it was required?

  I'd like to build a case whereby we have permanent EAs and would like some
  additional ammo from you guys :)
  ***Feel free to argue against my views and explain to me how/why you
  *could* manage a forest such as the above, without access to an EA account
  on a daily basis.
  Thanks, neil
  

RE: [ActiveDir] Securing that DC (& the physical question)

2006-04-02 Thread joe

I probably shouldn't respond as I haven't read what Steve 
said (I prefer him live versus memorex) but I can "see" geographic forests as an 
implementation design. Not sure I like it a lot but I can see the angle. 
Exchange I would then pull out into its own separate resource forest that 
trusted all of the geographic forests. Multiforest Exchange within a single 
company isn't something I would consider optimal with the current design. If you 
have a heavily distributed Exchange environment that probably won't work so well 
but if centralized to main data centers it could be quite decent. 


Depending on the size, I would say my first choice is 
single forest single domain assuming the DAs are also in charge of Exchange. If 
you need separate admins for Exchange (outsourced, too much workload, etc) then 
multiple forest with an Exchange Resource forest starts getting tasty quickly. 
The geographic forest thing would come into play only if there was so much
political posturing and infighting that I couldn't get the admins locked down
to a small single management chain set. I would rather have multiple forests with
different admins than multiple domains in a single forest with different admins. 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, March 14, 2006 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Securing that DC (& the physical question)

I guess you're right that trying to talk to sriley via written comm is 
klunky. This was his last response
===
I guess I'm having difficulty understanding the specific scenarios you've 
got in mind. In my own world (Microsoft corpnet), I live with multiple forests 
just fine. And I've known customers for whom multi-forest deployments work 
smoothly. Regarding my 60-second design, many of the customers I work 
with tend to manage environments regionally -- it's their business model and 
administrative model. Like I said, it's one suggestion among many, one that's 
worked well for some organizations. ===

That's a lot different than what he wrote. Maybe we should have him meet 
bpuhl and find out how they manage those multiple forests, the custom code that 
goes into it, the lack of folder sharing in Exchange and any other issues that 
multi-forests bring up? Maybe not. Maybe we should just believe that 
sriley means well but is misunderstood (as am I apparently; so who am I to pick? 
) :) 

Interesting though. 
On 3/13/06, Steve 
Evans [EMAIL PROTECTED] 
wrote: 

  
  Yeah I 
  forget about the geography == forest sentence. I read the blog post a 
  few days ago and didn't go back in read it before I chimed in. 
  
  
  I have 
  heard him say several times, in several different contexts's (sp?), his 30 
  second version of how to migrate from NT4 to AD, and then goes on about how 
  much better AD is and everyone has to just get over the hump, etc, etc. 
  
  
  Steve is 
  much better giving a presentation than the written word (at least short 
  written word). His ideas usually take a good 20 minutes to get 
  across. ~5 minutes reading a blog post usually ends up with a bunch of 
  people arguing about what he was really trying to say. 
  
  Steve Evans
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
  Sent: Monday, March 13, 2006 12:02 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Securing that DC (& the physical question)
  
  
  
  Interesting. They've (Microsoft) said for years not to use your 
  internally protected AD forest for external usage. (side note: Steve has 
  in the past maintained that network boundaries are useless and that there 
  should be the trusted network and the internet without any of this DMZ 
  stuff. In short, I think differently. This is not the first time I've 
  had to ask questions to fully understand what Steve is getting at. He's 
  a very smart individual and it pays to listen to what he has to say.). 
  They've also mentioned many times that the forest is the security 
  boundary. 
  
  I did read Steve's blog to indicate that he is suggesting a security 
  boundary per geographic boundary might make more sense. I read that in 
  contrast to the way you see it as " there may be some good reasons to have 
  multiple forests." They've said that for years. Trust me on that. 
  
  
  Keep in mind that when Windows 2000 came out, Microsoft honestly believed 
  that everyone would work from a single directory and would discard all other 
  directories in favor of Windows 2000 Active Directory. They heavily sold 
  the idea of reduced administration as one reason you would want this single 
  directory. They also built one of their flagship applications (Exchange) 
  on top of this single directory. They've done a stellar job of 
  accomplishing that vision (which by the way has been a goal of the messaging 
  industry for 

RE: [ActiveDir] CNF entries and LDIFDE.

2006-04-02 Thread joe



Glad you like it Ulf. I keep everything I write so I can go 
back and read how silly I was. :o)

I don't know about a fourth edition, but it will definitely 
reappear somewhere at some point.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Sunday, April 02, 2006 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CNF entries and LDIFDE.

Excellent writing buddy - hope you are keeping snippets 
like this for the fourth edition ;-)

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz 
Weblog: http://msmvps.org/UlfBSimonWeidner 
Website: http://www.windowsserverfaq.org 
Profile: http://mvp.support.microsoft.com/profile


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Sunday, April 02, 2006 5:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] CNF entries and LDIFDE.
  
  Howdy.
  
  At DEC I was approached concerning a problem an admin was having with 
  LDIFDE and importing CNF (conflict) objects, basically LDIFDE hits an error 
  and stops when it processes one of these DNs. That is not generally the result 
  you are looking for. It certainly puts a crimp in your productivity for the 
  day if it keeps happening and you can't stop it.
  
  
  First some background, these objects appear when an object is created 
  with the same DN on multiple DSAs (Directory Service Agents aka DCs or ADAM 
  instances) within the same replication convergence interval. They replicate 
  and eventually collide and following standard collision rules, the loser gets 
  marked with a newline (\0A), the string literal 'CNF:' and the objectGUID 
  value in friendly format. Looking something like
  
  CN=collision\0ACNF:efc83ba9-412f-452e-ad49-72f91d31c201,CN=Users,DC=duck,DC=com
  
  The 
  winner of the collision is usually determined by the timestamp of the RDN on 
  the various servers because the version of the RDN of both objects is almost 
  always 1 making the version slightly less than helpful for the comparison. 
  Note I was careful not to say the second one created will win, it is the one 
  with the later timestamp, if servers are out of sync in time with each other, 
  it could confuse the situation. However, assuming you have a good time 
  structure, the object created first should be renamed and the object 
  created second will have the "clean" name.
  
  So 
  the problem with LDIFDE is related to that darn NEWLINE character. That isn't 
  something you can generally import in for a name and Microsoft specifically 
  used that character to get your attention. When LDIFDE tries to import an 
  object like that the DSA says "No way Jose!". Well it is a little more 
  professional and says NAMING_VIOLATION with an error of 200B which is 
  
  G:\granamigodelpato>err 200b
  # for hex 0x200b / decimal 8203 :
    ERROR_DS_INVALID_ATTRIBUTE_SYNTAX                              winerror.h
  # The attribute syntax specified to the directory service is
  # invalid.
  # 1 matches found for "200b"
  
  
  
  You 
  do occasionally (or more or less often - YMMV) get these objects in your 
  directory. As a general rule, clean them up when you find them. How you do 
  that is very specific to the objects, you will have to use some judgement and 
  try to figure out which is the right object to keep, the non-CNF stamped 
  object or the CNF stamped object. About the only incorrect answer here is to 
  say that you always keep one or the other simply based on whether it has the 
  CNF or not. As the name indicates they are indicative of a collision 
  and they are a mechanism to protect you from something that could 
  possibly have really hurt. Don't like collision objects you say?? Consider the 
  alternatives which are that something disappears or you get some sort of 
  odd amalgamation of two different objects. Both of those alternatives suck 
  because they are much worse than just having a CNF object. With a CNF 
  object at least you have something you can detect and have a fighting chance 
  to correct.
  
  
  So 
  the admin is having troubles importing the objects because he keeps hitting 
  CNF objects. It would be nice if LDIFDE handled this situation 
  gracefully. And guess what... it can. :o) The latest version of LDIFDE 
  which is in the ADAM SP1 or R2 release has a version of LDIFDE dated 
  2005/11/23 with a file version of 1.1.3790.2075 which has a '-z' option 
  which tells ldifde to continue importing regardless of 
  errors.
  
  Very cool, yet another reason for you to download ADAM SP1 or dig it 
  off your R2 CDs. However Do you really want to always do that? I mean come on, keep 
  on going regardless of errors... That is equivalent to the vbscript ON ERROR 
  RESUME NEXT programming mechanism and we don't even have ERROR levels so we 
  can really check to stop our 
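An added example (not joe's code and not part of LDIFDE or any Microsoft tool): a small Python pre-filter that, instead of importing with -z and ignoring every error, pulls CNF-stamped entries out of an LDIF export into a review list so the remaining entries import without tripping the NAMING_VIOLATION, recording the original RDN and objectGUID of each conflict for the admin to judge. It goes slightly beyond the mail by handling both ways a DN with a newline can appear in LDIF (the escaped "\0A" form on a "dn:" line and the base64 "dn::" form); the export file is hypothetical, the sample entries are constructed and only the first GUID is joe's.

```python
import base64
import re

# When two objects with the same DN are created on different DSAs inside one
# replication interval, AD renames the loser by inserting a newline, the
# literal "CNF:" and the objectGUID into the RDN (joe's example from the mail):
#   CN=collision\0ACNF:efc83ba9-412f-452e-ad49-72f91d31c201,CN=Users,DC=duck,DC=com
# In an LDIF file that DN shows up either with the RFC 2253 escape "\0A" on a
# plain "dn:" line or base64-encoded on a "dn::" line with the raw 0x0A inside.
CNF_MARKER = re.compile(
    r"(?:\n|\\0A)CNF:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.IGNORECASE
)


def _unfold(block):
    """Join LDIF continuation lines (a leading space) and drop comment lines."""
    out = []
    for line in block.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        elif line and not line.startswith("#"):
            out.append(line)
    return out


def parse_ldif(text):
    """Yield (dn, lines) for each blank-line-separated LDIF entry."""
    for block in re.split(r"\r?\n[ \t]*\r?\n", text.strip()):
        lines = _unfold(block)
        while lines and not lines[0].lower().startswith("dn:"):
            lines.pop(0)  # skip e.g. a leading "version: 1"
        if not lines:
            continue
        head = lines[0]
        if head[:4].lower() == "dn::":
            dn = base64.b64decode(head[4:].strip()).decode("utf-8")
        else:
            dn = head[3:].strip()
        yield dn, lines


def conflict_info(dn):
    """Return (original_rdn, objectGUID) for a CNF-stamped DN, else None."""
    m = CNF_MARKER.search(dn)
    if m is None:
        return None
    return dn[:m.start()], m.group(1).lower()


def split_conflicts(text):
    """Separate CNF-stamped entries from an LDIF export.

    Returns (clean_ldif, conflicts). clean_ldif is import-ready text without
    the conflict entries; conflicts lists each CNF entry with its original RDN
    and objectGUID so an admin can decide which twin to keep. There is no
    automatic right answer, so nothing is deleted here.
    """
    clean_blocks, conflicts = [], []
    for dn, lines in parse_ldif(text):
        info = conflict_info(dn)
        if info is None:
            clean_blocks.append("\n".join(lines))
        else:
            original_rdn, guid = info
            conflicts.append({"dn": dn, "original_rdn": original_rdn,
                              "objectGUID": guid, "ldif": "\n".join(lines)})
    return "\n\n".join(clean_blocks) + "\n", conflicts


# Constructed sample export: the collision winner, the loser written with the
# escaped DN (GUID taken from joe's mail), and a second loser written
# base64-encoded with a raw newline (constructed GUID). Not real directory data.
_RAW_CNF_DN = ("CN=other\nCNF:1b2e4c6a-0000-4000-8000-000000000001,"
               "CN=Users,DC=duck,DC=com")
SAMPLE_LDIF = "\n".join([
    "dn: CN=collision,CN=Users,DC=duck,DC=com",
    "changetype: add",
    "objectClass: user",
    "sAMAccountName: collision",
    "",
    "dn: CN=collision\\0ACNF:efc83ba9-412f-452e-ad49-72f91d31c201,"
    "CN=Users,DC=duck,DC=com",
    "changetype: add",
    "objectClass: user",
    "sAMAccountName: collision2",
    "",
    "dn:: " + base64.b64encode(_RAW_CNF_DN.encode("utf-8")).decode("ascii"),
    "changetype: add",
    "objectClass: user",
    "sAMAccountName: other2",
    "",
])

if __name__ == "__main__":
    clean, found = split_conflicts(SAMPLE_LDIF)
    for c in found:
        print("review: %s (objectGUID %s)" % (c["original_rdn"], c["objectGUID"]))
    print(clean)
```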

RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

2006-04-02 Thread Ulf B. Simon-Weidner




 Finding a precise database size at which 
the 64-bit version becomes more advantageous than the 32-bit version. 
Actually I believe that a 64-bit version is more 
advantageous immediately, however if the better memory handling and higher 
performance will be human recognizable depends on other settings, such as your 
applications and their LDAP-Queries, your GPOs and Logon-Scripts 
(Client/User-Logon), administrative behavior 
a.s.o.

 
Finding a precise amount of RAM to optimize caching the 
database.
LSASS 
is only able to consume 512MB by default in a 32-bit environment. How much 
memory is consumed by your LSASS depends on the DIT-Size and on other settings 
such as indexing, forest infrastructure and GC placement,...
You 
are able to monitor the memory LSASS consumes by cmd (tasklist), perfmon or 
other monitoring tools (Process\LSASS\Working set size or max working set size) 
or just taskmon. If LSASS gets closer to consuming 512MB you should put the /3GB 
Switch in place or run it on 64-bit Hardware/OS. However to figure out the right 
size of RAM you need to keep monitoring and trying at least on one server (or 
one DC and one GC) in your domain since memory usage adjusts on windows 
depending on the availability of memory.

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz 
Weblog: http://msmvps.org/UlfBSimonWeidner 
Website: http://www.windowsserverfaq.org 
Profile: http://mvp.support.microsoft.com/profile


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
  Sent: Sunday, April 02, 2006 10:21 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
  
  
  Haven't lurked on the list for a while, so apologies if I'm asking the answered, however:
  Bearing in mind the non-goals of the paper, i.e.
  - Finding a precise database size at which the 64-bit version becomes more advantageous than the 32-bit version.
  - Finding a precise amount of RAM to optimize caching the database.
  
  Any prescriptive guidance on these bearing in mind that most of our DITs contain more than 
  just user info? Also, how do multiple processors affect 64 bit DC performance?
  What about DC specific settings in 64bit environments, do these change at all, since larger 
  cache configurations are assumed & the thinking is here that you wouldn't 
  bother with 64 bit DCs without the extra memory
  
  
  
  
  
  From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]]
  Sent: 02 April 2006 09:58 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
  
  although nothing 
  official, we've done testing HP internally and were quite comfortable using a 
  single well-sized 64-bit DC (well-sized meaning our whole DIT cached in 
  memory) serving one of our sites with approx. 4 Exchange Mbx. servers (I 
  believe all dual-proc) with a total of 20.000 mailboxes. It worked like 
  a charm.
  
  /Guido
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Sonntag, 2. April 2006 09:52
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
  And silence swept the 
  community as Microsoft folks dived under desks searching for dropped 
  pens
  
  
  I second this request 
  pleasethankyouverymuch.
  
  
  
  
  --
  O'Reilly Active 
  Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Olson
  Sent: Friday, March 31, 2006 12:30 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
  Thanks. Looks like a really great white paper. Anything in the works to provide updated DC 
  sizing for Exchange?
  Thanks again.
  Jeremy
  
  On 3/30/06, Steve Linehan [EMAIL PROTECTED] 
  wrote: 
  
  
  Since it has been asked many times 
  on the alias when will a paper be released detailing the scenarios when 
  deploying 64-bit servers for Active Directory makes sense and providing 
  detailed analysis and numbers, I thought everyone would be happy to know 
  that the Active Directory Program Management and Development teams have 
  released the following White Paper: "Active Directory Performance for 64-bit 
  Versions of Windows Server 2003" 
  http://www.microsoft.com/downloads/details.aspx?FamilyID=52e7c3bd-570a-475c-96e0-316dc821e3e7&DisplayLang=en.
  
  
  
  Thanks,
  
  
  
  
  -Steve
  


RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

2006-04-02 Thread David Adner



Umm. Did you read the whitepaper this thread is 
talking about?

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
  Sent: Sunday, April 02, 2006 3:21 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
  
  
  Haven't lurked on the list for a while, so apologies if I'm asking the answered, however:
  Bearing in mind the non-goals of the paper, i.e.
  - Finding a precise database size at which the 64-bit version becomes more advantageous than the 32-bit version.
  - Finding a precise amount of RAM to optimize caching the database.
  
  Any prescriptive guidance on these bearing in mind that most of our DITs contain more than 
  just user info? Also, how do multiple processors affect 64 bit DC performance?
  What about DC specific settings in 64bit environments, do these change at all, since larger 
  cache configurations are assumed & the thinking is here that you wouldn't 
  bother with 64 bit DCs without the extra memory
  
  
  
  
  
  From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]]
  Sent: 02 April 2006 09:58 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
  
  although nothing 
  official, we've done testing HP internally and were quite comfortable using a 
  single well-sized 64-bit DC (well-sized meaning our whole DIT cached in 
  memory) serving one of our sites with approx. 4 Exchange Mbx. servers (I 
  believe all dual-proc) with a total of 20.000 mailboxes. It worked like 
  a charm.
  
  /Guido
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Sonntag, 2. April 2006 09:52
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
  And silence swept the 
  community as Microsoft folks dived under desks searching for dropped 
  pens
  
  
  I second this request 
  pleasethankyouverymuch.
  
  
  
  
  --
  O'Reilly Active 
  Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Olson
  Sent: Friday, March 31, 2006 12:30 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
  Thanks. Looks like a really great white paper. Anything in the works to provide updated DC 
  sizing for Exchange?
  Thanks again.
  Jeremy
  
  On 3/30/06, Steve Linehan [EMAIL PROTECTED] 
  wrote: 
  
  
  Since it has been asked many times 
  on the alias when will a paper be released detailing the scenarios when 
  deploying 64-bit servers for Active Directory makes sense and providing 
  detailed analysis and numbers, I thought everyone would be happy to know 
  that the Active Directory Program Management and Development teams have 
  released the following White Paper: "Active Directory Performance for 64-bit 
  Versions of Windows Server 2003" 
  http://www.microsoft.com/downloads/details.aspx?FamilyID=52e7c3bd-570a-475c-96e0-316dc821e3e7&DisplayLang=en.
  
  
  
  Thanks,
  
  
  
  
  -Steve
  


RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

2006-04-02 Thread David Adner



512MB is for Windows 2000. And you'd only use /3GB if 
you had 2000 Advanced Server, at which point you'd cache around 1GB. 
Without /3GB on Windows 2003 the default is around 1.5GB, with /3GB it's around 
2.6GB. /3GB is supported on both Standard and Enterprise Edition 
with respect to DCs.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
  Sent: Sunday, April 02, 2006 6:07 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
  
  
   Finding a precise database size at which 
  the 64-bit version becomes more advantageous than the 32-bit version. 
  
  Actually I believe that a 64-bit version is more 
  advantageous immediately, however if the better memory handling and higher 
  performance will be human recognizable depends on other settings, such as your 
  applications and their LDAP-Queries, your GPOs and Logon-Scripts 
  (Client/User-Logon), administrative behavior 
  a.s.o.
  
   Finding a precise amount of RAM to 
  optimize caching the database.
  LSASS is only able to consume 512MB by default in a 
  32-bit environment. How much memory is consumed by your LSASS depends on the 
  DIT-Size and on other settings such as indexing, forest infrastructure and GC 
  placement,...
  You 
  are able to monitor the memory LSASS consumes by cmd (tasklist), perfmon or 
  other monitoring tools (Process\LSASS\Working set size or max working set 
  size) or just taskmon. If LSASS gets closer to consuming 512MB you should put 
  the /3GB Switch in place or run it on 64-bit Hardware/OS. However to figure 
  out the right size of RAM you need to keep monitoring and trying at least on 
  one server (or one DC and one GC) in your domain since memory usage adjusts on 
  windows depending on the availability of memory.
  
  Gruesse - Sincerely, 
  Ulf B. Simon-Weidner 
  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz 
  Weblog: http://msmvps.org/UlfBSimonWeidner 
  Website: http://www.windowsserverfaq.org 
  Profile: http://mvp.support.microsoft.com/profile
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Sunday, April 02, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003


Haven't lurked on the list for a while, so apologies if I'm asking the answered, however:
Bearing in mind the non-goals of the paper, i.e.
- Finding a precise database size at which the 64-bit version becomes more advantageous than the 32-bit version.
- Finding a precise amount of RAM to optimize caching the database.

Any prescriptive guidance on these bearing in mind that most of our DITs contain more than 
just user info? Also, how do multiple processors affect 64 bit DC performance?
What about DC specific settings in 64bit environments, do these change at all, since 
larger cache configurations are assumed & the thinking is here that you 
wouldn't bother with 64 bit DCs without the extra memory





From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]]
Sent: 02 April 2006 09:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003

although nothing 
official, we've done testing HP internally and were quite comfortable using 
a single well-sized 64-bit DC (well-sized meaning our whole DIT cached in 
memory) serving one of our sites with approx. 4 Exchange Mbx. servers 
(I believe all dual-proc) with a total of 20.000 mailboxes. It worked 
like a charm.

/Guido




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sonntag, 2. April 2006 09:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
And silence swept 
the community as Microsoft folks dived under desks searching for dropped 
pens


I second this 
request pleasethankyouverymuch.




--
O'Reilly Active 
Directory Third Edition - http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Olson
Sent: Friday, March 31, 2006 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Performance for 64-bit Versions of Windows Server 2003
Thanks. Looks like a really great white paper. Anything in the works to provide updated DC 
sizing for Exchange?
Thanks again.
Jeremy

On 3/30/06, Steve Linehan [EMAIL PROTECTED] 
wrote: 


Since it has been 

RE: [ActiveDir] Monitoring DC's

2006-04-02 Thread joe
Yes that should be scary. Did you guys change anything as a result? 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of matheesha
weerasinghe
Sent: Monday, March 13, 2006 5:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Monitoring DC's

No kidding. Here at my work place we once needed access to the enterprise
admin password but the safe was not accessible as the building was damaged
and not safe to enter. The chap remotely connected to the network and used
IBM Director to reset the password of the root administrator account! I
didn't know such a feature existed (I think the agent runs as local system),
and he was only a domain admin of the child domain but hey that was scary!

M@

On 10/03/06, joe [EMAIL PROTECTED] wrote:
 The moment you put the Tivoli agent (or MOM or SMS or AV or whatever) 
 on a single DC, whomever admins the foreign application is now 
 effectively a domain/enterprise admin as well. Any attack vectors into 
 their monitoring servers, etc are now all vectors into the core of 
 your security for the Enterprise. Basically you could have the 
 greatest security practices in the world (barring this one) for your 
 DCs and then some bonehead move over on the monitoring platform 
 (because it isn't quite as critical to be secure, it is ONLY watching...)
and bam you can be utterly compromised.

   joe


 --
 O'Reilly Active Directory Third Edition - 
 http://www.joeware.net/win/ad3e.htm


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Script not working thru GPO

2006-04-02 Thread Brian Desmond

Usually how I handle that particular problem is have a share somewhere
that all the clients can get to and give them rights to write to the share and
they just make some file %computername%.log or something and that's what
these scripts talk to.





Thanks,
Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, April 02, 2006 4:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO





One comment I thought of when looking at
that is how well does it handle multiple machines trying to run it at the same
time? As a general rule, it is very difficult to have multiple computers all
trying to write to the same flat file. This could get ugly in a production
environment.



 joe







--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern, Jeffrey D Mr CTR USSOCOM HQ
Sent: Thursday, March 30, 2006 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO

Thanks for all your help. I finally got the
script working and doing everything I want it to do. If anyone wants the
script let me know. 



Jeff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, March 29, 2006 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO

Is there any reason you're not just expanding the %ComputerName%
environment variable in your script?



As far as searching the file:



Dim line
Dim found
found = False

' objServerList must be a TextStream opened for reading (ForReading = 1);
' a stream opened ForAppending cannot be read. TextStream exposes
' AtEndOfStream, not EOF.
While Not objServerList.AtEndOfStream
    line = objServerList.ReadLine
    ' Case-insensitive compare, ignoring stray whitespace in the list
    If StrComp(Trim(line), strComputerName, vbTextCompare) = 0 Then
        found = True
    End If
Wend

If found Then
    ' Do stuff: the name is already in the list, skip to the end
Else
    ' Do other stuff: the name is not there yet, append it
End If





Thanks,
Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern, Jeffrey D Mr CTR USSOCOM HQ
Sent: Wednesday, March 29, 2006 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO





Found that problem and the other which was with objShell



Here is the working script. Now to find a way to have
it check if the server name is already in the serverlist.txt file and if so
skip to the end. 



Dim regComputerName
Dim strComputerName
Dim Serverlist
Dim objShell
Dim objServerlist
Dim objFSO
Dim strCurrenLine
Dim intIsComment
Const ForAppending = 8

Serverlist = "\\fileserver\serverlist.txt"
regComputerName = "HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName"
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Open for append; the third argument creates the file if it does not exist yet
Set objServerlist = objFSO.OpenTextFile(Serverlist, ForAppending, True)

Set objShell = CreateObject("WScript.Shell")
strComputerName = objShell.RegRead(regComputerName)
objServerlist.WriteLine strComputerName
objServerlist.Close

' Turn on automatic backup of full event logs (AutoBackupLogFiles = 1)
objShell.RegWrite "HKLM\System\CurrentControlSet\Services\Eventlog\Application\AutoBackupLogFiles", 1, "REG_DWORD"
objShell.RegWrite "HKLM\System\CurrentControlSet\Services\Eventlog\Security\AutoBackupLogFiles", 1, "REG_DWORD"
objShell.RegWrite "HKLM\System\CurrentControlSet\Services\Eventlog\System\AutoBackupLogFiles", 1, "REG_DWORD"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 29, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO



What's objFile being set to?



Set WshShell = WScript.CreateObject("WScript.Shell")
ComputerName = objShell.RegRead(regComputerName)
objfile.Write ComputerName 



Hmm maybe I'm missing something entirely because I
don't see where objShell is being set to anything either ?

:m:dsm:cci:mvp| marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern, Jeffrey D Mr CTR USSOCOM HQ
Sent: Wednesday, March 29, 2006 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO





Thank you




That fixed that line.. Now to another line. As I mentioned before
this script works fine outside of GPO.


Do you see anything wrong with ComputerName = 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, March 28, 2006 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO

Good catch Kamlesh. Jeff, check out:



http://msdn.microsoft.com/library/default.asp?url=



for an example of this.









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Tuesday, March 28, 2006 8:59 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Script not working thru GPO



If this is the
exact script then





Where have you defined

RE: [ActiveDir] Bulk Import

2006-04-02 Thread joe



Sorry for the delay, as may be obvious, I am digging myself 
out. I have been in a fog of craziness the last few months up until about 
yesterday when I finally started seeing light and my head started clearing and 
going back to old joe mode; amazing what sleep and no current responsibilities 
can do for you. :o) 

Consequently... joe-valanch, err at least I think that is 
what someone called it before. :) 


--

Yes, admod will allow you to create an enabled user 
with the password on create. You can even use it to mail or mailbox enable user 
objects but it is "unsupported"[1] by MS as is any mechanism that updates 
Exchange objects without going through CDOEXM. Various versions of Exchange may 
have slightly different issues with it.

For example the following command would create 
a mailbox enabled ACTIVE account in my joe.com test domain. You can use 
msexchhomeserver, homemdb, or homeMTA combined with mailnickname. Note that this 
is against Exchange 2003 SP2. 

G:\>admod -b CN=pato,CN=Users,DC=joe,DC=com -add 
objectclass::user samaccountname::pato mailnickname::pato 
msexchhomeservername::"/o=joeware/ou=First 
AdministrativeGroup/cn=Configuration/cn=Servers/cn=2K3EXC01" 
unicodepwd::!SoFamiliar2Me! useraccountcontrol::512 -kerbenc

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Adding specified objects...
   DN: CN=pato,CN=Users,DC=joe,DC=com...

The command completed successfully

 joe



[1] I think this is wrong wrong wrong wrong. I feel it is 
more about the Exchange Devs not doing good data validation of attributes set in 
AD than anything else.



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, March 08, 2006 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bulk Import


I was going to use 
csvde, but read that it did not support password creation. Is this 
supported under ADMod?





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, March 08, 2006 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bulk Import


I suppose it really depends on your input 
data. What have you got to work with and what is the decision criteria for 
the OU differences? 



Creating the objects in a particular OU and 
mailbox enabling them would not be terribly difficult depending on the 
information you have and want to put in there. Jim's way would work, but I think 
I prefer to put them where they belong at creation vs. later. For that 
reason either one of Joe's tools (admod for example) or script would be my 
preference. Script would be mine but that's just because I'm funny like 
that. Joe's tools are faster though both at runtime and to get working if you 
don't have scripts laying around. 



Al

On 3/8/06, Kennedy, Jim [EMAIL PROTECTED] 
wrote: 

Ok, I 
skipped a step, sounds like you need these 200 to go to separate OU's. Mass 
create them in one OU, mass right click them and create the mailbox then mass 
send them an email. 

The script 
the move if that is faster/easier than a manual drag and drop. So your 
spreadsheet of users is:

firstname 
lastname password 
targetOU

convert 
that to comma text for your script and use the first three for the creation and 
then the first two and last for the move. 

  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kennedy, Jim
  Sent: Wednesday, March 08, 2006 2:16 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Bulk Import

Delegate it to HR.

Short of that get HR or someone to give you a list of the names and script it, provide a
default password of their SS number perhaps...must be changed on first log on.

After they are created, in the same OU...mass select them in ADUC and right click them and
send them a test email to create the mailbox.



  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Wednesday, March 08, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Bulk Import
  
What's the fast way for me to create 200 user accounts in specific OU's and create Exchange
mailboxes?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
  
  
  
  
  
This message and any attachments are solely for the intended recipient and may contain
confidential or privileged information. If you are not the intended recipient, any
disclosure, copying, use or distribution of the information included in the message and
any attachments is prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this message and any attachments.
  Thank You. 
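The bulk create discussed in this thread, as an added example that is not part of the original posts: PowerShell against the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later; the thread predates it). It takes the firstname, lastname, targetOU spreadsheet Jim describes as a CSV, creates each account directly in its target OU as Al prefers, and gives it a random initial password that must be changed at first logon rather than a predictable default such as a Social Security number, which anyone who knows the user can guess. The CSV path, output path, UPN suffix and sAMAccountName scheme are assumptions; mailbox enabling is left as a comment because the cmdlet depends on the Exchange version.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module, a CSV with the
# columns firstname,lastname,targetOU, and an account delegated "create user" on those OUs.
# The paths and UPN suffix below are placeholders.
Import-Module ActiveDirectory

$csvPath   = 'C:\temp\newusers.csv'            # assumed input
$outPath   = 'C:\temp\initial-passwords.csv'   # assumed output; restrict its ACL, delete after distribution
$upnSuffix = 'corp.example.com'                # assumed UPN suffix

function New-RandomPassword {
    param([int]$Length = 16)
    # 94 printable ASCII characters drawn from the CSPRNG. Bytes >= 188 are rejected so the
    # modulo does not bias the choice (188 = floor(256 / 94) * 94). Get-Random is avoided
    # because it is not a cryptographic generator.
    $chars = [char[]](33..126)
    $limit = [int][math]::Floor(256 / $chars.Length) * $chars.Length
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

$results = foreach ($row in Import-Csv -Path $csvPath) {
    # first initial + last name, lowercase, alphanumerics only, capped at the 20-char sAMAccountName limit
    $sam = (('{0}{1}' -f $row.firstname.Substring(0, 1), $row.lastname).ToLower() -replace '[^a-z0-9]')
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
        Write-Warning "Skipping $($row.firstname) $($row.lastname): $sam already exists"
        continue
    }

    $pw = New-RandomPassword
    New-ADUser -Name "$($row.firstname) $($row.lastname)" `
               -GivenName $row.firstname -Surname $row.lastname `
               -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
               -Path $row.targetOU `
               -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
               -ChangePasswordAtLogon $true -Enabled $true

    # Exchange 2007 or later, from the Exchange Management Shell (database name is assumed):
    # Enable-Mailbox -Identity $sam -Database 'MailboxDatabase01'

    [pscustomobject]@{ SamAccountName = $sam; TargetOU = $row.targetOU; InitialPassword = $pw }
}

# Initial passwords go to the users out of band; this file is the only copy, so protect it.
$results | Export-Csv -Path $outPath -NoTypeInformation
```

Because the accounts are created with -Path, no second pass is needed to move them, and the existence check means the script can be re-run on a corrected spreadsheet without touching accounts that already exist.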




RE: [ActiveDir] Script not working thru GPO

2006-04-02 Thread joe



Exactly, I have seen whole software delivery mechanisms designed around that method.
A couple of other options:

1. Some sort of DB type functionality which handles multiple connections easily like LDAP or SQL.
2. SMTP messages



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, April 02, 2006 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO


Usually how I handle that particular problem is to have a share somewhere that all the
clients can get to and give them rights to write to the share, and they just make
some file %computername%.log or something and that's what the scripts talk to.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, April 02, 2006 4:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO

One comment I thought of when looking at that is how well does it handle multiple machines
trying to run it at the same time? As a general rule, it is very difficult to have
multiple computers all trying to write to the same flat file. This could get
ugly in a production environment.

 
joe


--
O'Reilly Active 
Directory Third Edition - http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern, Jeffrey D Mr CTR USSOCOM HQ
Sent: Thursday, March 30, 2006 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO
Thanks for all your help. I finally got the script working and doing everything I want
it to do. If anyone wants the script let me know.


Jeff





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, March 29, 2006 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO
Is there any reason you're not just expanding the %ComputerName% environment
variable in your script?

As far as searching the file:

' Search serverlist.txt for this computer's name (VBScript). Assumes Serverlist and
' strComputerName are already set as in Jeff's script. The file has to be opened for
' reading (ForReading = 1) rather than appending, and a TextStream exposes
' AtEndOfStream, not EOF.
Const ForReading = 1
Dim objFSO, objServerList, line, found

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objServerList = objFSO.OpenTextFile(Serverlist, ForReading)

found = False
Do While Not objServerList.AtEndOfStream
    line = Trim(objServerList.ReadLine)
    If StrComp(line, strComputerName, vbTextCompare) = 0 Then
        found = True
        Exit Do
    End If
Loop
objServerList.Close

If found Then
    ' Do stuff
Else
    ' Do other stuff
End If


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern, Jeffrey D Mr CTR USSOCOM HQ
Sent: Wednesday, March 29, 2006 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO

Found that problem and the other which was with objShell.

Here is the working script. Now to find a way to have it check if the server name is
already in the serverlist.txt file and if so skip to the end.


Dim regComputerName
Dim strComputerName
Dim Serverlist
Dim objShell
Dim objServerlist
Dim objFSO
Const ForAppending = 8

' Shared list on the file server; every machine appends its own name to it
Serverlist = "\\fileserver\serverlist.txt"
regComputerName = "HKLM\SYSTEM\CurrentControlSet\Control" & _
    "\ComputerName\ComputerName\ComputerName"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objServerlist = objFSO.OpenTextFile(Serverlist, ForAppending)

Set objShell = CreateObject("WScript.Shell")
strComputerName = objShell.RegRead(regComputerName)
objServerlist.WriteLine strComputerName
objServerlist.Close

' Turn on automatic archiving of the Application, Security and System event logs
objShell.RegWrite "HKLM\System\CurrentControlSet\Services\Eventlog\Application\AutoBackupLogFiles", 1, "REG_DWORD"
objShell.RegWrite "HKLM\System\CurrentControlSet\Services\Eventlog\Security\AutoBackupLogFiles", 1, "REG_DWORD"
objShell.RegWrite "HKLM\System\CurrentControlSet\Services\Eventlog\System\AutoBackupLogFiles", 1, "REG_DWORD"







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 29, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO

What's objFile being set to?

Set WshShell = WScript.CreateObject("WScript.Shell")
ComputerName = objShell.RegRead(regComputerName)
objfile.Write "ComputerName"

Hmm maybe I'm missing something entirely because I don't see where objShell is being set
to anything either?

:m:dsm:cci:mvp| 
marcusoh.blogspot.com





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern, Jeffrey D Mr CTR USSOCOM HQ
Sent: Wednesday, March 29, 2006 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO

Thank you

That fixed that line.. Now to another line. As I mentioned before this script works fine
outside of GPO.

Do you see anything wrong with ComputerName =




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, March 28, 2006 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script not working thru GPO
Good catch Kamlesh. 
Jeff, check out:
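The per-machine log file Brian describes, as an added PowerShell example that is not from the thread: a GPO startup script that writes one file per computer instead of appending to the shared serverlist.txt joe warns about, uses that file's existence as the "already in the list" check Jeff was after, and sets the same AutoBackupLogFiles values as the VBScript. The share path is an assumption. Two points the thread does not spell out: startup scripts run as SYSTEM, so the script must never take instructions from anything a client can write; and a share every machine can write to should grant Domain Computers only the right to create files in the folder, with CREATOR OWNER full control over the files they create, so a compromised host cannot alter another host's record or a shared list.

```powershell
# Added example (not from the thread). Assumed share path; see the lead-in for the folder ACL.
$shareDir = '\\fileserver\serverlist'
$hostFile = Join-Path $shareDir ('{0}.log' -f $env:COMPUTERNAME)

function Test-HostRegistered {
    param([string]$Path)
    # The per-host file replaces the "is my name already in serverlist.txt" search:
    # if it exists, this machine has already run the script, so skip to the end.
    Test-Path -LiteralPath $Path
}

function Register-Host {
    param([string]$Path)
    # One writer per file, so machines booting at the same time never contend for one file.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Registered   = (Get-Date).ToString('o')
        OSVersion    = [System.Environment]::OSVersion.VersionString
    } | ConvertTo-Csv -NoTypeInformation | Set-Content -LiteralPath $Path
}

function Enable-EventLogAutoBackup {
    # Same three registry values as the VBScript in the thread. AutoBackupLogFiles only
    # takes effect when the log's retention is "Do not overwrite events"; otherwise the
    # oldest events are still overwritten and nothing is archived.
    foreach ($log in 'Application', 'Security', 'System') {
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log" `
                         -Name 'AutoBackupLogFiles' -Value 1 -Type DWord
    }
}

if (Test-HostRegistered -Path $hostFile) {
    Write-Verbose "$env:COMPUTERNAME is already registered; nothing to do"
} else {
    Register-Host -Path $hostFile
    Enable-EventLogAutoBackup
}

# Aggregation happens server side, where a single process reads the whole directory:
#   Get-ChildItem \\fileserver\serverlist\*.log | ForEach-Object { Import-Csv $_.FullName }
```

If the list has to exist as one file, build it from the per-host files on the server rather than letting clients append to it; that keeps the only writer of the shared file on the server and turns joe's concurrency problem into a read-only one.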


RE: [ActiveDir] Automatically generated replication links

2006-04-02 Thread joe
I would also say look closely at the defined topology. There is a reason the
KCC is setting things up that way. If it isn't doing what you expect, you
probably don’t have sites/subnets configured properly or possibly have a
misunderstanding on replication connection fundamentals.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 08, 2006 12:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automatically generated replication links

Russ,
 
you are making a big deal out of nothing. Stop worrying yourself sick. IF
KCC built a CO for this DC, KCC thinks that's the most optimal CO possible
at that point. It is not mandatory that the CO should be reciprocal. If you
are not pleased with what KCC did, then delete its work and create your own.
KCC will not mess with creating another one if the DC is replicating
optimally.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Wed 3/8/2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automatically generated replication links


It's odd, the replicate FROM is different than the replicate TO on these two
DCs.  Every other DC we've deployed to date is the same DC for both from and
to (always the same DC for all) and these two decided to pick something
different.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, March 08, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automatically generated replication links


yes... on the DC that needs the CO to replicate from. remember when looking
on another DC, that object (including the old deleted CO) still needs to
replicate to the other DCs



From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Wed 2006-03-08 16:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automatically generated replication links


I see the problem, this remote DC has a replicate from correctly but the
replicate to was a different DC.  I deleted the replication link to that DC
and now there's nothing in the Replicate to blank for that DC.  So it will
repopulate within 15 minutes?



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, March 08, 2006 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automatically generated replication links


Hi Russ,
 
The KCC runs 5 mins after the DC boots and after that each 15 min..
 
The KCC creates CO as it sees fit (and that depends on the site and
replication topology, partitions to replicate and replicas hosting
partitions).
If you remove the CO manually, it will recreate them during the next KCC
cycle. The creation of auto COs also depends on what manual COs have been
created. Manually created COs will never be touched by the KCC.
 
So, why do you think it is wrong or what do you mean with "If you promote a
new domain controller and it doesn't automatically generate the right
replication links"?
 
jorge



From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Wed 2006-03-08 15:50
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automatically generated replication links


If you promote a new domain controller and it doesn't automatically generate
the right replication links, is it safe or recommended to delete the link it
generated and manually create the replication link?  Or if you delete it
will it try to automatically generate it again?
~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
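A read-only look at what the KCC built, as an added example that is not part of the thread, in PowerShell against the ActiveDirectory module (RSAT on Windows Server 2012 or later; the thread predates it). It lists every connection object with its from/to DC, whether the KCC generated it (a manual connection object is one the KCC will never touch, as Jorge says) and whether a reciprocal object exists (it need not, as Deji says), then summarises each site with its subnet count and DCs, which is where joe suggests looking first when the topology surprises you. Nothing here modifies the directory; the DC name in the repadmin comment is a placeholder.

```powershell
# Added example (not from the thread). Read-only; assumes the ActiveDirectory module and
# that the account can read the Configuration partition (any domain user can).
Import-Module ActiveDirectory

function Get-ServerName {
    # "CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site1,..." -> "DC01"
    param([string]$NtdsSettingsDn)
    (($NtdsSettingsDn -split ',')[1] -replace '^CN=')
}

function Get-ConnectionReport {
    # One row per connection object (CO). AutoGenerated = $false marks a manual CO, which the
    # KCC leaves alone; Reciprocal shows whether the partner DC also pulls from this one.
    $conns = Get-ADReplicationConnection -Filter *
    foreach ($c in $conns) {
        $reverse = $conns | Where-Object {
            $_.ReplicateFromDirectoryServer -eq $c.ReplicateToDirectoryServer -and
            $_.ReplicateToDirectoryServer   -eq $c.ReplicateFromDirectoryServer
        }
        [pscustomobject]@{
            Name          = $c.Name
            ReplicateTo   = Get-ServerName $c.ReplicateToDirectoryServer
            ReplicateFrom = Get-ServerName $c.ReplicateFromDirectoryServer
            AutoGenerated = $c.AutoGenerated
            Reciprocal    = [bool]$reverse
        }
    }
}

function Get-SiteCoverage {
    # Per site: subnet count and the DCs of the current domain in it. A site holding DCs but
    # no subnets means clients and the KCC are working from a map that does not match the
    # network, which is the usual reason the generated topology looks "wrong".
    $subnets = Get-ADReplicationSubnet -Filter *
    $dcs     = Get-ADDomainController -Filter *
    foreach ($site in Get-ADReplicationSite -Filter *) {
        [pscustomobject]@{
            Site    = $site.Name
            Subnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName }).Count
            DCs     = (@($dcs | Where-Object { $_.Site -eq $site.Name }).Name -join ', ')
        }
    }
}

Get-ConnectionReport | Sort-Object ReplicateTo | Format-Table -AutoSize
Get-SiteCoverage     | Format-Table -AutoSize

# To see the KCC's answer now instead of at its next 15-minute pass (DC01 is a placeholder):
#   repadmin /kcc DC01
#   repadmin /showconn DC01
```

Run the report before deleting anything: a CO whose AutoGenerated is false is one somebody created by hand, and the KCC will keep routing around it until it is removed.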



RE: [ActiveDir] How Secure is a Domain Controller?

2006-04-02 Thread joe
Nope, not I. I was the one that stood up and started clapping a couple of
years ago when Stuart announced that Longhorn would have Server Core (at the
time Server Foundation) DCs as an available sku with no GUI. I would like to
see more services be able to run on that core, it makes no sense to me that
ASP.NET servers and other items can't run on it because they offer enhanced
user experiences; sounds like a lack in the capability versus a feature. Why
should the ability to run a GUI locally impact what a user sees remotely in
a web browser, it isn't like the web browser is shadowing the console.

Anyways, I don't use applications on servers that are well known for being
attack vectors. Email/Web Browsers/etc... Honestly, DCs are your auth point,
why are you doing much interactive work on them at all? I mean sure, say you
are in the datacenter and you want a little chicken and broccoli with brown
sauce or a bit of tandoori chicken or some vindaloo dish, no one is going to
fault you for pulling up a browser and ordering from Wok To Yu or Shingara
Goochi Kitchen but other than that, are there any good reasons to be using
those applications directly on a DC?

Personally I like to wrap the updates into scripts that can be fired through
rcmd or psexec, etc. I slowly fire them off to dog food and then ramp up as
the need arises and can easily do from 1 to 400 with little change in effort
and with full control and no concern that something went off and did
something I didn't expect. Wrapping updates into scripts usually doesn't
take much work to do once you have a framework in place and it sort of
assists you in looking closer at what is there when it gets released versus
clicking a button and saying, yeah shoot that out there everywhere. 

I am very particular about updates on DCs though, I have massive trust
issues in that realm. 

   joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Tuesday, March 07, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How Secure is a Domain Controller?

Myrick, Todd (NIH/CC/DNA) [E] wrote:
 Okay for you Susan, I will modify my statement... Add IPsec filter that
only allows http traffic to update.microsoft.com.  Also, in the future MS
will probably bake in the spyware service into the product, so it will be
there anyway.  I think I helped flush out the KB article on AV way back.
  

Do folks really use Windows/Microsoft Update for patching DCs?

I realize I'm a bit paranoid but you're still running a web browser on a DC.

al

 
 
 From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
 [mailto:[EMAIL PROTECTED]
 Sent: Mon 3/6/2006 2:27 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] How Secure is a Domain Controller?
 
 
 
 Question?
 
 On a DC ...why do you need anti spyware?
 
 If spyware enters via web browsing and email...and IE should never be 
 used/launched on a DC... why do you need it? If the enhanced IE 
 lockdown is still in place that shuts off scripting and what not.
 
 Is it on my TS box and all workstations? Yup. On my DC. No. the only 
 site that that box surfs to is Microsoft Update (I mean I don't even 
 go to Joewear on that DC)
 
 Why introduce another thing that might introduce new code and new 
 false positives?
 
 (see Spybot that flagged Microsoft's remote desktop control for RWW as 
 spyware, see Microsoft's Antispyware that flagged Symantec as a 
 trojan)
 
 And if you do a/v ensure that the needed folders and files are 
 excluded (see prior posts in this forum about the KB articles 
 regarding how to set up a/v on a domain controller and Exchange 
 servers)
 
 Myrick, Todd (NIH/CC/DNA) [E] wrote:
 
 To add my 2 cents.

1. Add Anti-virus and Anti-Spyware detection.
2. Configure and backup your event logs. At remote sites, I would
   recommend collecting the event logs on a faster rotation.
3. Add monitoring, You want to monitor account lockout events and
   have notification when excessive amounts of authentications are
   occurring. (Tips you off to possible brute force attacks, and
   up/down situations).
4. Use IPSEC Policies to not allow outside traffic to your DC's. (I
   haven't tried this, but the theory seems pretty solid)
5. Use GPO's to enforce group memberships for EA and Domain Admins.
6. When possible do not have child domains, allows you to use
   tighter security policies.
7. Enforce all registry changes using GPO's. Things like DNS record
   weight, fixed ports for NTDS and FRS replication, etc should be
   set this way to avoid mis-configuration.
8. At a minimum have a MFT backup of the AD system state done at a
   central site each night. If you should lose objects, etc. Having
   this will give you options for restore. Not having it 
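Item 3 above (monitor lockouts and excessive authentication), as an added example that is not from the thread: a PowerShell sweep over a DC's Security log. It assumes Windows Server 2008 or later event IDs (4740 account locked out, 4771 Kerberos pre-authentication failed, 4776 NTLM credential validation failed; the 2003-era log this list was written against uses 644, 675 and 680), reads the fields by name from the event XML so nothing depends on property order, and flags a source that fails against many accounts inside a short window, the spray pattern that a lockout count alone misses. The thresholds, the DC name and the sample records are constructed for the example, so the detection part runs without a DC.

```powershell
# Added example (not from the thread). Event IDs are 2008+; thresholds and samples are constructed.
function Find-AuthAnomalies {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # objects with TimeCreated, Id, Account, Source
        [int]$FailureThreshold = 20,               # failures from one source inside the window
        [int]$WindowMinutes    = 10
    )
    $alerts = [System.Collections.Generic.List[object]]::new()

    # Every lockout is reported: on a DC they are rare enough that each one deserves a look.
    foreach ($e in ($Events | Where-Object Id -eq 4740)) {
        $alerts.Add([pscustomobject]@{ Kind = 'Lockout'; Key = $e.Account; Count = 1; Detail = "from $($e.Source)" })
    }

    # Failures grouped by source, counted over a sliding window: one address failing against
    # many accounts in a few minutes is the brute-force / spray pattern the list item wants flagged.
    $failures = $Events | Where-Object { $_.Id -in @(4771, 4776) } | Sort-Object TimeCreated
    foreach ($group in ($failures | Group-Object Source)) {
        $window = [System.Collections.Generic.Queue[datetime]]::new()
        foreach ($e in $group.Group) {
            $window.Enqueue($e.TimeCreated)
            while (($e.TimeCreated - $window.Peek()).TotalMinutes -gt $WindowMinutes) { [void]$window.Dequeue() }
            if ($window.Count -ge $FailureThreshold) {
                $accounts = @($group.Group | Select-Object -ExpandProperty Account -Unique).Count
                $alerts.Add([pscustomobject]@{ Kind = 'BruteForce'; Key = $group.Name; Count = $window.Count; Detail = "$accounts accounts" })
                break
            }
        }
    }
    $alerts
}

function Get-DcAuthEvents {
    # Live collection: maps raw Security events to the shape Find-AuthAnomalies expects.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($ev in Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $source = switch ($ev.Id) {
            4740 { $data['TargetDomainName'] }   # caller computer name
            4771 { $data['IpAddress'] }
            4776 { $data['Workstation'] }
        }
        [pscustomobject]@{ TimeCreated = $ev.TimeCreated; Id = $ev.Id; Account = $data['TargetUserName']; Source = $source }
    }
}

# Constructed sample: 25 NTLM failures from one workstation against 25 accounts in three
# minutes, then a lockout, plus a lone typo from another host that must not alert.
$t0 = Get-Date '2006-04-02 14:00:00'
$sample = @(
    0..24 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_ * 7); Id = 4776; Account = "user$_"; Source = 'WKS-042' } }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3); Id = 4740; Account = 'user24'; Source = 'WKS-042' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5); Id = 4776; Account = 'jsmith'; Source = 'WKS-007' }
)
Find-AuthAnomalies -Events $sample | Format-Table -AutoSize
# Live, against a DC (DC01 is a placeholder):
#   Find-AuthAnomalies -Events (Get-DcAuthEvents -ComputerName DC01) | Format-Table -AutoSize
```

On the sample this yields one Lockout row for user24 and one BruteForce row for WKS-042 at the 20th failure; WKS-007 never reaches the threshold. Note that 4771 also fires for reasons other than a bad password (clock skew, for one), so check the Status field before treating a single source as hostile.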

Re: [ActiveDir] How Secure is a Domain Controller?

2006-04-02 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Good thing you don't work at my office.

No Kung Pao Chicken has ever been ordered from my SBS box, thank you 
very much.


Use your Windows Mobile 5 phone and put the food place on speed dial, dude.

Right now I'm using MU on two beta boxes to confirm and track what the 
integrated WSUS (SBS 2003 r2) is saying that I need on those boxes.  I 
use it more for another confirmation method...but down here we are MUing 
and soon to be WSUSing.


I'd love to use MBSA 2.0 to scan my entire network.. but I'm still 
having issues with the dcom communication (I'm convinced that everyone 
is still using MBSA 1.2 to scan an XP sp2 firewall on network because 
they gave up on 2.0)



RE: [ActiveDir] Where's Deji.. (was Quiet? DEC? Related?)

2006-04-02 Thread Gil Kirkpatrick

Deji had to bail at the last minute. Something about work or some other 
similarly lame excuse.

It's about as silly as Where's Tony? Sure NZ is like really far away and 
stuff, but come on! These are your peeps, Tony!

Now that I have at least tacit acceptance from DJ for DEC 2007, it's time for 
me to start twisting Tony's arm. I will not be denied! Muwah hah hah hah!

-g

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Friday, March 31, 2006 11:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Definitely a huge thanks to everyone for making this an awesome first DEC for
me!  It was great matching up faces to the email addresses I see daily.  The
DR, Security and Interopt sessions were a couple of my favorites.  The DJ
show was awesome!

For those not able to attend this year, make it a priority next year.  I was
told I could take a class this quarter...I've taken enough AD and Exchange
classes over the years so I chose to attend DEC because of the praise given
to it by the folks on this list.  It was well worth the trip...didn't hurt
that red 9 kept hitting either ;-)

So the only mystery left is where was Deji?

Cheers,
Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 31, 2006 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Absolutely. Very entertained. 

I had a near permanent smile from the point I directed a question to Stuart
asking him where he was from so I could give him a copy of AD3E. The funny
part was him thinking I was trying to set him up for something... As soon as
I saw him in the audience I intended on giving him a copy to say thanks from
all of us for the work he has done on this stuff and his lack of failure in
listening to our feedback. The way it all played out though was great and
added to the fun.

To those who sadly didn't attend we gave out copies of Active Directory
Third Edition to folks who were answering questions we tossed out into the
open. I said the next question is for Stuart alone and said 

Stuart, where are you from? 

knowing that most of the folks in the audience would know exactly where he
was from having seen his keynote about Identity Management I figured
most people would yell it out so I said it was just for him. His response
was priceless... Now or originally?  The audience howled. Great fun.

  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, March 31, 2006 7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

That's cool. I can go with that. As long as you're entertained. Let's just
say it's not my kind of entertainment, unlike the joe and Dean show. Hey,
joe and Dean, aren't you the guys who sing Little Old Lady From Pasadena?
Or was that Little Old Attr Caused PAS Expansion? :)

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 31, 2006 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Well it really depends on their attitude. What Guido and I did wasn't gambling
though I stated it as such previously. We were being entertained. You don't
really gamble when you play the slots, you have no control over the outcome.
If someone goes in thinking they will walk away with more money than they
started with, I would argue they should not be doing it at all. I personally
figure out how much money I am spending on entertainment and then spend it
be it on slots, meals, drinks, or cool little rubber duckies at the hotel
airport. 

Thinking that way, I lost $0 as well, though I spent about $500 on
entertainment. Best money spent IMO.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, March 31, 2006 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

I've always thought that gambling in general was a tax on those who don't
understand probability by those who do understand brain chemistry. I lost
$0. Though it was sometimes fun watching other people support the Las Vegas
economy. What's lost in Lost Wages stays in Lost Wages. :)

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, March 31, 2006 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

 $20 of it was spent showing Guido how US slot machines worked in the
Belagio.

and that was so complicated to learn :-)  Obviously I lost all of what I've
put into the machines as well (hadn't expected anything else) - a whopping
$12!  

RE: [ActiveDir] Monitoring DC's

2006-04-02 Thread Matheesha Weerasinghe


Guess what. Not yet! But it's out of my hands and the security team will decide how to pursue this.

M@



From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Monitoring DC's
Date: Sun, 2 Apr 2006 14:54:23 -0400

Yes that should be scary. Did you guys change anything as a result?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of matheesha weerasinghe
Sent: Monday, March 13, 2006 5:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Monitoring DC's

No kidding. Here at my workplace we once needed access to the enterprise admin password
but the safe was not accessible as the building was damaged and not safe to enter. The
chap remotely connected to the network and used IBM Director to reset the password of the
root administrator account! I didn't know such a feature existed (I think the agent runs
as local system), and he was only a domain admin of the child domain but hey that was scary!

M@

On 10/03/06, joe [EMAIL PROTECTED] wrote:
The moment you put the Tivoli agent (or MOM or SMS or AV or whatever) on a single DC,
whoever admins the foreign application is now effectively a domain/enterprise admin as
well. Any attack vectors into their monitoring servers, etc are now all vectors into the
core of your security for the Enterprise. Basically you could have the greatest security
practices in the world (barring this one) for your DCs and then some bonehead move over on
the monitoring platform (because it isn't quite as critical to be secure, it is ONLY
watching...) and bam you can be utterly compromised.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

List info: http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] How Secure is a Domain Controller?

2006-04-02 Thread Brian Desmond
I know SBS and Datacenter are mutually exclusive, but, being able to
talk on the phone and hear the other party while in a datacenter are
also mutually exclusive. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
SBS
 Rocks [MVP]
 Sent: Sunday, April 02, 2006 4:49 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] How Secure is a Domain Controller?
 
 Good thing you don't work at my office.
 
 No Kung Pao Chicken has ever been ordered from my SBS box, thank you
 very much.
 
 Use your Windows Mobile 5 phone and put the food place on speed dial,
 dude.
 
 Right now I'm using MU on two beta boxes to confirm and track what the
 integrated WSUS (SBS 2003 r2) is saying that I need on those boxes.  I
 use it more for another confirmation method...but down here we are
MUing
 and soon to be WSUSing.
 
 I'd love to use MBSA 2.0 to scan my entire network.. but I'm still
 having issues with the dcom communication (I'm convinced that everyone
 is still using MBSA 1.2 to scan an XP sp2 firewall on network because
 they gave up on 2.0)
 
 joe wrote:
  Nope, not I. I was the one that stood up and started clapping a
couple
 of
  years ago when Stuart announced that Longhorn would have Server Core
(at
 the
  time Server Foundation) DCs as an available sku with no GUI. I would
 like to
  see more services be able to run on that core, it makes no sense to
me
 that
  ASP.NET servers and other items can't run on it because they offer
 enhanced
  user experiences; sounds like a lack in the capability versus a
feature.
 Why
  should the ability to run a GUI locally impact what a user sees
remotely
 in
  a web browser, it isn't like the web browser is shadowing the
console.
 
  Anyways, I don't use applications on servers that are well known for
 being
  attack vectors. Email/Web Browsers/etc... Honestly, DCs are your
auth
 point,
  why are you doing much interactive work on them at all? I mean sure,
say
 you
  are in the datacenter and you want a little chicken and broccoli
with
 brown
  sauce or a bit of tandoori chicken or some vindaloo dish, no one is
 going to
  fault you for pulling up a browser and ordering from Wok To Yu or
 Shingara
  Goochi Kitchen but other than that, are there any good reasons to be
 using
  those applications directly on a DC?
 
  Personally I like to wrap the updates into scripts that can be fired
 through
  rcmd or psexec, etc. I slowly fire them off to dog food and then
ramp up
 as
  the need arises and can easily do from 1 to 400 with little change
in
 effort
  and with full control and no concern that something went off and did
  something I didn't expect. Wrapping updates into scripts usually
doesn't
  take much work to do once you have a framework in place and it sort
of
  assists you in looking closer at what is there when it gets released
 versus
  clicking a button and saying, yeah shoot that out there everywhere.
 
  I am very particular about updates on DCs though, I have massive
trust
  issues in that realm.
 
 joe
 
 
  --
  O'Reilly Active Directory Third Edition -
  http://www.joeware.net/win/ad3e.htm
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Al
Lilianstrom
  Sent: Tuesday, March 07, 2006 8:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] How Secure is a Domain Controller?
 
  Myrick, Todd (NIH/CC/DNA) [E] wrote:
 
  Okay for you Susan, I will modify my statement... Add IPsec filter
that
 
  only allows http traffic to update.microsoft.com.  Also, in the
future
 MS
  will probably bake in the spyware service into the product, so it
will
 be
  there anyway.  I think I helped flush out the KB article on AV way
back.
 
 
 
 
  Do folks really use Windows/Microsoft Update for patching DCs?
 
  I realize I'm a bit paranoid but you're still running a web browser
on a
 DC.
 
  al
 
 
  
 
  From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
  [mailto:[EMAIL PROTECTED]
  Sent: Mon 3/6/2006 2:27 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] How Secure is a Domain Controller?
 
 
 
  Question?
 
  On a DC ...why do you need anti spyware?
 
  If spyware enters via web browsing and email...and IE should never be
  used/launched on a DC... why do you need it? If the enhanced IE lockdown
  is still in place that shuts off scripting and what not.

  Is it on my TS box and all workstations? Yup. On my DC. No. The only
  site that that box surfs to is Microsoft Update (I mean I don't even go
  to Joewear on that DC)
 
  Why introduce another thing that might introduce new code and new
  false positives?
 
  (see Spybot that flagged Microsoft's remote desktop control for RWW as
  spyware, see Microsoft's Antispyware that flagged Symantec as a trojan)
 
  And if you do a/v ensure that the needed 

RE: [ActiveDir] Photos in AD

2006-04-02 Thread joe



The same question applies to any non-NOS data you want to throw into the
directory, where will the info be consumed? Why is it needed?

In general, when people want photos it is for some address book type
application that usually runs as a web app. In that case, I see no point in
that data going into AD, it is unnecessary bloat.

As Guido points out, users directly populating photos or any data can be less
than optimal for you. Say you have 100k users and they all get this cool new
app that lets them upload pics, how well will your replication infrastructure
and DCs handle an influx of 20,000 50,000 80,000 or even 100,000 photos in a
short period of time? I know I know, you would control the uploading of that
info. But what if some handy dandy intern figures it out, writes a short
little program and starts handing it out? Do you figure it out because DCs
start running out of space, because DCs start slowing down, because DCs start
replicating more slowly, or because customers call because they can't
authenticate? What if that intern is an intern for "Hack and Bang Em Up
Enterprises" and simply knows who to send email to you in your org?

There are of course other attributes to be concerned with. Locking down is
good but at the same time you need to be very aware of what you are locking
down. A complete lockdown will have unexpected results say on your ability to
modify your public delegates or mail certs for Exchange for instance...
Obviously Guido is on the same page here. Understand before you change.

Want to figure out your most dangerous attributes in terms of what users can
hurt you with (or alternatively some application that does things on their
behalf at their behest or because they opened the wrong email)? You need to
find which attributes a user can write on their own object that lets you
write large amounts of data. In general you can quickly focus in on Unicode
attributes (attributeSyntax=2.5.5.12) that don't have a rangeUpper value. For
bonus points look at whether or not they are multivalued[1]. If a user has
write access to a multivalued unicode attribute with no rangeUpper they could
theoretically, if I understand this stuff properly, write approximately
1300*10MB (~12.7GB) of information to a K3 directory for that one attribute
without any help from an admin. I say theoretically because I haven't sat
down and written anything to try it and possibly there is some admin limit
you will encounter. I hope so, but wouldn't be terribly surprised if it
worked.


Imagine, if you will, someone who chooses to attack AD who knows how to and
is smart enough to write their bad app to look at what the current user has
access to modify and calculates what can cause the most damage and does it.
This could be devastating whether that user is an admin or a normal user
(maybe a 13GB increase in your DIT in less than an hour wouldn't hurt you...
would you at least notice it occurred?). They then combine that with a
delivery system like "See Jessica Alba Nude!" and how many users do you have
and how big can your DIT grow until you hear that pop of the impending
implosion of your disk subsystem?


Let's see if we can find a bad attribute that users have access to...

1. Look at the ACL set on a user. Look for what SELF has access to.

K:\>adfind -b CN=pato,CN=Users,DC=joe,DC=com -sddl+ ntsecuritydescriptor -resolvesids |grep -i self

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

File STDIN:
>nTSecurityDescriptor: [DACL] OA;;CR;Change Password;;NT AUTHORITY\SELF
>nTSecurityDescriptor: [DACL] OA;;CR;Send As;;NT AUTHORITY\SELF
>nTSecurityDescriptor: [DACL] OA;;CR;Receive As;;NT AUTHORITY\SELF
>nTSecurityDescriptor: [DACL] OA;;RPWP;Personal Information;;NT AUTHORITY\SELF
>nTSecurityDescriptor: [DACL] OA;;RPWP;Phone and Mail Options;;NT AUTHORITY\SELF
>nTSecurityDescriptor: [DACL] OA;;RPWP;Web Information;;NT AUTHORITY\SELF
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;NT AUTHORITY\SELF


2. You see that you have three property sets involved: Personal Information,
Phone and Mail Options, and Web Information. So then look up what attributes
are involved. You can use the scripts that were previously posted by Sakari
and/or myself to this very list or use adfind. We will start with Web
Information as that seems innocuous. First you need to get the rightsGuid to
chase across schema objects with...

K:\>adfind -sc findpropsetrg:"Web Information"

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003
Base DN: cn=extended-rights,CN=Configuration,DC=joe,DC=com

dn:CN=Web-Information,CN=Extended-Rights,CN=Configuration,DC=joe,DC=com
>rightsGuid: E45795B3-9455-11d1-AEBD-F80367C1

1 Objects returned


3. Now we want to use that rightsGUID and pull all attributes that have that
GUID, are unicode (2.5.5.12) and are multivalued with no range upper as those
are the most
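As an added example (not part of joe's post, and not AdFind), the Python below mechanises the three steps: it pulls the SELF ACEs out of the grep'd -sddl+ output, maps the writable property sets to their rightsGuid, and filters a schema dump for Unicode (2.5.5.12) attributes without a rangeUpper, listing multivalued ones first. The ACE lines and schema records are constructed samples; the two rightsGuid values are the published ones for the Web-Information and Personal-Information property sets.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

UNICODE_SYNTAX = "2.5.5.12"  # attributeSyntax of Unicode string attributes

# Published rightsGuid values of two property sets (Extended-Rights container).
PROPERTY_SET_GUIDS = {
    "Web Information": "E45795B3-9455-11D1-AEBD-0000F80367C1",
    "Personal Information": "77B5B886-944A-11D1-AEBD-0000F80367C1",
}

# One ACE line of "adfind -sddl+ ntsecuritydescriptor -resolvesids" output:
# [DACL] <type>;<flags>;<rights>;<object (resolved)>;<inherited object>;<trustee>
ACE_RE = re.compile(r"\[DACL\]\s+([A-Z]+);([^;]*);([^;]*);([^;]*);([^;]*);(.+)$")


@dataclass
class SchemaAttribute:
    """The attributeSchema fields joe's filter needs."""
    ldap_display_name: str
    attribute_syntax: str
    is_single_valued: bool
    range_upper: Optional[int]
    attribute_security_guid: Optional[str]  # rightsGuid of its property set


def self_writable_property_sets(sddl_lines: Iterable[str]) -> Set[str]:
    """Property sets on which NT AUTHORITY\\SELF holds WP (write property)."""
    found: Set[str] = set()
    for line in sddl_lines:
        m = ACE_RE.search(line)
        if not m:
            continue
        ace_type, _flags, rights, obj, _inherited, trustee = m.groups()
        if trustee.strip().upper() != r"NT AUTHORITY\SELF":
            continue
        # SDDL access rights are fixed two-letter tokens, e.g. "RPWP".
        tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        if ace_type == "OA" and "WP" in tokens and obj:
            found.add(obj)
    return found


def risky_attributes(schema: Iterable[SchemaAttribute],
                     writable_sets: Set[str]) -> List[str]:
    """Unicode attributes with no rangeUpper inside a SELF-writable property
    set; multivalued ones come first because they can hold far more data."""
    guids = {PROPERTY_SET_GUIDS[s].upper()
             for s in writable_sets if s in PROPERTY_SET_GUIDS}
    hits = [a for a in schema
            if (a.attribute_security_guid or "").upper() in guids
            and a.attribute_syntax == UNICODE_SYNTAX
            and a.range_upper is None]
    hits.sort(key=lambda a: (a.is_single_valued, a.ldap_display_name))
    return [a.ldap_display_name for a in hits]


# Constructed sample: the shape of the grep'd output in step 1.
SAMPLE_SDDL = [
    r"nTSecurityDescriptor: [DACL] OA;;CR;Change Password;;NT AUTHORITY\SELF",
    r"nTSecurityDescriptor: [DACL] OA;;RPWP;Personal Information;;NT AUTHORITY\SELF",
    r"nTSecurityDescriptor: [DACL] OA;;RPWP;Phone and Mail Options;;NT AUTHORITY\SELF",
    r"nTSecurityDescriptor: [DACL] OA;;RPWP;Web Information;;NT AUTHORITY\SELF",
    r"nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;NT AUTHORITY\SELF",
]

# Constructed sample schema records (illustrative values, not a real dump).
SAMPLE_SCHEMA = [
    SchemaAttribute("wWWHomePage", "2.5.5.12", True, 2048,
                    PROPERTY_SET_GUIDS["Web Information"]),       # capped: fine
    SchemaAttribute("sampleNotes", "2.5.5.12", True, None,
                    PROPERTY_SET_GUIDS["Personal Information"]),  # uncapped, single
    SchemaAttribute("sampleTags", "2.5.5.12", False, None,
                    PROPERTY_SET_GUIDS["Web Information"]),       # uncapped, multi
    SchemaAttribute("sampleBlob", "2.5.5.10", False, None,
                    PROPERTY_SET_GUIDS["Web Information"]),       # octet string
    SchemaAttribute("sampleAdminOnly", "2.5.5.12", False, None, None),  # no set
]

if __name__ == "__main__":
    sets = self_writable_property_sets(SAMPLE_SDDL)
    print("SELF can write:", sorted(sets))
    print("Review rangeUpper on:", risky_attributes(SAMPLE_SCHEMA, sets))
```

Feeding it a real dump means replacing the two SAMPLE_ lists with the adfind output for the user and the attributeSchema objects whose attributeSecurityGUID matches; anything it lists is a candidate for a rangeUpper or an ACL change.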

RE: [ActiveDir] Where's Deji.. (was Quiet? DEC? Related?)

2006-04-02 Thread joe
Yes, Tony should have been there. That was part of my idea about Sydney. If
he was still not present we could take a puddle jumper over to NZ and drag
him out kicking and screaming. Plus I have a lot of friends I made in NZ and
Australia from back when I worked with XYZ Widget company that really want
me to come down for beers. I figure I could get a multimonth vacation out of
it until the Aussie authorities chased me down and booted me out. :o)

Would also like to see physical presence of -ajm, ~Eric, Garage Door
clicker, DmitriG, and several others that I can't bring to mind this exact
second.

Yes tacit acceptance, that would be pretty accurate. :o) Start talking about
First Class airfare, suites, and also flying in our posse's and we could
move up to just about maybe[1]. <BFEG> Watch out Tony, Gil can certainly
twist an arm, I still can't use chopsticks with my right hand
thankyouverymuch and you do NOT want to see me eating with chopsticks with
my left hand, Yum Talay flying all over the place <g>

I guess that also brings up the topic of if people had Dean and I in a room
together again what would you want to hear about? I saw several comments of
doing the pre-session but again, what would you want to see and/or hear
about? One of the big things that slowed Dean and I down on this was the
fact that we couldn't think of anything we thought people would be
interested in hearing about. Maybe we should just pick up with where we left
off with our slide deck from this year? Seriously though, folks should be
pretty familiar by now with Dean and I and what we talk about in posts etc,
what things would you want to hear from us in a presentation? I think the
presentation name will have to be something like Humour, Opinions, and
Serious Tech 2007 but what goes into it? 

I expect the other speakers wouldn't mind this kind of feedback as well.
Well except for maybe Wook, not sure anyone could be as creative as Wook in
topic selection for his technical session. 

 joe


[1] Of course I am sort of kidding around here. :)
 

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Sunday, April 02, 2006 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Where's Deji.. (was Quiet? DEC? Related?)


Deji had to bail at the last minute. Something about work or some other
similarly lame excuse.

It's about as silly as "Where's Tony?" Sure NZ is like really far away and
stuff, but come on! These are your peeps, Tony!

Now that I have at least tacit acceptance from DJ for DEC 2007, it's time
for me to start twisting Tony's arm. I will not be denied! Muwah hah hah
hah!

-g

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Friday, March 31, 2006 11:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Definitely a huge thanks to everyone for making this an awesome first DEC
for me!  It was great matching up faces to the email addresses I see daily.
The DR, Security and Interopt sessions were a couple of my favorites.  The
DJ show was awesome!

For those not able to attend this year, make it a priority next year.  I was
told I could take a class this quarter...I've taken enough AD and Exchange
classes over the years so I chose to attend DEC because of the praise given
to it by the folks on this list.  It was well worth the trip...didn't hurt
that red 9 kept hitting either ;-)

So the only mystery left is where was Deji?

Cheers,
Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 31, 2006 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Absolutely. Very entertained. 

I had a near permanent smile from the point I directed a question to Stuart
asking him where he was from so I could give him a copy of AD3E. The funny
part was him thinking I was trying to set him up for something... As soon as
I saw him in the audience I intended on giving him a copy to say thanks from
all of us for the work he has done on this stuff and his lack of failure in
listening to our feedback. The way it all played out though was great and
added to the fun.

To those who sadly didn't attend we gave out copies of Active Directory
Third Edition to folks who were answering questions we tossed out into the
open. I said the next question is for Stuart alone and said 

Stuart, where are you from? 

knowing that most of the folks in the audience would know exactly where he
was from having seen his keynote abt Identity Management I figured
most people would yell it out so I said it was just for him. His response
was priceless... Now or originally?  The audience howled. Great fun.

  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: 

RE: [ActiveDir] How Secure is a Domain Controller?

2006-04-02 Thread joe
I was once in a datacenter overseas where cell phones weren't allowed in the
datacenter. I can't recall if they purposely scrambled the frequencies or if
they detected them and chased you and beat you with sticks. I just recall
receiving a stern warning about it and that the datacenter seemed like a
bunker and they had armed guards at the gates so I was less pioneering in my
ways than I normally find myself. In general I have found that DataCenters
(or DataCentres if you prefer) outside of the US can be quite interesting
experiences.  

Of course the food ordering from the DC was facetious to overly emphasize a
point. :o)


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, April 02, 2006 6:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

I know SBS and Datacenter are mutually exclusive, but, being able to talk on
the phone and hear the other party while in a datacenter are also mutually
exclusive. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS
 Rocks [MVP]
 Sent: Sunday, April 02, 2006 4:49 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] How Secure is a Domain Controller?
 
 Good thing you don't work at my office.
 
 No Kung Pao Chicken has ever been ordered from my SBS box, thank you 
 very much.
 
 Use your Windows Mobile 5 phone and put the food place on speed dial, 
 dude.
 
 Right now I'm using MU on two beta boxes to confirm and track what the
 integrated WSUS (SBS 2003 r2) is saying that I need on those boxes.  I
 use it more for another confirmation method...but down here we are MUing
 and soon to be WSUSing.
 
 I'd love to use MBSA 2.0 to scan my entire network.. but I'm still 
 having issues with the dcom communication (I'm convinced that everyone 
 is still using MBSA 1.2 to scan an XP sp2 firewall on network because 
 they gave up on 2.0)
 
 joe wrote:
  Nope, not I. I was the one that stood up and started clapping a couple
  of years ago when Stuart announced that Longhorn would have Server Core
  (at the time Server Foundation) DCs as an available sku with no GUI. I
  would like to see more services be able to run on that core, it makes no
  sense to me that ASP.NET servers and other items can't run on it because
  they offer enhanced user experiences; sounds like a lack in the
  capability versus a feature. Why should the ability to run a GUI locally
  impact what a user sees remotely in a web browser, it isn't like the web
  browser is shadowing the console.
 
  Anyways, I don't use applications on servers that are well known for
  being attack vectors. Email/Web Browsers/etc... Honestly, DCs are your
  auth point, why are you doing much interactive work on them at all? I
  mean sure, say you are in the datacenter and you want a little chicken
  and broccoli with brown sauce or a bit of tandoori chicken or some
  vindaloo dish, no one is going to fault you for pulling up a browser and
  ordering from Wok To Yu or Shingara Goochi Kitchen but other than that,
  are there any good reasons to be using those applications directly on a
  DC?
 
  Personally I like to wrap the updates into scripts that can be fired
  through rcmd or psexec, etc. I slowly fire them off to dog food and then
  ramp up as the need arises and can easily do from 1 to 400 with little
  change in effort and with full control and no concern that something went
  off and did something I didn't expect. Wrapping updates into scripts
  usually doesn't take much work to do once you have a framework in place
  and it sort of assists you in looking closer at what is there when it gets
  released versus clicking a button and saying, yeah shoot that out there
  everywhere.

  I am very particular about updates on DCs though, I have massive trust
  issues in that realm.
 
 joe
 
 
  --
  O'Reilly Active Directory Third Edition - 
  http://www.joeware.net/win/ad3e.htm
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
  Sent: Tuesday, March 07, 2006 8:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] How Secure is a Domain Controller?
 
  Myrick, Todd (NIH/CC/DNA) [E] wrote:
 
  Okay for you Susan, I will modify my statement... Add IPsec filter that
  only allows http traffic to update.microsoft.com.  Also, in the future MS
  will probably bake in the spyware service into the product, so it will be
  there anyway.  I think I helped flush out the KB article on AV way back.
 
 
 
 
  Do folks really use Windows/Microsoft Update for patching DCs?
 
  I realize I'm a bit paranoid but you're still running a web browser on a
  DC.
 
  al
 
 
  

RE: [ActiveDir] Link single GPO to multiple OUs using script or something

2006-04-02 Thread Brian Desmond

Yeah I do something like this with about 650 sites

SiteTypeA
  SiteName-Code
    gg-SiteName-Tech (group)
    Computers
      gg-SiteName-DesktopAdmins (group)
      Workstations
      Laptops
      Servers
    Users
      gg-SiteName-UserAdmins (group)
      userTypeA
      userTypeB
    Groups

SiteTypeB
  SiteName-Code
    gg-SiteName-Tech (group)
    Computers
      gg-SiteName-DesktopAdmins (group)
      Workstations
      Laptops
      Servers
    Users
      gg-SiteName-UserAdmins (group)
      userTypeA
      userTypeB
    Groups

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, April 02, 2006 9:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Link single GPO to multiple OUs using script or something

Linking a single GPO to multiple OUs is a good valid design, have seen this
several times myself and really liked it. Best layout I have seen used it in
fact.



Consider

BuildingCode
  Group - buildingcode-admins
  Workstations
    Group - buildingcode-wsadmins
    Level0100
      Workstation - c1
      Workstation - c2
      Workstation - c3
      Workstation - c(n)
    Level0200
      Workstation - c1
      Workstation - c2
      Workstation - c3
      Workstation - c(n)
    Level0300
      etc
  Servers
    Group - buildingcode-srvadmins
    FilePrint
      Group - buildingcode-FilePrint-Admins
      Group - buildingcode-FilePrint-Group1
      Group - buildingcode-FilePrint-Group2
      Group - buildingcode-FilePrint-Group(n)
      Server - S1
      Server - S2
      Server - S(n)
    SomeApp
      Group - buildingcode-SomeApp-Admins
      Group - buildingcode-SomeApp-Group1
      Group - buildingcode-SomeApp-Group2
      Group - buildingcode-SomeApp-Group(n)
      Server - S1
      Server - S2
      Server - S(n)
    etc

With hundreds of building codes in a
domain or across multiple domains in a forest. You want the same GPO levels for
the workstations in each of the subou's. So you link the Level0100 GPO to the
Level0100 OUs. You don't have the mess and possible issues with group filtering
where the computer gets added to multiple groups (or the ACL used to filter
gets dorked up or reset) and local WS-ADMINS can control the GPO applied to the
machines at their site.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 01, 2006 3:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Link single GPO to multiple OUs using script or something

I may have missed earlier parts to this
thread, but have you considered adding all laptops to a group and then applying
a laptops GPO at some higher level in the OU hierarchy, filtered by the group
just mentioned?



I would also re-assess the OU hierarchy
and whether it is relevant and appropriate. If you encounter the need to link
the same GPO in 50+ places, then perhaps the OU hierarchy needs to be revamped
/ re-designed.



neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 01 March 2006 08:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Link single GPO to multiple OUs using script or something

Should be working - just create an example OU with the specific settings,
adfind gPLink and gPOptions into variables (actually gPOptions: read it once
and set it statically without reading in a variable) and use admod to write
the gPLink and gPOptions-attributes of the other OUs.



Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Wednesday, March 01, 2006 8:55 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Link single GPO to multiple OUs using script or something

Thanx, I will test it out :-)
moreover, I will see if I can create a combination of adfind and admod to
achieve this.

-- 
Kamlesh
~
Be the change you want to see in the World
~

On 2/28/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

You can do this with a simple VBS, LDIF-File or whatever is convenient for
you to change AD since you only need to modify the gPLink- and
gPOptions-Attributes. Look at the following example from the Technet
Scriptcenter:

http://www.microsoft.com/technet/scriptcenter/scripts/ad/ous/adouvb01.mspx




Greetings - Sincerely,

Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=""

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Monday, February 27, 2006 11:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Link single GPO to multiple OUs using script or something



Basically, we have  50 Location OUs each having
different sub OUs for servers, desktops, laptops.
My problem is I want to apply 
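Ulf's adfind/admod approach copies gPLink from a template OU onto each target, and a straight copy silently drops any link a target OU already had. The Python below (an added example, not code from the thread) merges the new link into each OU's existing gPLink instead and emits the LDIF to apply it; the GPO GUIDs, domain and OU names are constructed sample values.

```python
import re
from typing import Dict, List, Tuple

# gPLink is a string of "[LDAP://<GPO DN>;<options>]" entries. options is a
# bit mask on the link: 1 = link disabled, 2 = enforced (no override).
LINK_RE = re.compile(r"\[(LDAP://[^;\]]+);(\d+)\]", re.IGNORECASE)


def parse_gplink(value: str) -> List[Tuple[str, int]]:
    """Split a gPLink value into (GPO DN, link options) pairs, in stored order."""
    return [(dn, int(opt)) for dn, opt in LINK_RE.findall(value or "")]


def build_gplink(links: List[Tuple[str, int]]) -> str:
    return "".join(f"[{dn};{opt}]" for dn, opt in links)


def add_link(existing: str, gpo_dn: str, options: int = 0) -> str:
    """Return gPLink with gpo_dn linked, keeping every link the OU already has.
    Idempotent: a GPO that is already linked (case-insensitive) is left alone,
    so re-running the script never produces a duplicate link."""
    links = parse_gplink(existing)
    if any(dn.lower() == gpo_dn.lower() for dn, _ in links):
        return existing
    return build_gplink(links + [(gpo_dn, options)])


def ldif_modify(ou_dn: str, gplink: str, gpoptions: int) -> str:
    """One LDIF changetype: modify record (RFC 2849) for ldifde/ldapmodify.
    gPOptions is set statically, as Ulf suggests (1 blocks inheritance)."""
    return "\n".join([
        f"dn: {ou_dn}",
        "changetype: modify",
        "replace: gPLink",
        f"gPLink: {gplink}",
        "-",
        "replace: gPOptions",
        f"gPOptions: {gpoptions}",
        "-",
        "",
    ])


def link_gpo_everywhere(current: Dict[str, str], gpo_dn: str,
                        gpoptions: int = 0) -> str:
    """Build the LDIF that links gpo_dn to every OU in `current`, a mapping
    of OU DN -> its present gPLink ("" when the OU has no links yet)."""
    records = [ldif_modify(ou, add_link(gplink, gpo_dn), gpoptions)
               for ou, gplink in sorted(current.items())]
    return "\n".join(records)


# Constructed sample values: the GUIDs, domain and OU names are made up.
LEVEL0100_GPO = ("LDAP://CN={11111111-2222-3333-4444-555555555555},"
                 "CN=Policies,CN=System,DC=joe,DC=com")
SITE_GPO = ("LDAP://CN={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},"
            "CN=Policies,CN=System,DC=joe,DC=com")

CURRENT_GPLINKS = {
    "OU=Level0100,OU=Workstations,OU=B001,DC=joe,DC=com": "",
    # Already carries an enforced link that an overwrite would destroy.
    "OU=Level0100,OU=Workstations,OU=B002,DC=joe,DC=com": f"[{SITE_GPO};2]",
    # Already linked to the GPO: must not be linked twice.
    "OU=Level0100,OU=Workstations,OU=B003,DC=joe,DC=com": f"[{LEVEL0100_GPO};0]",
}

if __name__ == "__main__":
    print(link_gpo_everywhere(CURRENT_GPLINKS, LEVEL0100_GPO))
```

In practice `CURRENT_GPLINKS` is filled from an adfind query for gPLink over the target OUs before the LDIF is generated.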

Re: [ActiveDir] Where's Deji.. (was Quiet? DEC? Related?)

2006-04-02 Thread Laura E. Hunter
Hmmm, trying to figure out how to make the logistics of a Sydney
junket work.  The European contingent would be flying east via
Heathrow/Frankfurt/deGaulle--Hong Kong--Sydney or something, while
the damn Yankees would fly west via LAX. I suppose we could all meet
up in Hong Kong and start from there, but oh -my- would that be an
exercise in herding cats.  :-)

As for what to talk about?  It may sound like a cop-out to say "The
stuff you talked about in the slide deck," but it's not, really.  The
people who were dazed by jadonex talking a mile a minute about group
caching and app partitions and what not would probably have a big
collective AHA! Gestalt moment if we rolled up some corresponding
VPC exercises where everyone could see the stuff in action.  Example:
do a lab where you actually get to see the creation of the phantom
objects that are managed by the IM, and maybe you get half the room
saying "Wow, I've been reading about the IM/GC interaction for 3
years...but never really grokked it until now."

That's just a hip-shot first thought, anyway.

- Laura


On 4/2/06, joe [EMAIL PROTECTED] wrote:
 Yes, Tony should have been there. That was part of my idea about Sydney. If
 he was still not present we could take a puddle jumper over to NZ and drag
 him out kicking and screaming. Plus I have a lot of friends I made in NZ and
 Australia from back when I worked with XYZ Widget company that really want
 me to come down for beers. I figure I could get a multimonth vacation out of
 it until the Aussie authorities chased me down and booted me out. :o)

 Would also like to see physical presence of -ajm, ~Eric, Garage Door
 clicker, DmitriG, and several others that I can't bring to mind this exact
 second.

 Yes tacit acceptance, that would be pretty accurate. :o) Start talking about
 First Class airfare, suites, and also flying in our posse's and we could
 move up to just about maybe[1]. <BFEG> Watch out Tony, Gil can certainly
 twist an arm, I still can't use chopsticks with my right hand
 thankyouverymuch and you do NOT want to see me eating with chopsticks with
 my left hand, Yum Talay flying all over the place <g>

 I guess that also brings up the topic of if people had Dean and I in a room
 together again what would you want to hear about? I saw several comments of
 doing the pre-session but again, what would you want to see and/or hear
 about? One of the big things that slowed Dean and I down on this was the
 fact that we couldn't think of anything we thought people would be
 interested in hearing about. Maybe we should just pick up with where we left
 off with our slide deck from this year? Seriously though, folks should be
 pretty familiar by now with Dean and I and what we talk about in posts etc,
 what things would you want to hear from us in a presentation? I think the
 presentation name will have to be something like Humour, Opinions, and
 Serious Tech 2007 but what goes into it?

 I expect the other speakers wouldn't mind this kind of feedback as well.
 Well except for maybe Wook, not sure anyone could be as creative as Wook in
 topic selection for his technical session.

  joe


 [1] Of course I am sort of kidding around here. :)


 --
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Where's Deji.. (was Quiet? DEC? Related?)

2006-04-02 Thread Tony Murray
Talk about kicking a man when he's down!  I would have loved to have been there 
- and not only for the vats of single malt you guys seem to have had without me.

Alas, my employer failed to be persuaded by my forceful argument [1] for 
attending.  

Perhaps I need one of those roving evangelist roles at HP :-)

Tony

[1] Not to mention the begging and unseemly weeping.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, 3 April 2006 8:53 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Where's Deji.. (was Quiet? DEC? Related?)


Deji had to bail at the last minute. Something about work or some other 
similarly lame excuse.

It's about as silly as "Where's Tony?" Sure NZ is like really far away and 
stuff, but come on! These are your peeps, Tony!

Now that I have at least tacit acceptance from DJ for DEC 2007, it's time for 
me to start twisting Tony's arm. I will not be denied! Muwah hah hah hah!

-g

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Friday, March 31, 2006 11:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Definitely a huge thanks to everyone for making this an awesome first DEC for 
me!  It was great matching up faces to the email addresses I see daily.  The 
DR, Security and Interopt sessions were a couple of my favorites.  The DJ show 
was awesome!

For those not able to attend this year, make it a priority next year.  I was 
told I could take a class this quarter...I've taken enough AD and Exchange 
classes over the years so I chose to attend DEC because of the praise given to 
it by the folks on this list.  It was well worth the trip...didn't hurt that 
red 9 kept hitting either ;-)

So the only mystery left is where was Deji?

Cheers,
Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 31, 2006 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Absolutely. Very entertained. 

I had a near permanent smile from the point I directed a question to Stuart 
asking him where he was from so I could give him a copy of AD3E. The funny part 
was him thinking I was trying to set him up for something... As soon as I saw 
him in the audience I intended on giving him a copy to say thanks from all of 
us for the work he has done on this stuff and his lack of failure in listening 
to our feedback. The way it all played out though was great and added to the 
fun.

To those who sadly didn't attend we gave out copies of Active Directory Third 
Edition to folks who were answering questions we tossed out into the open. I 
said the next question is for Stuart alone and said 

Stuart, where are you from? 

knowing that most of the folks in the audience would know exactly where he was 
from having seen his keynote abt Identity Management I figured most 
people would yell it out so I said it was just for him. His response was 
priceless... Now or originally?  The audience howled. Great fun.

  


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, March 31, 2006 7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

That's cool. I can go with that. As long as you're entertained. Let's just say 
it's not my kind of entertainment, unlike the joe and Dean show. Hey, joe and 
Dean, aren't you the guys who sing Little Old Lady From Pasadena?
Or was that Little Old Attr Caused PAS Expansion? :)

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 31, 2006 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Well it really depends on their attitude. What Guido & I did wasn't gambling 
though I stated it as such previously. We were being entertained. You don't 
really gamble when you play the slots, you have no control over the outcome.
If someone goes in thinking they will walk away with more money than they 
started with, I would argue they should not be doing it at all. I personally 
figure out how much money I am spending on entertainment and then spend it be 
it on slots, meals, drinks, or cool little rubber duckies at the hotel airport. 

Thinking that way, I lost $0 as well, though I spent about $500 on 
entertainment. Best money spent IMO.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, March 31, 2006 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

I've always thought that gambling in general was a tax on those who don't 
understand probability by those who 

[ActiveDir] ADAM - logging inefficient and expensive searches

2006-04-02 Thread Tony Murray

Hi all

Has anyone had any success with logging inefficient and/or expensive
searches in ADAM?

I've tried following the suggestions shown in the link below, but
substituting NTDS with the name of the ADAM instance in the registry
settings (e.g. ADAM_Instance1).

http://msdn.microsoft.com/library/default.asp?url=""

It didn't work. :-(

Any thoughts?

Tony

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.





RE: [ActiveDir] ADAM - logging inefficient and expensive searches

2006-04-02 Thread joe



Tony what exactly are you trying to accomplish and what 
exactly are you setting?

If, for instance, you want to enable logging of all queries 
then you want to set the Diagnostics\15 Field Engineering to 5 and then set 
parameters\Expensive Search Results Threshold to 1 and parameters\Inefficient 
Search Results Threshold to 1.

If you don't set the field engineering to 5 or if you set the thresholds to
say 0 you won't get anything.

I have enabled this logging on ADAM SP1/R2 and it has worked fine. I never
tried it on the original version but would be surprised if it didn't work
for that as well.

 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Sunday, April 02, 2006 11:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM - logging inefficient and expensive searches


Hi all

Has anyone had any success with logging 
inefficient and/or expensive searches in ADAM?

I've tried following the suggestions shown in the link below, but
substituting NTDS with the name of the ADAM instance in the registry settings
(e.g. ADAM_Instance1).

http://msdn.microsoft.com/library/default.asp?url=""

It didn't work. :-(

Any thoughts?

Tony
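As an added illustration (not from the thread), the Python below audits an exported service key of an ADAM instance or of NTDS against joe's settings, flagging the threshold-0 case that yields nothing, and emits the corrected .reg fragment. The value names are the real registry value names; the ADAM_Instance1 key name follows the thread, and the export text is a constructed sample standing in for Tony's configuration.

```python
import re
from typing import Dict, List

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
FIELD_ENGINEERING = "15 Field Engineering"          # under <service>\Diagnostics
THRESHOLDS = ("Expensive Search Results Threshold",  # under <service>\Parameters
              "Inefficient Search Results Threshold")

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Collect the DWORD values of a .reg export, keyed by lower-cased key path."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = int(m.group(2), 16)
    return keys


def audit_search_logging(keys: Dict[str, Dict[str, int]],
                         instance: str = "NTDS") -> List[str]:
    """Reasons the instance will not log every search; empty means it will.
    `instance` is the service key name: NTDS on a DC, the ADAM instance name
    (e.g. ADAM_Instance1) for ADAM."""
    diag = keys.get(f"{SERVICES}\\{instance}\\Diagnostics".lower(), {})
    params = keys.get(f"{SERVICES}\\{instance}\\Parameters".lower(), {})
    problems: List[str] = []
    if diag.get(FIELD_ENGINEERING.lower(), 0) != 5:
        problems.append(f"Diagnostics\\{FIELD_ENGINEERING} must be 5")
    for name in THRESHOLDS:
        value = params.get(name.lower())
        if value is None:
            problems.append(f"Parameters\\{name} not set (service default applies)")
        elif value == 0:
            problems.append(f"Parameters\\{name} is 0, which disables that log")
        elif value > 1:
            problems.append(f"Parameters\\{name} is {value}: only searches "
                            "above that threshold are logged")
    return problems


def reg_fragment_log_all(instance: str) -> str:
    """.reg text applying joe's settings: field engineering 5, both thresholds 1."""
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{SERVICES}\\{instance}\\Diagnostics]",
        f'"{FIELD_ENGINEERING}"=dword:00000005',
        "",
        f"[{SERVICES}\\{instance}\\Parameters]",
        f'"{THRESHOLDS[0]}"=dword:00000001',
        f'"{THRESHOLDS[1]}"=dword:00000001',
        "",
    ])


# Constructed export mirroring the thread: thresholds at 0, the value Tony
# reports using, with field engineering already at 5.
TONY_EXPORT = f"""Windows Registry Editor Version 5.00

[{SERVICES}\\ADAM_Instance1\\Diagnostics]
"{FIELD_ENGINEERING}"=dword:00000005

[{SERVICES}\\ADAM_Instance1\\Parameters]
"{THRESHOLDS[0]}"=dword:00000000
"{THRESHOLDS[1]}"=dword:00000000
"""

if __name__ == "__main__":
    for problem in audit_search_logging(parse_reg_export(TONY_EXPORT), "ADAM_Instance1"):
        print("problem:", problem)
    print(reg_fragment_log_all("ADAM_Instance1"))
```

A real export comes from `reg export HKLM\SYSTEM\CurrentControlSet\Services\ADAM_Instance1 adam.reg`; the fragment the script prints can be imported back with regedit once reviewed.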






RE: [ActiveDir] ADAM - logging inefficient and expensive searches

2006-04-02 Thread Tony Murray








Hi Joe



I wanted to log all LDAP searches and therefore set the Expensive Search Results Threshold to 0. This works on DCs, so I assumed it would on ADAM.



Tony

















RE: [ActiveDir] ADAM - logging inefficient and expensive searches

2006-04-02 Thread Tony Murray








Mmm, I've just tested on a DC and the 0 setting for Expensive Search Results Threshold doesn't work, whereas the 1 setting does. I was going by the tip in Robbie's AD Cookbook, but I guess it doesn't work on a 2003 DC. Perhaps the behaviour has changed since 2000. I would ask for a refund on the Cookbook, but seeing that a) I didn't pay for my copy and b) I was one of the tech reviewers, I would not be coming from a position of strength.



Thanks Joe.



Tony

















RE: [ActiveDir] ADAM - logging inefficient and expensive searches

2006-04-02 Thread joe



I think you need to set it to 1 on DCs as well Tony. Been a while since I looked, but I seem to recall an issue setting it to 0, and just automatically use 1.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




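The registry settings joe describes, and the thread's finding that a threshold of 0 disables the logging rather than logging everything, as an added PowerShell example (not code from the thread or from Microsoft). It assumes the values live under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Diagnostics and \Parameters, with the service name being NTDS on a DC or the ADAM instance's service name (e.g. ADAM_Instance1); the function names are hypothetical.

```powershell
# Added example: enable logging of every LDAP search on an ADAM instance or a DC.
# Assumption: service key is HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>,
# where ServiceName is 'NTDS' (DC) or the ADAM instance service, e.g. 'ADAM_Instance1'.
function Enable-LdapSearchLogging {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        # 0 does not mean "log everything"; per the thread it switches the logging off,
        # so the lowest accepted value is 1 (log every search).
        [ValidateRange(1, [int]::MaxValue)] [int] $Threshold = 1
    )
    $svc = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $svc)) { throw "Service key not found: $svc" }

    $diag   = Join-Path $svc 'Diagnostics'
    $params = Join-Path $svc 'Parameters'
    foreach ($key in $diag, $params) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    if ($PSCmdlet.ShouldProcess($ServiceName, "enable LDAP search logging, threshold $Threshold")) {
        # Field Engineering level 5 is what makes the two thresholds take effect at all.
        Set-ItemProperty -Path $diag   -Name '15 Field Engineering'                -Value 5          -Type DWord
        Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold'   -Value $Threshold -Type DWord
        Set-ItemProperty -Path $params -Name 'Inefficient Search Results Threshold' -Value $Threshold -Type DWord
    }
}

# Read the three values back and report whether the combination is actually effective.
function Get-LdapSearchLoggingState {
    param([Parameter(Mandatory)] [string] $ServiceName)
    $svc = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $fe  = (Get-ItemProperty -Path "$svc\Diagnostics" -ErrorAction SilentlyContinue).'15 Field Engineering'
    $p   =  Get-ItemProperty -Path "$svc\Parameters"  -ErrorAction SilentlyContinue
    $exp = $p.'Expensive Search Results Threshold'
    $ine = $p.'Inefficient Search Results Threshold'
    [pscustomobject]@{
        Service       = $ServiceName
        FieldEng      = $fe
        Expensive     = $exp
        Inefficient   = $ine
        # Logging only happens with level 5 AND non-zero thresholds, which is the trap Tony hit.
        LoggingActive = ($fe -eq 5 -and $exp -ge 1 -and $ine -ge 1)
    }
}

# Usage (run elevated on the ADAM host; -WhatIf shows the changes without writing them):
# Enable-LdapSearchLogging -ServiceName 'ADAM_Instance1' -WhatIf
# Get-LdapSearchLoggingState -ServiceName 'ADAM_Instance1'
```

With a threshold of 1 every search is written to the event log, so on a busy instance expect a large event volume and raise the threshold again once the diagnosis is done.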


RE: [ActiveDir] Dynamic Groups

2006-04-02 Thread Alex Fontana








Hahaha

While reading the very first sentence in the last paragraph I was thinking to myself, what was that app that our Engineers used to use (prior company) that wanted all of the users to have this_special_group as primary... Clearcase... they are notorious.











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, April 02, 2006 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Dynamic Groups





I am feeling feisty and have a desire to write a lot and am actually having fun writing tech stuff so I will debate this a little. :o) I am not assuming what you do or don't know here Ulf, just using your note as a platform to document something for some folks who may not be aware because the actual functionality deviates from the commonly accepted/explained functionality.



---



Logging off and logging on is the most obvious way to get the new token with the new groups however if the domain group isn't needed for access ON the local machine but instead for network connections you can possibly get benefit from updating the memberships even in the middle of the day depending on the circumstances. Obviously the first benefit is that people CAN actually log off and log on and get the access needed. However...



In reality the whole thing is only SEEMINGLY tied to logging off and logging on. Why you ask? Because people like me have spent years trying to tie the logoff/logon to getting a new token together for support folks on the help desk and the users so they don't have to try and worry out the various intricacies of the whole token generation process because it is confusing and trying to do that on a regular basis is just going to confuse most of your L1 people when they could simply say log off and log on and get around the whole thing.



It is *much* easier and faster and consistent to tell someone, yeah log off and log on after a group change versus asking them if they have connections or tickets to specific resources already and then doping out if they will get immediate access (or lose it) or not. And if they expect it will but it doesn't then all of a sudden you have a problem that you probably really don't have other than someone doesn't completely understand token generation and use and I am not even saying I understand all of it, in fact I am sure I don't. Plus you don't have to explain to management why it works sometimes but not others which is even more important than explaining to users because if it isn't explained properly it could mean a lot of extra make work for you when the manager thinks there is something that can be done there when in actuality it probably can't.





So you have something that is inconsistent unless you follow a very specific process at which point it becomes far more consistent and predictable... What is the solution there? Architects/Integrators in the house? You document the process and tell people you HAVE to follow this or it won't work right and whap them when they don't follow it. This is usually enough to get people to follow the process (unless they feel they know better) and things work in a more predictable manner. It is usually the case that it is far more important that things be consistent and predictable for the L1 help desk folks and users than accurate to 30 decimal places and they understand all of it. If shooting for the latter, good luck, L1 isn't paid enough to try and learn token generation nor to care how it works. Some may want to but that isn't the norm from my experience.





So, solution there, the simple statement from Level 2/3/4 or whatever that you need to log off and log on to get your new token and hope that everything has replicated to where it needs to get to. Now if someone gets access before that log off and log on it can generate a question of hey, I got access and didn't log off and log on or I lost access and didn't log off and log on but those are generally easy questions to duck out on as that is the final goal of the change anyway and the L2/3/4 person being asked can say I don't know, how odd, scratch their chin, then duck out hastily looking for someone flailing with another problem that appears to be tough but is actually just a PC that isn't turned on. :)





So anyway, everyone knows that you carry your creds and token around with you like a little keyring that you get when you present your initial credentials, the various popular security gurus all say so. So it really isn't worth trying to tell folks that that is just the very very high (say 37k and blue skies) viewpoint and not what is happening in its entirety. If you told them that every time you touched a new machine you get another key ring to attach to your belt it starts to confuse the situation and the simple analogy breaks down for folks (but wait, how does that machine know what keys to give me, only the DC should know and he/she should give them to me right off, etc etc etc).



So after all of that, it is