Re: [ActiveDir] remove orphan DC from the domain
It should be removed. We had the same situation on our site in the past and used the same article. We did a search on the AD later and found the odd piece of data hanging around in AD, which we tidied up.

Which domain controllers held which FSMO roles? Were any on the DC that you have lost? Have you managed to transfer these to another DC?

Cheers,

Matt Duguid
Microsoft Systems Engineer
Information and Technology Group - Identity Services
The Department of Internal Affairs, Te Tari Taiwhenua
Direct Dial: +64 4 4748028 x8028
Fax: +64 4 4748894
Mobile: +64 21 1713290
Address: Level 4, 47 Boulcott Street, Wellington, New Zealand
Internet: http://www.dia.govt.nz/

From: senthil Kumar [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 26/01/2007 12:14 p.m.
Please respond to: ActiveDir
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,

We already had 3 DCs in our network. Suddenly one DC went down permanently; it won't come back. Right now we want to remove that orphan DC completely. I have seen the Microsoft article:

1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type ntdsutil, and then press ENTER.
3. Type metadata cleanup, and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters must be specified before the removal can occur.
4. Type connections and press ENTER. This menu is used to connect to the specific server where the changes occur. If the currently logged on user does not have administrative permissions, different credentials can be supplied by specifying the credentials to use before making the connection. To do this, type set creds DomainName UserName Password, and then press ENTER. For a null password, type null for the password parameter.
5. Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server. Note: If you try to connect to the same server that you want to delete, when you try to delete the server that step 15 refers to, you may receive the following error message: Error 2094. The DSA Object cannot
RE: [ActiveDir] AD Schema - adding an attribute
Hi,

Thanks for the replies.

> birthDate already exists - can you take advantage of it?

Where would I find this? If it already exists I think I'd be better off using that one.

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, January 09, 2007 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

Well, first off - birthDate already exists - can you take advantage of it?

Second, you need to register a prefix and OID tree with Microsoft on MSDN. This is how you will get a starting point for OIDs. You'll also get a prefix, so it would be ewu-birthMonth or something. Don't use oidgen.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, January 09, 2007 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema - adding an attribute

How do I add an attribute to AD? I'd like to add birthMonth, birthDay, birthYear to my Active Directory Schema for extra data to store for my users. Looking in MMC - Schema, I see I can add an attribute, but it wants an Object ID (OID). I know there's an oidgen program somewhere (haven't found it yet), but is that the best way to do it?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] AD Schema - adding an attribute
I can't seem to find the birthDate attribute in any of my classes. Looking in MMC - Active Directory Schema.

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 10, 2007 8:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

It's an attribute of the user class.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
[ActiveDir] AD Schema - adding an attribute
How do I add an attribute to AD? I'd like to add birthMonth, birthDay, birthYear to my Active Directory Schema for extra data to store for my users. Looking in MMC - Schema, I see I can add an attribute, but it wants an Object ID (OID). I know there's an oidgen program somewhere (haven't found it yet), but is that the best way to do it?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004
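An added worked example, not from this thread: a small Python script that keeps new attributeIDs under the OID arc you registered (the arc and the schema naming context below are placeholders) and emits the ldifde input for an attribute such as ewu-birthMonth, flushing the schema cache before the attribute is attached to the user class.

```python
# Placeholder for the OID arc your organisation registered (constructed
# value; substitute the arc you were actually issued). Using a registered
# arc, not oidgen, is what keeps attributeIDs from colliding with anyone else's.
REGISTERED_ARC = "1.3.6.1.4.1.99999.1"

# Syntax pairs an attributeSchema object needs: (attributeSyntax, oMSyntax).
SYNTAXES = {
    "integer": ("2.5.5.9", 2),
    "unicode": ("2.5.5.12", 64),
    "generalized-time": ("2.5.5.11", 24),
}


def is_valid_oid(oid):
    """Dotted non-negative integers, no leading zeros, first arc 0..2, at least two arcs."""
    parts = oid.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        return False
    if any(len(p) > 1 and p[0] == "0" for p in parts):
        return False
    return int(parts[0]) <= 2


def under_arc(oid, arc):
    """True when oid lies strictly below arc (prefix match on whole arcs,
    so 1.2.34 is under 1.2 but 1.23 is not)."""
    return oid.startswith(arc + ".")


def next_free_oid(arc, allocated):
    """Lowest unused direct child of arc, given the OIDs already handed out."""
    used = set()
    for o in allocated:
        tail = o[len(arc) + 1:]
        if under_arc(o, arc) and tail.isdigit():
            used.add(int(tail))
    n = 1
    while n in used:
        n += 1
    return f"{arc}.{n}"


def attribute_ldif(name, oid, syntax, schema_nc, single_valued=True):
    """LDIF for ldifde: create the attribute, flush the schema cache, then add
    it as mayContain on the user class. The cache flush must come before the
    class modification or the DC will not yet know the new attribute."""
    if not is_valid_oid(oid):
        raise ValueError(f"malformed OID: {oid}")
    if not under_arc(oid, REGISTERED_ARC):
        raise ValueError(f"{oid} is outside the registered arc {REGISTERED_ARC}")
    attr_syntax, om_syntax = SYNTAXES[syntax]
    return "\n".join([
        f"dn: CN={name},{schema_nc}",
        "changetype: add",
        "objectClass: attributeSchema",
        f"attributeID: {oid}",
        f"lDAPDisplayName: {name}",
        f"adminDisplayName: {name}",
        f"attributeSyntax: {attr_syntax}",
        f"oMSyntax: {om_syntax}",
        f"isSingleValued: {'TRUE' if single_valued else 'FALSE'}",
        "",
        "dn:",
        "changetype: modify",
        "add: schemaUpdateNow",
        "schemaUpdateNow: 1",
        "-",
        "",
        f"dn: CN=User,{schema_nc}",
        "changetype: modify",
        "add: mayContain",
        f"mayContain: {name}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed allocation list and schema NC for illustration.
    taken = [REGISTERED_ARC + ".1", REGISTERED_ARC + ".2"]
    oid = next_free_oid(REGISTERED_ARC, taken)
    print(attribute_ldif("ewu-birthMonth", oid, "integer",
                         "CN=Schema,CN=Configuration,DC=example,DC=edu"))
```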
Re: [ActiveDir] Built in Security groups
From what you're saying here, it doesn't sound like you need to basically... well... completely f*ck up your environment; you just need to remove the nesting of the Administrators group from the other groups.

Auditors saying that you need to delete a built-in group really need to get a clue, just to be honest. If you have to give it to them, then that shouldn't be an issue. Don't view an auditor's request as a "You must do this" statement, because it isn't. They are basing their recommendations off an incomplete understanding of the Windows environment; fill in the missing information and there is a really good chance that they'll go "Oh".

It really sounds like what you need is appropriate auditing to make sure that you have your sensitive group memberships monitored for membership changes.

On 12/26/06, [EMAIL PROTECTED] wrote:

Nope, we haven't delegated the rights to anyone else. We are a single forest farm that hasn't done a schema update with the current staff, so I doubt they even know what the groups are for. They saw that Administrator was a member of those groups, didn't know what they were for, and said to disable them. This is the problem with SOX and similar setups: the auditors and people making decisions based on their findings are often not the people best equipped to make the decisions from a technical standpoint. Regardless, I found the list of built-in accounts and groups and a reference from an outside authority (article in ITPro) stating that the built-in groups can not be deleted, so I think I have enough ammo to push back =)

Thanks,
Andrew Fidel

From: joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 12/23/2006 01:49 PM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Built in Security groups

Yep, the reference is Error Code 0x55B (1371) in winerror.h:

ERROR_SPECIAL_ACCOUNT # Cannot perform this operation on built-in accounts.

An alternate reference is isCriticalSystemObject: TRUE.

Send back up to the above that they should be setting overall generic security policies and the technical people should be figuring out how to interpret them. Telling you to delete certain groups is deeper into the details than they likely should be based on this requirement. Course my response probably would have been a chuckle or two and "Yeah, I'll get right on that" ;o)

The basic concept is silly. Correct me if I am wrong, but I am guessing you have delegated the same rights to other groups so they feel that leaving the original groups is a security issue? Obviously this is silly on the surface and actually at any level. Any group that has the same rights represents the same security risk. I wouldn't even bother taking the Schema Admins group and delegating those rights to some other group I made; I don't see the point, and I could visualize tools that will actually break if you did that, because they may look at the token or directory to verify someone is a member of that group directly to continue on.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 22, 2006 11:14 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Built in Security groups

Does anyone have a reference (preferably from MS) showing that you should not remove the built-in security groups such as Schema Admins, Enterprise Admins, etc.? It has come down from above that we should be removing these groups, and while I know better I need some ammunition to back me up.

Thanks,
Andrew Fidel
Re: [ActiveDir] Built in Security groups
Technically, he could remove those group objects from having the ability to manage whatever items. Any user members of these groups could simply 'take it back', but that requires a decent amount of knowledge.

My recommendation: restrict those group memberships by GPO on the DC GPO. This will end up with the user list being very small, and the chance that someone hacks both the group membership and goes to check and/or edit the GPO in the time that it would take before the GPO refreshes on a DC (and that change gets replicated out) is relatively small. It's not vanishingly small, but small enough to where it's a manageable risk, as opposed to a non-manageable one.

The groups are there for very good reasons, and some of the capabilities can't be moved to another group without some serious work (if at all). Basically, there has to be some form of 'emergency' fixing, and lacking some of these groups you'd lose that capability, which might not seem important until you need to have it; then you're in a world of hurt.

On 12/22/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

Not putting any users in the groups is basically the same effect as removing them from an operational perspective. If you don't have a user in the group, nobody has the rights to change things that only these groups have rights to. That's probably what your mgmt wants to achieve. You'd then populate the groups on an as-needed basis to perform specific tasks.

The reason why you don't want to remove them (which you could technically) is pretty easy: these groups are there for a purpose, i.e. they have been granted specific rights in AD to perform special tasks. This includes schema mgmt and administration of the config NC. If you don't like the groups, you'd have to ACL AD to allow another group to perform the tasks, which doesn't really make any sense ...

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, 22 December 2006 17:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built in Security groups

Does anyone have a reference (preferably from MS) showing that you should not remove the built-in security groups such as Schema Admins, Enterprise Admins, etc.? It has come down from above that we should be removing these groups, and while I know better I need some ammunition to back me up.

Thanks,
Andrew Fidel
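An added example, not from the thread, of the monitoring the replies recommend instead of deleting the groups: expand nested membership of the built-in groups and diff the effective members against an approved list. The group snapshot and approved list are constructed data standing in for an LDAP query of each group's member attribute.

```python
# Sensitive groups whose effective membership is worth watching. Deleting
# them is refused (ERROR_SPECIAL_ACCOUNT, isCriticalSystemObject: TRUE);
# what you control is who ends up inside, directly or through nesting.
SENSITIVE_GROUPS = ("Schema Admins", "Enterprise Admins", "Domain Admins", "Administrators")

# CONSTRUCTED directory snapshot: group -> direct members. Names that are
# themselves keys are nested groups; everything else is a user account.
# In a real domain this comes from each group's member attribute.
SNAPSHOT = {
    "Schema Admins": ["Administrator", "Administrators"],   # the nesting the auditors spotted
    "Enterprise Admins": ["Administrator"],
    "Domain Admins": ["Administrator", "alice"],
    "Administrators": ["Administrator", "Domain Admins", "Helpdesk"],
    "Helpdesk": ["bob", "carol"],
}

# Who is allowed to hold each role (constructed baseline).
APPROVED = {
    "Schema Admins": {"Administrator"},
    "Enterprise Admins": {"Administrator"},
    "Domain Admins": {"Administrator", "alice"},
    "Administrators": {"Administrator", "alice"},
}


def effective_members(group, directory, _seen=None):
    """Transitively expand group and return the set of user accounts that
    inherit its rights. _seen breaks membership cycles, which AD permits."""
    seen = set() if _seen is None else _seen
    seen.add(group)
    users = set()
    for member in directory.get(group, []):
        if member in directory:          # nested group
            if member not in seen:
                users |= effective_members(member, directory, seen)
        else:
            users.add(member)
    return users


def nested_groups(group, directory):
    """Direct group members of group: the nesting to remove instead of
    deleting the built-in group."""
    return [m for m in directory.get(group, []) if m in directory]


def audit(directory, approved):
    """Findings as (group, kind, subject): effective members not on the
    approved list, and any group nested under a sensitive group."""
    findings = []
    for g in SENSITIVE_GROUPS:
        extra = effective_members(g, directory) - approved.get(g, set())
        findings += [(g, "unapproved-member", u) for u in sorted(extra)]
        findings += [(g, "nested-group", n) for n in nested_groups(g, directory)]
    return findings


if __name__ == "__main__":
    for finding in audit(SNAPSHOT, APPROVED):
        print("%-18s %-18s %s" % finding)
```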
Re: [ActiveDir] Strange Lock Out Issue
Try this... http://support.microsoft.com/kb/182918

"Windows NT generates an account lockout event (Event ID: 539) on the workstation where the failed logon attempts occurred if the audit policy on that workstation enables auditing of failed logon/logoff events. However, no event is logged at the domain controller. Administrators must search the event logs of all client systems to locate the computer where the bad password attempts originated."

Cheers,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

From: Salandra, Justin A. [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 19/12/2006 08:34 a.m.
Please respond to: ActiveDir
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange Lock Out Issue

I have a user who is not logged in anywhere else, and while surfing the web or accessing a program she is getting locked out of her account for no reason. I have checked the logs on all three domain controllers and nothing is showing a failed logon attempt or bad password. It doesn't even show when the account got locked. Any ideas on how to rectify this?

Justin A. Salandra
MCSE Windows 2000 / 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]
Re: [ActiveDir] Bulk of client going to PDC
I'm curious whether there is some consistency in the clients and whether they're the latest version of the OS, what kind of DNS you have, WINS, etc.

Also, you might want to look at your DHCP and see where the DNS server is that the clients are bouncing against, but that doesn't seem to be the issue, since it's not consistent (that's the thing that seems strangest: the issue seems to hop from site to site).

Probably the best place to start is to track back to when the issue started and see if there were some changes that occurred around that time, whether it be part of the physical network or something on the clients/servers.

On 12/2/06, joe [EMAIL PROTECTED] wrote:

I would recommend doing a trace of one of the problem clients logging on and watching the whole referral process, etc. Actually, I would probably just turn on a sniffer and let it watch everything from one of those machines from boot up for some time so you catch refreshes and everything else. At least then you should be able to nail down whether the clients are being referred to something incorrectly or they are off making their own incorrect decisions.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Saturday, December 02, 2006 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bulk of client going to PDC

Yes, checked that the correct subnets are attached to the correct sites. All clients are connected via Ethernet 100/Full Duplex.

It's like a mass exodus of a swarm of computers going to the PDCe, and in turn choking the WAN links. It happens like once a day, and every day it would be a random site. Have asked different site people to install netmon on some PCs and keep it running on Monday, hoping that one of those sites, and in them one of those PCs, misbehaves.

Anything else I should look at?

--
Kamlesh

On 12/2/06, Al Mulnick [EMAIL PROTECTED] wrote:

Site definitions - are your site definitions up to date? How are your clients connected - are they ethernet, 802.11x, tokenring, ??

On 12/2/06, Kamlesh Parmar [EMAIL PROTECTED] wrote:

Am sorry, I didn't follow what you are asking.. could you be more specific?

On 12/2/06, Al Mulnick [EMAIL PROTECTED] wrote:

How are your clients connected? Site definitions?

On 12/1/06, Kamlesh Parmar [EMAIL PROTECTED] wrote:

Appreciate the efforts taken. AFAIK, this would be more of a DFS issue than authentication, as clients are pulling policies and files from the PDCe. When I look into the details of DFS link targets for sysvol or netlogon, the PDCe is listed as distance 9th in the list of servers which clients should contact in case their primary link target failed. And this happens so randomly, from clients, that I am not able to set up a network trace either.

--
Kamlesh

On 12/1/06, Thomas Michael Heß [EMAIL PROTECTED] wrote:

Hi Kamlesh,

first of all, I would enable the logging of the Netlogon service. I've found an article in Windows IT Pro:

"The Netlogon service is one of the key Local Security Authority (LSA) processes that run on every Windows domain controller. When you troubleshoot authentication problems, analyzing the Netlogon service log files can be useful. How do I turn Netlogon service logging on and off, and how do I analyze the content of the Netlogon log files?

To turn on Netlogon service logging, type the following Nltest command at the command line:

nltest /dbflag:2080

Enabling Netlogon service logging requires that you restart the Netlogon service. To do so, use the Net Stop Netlogon and Net Start Netlogon commands. To disable Netlogon service logging, type:

nltest /dbflag:0

Then, restart the Netlogon service again. The Netlogon service stores log data in a special log file called netlogon.log, in the %Windir%\debug folder. Two utilities are useful in querying the Netlogon log files: Nlparse.exe and Findstr.exe. Nlparse.exe is a GUI tool that comes with the Microsoft Account Lockout tools. You can download the Account Lockout tools for free from the Microsoft Web site as part of the Account Lockout and Management Tools ALTools.exe file at http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en. Figure 1 (http://www.winnetmag.com/Files/42850/Figure_01.gif) shows the Nlparse GUI, which contains the most common Netlogon error codes and their meaning. Nlparse stores the output of its queries in two files in the %Windir%\debug folder: netlogon.log-out.csv and netlogon.log-summaryout.txt.

. . ."

HtH
Thomas
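An added example, not from the thread, that does by hand what Nlparse does for Thomas's netlogon.log and answers Justin's lockout question the way KB 182918 implies (the DC's own log never names the source): parse SamLogon lines and count failures per originating workstation. The log lines are constructed, and the EXAMPLE domain, account and host names are placeholders.

```python
import re
from collections import Counter

# NTSTATUS codes Netlogon prints after "Returns"; these are the ones
# Nlparse filters on when hunting a lockout source.
STATUS = {
    "0x0": "success",
    "0xC000006A": "wrong password",
    "0xC000006D": "logon failure (bad user name or password)",
    "0xC0000064": "no such user",
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
    "0xC0000071": "password expired",
}

# One SamLogon result line in netlogon.log. The "(via DC)" part appears only
# on transitive (pass-through) logons forwarded by another server.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \S+ SamLogon: "
    r"(?P<kind>.+?) logon of (?P<account>\S+) from (?P<source>\S+?)"
    r"(?: \(via (?P<via>\S+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# CONSTRUCTED sample log: one account failing from WKS-0412 until it locks,
# then hitting the lockout from a second machine, plus one unrelated success.
SAMPLE_LOG = r"""
12/19 08:31:02 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\user01 from \\WKS-0412 Returns 0xC000006A
12/19 08:31:05 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\user01 from \\WKS-0412 Returns 0xC000006A
12/19 08:31:09 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\user01 from \\WKS-0412 (via FILESRV01) Returns 0xC000006A
12/19 08:31:40 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\user01 from \\WKS-0412 Returns 0xC0000234
12/19 08:32:01 [LOGON] EXAMPLE: SamLogon: Interactive logon of EXAMPLE\user01 from \\WKS-0200 Returns 0xC0000234
12/19 08:32:15 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\user02 from \\WKS-0200 Returns 0x0
""".strip().splitlines()


def parse_line(line):
    """Return a dict for a SamLogon result line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = "0x" + rec["status"][2:].upper()   # normalise hex case
    rec["meaning"] = STATUS.get(rec["status"], "unknown NTSTATUS")
    return rec


def failures_by_source(lines, account):
    """Count failed logons for one account per originating workstation.
    The DC's security log does not record the source (KB 182918), so this
    is the quickest way to pick which client's event log to pull next."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec and rec["account"].lower() == account.lower() and rec["status"] != "0x0":
            counts[rec["source"]] += 1
    return counts


def lockout_events(lines):
    """(timestamp, account, source) for every STATUS_ACCOUNT_LOCKED_OUT return."""
    return [(r["ts"], r["account"], r["source"])
            for r in map(parse_line, lines) if r and r["status"] == "0xC0000234"]


def likely_origin(lines, account):
    """Workstation with the most failures for the account, or None."""
    counts = failures_by_source(lines, account)
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    for r in filter(None, map(parse_line, SAMPLE_LOG)):
        print(r["ts"], r["account"], r["source"], r["meaning"])
    print("start with:", likely_origin(SAMPLE_LOG, r"EXAMPLE\user01"))
```

With a real netlogon.log, read the file into a list of lines and pass it in place of SAMPLE_LOG; on a DC the file lives in %Windir%\debug as Thomas's article says.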
Re: [ActiveDir] Script to delete unwanted profiles from desktop
If you use roaming profiles it would be easier, as you can simply delete all profiles on bootup/shutdown and it would still keep the 'owner' profile, though if the computer is a laptop you wouldn't want that, obviously.

On 12/3/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:

Check out delprof.exe. It's either in the reskit or part of the support tools or part of the OS, depending upon which version of the OS you have. You would have to run it in a GPO-based computer startup script so that it runs when no users are logged on.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mohan Rajput
Sent: Sunday, December 03, 2006 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to delete unwanted profiles from desktop

Hi guys,

I need a script which deletes unwanted profiles from the desktops, and I need to run that script through Domain Policy for computers.

--
Thanks & Regards
Mohan Kumar
Mob: (+91)981-195-7926
[EMAIL PROTECTED]
Re: [ActiveDir] OT: Possessed PCs
There are some wireless mice/keyboards that can potentially support hundreds of non-interfering devices - if they want to have wireless, make them use what has been 'approved' or nothing at all :)

On 12/1/06, [EMAIL PROTECTED] wrote:

Happens with my father and watches as well. The man cannot wear a watch without it dying within weeks. But that's another story.

If you can isolate the symptoms to time of day, or even the remote chance it's a bad ballast (fluorescent lighting used to cause occasional problems with old CRTs), etc., at least you can start to whittle things down a bit. But in this case it sounds like RF overlap. Perhaps there is one mouse that is emitting too strong a signal. I was a bit thrown this morning, though, when I thought I read that this was happening with corded devices as well.

Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
Fax: (312) 762-9275
Re: [ActiveDir] Granting rights to 'Manage GPOs'
You might want to set the account to have non-interactive rights, since I'm assuming that it runs a service that actually handles all the changes - then grant it membership within the Domain Admins group. That would fix the issue once and for all, unless you've changed Domain Admins to not have the ability to edit GPOs, though it's automatically granted every time a new GPO is created, regardless of what permissions were set before.

On 11/25/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:

Neil-

Assuming the setgpocreationpermissions script didn't fail in some way, I think the next step would be to check the perms on the various objects that should get this right. Namely, the service account you're granting access to should have the Create GroupPolicyContainer right over the cn=policies,cn=system container in AD and, similarly, on the SYSVOL Policies folder it should have Change rights over that container.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com - the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide (http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glance&n=283155), the definitive resource for Group Policy information.
Group Policy Management solutions at SDM Software: http://www.sdmsoftware.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 24, 2006 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Granting rights to 'Manage GPOs'

I am attempting to assign rights to a service account [sys-zzz], used by a Group Policy Management tool (3rd party), so that the service account has the necessary rights to 'manage' all GPOs in the domain. Aside from app-specific rights, I have assigned the following rights using GPMC scripts [scripts shown below]:

1. Create/edit GPO links at the root of the domain and all child containers:
   cscript %programfiles%\gpmc\scripts\SetSOMPermissions.wsf xxx.yyy xxx\sys-zzz /Permission:linkgpos /Inherit /Domain:xxx.yyy
2. Create new GPOs in the domain:
   cscript %programfiles%\gpmc\scripts\SetGPOCreationPermissions.wsf xxx\sys-zzz /Domain:xxx.yyy
3. Edit, delete and modify security rights to all existing GPOs in the domain:
   cscript %programfiles%\gpmc\scripts\GrantPermissionOnAllGPOs.wsf xxx\sys-zzz /Permission:fulledit /Domain:xxx.yyy

To cut a long story short, step 2 does not appear to grant the required 'create' right [the GP mgmt tool complains of an access denied issue]. However, if I manually (using GPMC) add the service account to the list of objects permitted to create GPOs in the domain [instead of using the script in step 2], then the GP Management app functions fine.

Has anyone encountered a similar issue? Are there newer versions of the GPMC scripts? [I have GPMC with SP1]

Just to add to the strangeness of this issue, if I execute the same scripts above but against a different domain (same service account), the 3rd party app functions fine in that other domain :/

Any comments?

Thanks,
neil
[ActiveDir] Enterprise Domain Controllers group missing...
- We recently upgraded the schema in one forest from Windows 2000 to Windows 2003.
- We now receive the following error when trying to access group policies: "The Enterprise Domain Controllers group does not have read access to this GPO. The Enterprise Domain Controllers group must have read access on all GPO's in the domain in order for Group Policy Modelling to function properly. To learn more about this issue and how you can correct it, click Help."
- I can confirm we do not have an Enterprise Domain Controllers group in any of the domains.
- I have found the following article, http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true, which shows how to fix the GPO issue using GrantPermissionOnAllGPOs.wsf... but this assumes we actually have the group Enterprise Domain Controllers available. From further reading I see this group has a specific SID of S-1-5-9, so I can not simply create a new group.
- Does anyone have any idea how the group Enterprise Domain Controllers can be recreated with the correct SID of S-1-5-9, so that we can run the script GrantPermissionOnAllGPOs.wsf to fix the group policy problem?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
Re: [ActiveDir] Enterprise Domain Controllers group missing...
Hi there,

I read that in another article as well... http://groups.google.co.nz/group/microsoft.public.windows.server.active_directory/browse_thread/thread/37eb3a91907d3f4e/4173fe072f7269b9?lnk=st&q=The+Enterprise+Domain+Controllers+group+does+not+have+read+access+to+this+GPO&rnum=2&hl=en#4173fe072f7269b9 ...but we have nothing under Foreign Security Principals which matches the SID we are after.

Does anyone know how to create a group that uses a well-known SID, or how this group is created initially so we can repeat the process?

Thanks,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 22/11/2006 03:16 p.m.
Please respond to: ActiveDir
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enterprise Domain Controllers group missing...

View > Advanced Features. Look in Foreign Security Principals, as I recall?

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] Enterprise Domain Controllers group missing...
;-) Yip, sure did... sorry, I should have elaborated further.

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

> From: Akomolafe, Deji [EMAIL PROTECTED]
> Sent: 22/11/2006 03:26 p.m.
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...
>
>> I can confirm we do not have an Enterprise Domain Controllers group in any of the domains.
>
> Really? How did you confirm that? In ADUC (with Advanced Features enabled in View) and doing a custom search for "enterprise", or simply looking in the Foreign Security Principals containers?
>
> Sincerely,
> Deji Akomolafe
> Microsoft MVP - Directory Services
> www.akomolafe.com - we know IT
> -5.75, -3.23
> Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
>
> From: [EMAIL PROTECTED]
> Sent: Tue 11/21/2006 6:04 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Enterprise Domain Controllers group missing...
>
>> - We recently upgraded the schema in one forest from Windows 2000 to Windows 2003.
>> - We now receive the following error when trying to access group policies: "The Enterprise Domain Controllers group does not have read access to this GPO. The Enterprise Domain Controllers group must have read access on all GPOs in the domain in order for Group Policy Modelling to function properly. To learn more about this issue and how you can correct it, click Help."
>> - I can confirm we do not have an Enterprise Domain Controllers group in any of the domains.
>> - I have found the following article http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true which shows how to fix the GPO issue using GrantPermissionOnAllGPOs.wsf... but this assumes we actually have the group Enterprise Domain Controllers available. From further reading I see this group has a specific SID of S-1-5-9, so I cannot simply create a new group.
>> - Does anyone have any idea how the group Enterprise Domain Controllers can be recreated with the correct SID of S-1-5-9 so that we can run the script GrantPermissionOnAllGPOs.wsf to fix the group policy problem?
>>
>> Thanks in advance,
>> Matt Duguid
>> Systems Engineer for Identity Services, Department of Internal Affairs
>> Phone: +64 4 4748028 (Wellington), Mobile: +64 21 1713290, Fax: +64 4 4748894
>> Address: Level 4, 47 Boulcott Street, Wellington CBD
>> E-mail: [EMAIL PROTECTED], Web: http://www.dia.govt.nz/
RE: [ActiveDir] Enterprise Domain Controllers group missing...
Awesome, thanks, will check it out... ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

> From: Steve Linehan [EMAIL PROTECTED]
> Sent: 22/11/2006 03:17 p.m.
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...
>
> You have to upgrade or install one of the servers in each domain to Windows Server 2003 and then transfer the PDC Emulator role to the upgraded or added Windows Server 2003 box. When a Windows Server 2003 box takes over the PDC Emulator FSMO role it will create these new security principals. This is documented under the section titled "Windows Server 2003 Well Known Security Principals" in the following link: http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx
>
> Thanks,
> -Steve
>
> From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] [EMAIL PROTECTED]
> Sent: Tuesday, November 21, 2006 8:04 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Enterprise Domain Controllers group missing...
>
>> - We recently upgraded the schema in one forest from Windows 2000 to Windows 2003.
>> - We now receive the following error when trying to access group policies: "The Enterprise Domain Controllers group does not have read access to this GPO. The Enterprise Domain Controllers group must have read access on all GPOs in the domain in order for Group Policy Modelling to function properly. To learn more about this issue and how you can correct it, click Help."
>> - I can confirm we do not have an Enterprise Domain Controllers group in any of the domains.
>> - I have found the following article http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true which shows how to fix the GPO issue using GrantPermissionOnAllGPOs.wsf... but this assumes we actually have the group Enterprise Domain Controllers available. From further reading I see this group has a specific SID of S-1-5-9, so I cannot simply create a new group.
>> - Does anyone have any idea how the group Enterprise Domain Controllers can be recreated with the correct SID of S-1-5-9 so that we can run the script GrantPermissionOnAllGPOs.wsf to fix the group policy problem?
>>
>> Thanks in advance,
>> Matt Duguid
>> Systems Engineer for Identity Services, Department of Internal Affairs
>> Phone: +64 4 4748028 (Wellington), Mobile: +64 21 1713290, Fax: +64 4 4748894
>> Address: Level 4, 47 Boulcott Street, Wellington CBD
>> E-mail: [EMAIL PROTECTED], Web: http://www.dia.govt.nz/
RE: [ActiveDir] Enterprise Domain Controllers group missing...
Hi there,

I finally found out where this group was... it is available from Windows 2000 AD onwards and is found at CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable under ADUC even with Advanced Features turned on, but you can use it to apply security on an AD object.

Cheers everyone for your assistance... ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

> From: Steve Linehan [EMAIL PROTECTED]
> Sent: 22/11/2006 03:33 p.m.
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...
>
> Sorry, read and responded to this too fast. You should have an Enterprise Domain Controllers group; however, it becomes a member of the Windows Authorization Access group after the PDC upgrade. You will be missing some of the other groups and security principals listed in that section until the PDC is upgraded.
>
> Thanks,
> -Steve
>
> From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Steve Linehan [EMAIL PROTECTED]
> Sent: Tuesday, November 21, 2006 8:17 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...
>
>> You have to upgrade or install one of the servers in each domain to Windows Server 2003 and then transfer the PDC Emulator role to the upgraded or added Windows Server 2003 box. When a Windows Server 2003 box takes over the PDC Emulator FSMO role it will create these new security principals. This is documented under the section titled "Windows Server 2003 Well Known Security Principals" in the following link: http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx
>>
>> Thanks,
>> -Steve
>>
>> From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] [EMAIL PROTECTED]
>> Sent: Tuesday, November 21, 2006 8:04 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: [ActiveDir] Enterprise Domain Controllers group missing...
>>
>>> - We recently upgraded the schema in one forest from Windows 2000 to Windows 2003.
>>> - We now receive the following error when trying to access group policies: "The Enterprise Domain Controllers group does not have read access to this GPO. The Enterprise Domain Controllers group must have read access on all GPOs in the domain in order for Group Policy Modelling to function properly. To learn more about this issue and how you can correct it, click Help."
>>> - I can confirm we do not have an Enterprise Domain Controllers group in any of the domains.
>>> - I have found the following article http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true which shows how to fix the GPO issue using GrantPermissionOnAllGPOs.wsf... but this assumes we actually have the group Enterprise Domain Controllers available. From further reading I see this group has a specific SID of S-1-5-9, so I cannot simply create a new group.
>>> - Does anyone have any idea how the group Enterprise Domain Controllers can be recreated with the correct SID of S-1-5-9 so that we can run the script GrantPermissionOnAllGPOs.wsf to fix the group policy problem?
>>>
>>> Thanks in advance,
>>> Matt Duguid
>>> Systems Engineer for Identity Services, Department of Internal Affairs
>>> Phone: +64 4 4748028 (Wellington), Mobile: +64 21 1713290, Fax: +64 4 4748894
>>> Address: Level 4, 47 Boulcott Street, Wellington CBD
>>> E-mail: [EMAIL PROTECTED], Web: http
RE: [ActiveDir] Enterprise Domain Controllers group missing...
Then correct it so people can learn, rather than simply pointing out that it's wrong, which really gets no one anywhere...

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

> From: Akomolafe, Deji [EMAIL PROTECTED]
> Sent: 22/11/2006 07:12 p.m.
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...
>
>> It's not viewable/searchable under ADUC even with Advanced Features turned on
>
> That is an incorrect statement.
>
> Sincerely,
> Deji Akomolafe
> Microsoft MVP - Directory Services
> www.akomolafe.com - we know IT
> -5.75, -3.23
> Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
>
> From: [EMAIL PROTECTED]
> Sent: Tue 11/21/2006 9:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...
>
>> Hi there,
>>
>> I finally found out where this group was... it is available from Windows 2000 AD onwards and is found at CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable under ADUC even with Advanced Features turned on, but you can use it to apply security on an AD object.
>>
>> Cheers everyone for your assistance... ;-)
>>
>> Matt Duguid
>> Systems Engineer for Identity Services, Department of Internal Affairs
>> Phone: +64 4 4748028 (Wellington), Mobile: +64 21 1713290, Fax: +64 4 4748894
>> Address: Level 4, 47 Boulcott Street, Wellington CBD
>> E-mail: [EMAIL PROTECTED], Web: http://www.dia.govt.nz/
>>
>> From: Steve Linehan [EMAIL PROTECTED]
>> Sent: 22/11/2006 03:33 p.m.
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...
>>
>>> Sorry, read and responded to this too fast. You should have an Enterprise Domain Controllers group; however, it becomes a member of the Windows Authorization Access group after the PDC upgrade. You will be missing some of the other groups and security principals listed in that section until the PDC is upgraded.
>>>
>>> Thanks,
>>> -Steve
>>>
>>> From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Steve Linehan [EMAIL PROTECTED]
>>> Sent: Tuesday, November 21, 2006 8:17 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...
>>>
>>>> You have
[ActiveDir] Matt Duguid/DIA is out of the office.
I will be out of the office starting 13/11/2006 and will not return until 17/11/2006.

Hi there, I am away from the office this week on training and will be back on Monday 20/05/2006. In my absence please contact either Sean White/Michael Chen or the Helpdesk on x8081.

Thanks,
Matt D
Re: [ActiveDir] Security-enable all your distribution lists?
I don't usually think of these as security-enabled distribution lists, but as mail-enabled security groups that users can manage in the same manner as they do distribution lists. When you think of them that way, it's not quite so painfully stupid.

Don't get me wrong, turning all your DLs into security-enabled DLs and then sticking resources in them isn't exactly what I'd call brilliant, as Al alluded to - just because you're turning some of your DLs into security groups doesn't mean that you should do it with all of them. Hell, I'd argue that you shouldn't do it with any of them - that you should do it the other way around: mail-enable a small portion of your security groups and have the users pick which ones, while reminding them that they are still *Security* groups and they need to manage their memberships with the same diligence they did before (yeah, yeah, I know - they didn't really take that good care of them before). If you make sure that the DLs that stay DLs have something in the name that designates them as a DL, it will make it easier.

That being said, data on a share is no less sensitive than data in an e-mail. Companies lose secrets in e-mails, get sued because of what has been said in an e-mail. The fact that the majority of us sit here going "NO!! NOT MY SECURITY GROUPS!!! DON'T LET THEM HAVE SECURITY GROUPS" tells me that, regardless of the fact that 99% of all leaks occur through e-mail, we still don't 'get it' that e-mail is where most of this information sneaks between the cracks, and it's not the 'grunts' that have the patent-holding information, it's the higher-up muckity mucks that are leaking data (SEC-sensitive information most of the time).

But to summarize - I'd recommend that you don't change the role of your DLs, but change the role of your security groups to fulfill this new need. Then you're not granting access to data based upon pre-existing groups that don't have access to data; you're simply allowing groups that already have access to data to fulfill an additional task. Mail-exclusive DLs serve a number of purposes, one of them being to keep the higher-up muckity mucks out of the data that there is a *very* good chance they don't understand anyway, but still allow them to be 'in the loop' on information that they do understand (well, kinda anyway).

On 10/27/06, Al Mulnick [EMAIL PROTECTED] wrote:
> Assume. Hmm.. That's been overdone so I'll pass this time :)
>
> Harvey, I just replied to a similar thread on this with my thoughts. I won't bore you with repetition. But I'm curious what makes you want to assume anything when it comes to security issues like this? I think it's way too unpredictable to assume that users will understand that concept. That's me though. I'm not your user.
>
> On 10/27/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:
>> Thanks for the doc, Jorge; I'd missed that in my searches. And my initial reaction was "not only no, but hell no!" to the request. But when I examine it logically it's harder to reject out of hand. A little while ago, we did change the default for new DL group requests to be security enabled. And it seems to me that one would implicitly assume that if one were setting access to a resource like SharePoint, they would use the same thought process as when they're sending mail: "Do I want everyone in this group to get this mail / have this access?"
>>
>> - Harvey
>>
>> On 10/21/06, Al Mulnick [EMAIL PROTECTED] wrote:
>>> My first reaction is, NOOO don't do that. That's silly. I absolutely abhor the concept of convenience to this level when it comes to access to secured resources. Saying that, DGs are often created by default as a security group. I'd actually be surprised, and I would applaud the person that made that choice in your organization.
>>>
>>> From my perspective, the worst thing ever done by Microsoft was to allow DGs to be security groups. Made it easier to transition PFs, sure, but the layer 8 contingent doesn't understand the subtle differences between a distribution list and a security-enabled distribution group. This loosely translates into people that want to include somebody on their regular mail lists, but don't necessarily want them to have access to the same data shares. They do NOT understand the difference in most cases.
>>>
>>> I don't know SharePoint well enough to say, but I would be completely floored if they did not have a way to revert behavior. I also would be totally surprised if your information security people were OK with this concept for the reasons I mentioned above. Token bloat is not the only concern you have here, Harvey.
>>>
>>> On 10/20/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:
>>>> Hi all, I'm interested in your opinion here, and perhaps a heads-up on requirements that may be coming your way. We have a request from the SharePoint team to security-enable all of our 18,000 distribution lists. Our concern, naturally, is token size. What will this do to Joe User's access token? The issue is tied in to SharePoint.
Re: [ActiveDir] Security-enable all your distribution lists?
I can understand your arguments, but the larger the organization, the more likelihood that the groups are controlled by users (in one way or another) anyway. When you've got 100k groups, you have someone listed as a group owner or someone authorized to approve new members of the group, and the only people who even know what the group is for are either members of that group or in the direct management chain - definitely not the IT people who 'manage' the groups. Even with smaller organizations, are the IT people the ones who should be saying who needs to have access to the CFO's information, or should it be the CFO? Just to be honest, there are a lot of areas within a company that the IT people aren't qualified enough to even hazard a guess as to who should and shouldn't have access to.

I think that the biggest difference between security-enabling distribution lists and enabling mail on security lists is the way that users think of them. The same people are managing them, and if they're going to screw up their security in a DL, they're probably going to screw it up by rubber-stamp approvals too. The security groups that you enable mail on aren't going to be big mail usage lists, and the distribution lists aren't going to be used 90% of the time for security.

Personally, I'd rather keep mail/security hybrids to the RBS groups and avoid it for the ABS (access/task-based security) groups. If someone wants to enable his/her ABS group for mail though, I'm not one to say what they can/can't do with their group/data. This way, your RBS groups have a built-in e-mail group to communicate with, but the mail/security overlap isn't so extreme that your company's security is a nightmarish web of DL/security groups. One important thing though: your privileged groups that grant special access to servers should always be managed by the IT persons; never let them turn into a mail-enabled security group.

On 11/7/06, Al Mulnick [EMAIL PROTECTED] wrote:
> You do make a strong argument, but I'm not sold. The part I can't get past is that the users have the control over adding a sec-prin to be able to pull the data, vs. pushing the protected data via email. The subtlety is important in my opinion. The only issue I have with the convenience of adding users to sec-enabled DGs is the lack of controls to prevent the misuse (either intentional or unintentional). Outside of that, I'm all for the concept. :)
>
> On 11/7/06, Matt Hargraves [EMAIL PROTECTED] wrote:
>> I don't usually think of these as security-enabled distribution lists, but as mail-enabled security groups that users can manage in the same manner as they do distribution lists. When you think of them that way, it's not quite so painfully stupid.
>>
>> Don't get me wrong, turning all your DLs into security-enabled DLs and then sticking resources in them isn't exactly what I'd call brilliant, as Al alluded to - just because you're turning some of your DLs into security groups doesn't mean that you should do it with all of them. Hell, I'd argue that you shouldn't do it with any of them - that you should do it the other way around: mail-enable a small portion of your security groups and have the users pick which ones, while reminding them that they are still *Security* groups and they need to manage their memberships with the same diligence they did before (yeah, yeah, I know - they didn't really take that good care of them before). If you make sure that the DLs that stay DLs have something in the name that designates them as a DL, it will make it easier.
>>
>> That being said, data on a share is no less sensitive than data in an e-mail. Companies lose secrets in e-mails, get sued because of what has been said in an e-mail. The fact that the majority of us sit here going "NO!! NOT MY SECURITY GROUPS!!! DON'T LET THEM HAVE SECURITY GROUPS" tells me that, regardless of the fact that 99% of all leaks occur through e-mail, we still don't 'get it' that e-mail is where most of this information sneaks between the cracks, and it's not the 'grunts' that have the patent-holding information, it's the higher-up muckity mucks that are leaking data (SEC-sensitive information most of the time).
>>
>> But to summarize - I'd recommend that you don't change the role of your DLs, but change the role of your security groups to fulfill this new need. Then you're not granting access to data based upon pre-existing groups that don't have access to data; you're simply allowing groups that already have access to data to fulfill an additional task. Mail-exclusive DLs serve a number of purposes, one of them being to keep the higher-up muckity mucks out of the data that there is a *very* good chance they don't understand anyway, but still allow them to be 'in the loop' on information that they do understand (well, kinda anyway).
>>
>> On 10/27/06, Al Mulnick [EMAIL PROTECTED] wrote:
>>> Assume. Hmm.. That's been overdone so I'll pass this time :)
>>>
>>> Harvey, I just replied to a similar thread on this with my thoughts. I won't bore
Re: [ActiveDir] OT: Exchange Question
Can't remember offhand if you can do this on a per-site basis or not, but you might be able to stick them in a site and have that site set to a max of 1MB e-mail; then the only way that they'll receive any e-mail is if they delete everything.

On 11/7/06, Navroz Shariff [EMAIL PROTECTED] wrote:
> Apologies if this has already been answered; cleaning out my mailbox ;-)
>
> Larry, you can use ADUC and the Exchange tools, where you will find the 'Exchange General' tab. From there, you can fine-tune the account for delivery restrictions.
>
> -Shariff
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Larry Wahlers
> Sent: Wednesday, November 01, 2006 9:36 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: Exchange Question
>
>> And, you can even turn the mailbox into a honeypot of sorts, by logging into it via Outlook and creating a rule that deletes all email sent to it!
>>
>> --
>> Larry Wahlers
>> Concordia Technologies
>> The Lutheran Church - Missouri Synod
>> mailto:[EMAIL PROTECTED]
>> direct office line: (314) 996-1876
>>
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Comeau
>> Sent: Wednesday, November 01, 2006 8:12 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] OT: Exchange Question
>>
>>> You can also make their incoming email addresses something obnoxious.
>>>
>>> Steve Comeau
>>> IT Manager, Rutgers Athletics
>>> 83 Rockefeller Road, Piscataway, NJ 08854
>>> 732-445-7802, 732-445-4623 (fax)
>>> www.scarletknights.com
>>>
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daash, Amr
>>> Sent: Wednesday, November 01, 2006 8:44 AM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] OT: Exchange Question
>>>
>>>> Well, there are a lot of things that could be done:
>>>> 1- You can modify the user's delivery restriction tab.
>>>> 2- You can create a security group, add the user names to this group, then open the ESM, navigate to your default SMTP virtual server, Access tab, then Authentication, and add the group you created.
>>>> The job now is done.
>>>>
>>>> Amr EL Daash
>>>> System Administrator, ITS Egypt
>>>> KPMG Egypt, Hazem Hassan
>>>> Pyramid Heights Office Park, Km22 Cairo-Alex Desert Road, Giza, Egypt
>>>> Tel +20 (2)536 22 00 / 11, Fax +20 (2)536 23 01 / 05, Mobile +20 (10) 1925369
>>>> Email: [EMAIL PROTECTED]
>>>>
>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
>>>> Sent: Wednesday, November 01, 2006 3:01 PM
>>>> To: ActiveDir@mail.activedir.org
>>>> Subject: [ActiveDir] OT: Exchange Question
>>>>
>>>>> I have a client who would like certain users to no longer receive e-mail, while still being able to access their mailboxes. Is there a way to do this other than exporting their mailbox to PST and mailbox-disabling the users?
>>>>>
>>>>> Thank you in advance,
>>>>>
>>>>> Dan DeStefano
>>>>> Info-lution Corporation
>>>>> [EMAIL PROTECTED]
>>>>> http://www.info-lution.com
>>>>> Office: 727 546-9143
>>>>> FAX: 727 541-5888
Re: [ActiveDir] problem in changing the default password setting
Password policies only work from the domain level and are ignored at all other OU levels. If you want this to be in effect, add that setting into the domain-level GPO; if you don't want it set for everyone in the organization, accept that you're going to have to do it manually (or with a script) on the user objects within the appropriate OU.

On 11/6/06, Sri [EMAIL PROTECTED] wrote:
> Hi List,
>
> I am using AD on a Win2k3 server. I have a requirement to disable the option "User must change password at next login" while adding a user to AD from the AD Users & Computers console, and to enable the "Password never expires" checkbox. While adding a user to a container, "User must change password at next login" is checked by default. To disable this option, the command line option -pwdneverexpires yes is working from the AD machine's command prompt. To do the same from the AD Users & Computers console, I created a group policy and set the max and min password ages in Account Settings -- Password Policies. But still the option "User must change password at next login" is checked and "Password never expires" is not checked.
>
> Please help me with this. Thanks in advance.
>
> Sri
Re: [ActiveDir] list lastlogontime for every user script
I have one that I have coded and I have sent it to your email address. You can modify it easily to email you.

Cheers,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

> From: Ramon Linan [EMAIL PROTECTED]
> Sent: 27/10/2006 09:59 a.m.
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] list lastlogontime for every user script
>
> Hi,
>
> I am trying to do a script or something that will list lastlogontime for all users so I can receive an email when someone has not used the account for more than 30 days. I have seen a couple of examples of half-built scripts that don't work; I get lost when they start dealing with converting the number to a date... Does anyone have a script that will do something similar? Does joeware have something similar?
>
> Thanks
> Ramon
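The number-to-date conversion Ramon gets stuck on, as an added example that is not part of the thread (neither Ramon's half-built scripts nor the one Matt sent), written in Python rather than VBScript so it runs anywhere; the account records and the report time are constructed, not from a real directory:

```python
"""Turn AD lastLogon / lastLogonTimestamp values into dates and flag stale accounts."""
from datetime import datetime, timedelta, timezone

# Both attributes are 64-bit Windows FILETIME values: the number of
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC. That is why a raw
# LDAP dump shows an 18-digit integer rather than a date.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF  # int64 max, the "never" sentinel (used by accountExpires)


def filetime_to_datetime(value):
    """Convert a FILETIME integer (or its string form as returned by LDAP) to a UTC datetime.

    Returns None for 0 and for the int64 max sentinel: both mean "never",
    not a real point in time.
    """
    value = int(value)
    if value <= 0 or value >= FILETIME_NEVER:
        return None
    # Integer division by 10 turns 100-ns ticks into whole microseconds,
    # which timedelta handles exactly (no floating-point drift).
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(when):
    """Inverse conversion; used below to build realistic sample values."""
    delta = when - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def stale_accounts(records, now, max_age_days=30):
    """Return (sAMAccountName, last_logon, age_days) for every account unused for
    more than max_age_days, or never used (then last_logon and age_days are None).

    records is an iterable of (sAMAccountName, raw_filetime) pairs, the shape
    an LDAP query for lastLogonTimestamp gives you.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for name, raw in records:
        last = filetime_to_datetime(raw)
        if last is None:
            stale.append((name, None, None))
        elif last < cutoff:
            stale.append((name, last, (now - last).days))
    return stale


def report(stale):
    """Render the stale list as the plain-text body of a notification e-mail."""
    lines = []
    for name, last, age in stale:
        if last is None:
            lines.append(f"{name}: never logged on")
        else:
            lines.append(f"{name}: last logon {last:%Y-%m-%d %H:%M} UTC ({age} days ago)")
    return "\n".join(lines)


# Caveat before acting on the output: lastLogonTimestamp is replicated, but a DC
# only rewrites it when the stored value is older than msDS-LogonTimeSyncInterval
# (14 days by default, minus a random offset), so it can lag real activity by up
# to about two weeks. lastLogon is exact but not replicated, so you would have to
# query every DC and keep the maximum. A 30-day threshold sits safely above the lag.

NOW = datetime(2006, 10, 27, 9, 59, tzinfo=timezone.utc)  # constructed "report time"

# Constructed sample of what an LDAP dump of lastLogonTimestamp looks like.
SAMPLE_RECORDS = [
    ("alice", datetime_to_filetime(NOW - timedelta(days=5))),
    ("bob", datetime_to_filetime(NOW - timedelta(days=45))),
    ("svc-backup", "0"),  # LDAP hands the attribute back as a string; 0 = never logged on
    ("carol", datetime_to_filetime(NOW - timedelta(days=127, hours=3))),
]


if __name__ == "__main__":
    print(report(stale_accounts(SAMPLE_RECORDS, NOW)))
```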
Re: [ActiveDir] List Groups I'm In?
You can also use a VBScript from the Script Center URL below and follow the path below the URL.
http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx?mfr=true
Script Center Home > Script Repository > Active Directory > Groups
tnx, mm

On 10/25/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

http://www.joeware.net/win/free/tools/memberof.htm I don't believe there's any builtin tool that will provide this information. Thanks, Andrew Fidel

Michael B Allen [EMAIL PROTECTED], sent by [EMAIL PROTECTED], 10/25/2006 12:46 PM, please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List Groups I'm In?

What is the easiest way for a user (say on a stock XP client) to list what groups they're in? Specifically I'd like the user to be able to just type a command like 'net user list groups' or some such and get a list of NT account names for tokenGroups. Or if there is a dialog somewhere that's good too. Ideas? Mike -- Michael B Allen PHP Active Directory SSO http://www.ioplex.com/
Re: [ActiveDir] Blocking IE7
You could be correct, it's been about 7 or 8 years since I worked with government institutions. I know that for K12 they were able to filter, but he's at a university and I didn't notice until later that it's (probably) a private institution that probably doesn't get money from the federal government. I know that when I worked for a library though, they were not able to filter at all (I asked what software they used and they said that they couldn't filter because they received government funds). I assume that it's the same at a university, where everyone is expected to be an adult. Again though, he appears to be at a private institution, where those rules wouldn't apply.

On 10/19/06, Brian Desmond [EMAIL PROTECTED] wrote:

You might want to check on that again. To even qualify for E-Rate funds as a K12 you need to be doing web content filtering. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Thursday, October 19, 2006 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Blocking IE7

I believe that disabling the Automatic Updates service via GPO will block them from installing it, not 100% sure though. Since you're in an educational environment, things can be a little dicey there. You can't restrict the internet (government funds thing) and I don't know offhand whether the IE7 installs through Windows Update are running as Local System or as the user that is logged in. If it's running as the user account, you can simply deny them the right to install software, but if it's running as the local System, things are a little more ugly.

On 10/19/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

I see how to block IE7 from deploying through WSUS, but what I don't see is a way to block a user from manually installing it. (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en) Our users are 90% XP SP2 and managed through GP. What about building a restricted software GPO that has a hash of iesetup7.exe (if that even exists)? I want to restrict them from getting it through microsoftupdate.com as well. Bryan Lucas Server Administrator Texas Christian University
Re: [ActiveDir] Blocking IE7
I believe that disabling the Automatic Updates service via GPO will block them from installing it, not 100% sure though. Since you're in an educational environment, things can be a little dicey there. You can't restrict the internet (government funds thing) and I don't know offhand whether the IE7 installs through Windows Update are running as Local System or as the user that is logged in. If it's running as the user account, you can simply deny them the right to install software, but if it's running as the local System, things are a little more ugly.

On 10/19/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

I see how to block IE7 from deploying through WSUS, but what I don't see is a way to block a user from manually installing it. (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en) Our users are 90% XP SP2 and managed through GP. What about building a restricted software GPO that has a hash of iesetup7.exe (if that even exists)? I want to restrict them from getting it through microsoftupdate.com as well. Bryan Lucas Server Administrator Texas Christian University
[ActiveDir] ADAM / AD Sync
Hi, I have an Active Directory environment with an account for all my users. I am also in the process of setting up ADAM to store more information about those users and have an X.500 style DN. I would like to be able to use some sort of pass-through authentication to Active Directory; is this possible and if so, how? What I'm trying to do is set it up so that if somebody tries to authenticate to the ADAM LDAP it passes authentication to the Active Directory servers. Thanks, -- Matt Brown Information Technology System Specialist V Eastern Washington University
Re: [ActiveDir] I'm sharing the Best Kept Secret I know.
See, after being married, I have found a few things are consistent:
1) You are always wrong.
2) If you think you might say something the wrong way, then it's DEFINITELY going to go badly - VERY badly.
3) Always assume that she didn't mean it in the horrible way she phrased it.
4) She will always assume that you meant it in a much worse way than how you phrased it.
5) You will hear about your mistakes for years, so try not to make any of them.
6) You're mean, she's just upset.
7) Those aren't rhetorical questions, she really does want an answer.
8) Logic is your way of saying that she's stupid.
9) Pointing out inconsistencies between actions and statements is just changing the subject.
10) No matter how much empirical evidence backs you up, see rule #1.

On 10/17/06, Daniel Gilbert [EMAIL PROTECTED] wrote:

Something tells me you should be ducking and running

Original Message
Subject: [ActiveDir] I'm sharing the Best Kept Secret I know.
From: Fleming, Dave (DotComm) [EMAIL PROTECTED]
Date: Tue, October 17, 2006 6:29 am
To:

Top Ten Things Men Understand About Women
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Dave Fleming Network Administrator Douglas-Omaha Technology Commission 408 So. 18th St. Omaha NE 68102 [EMAIL PROTECTED] (402) 444-6290
Re: [ActiveDir] The remote computer has ended the connection.
I read this and all I can think is that something happened to your Terminal Server mode on this server. Sometimes settings get changed when you install a security patch; you might want to verify your TS settings and make sure that it's in application mode (non-app mode means that only admins can connect). Also, go into Terminal Services Configuration and make sure that RDP isn't restricted to the local Administrators group. Is there anything else special about this server? Is it a DC? Does it have Exchange or something else installed on it?

On 10/17/06, Technical Support [EMAIL PROTECTED] wrote:

Hi, I am trying to access one of my servers using Remote Connection. I am using mstsc but it's not connecting me to the server. Error: "The remote computer has ended the connection." However, if I am using mstsc /v:IP Address /console it lets me connect to it. Problem is, in this mode I can use only an admin ID when connected like this. I want my engineers (who don't have administrator privileges) to access this. It's not possible in this mode. This all happened when I rebooted my server. Please suggest what can be done to normalize things. Thanks!!! Ravi
Re: [ActiveDir] Separating Database and logs on separate disks
Yeah, just to be honest, as long as you have 3+ DCs, there isn't much reason not to do it though. Even if you lose one, you just rebuild it and repromote it - never restore, btw - that can make all kinds of messy issues about replication show up that nobody wants to deal with.

On 10/16/06, Brian Desmond [EMAIL PROTECTED] wrote:

No, not that I can think of. If one raid group fails and corrupts the data you're still screwed so it's not going to save you there. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of AD
Sent: Monday, October 16, 2006 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Separating Database and logs on separate disks

Is there any other reason other than performance to have the Active Directory log files and database on separate disks? Opinions are welcome. Thanks Yves
[ActiveDir] Account becomes disabled by DCs when it logs in.
This is a non-interactive account, but when the service that uses the account goes to log in to the PDC emulators, the account gets deleted. This is only happening to 1 account; we have deleted and recreated the account, have created a new account with the same name (and rights) after renaming the old account, and no matter what we do to the account (call it disableduser for simplicity's sake), it gets disabled every time it tries to do what it does. Oh yeah, the account was running for well over a year without a problem.

The PDC emulators are Win2k running in a 2003 mixed mode environment (our backup and auditing tools don't support our 64-bit 2003 DCs yet, waiting on those to be updated before moving the roles over to a 2003 DC) and the GPOs on the Domain Controllers OU haven't changed in quite some time (or at the domain level). The account hasn't expired and every time the account logs in (non-interactively), the DC service account (servername$) disables the account with a 642 event and *not* a 629 event.

I've banged my head against this for a day or so and figured I'd fire off something here before calling MS. This is a service-type account and changing the name would take a lot of time adjusting the environment to reflect the new name. Is there some MS patch that might be biting us in the rear that may have been applied in the last 2-3 weeks? I'm just kinda baffled on this, never seen a DC disable an account for apparently no reason.
Re: [ActiveDir] RealVNC removal
I'd go with just disabling the service and setting it so that only Domain Admins and System can even manage and/or see the service. This is a 10-minute solution, whereas the others could take quite a bit of time to research how to do correctly.

On 10/2/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Return Receipt: your "RE: [ActiveDir] RealVNC removal" document was received by Justin Leney/US/DCI at 10/02/2006 04:08:38 PM
Re: [ActiveDir] ip problem
There's any number of 'easy' problems that you could be running into.
1) Your router isn't set as the default gateway.
2) Your router's routing table is messed up.
3) You've got your network all messed up (example, you're trying to route to/from a 83.161.118.x/24 subnet to your 83.161.118.XXX/28 address).

If your problem is #1 then you need to set your router as the default gateway and it *should* fix your problem. If your problem is #2, then you need to fix the routing table to have your local subnet routed to the internal port and everything else routed to the external port (and whatever the IP address of what it's connected to). If your problem is #3, then you need to fix your 2 subnets. It sounds like you've got a Class A overall (or are part of a Class A); you need to make sure that whatever you're connected to on the other side has its routing tables and subnet correct or it won't be able to connect to you. If you're talking from a 83.161.118.XXX/28 network to a 83.161.118.XXX/24 network then what you're running into is that the /24 side won't route to you because they think your addresses are on the LAN (no need to route anything on a LAN).

I'm not a router guru though, there might be ways to set this up on your router so that it will route, though I'm not thinking that's the case, as I don't think that a client tries to go to the default gateway unless something isn't on the local subnet. As others alluded, it could also be a proxy/firewall issue. If your firewall and/or proxy are set to block ping/tracert, then you won't see it. If you don't have the ACLs set right, you won't get in or out (possibly). If you're going from a trusted network to a trusted network, then you need to make sure you've got everything set up appropriately. If you're not, it may be that you need to set up a DMZ (where your proxy/firewall go usually and maybe a web/e-mail server) and then set up certain protocols to pass to other addresses.

If all of these addresses are config'd on your side (you own the 83.x.x.x A class), then I'd bet that it's either #2 or #3. If you got your /28 subnet from an ISP, then I'd bet the problem is at your firewall/router (#1 or bad/missing ACLs on your proxy/firewall).

On 10/8/06, Quatro Info [EMAIL PROTECTED] wrote:

There is a router: Funkwerk bintec R1200. All properly configured through an external company. What do you mean by layer 3 domains? Regards, J

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Monday, 9 October 2006 5:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ip problem

Well you need a router to cross subnets ... routers connect layer 3 domains. I'm not sure if you're expecting this to be classfully routed or something ... the Internet hasn't worked that way for a very long time. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Quatro Info
Sent: Sunday, October 08, 2006 11:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ip problem

Hi all, I have a weird issue, which seems a mask problem. I have a routed subnet at 83.161.118.XXX range, with a subnet 255.255.255.240 (16 IP addresses). Problem is that I can't connect to this 83 range from the outside from a same 83 address like 83.98.244.148. Furthermore I can't connect from this same 83 address to an external 83 address. So both ways is locked. Tried changing all subnets in every which way but no result. You folks got a clue? All input is appreciated. Thx Jorre
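The on-link versus routed decision that problem #3 above turns on, as an added example that is not part of the thread: the local host, gateway and neighbouring address are constructed; only the 255.255.255.240 mask and 83.98.244.148 come from the posts. It goes one step beyond the thread by also showing the /8 ("Class A") case.

```python
import ipaddress

# Constructed addresses for illustration. The thread only gives the 83.161.118.x
# range with mask 255.255.255.240 and the remote host 83.98.244.148.
LOCAL_HOST = "83.161.118.130"
LOCAL_MASK = "255.255.255.240"      # /28: 16 addresses, 14 usable
GATEWAY = "83.161.118.129"          # assumed inside address of the router
REMOTE_HOST = "83.98.244.148"       # the outside 83.x address from the post
NEIGHBOUR_BLOCK = "83.161.118.200"  # assumed: same /24, different /28, behind another router


def network_of(ip: str, mask: str) -> ipaddress.IPv4Network:
    """The subnet a host believes it is on, given its own address and mask."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def next_hop(ip: str, mask: str, gateway: str, destination: str) -> str:
    """Where a host with ip/mask sends a packet for destination.

    'on-link' means it ARPs for the destination directly and never hands the
    packet to the router; that is the failure the thread describes when the
    other side 'thinks your addresses are on the LAN'.
    """
    if ipaddress.ip_address(destination) in network_of(ip, mask):
        return "on-link"
    return gateway


def usable_hosts(ip: str, mask: str) -> int:
    """Host addresses left after the network and broadcast addresses."""
    return network_of(ip, mask).num_addresses - 2


def diagnose(mask: str) -> dict:
    """Show what the local host does with the two destinations under a given mask."""
    return {
        "network": str(network_of(LOCAL_HOST, mask)),
        "usable": usable_hosts(LOCAL_HOST, mask),
        "to_remote": next_hop(LOCAL_HOST, mask, GATEWAY, REMOTE_HOST),
        "to_neighbour": next_hop(LOCAL_HOST, mask, GATEWAY, NEIGHBOUR_BLOCK),
    }


if __name__ == "__main__":
    # Correct /28: both destinations are off-link and go to the router.
    print(diagnose(LOCAL_MASK))
    # Mistaken /24 (problem #3): the neighbouring /28 looks on-link, so no route.
    print(diagnose("255.255.255.0"))
    # Mistaken 'Class A' /8: even 83.98.244.148 looks on-link.
    print(diagnose("255.0.0.0"))
```

The same check applied from the far side explains the other direction: a /24 host there treats every 83.161.118.x address as on-link and never forwards replies to its router.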
Re: [ActiveDir] ip problem
Oh yeah, if you're getting your IP addresses from an ISP, it could very well be #2. That's where I'd start either way: make sure that the routing tables are set up correctly on your router. Your ISP (or someone who knows what they're doing on the other side) should be able to verify that they can ping the backside address on your router (usually a 10.x.x.x address) from their router (and vice-versa). If they can, and a tracert to one of the addresses on the other side of the 83.161.118.XXX Class C stops at your router, then odds on are that your routing table is messed up or that theirs is.

On 10/8/06, Matt Hargraves [EMAIL PROTECTED] wrote:

There's any number of 'easy' problems that you could be running into.
1) Your router isn't set as the default gateway.
2) Your router's routing table is messed up.
3) You've got your network all messed up (example, you're trying to route to/from a 83.161.118.x/24 subnet to your 83.161.118.XXX/28 address).

If your problem is #1 then you need to set your router as the default gateway and it *should* fix your problem. If your problem is #2, then you need to fix the routing table to have your local subnet routed to the internal port and everything else routed to the external port (and whatever the IP address of what it's connected to). If your problem is #3, then you need to fix your 2 subnets. It sounds like you've got a Class A overall (or are part of a Class A); you need to make sure that whatever you're connected to on the other side has its routing tables and subnet correct or it won't be able to connect to you. If you're talking from a 83.161.118.XXX/28 network to a 83.161.118.XXX/24 network then what you're running into is that the /24 side won't route to you because they think your addresses are on the LAN (no need to route anything on a LAN).

I'm not a router guru though, there might be ways to set this up on your router so that it will route, though I'm not thinking that's the case, as I don't think that a client tries to go to the default gateway unless something isn't on the local subnet. As others alluded, it could also be a proxy/firewall issue. If your firewall and/or proxy are set to block ping/tracert, then you won't see it. If you don't have the ACLs set right, you won't get in or out (possibly). If you're going from a trusted network to a trusted network, then you need to make sure you've got everything set up appropriately. If you're not, it may be that you need to set up a DMZ (where your proxy/firewall go usually and maybe a web/e-mail server) and then set up certain protocols to pass to other addresses. If all of these addresses are config'd on your side (you own the 83.x.x.x A class), then I'd bet that it's either #2 or #3. If you got your /28 subnet from an ISP, then I'd bet the problem is at your firewall/router (#1 or bad/missing ACLs on your proxy/firewall).

On 10/8/06, Quatro Info [EMAIL PROTECTED] wrote:

There is a router: Funkwerk bintec R1200. All properly configured through an external company. What do you mean by layer 3 domains? Regards, J

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Monday, 9 October 2006 5:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ip problem

Well you need a router to cross subnets ... routers connect layer 3 domains. I'm not sure if you're expecting this to be classfully routed or something ... the Internet hasn't worked that way for a very long time. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Quatro Info
Sent: Sunday, October 08, 2006 11:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ip problem

Hi all, I have a weird issue, which seems a mask problem. I have a routed subnet at 83.161.118.XXX range, with a subnet 255.255.255.240 (16 IP addresses). Problem is that I can't connect to this 83 range from the outside from a same 83 address like 83.98.244.148. Furthermore I can't connect from this same 83 address to an external 83 address. So both ways is locked. Tried changing all subnets in every which way but no result. You folks got a clue? All input is appreciated. Thx Jorre
Re: [ActiveDir] OT: wikis
I wonder if you realize that what you posted was incorrect:
1 (-1+1) (-1+1) ...
turns into:
1*0*0*0
So in the end 0 = 0 :)

On 10/6/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Very good altho dividing by zero (last step) is not permitted and (as per the below) causes an issue if permitted. How about this:
(1-1) + (1-1) + (1-1) + ... = 0
Re-write left hand side by moving brackets one place to the right:
1 (-1+1) (-1+1) ...
Or simplified:
1 + 0 + 0 + ... = 1
So 1 = 0 !
neil
PS Glad to see I managed to get the list talking about stuff other than IT/Windows/AD/Exch/Jet/ESE...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: 05 October 2006 23:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

From: http://www.jimloy.com/algebra/two.htm
a = x [true for some a's and x's]
a+a = a+x [add a to both sides]
2a = a+x [a+a = 2a]
2a-2x = a+x-2x [subtract 2x from both sides]
2(a-x) = a+x-2x [2a-2x = 2(a-x)]
2(a-x) = a-x [x-2x = -x]
2 = 1 [divide both sides by a-x]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, October 05, 2006 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

Careful, I recall a math professor in my differential equations class or maybe it was higher throwing a proof up on the board showing that 1 + 1 != 2 and it wasn't a numerical base trick. I didn't follow through it, I just closed my eyes and shook my head and thought forward to my communications class as the sights were easier on the eyes... I still wonder why I went into a field with such a high ratio of men to women... :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Thursday, October 05, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

999,998 + 2 = 1,000,000, not 100,000. ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Nims
Sent: Thursday, October 05, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: wikis

It's funny how we quote wikis as definitive sources of information, when they can be edited by anyone and everyone :) Who vets the edits and how much does that person know about the subject matter?? Anyone can edit, which is why they are generally correct. When 100,000 people view a record, and 2 people want to change it to be incorrect, 999,998 will want to correct it. I wouldn't use a wiki as a great historical or technical source. But for encyclopedia entries, which give a good summation of a subject, they are great.
Re: [ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now
Security a goal? It's more of a journey where the destination is "we didn't get hacked this week (month/year)". BTW, I wasn't saying that it's the worst idea ever to put e-mail on a DC (if it's a GC it will save you the journey for authentication), but in an organization where you have 2+ sites (and probably more than 500 users), I would tend to recommend putting Exchange on a separate server. I know that SBS isn't the *worst* tool ever (well... if you used it back in 1997 - which I did - it was), in fact, I've set up my sister/brother-in-law's network with an SBS box. Of course, they don't have 500+ users, they have 4. It's a matter of scale I guess.

On 10/6/06, Al Mulnick [EMAIL PROTECTED] wrote:

Hmm... I'm becoming more and more convinced that security on any platform is more of a goal than a destination anyway :) Putting other apps on a server that is designed to be a security server is not best practice on any platform, SBS or not. SBS exists because it makes more economic sense than mom's 75 person company buying one server per person to run Microsoft software. It's still a Frankenstein in my opinion. I have a slanted view of course, but I also know some of what goes on to make those apps magically work on the same machine. Security is not my concern in that arena. Availability also comes to mind as something that's at risk if you mix applications with your authentication services. Sadly, I saw this just the other day when a DC that's also a file/print server sigh crashed due to lack of disk space. Somebody got those pictures down before I got to it darn it. I bet they were some good ones ;)

Steve, I suggested the other tools because you need an accurate and up to date picture of what's going on. Sites and Services is not going to give you what you need in this case. Use ADUC and use the other tools I mentioned. Oh, and don't worry about those on *this* list when it comes to sending your company's private information: we're mostly honest. Those that troll the groups with googMSNSearch on the other hand might be less trustworthy. If you feel you'd like a second set of eyes, I'm happy to help. You can send to me directly and I'll respond directly as well. If you don't trust me, please give Microsoft support a call, else find somebody who's more familiar with AD and your situation that can give you that second set of eyes. You're not screwed yet based on the information you've presented. That could change though. Al

On 10/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Granted external FTP isn't one that SBSers recommend either and we're freaking out going WHAT ARE YOU THINKING? as well. As we say down here, we don't get hacked... we get stupid.

Tim Vander Kooi wrote:

It's not speed or resources that scare most of us when it comes to sharing DC space with other apps, it's security. With SBS Microsoft has (at least in theory) covered most of those security bases for the admin. The last time I allowed another admin to install FTP on a server he inadvertently put no security on it whatsoever and the company I was with at the time ended up serving up 200 GB of German p0rn. He had lots of fun explaining why our new server had crashed due to lack of disk space.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Egan (Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor SuperMicros, so they aren't even sweatin' hard. I'm watching them, they're golden. (Thanks, Susan - we think alike.) (Ahem... don't look now, but we already have 8 IBM e-Business servers (quad xeon) and are getting more. Don' neeed no steeenkin' SBS's! ;P ) (Let me just unequivocally state right here that SAP is a 10,000lb gorilla...)

Steve Egan Purcell Systems System/Network Administrator desk 509 755-0341 x110 cell 509 475-7682 fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Yeah, next they'll be SBS servers being installed there. (For some of us having our DCs do other things doesn't freak us out as much as it does you big serverland guys)

Matt Hargraves wrote:

I know you probably haven't been there very long, but what in the heck are they thinking, making DCs mail servers and FTP servers. Might as well load them up with web services next. BTW, you probably shouldn't be posting your infrastructure in a message list.

On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

Al, will do. I tucked FTPSERVER under a desk and forgot about it. Experience has taught
Re: [ActiveDir] Assign User rights over computers with AD
Just to cover some things: GPOs can make adjustments to computer *or* user object policies. The only way to override these settings is to use the 'loopback processing' option (this can be ugly and I prefer to avoid it). If you have computer settings set on a GPO on an OU, it will only apply to computer objects within that OU, user settings only apply to users within that OU (again, excepting loopback processing within that GPO). This is one of the big reasons why people usually only put computer *or* user objects within a particular OU. It allows you to disable the portion of the GPO that isn't going to get applied to the objects within the OU (disable user settings on GPOs for computer OUs - unless you're using loopback processing - and disable computer settings for GPOs on user OUs). There's really no reason to have a computer downloading user settings when it's not necessary and vice-versa. This way, you end up with managing your computer settings separately from your user settings. Common computer settings: Disabling security-related settings, adjusting auditing (event logs, etc), ACLing directories. Common user settings: Setting environmental variables (default home page, home directory, application settings like Office settings, etc...). Usually the only time you want to put user settings on a computer OU (and enable loopback processing) is for kiosk type computers, and then you probably want to make sure that you do something to make sure that it doesn't apply for Administrators. It's usually easier to put these settings on an OU for accounts that will be used for that type of workstation though, so you don't have to worry about loopback. As many other people stated though, trying to restrict administrators on workstations will as often as not end up with a series of headaches because of applications that require the user to be a local administrator on the computer. Whether this is because of poor programming on the part of the application developers or something else, it doesn't matter. Unless you know that your users won't need to be local admins, you may want to handle this in a very controlled and well tested manner, possibly testing all of your applications with a non-admin account before pushing this setting out to the users.

On 9/29/06, Dave Wade [EMAIL PROTECTED] wrote:
I know it's over a week since I sent this, but on thinking it's probably worth expanding on this. The OU structure is in place to provide two functions:
1) Delegation of management and administration.
2) Application of Group Policy.
Now because the OU structure is the ONLY way, unless you use some added value tool, to provide delegated admin, that needs to be the primary driver when designing the OU structure. So if you want different people managing Computers and Users, and like me you like to keep the user and computer policies separate, it makes sense to have Computers and Users in separate OU trees. Because you can't apply a GPO to the Users and Computers containers it also makes sense not to use these OUs. On the other hand if you have a very devolved management structure, and you are happy with devolved management of the users and computers, then it might make sense to have an OU tree where the top levels represent management units and you store both computers and users in these trees. Personally I don't like this approach, but for some organization structures it may be better...
Dave.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Wade
Sent: 23 September 2006 20:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Assign User rights overs computers with AD
I usually move them out as you can't apply GPO at the computers level...

From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Fri 22/09/2006 22:40
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD
Hey Dave. Do you mean separate trees under root computers? Or create different OUs for computers?

On 9/22/06, Al Mulnick [EMAIL PROTECTED] wrote: Separate Trees? That seems a little excessive. Or are we just mixing terms?

On 9/21/06, Dave Wade [EMAIL PROTECTED] wrote: I prefer to keep them in separate trees. In fact we are just doing that at present...

From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Thu 21/09/2006 17:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD
Thanks for your help, really useful. Is it a good practice to move computer objects to the OU where the user of the computer resides?

On 9/20/06, Dave Wade [EMAIL PROTECTED] wrote: Alberto, even though we made our users PowerUsers we found that we needed to make a number of tweaks to cater for poorly written applications. I think we now have about a dozen settings for various ill-behaved applications. The majority of these are to
Re: [ActiveDir] User account deletion
From Microsoft's website:
Event ID: 630
Type: Success Audit
Description: User Account Deleted: Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Caller User Name: %4 Caller Domain: %5 Caller Logon ID: %6 Privileges: %7
Check the security logs on your DCs for 630 events.

On 10/6/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: by, you really cannot find it anymore when querying AD ;-) jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Pohlschneider
Sent: Friday, October 06, 2006 14:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User account deletion
Is there a way to tell if a user account has been deleted? Thanks, Chris

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
Re: [ActiveDir] User account deletion
Just an FYI, this event will only be on the DC that the user was connected to when they deleted the account, it won't show up on all DCs, so this could be a relatively daunting task, mattering on your environment (or impossible, if your event logs roll over frequently and you don't save them off to another server or have software that saves them).

On 10/6/06, Matt Hargraves [EMAIL PROTECTED] wrote:
From Microsoft's website:
Event ID: 630
Type: Success Audit
Description: User Account Deleted: Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Caller User Name: %4 Caller Domain: %5 Caller Logon ID: %6 Privileges: %7
Check the security logs on your DCs for 630 events.
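The search the two replies above describe, as an added example that is not from the list thread: it walks Security log exports from every DC, pulls the fields out of each 630 description using the %1..%7 layout Matt quoted, and flags DCs whose logs are missing from the export, since a deletion serviced by that DC would be invisible. The pipe-separated export format, the DC names and every event in SAMPLE_EXPORT are constructed for illustration, and the function names are mine.

```python
"""Scan Security log exports from several DCs for Event ID 630 (User Account
Deleted): report which DC logged it, who deleted which account, and which
DCs contributed no log at all.

Added example, not code from the list thread. The one-event-per-line,
pipe-separated export format and every value in SAMPLE_EXPORT are constructed;
the description layout follows the 630 template quoted in the thread.
"""
import re
from collections import defaultdict

DELETE_EVENT_ID = 630  # "User Account Deleted" in the Windows 2000/2003 Security log

# Constructed sample: exports from DC1, DC2 and DC3 concatenated.
# Only DC1 and DC3 serviced a deletion, so only they carry a 630.
SAMPLE_EXPORT = """\
DC1|10/6/2006 9:12:03 AM|528|Success Audit|Successful Logon: User Name: jdoe Domain: CORP
DC1|10/6/2006 9:15:41 AM|630|Success Audit|User Account Deleted: Target Account Name: tsmith Target Domain: CORP Target Account ID: S-1-5-21-1111-2222-3333-1105 Caller User Name: helpdesk01 Caller Domain: CORP Caller Logon ID: (0x0,0x4F2A1) Privileges: -
DC2|10/6/2006 9:16:02 AM|528|Success Audit|Successful Logon: User Name: svc_backup Domain: CORP
DC3|10/6/2006 1:02:17 PM|630|Success Audit|User Account Deleted: Target Account Name: contractor7 Target Domain: CORP Target Account ID: S-1-5-21-1111-2222-3333-1342 Caller User Name: badmin Caller Domain: CORP Caller Logon ID: (0x0,0x9C311) Privileges: -
"""

# Regex built from the 630 description template (%1..%7 become named groups).
# Names are taken as single tokens; Privileges takes the rest of the line.
_DELETE_RE = re.compile(
    r"User Account Deleted:\s*"
    r"Target Account Name:\s*(?P<target>\S+)\s*"
    r"Target Domain:\s*(?P<target_domain>\S+)\s*"
    r"Target Account ID:\s*(?P<target_sid>\S+)\s*"
    r"Caller User Name:\s*(?P<caller>\S+)\s*"
    r"Caller Domain:\s*(?P<caller_domain>\S+)\s*"
    r"Caller Logon ID:\s*(?P<logon_id>\S+)\s*"
    r"Privileges:\s*(?P<privileges>.*)$"
)


def parse_export(text):
    """Parse export lines of the form DC|time|event id|type|description."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        dc, when, event_id, kind, description = line.split("|", 4)
        records.append({
            "dc": dc, "time": when, "event_id": int(event_id),
            "type": kind, "description": description,
        })
    return records


def find_deletions(records):
    """One dict per 630 event: the DC that logged it, who deleted whom."""
    deletions = []
    for rec in records:
        if rec["event_id"] != DELETE_EVENT_ID:
            continue
        entry = {"dc": rec["dc"], "time": rec["time"]}
        m = _DELETE_RE.search(rec["description"])
        if m:
            entry.update(m.groupdict())
        else:
            # A 630 we cannot parse is still a deletion; surface it rather than drop it.
            entry["unparsed"] = rec["description"]
        deletions.append(entry)
    return deletions


def missing_dcs(records, expected_dcs):
    """DCs that should have been exported but contributed no lines.

    630 is written only on the DC that processed the deletion, so a DC absent
    from the export is a gap in which the deletion may be hiding.
    """
    seen = {rec["dc"] for rec in records}
    return set(expected_dcs) - seen


def deletions_by_caller(deletions):
    """Group parsed deletions as DOMAIN\\caller -> [deleted account names]."""
    grouped = defaultdict(list)
    for d in deletions:
        if "caller" in d:
            grouped[d["caller_domain"] + "\\" + d["caller"]].append(d["target"])
    return dict(grouped)


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for d in find_deletions(recs):
        print(d)
    print("no logs exported from:", missing_dcs(recs, {"DC1", "DC2", "DC3", "DC4"}))
```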
Re: [ActiveDir] Assign User rights overs computers with AD
Yeah, I guess it's one of those "If you don't need it, get rid of it" things for me. Not going to use it? Just disable it and get rid of the excuse for some half-informed admin from going in and putting settings on there (we all know who they are and probably were him at some point in time, I'm sure I was ;) )

On 10/6/06, Darren Mar-Elia [EMAIL PROTECTED] wrote: Minor nit below. Otherwise, spot on observations.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Friday, October 06, 2006 7:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD
Just to cover some things: GPOs can make adjustments to computer *or* user object policies. The only way to override these settings is to use the 'loopback processing' option (this can be ugly and I prefer to avoid it). If you have computer settings set on a GPO on an OU, it will only apply to computer objects within that OU, user settings only apply to users within that OU (again, excepting loopback processing within that GPO). This is one of the big reasons why people usually only put computer *or* user objects within a particular OU. It allows you to disable the portion of the GPO that isn't going to get applied to the objects within the OU (disable user settings on GPOs for computer OUs - unless you're using loopback processing - and disable computer settings for GPOs on user OUs). There's really no reason to have a computer downloading user settings when it's not necessary and vice-versa.

This won't happen regardless. A computer account would never download user settings, even if the user side of a GPO is enabled. Disabling a GPO side is somewhat meaningless because if the side has no policy in it (i.e. its version is 0) then it won't be processed anyway. The only time this is useful is if you have settings on a side and you, for whatever reason, don't want them to be processed. It's kind of a way of blocking settings that would otherwise be applied by disabling them.

This way, you end up with managing your computer settings separately from your user settings. Common computer settings: Disabling security-related settings, adjusting auditing (event logs, etc), ACLing directories. Common user settings: Setting environmental variables (default home page, home directory, application settings like Office settings, etc...). Usually the only time you want to put user settings on a computer OU (and enable loopback processing) is for kiosk type computers, and then you probably want to make sure that you do something to make sure that it doesn't apply for Administrators. It's usually easier to put these settings on an OU for accounts that will be used for that type of workstation though, so you don't have to worry about loopback. As many other people stated though, trying to restrict administrators on workstations will as often as not end up with a series of headaches because of applications that require the user to be a local administrator on the computer. Whether this is because of poor programming on the part of the application developers or something else, it doesn't matter. Unless you know that your users won't need to be local admins, you may want to handle this in a very controlled and well tested manner, possibly testing all of your applications with a non-admin account before pushing this setting out to the users.
Re: [ActiveDir] Folder Redirection Issue
If you're using a transform file to deploy, you should be able to define the default file location, either as a variable (%homedrive%) or alternatively, you can install the GPO extensions for MS Office and set the item via GPO and stop worrying, as long as you test it a little bit before deploying it out to everyone.

On 10/4/06, Kennedy, Jim [EMAIL PROTECTED] wrote: "Office was deployed to the workstations via group policy using an AIP and MST transform." Bet you will find something in that MST that is pointing to the wrong location. Blow out an Outlook profile on one as a test.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Wednesday, October 04, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Folder Redirection Issue
I am having a weird problem with folder redirection. I have set the My Documents redirection to the "subfolder of the root drive" option and set the path to the homefolders directory (\\servername\homefolders$). This is supposed to redirect users' My Documents to \\servername\homefolders$\%username%\My Documents and it does. The users log onto their PCs and open their My Documents folder fine, and looking at the properties of their My Documents folder confirms that the redirection is working properly. The problem is in certain applications, namely Outlook 2003 (all latest patches and SPs applied). When a user goes to save an attachment, for example, and clicks on My Documents in the save dialog, they receive the error "cannot access \\servername\homefolders$", which makes sense since the users do not have access to the homefolders$ share, just to their subfolder. So Outlook, for some reason, is not drilling down into the user's My Documents in the home folder, but instead is trying to access the root of the homefolders$ share. In other Office apps, My Documents works fine. There are also no event log entries that reference this issue. I am stuck here as I am unable to find any KB articles that discuss this. Does anyone have any suggestions? I have not yet reinstalled Outlook because all other Office apps work fine. Office was deployed to the workstations via group policy using an AIP and MST transform. Any help would be greatly appreciated.
Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888
If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
Re: [ActiveDir] Folder Redirection Issue
Sorry, didn't read thoroughly first (oops). Yeah, it sounds like a perms issue, I usually set the root of my user shares directory to have Read/Traverse perms for users in case of an emergency and/or troubleshooting. It's an administrative share anyway, I can understand the paranoia of also setting it to basically be unbrowsable, but it sounds like you're going 1/2 a step too far (at least for the purposes of the applications in your environment).

On 10/5/06, Matt Hargraves [EMAIL PROTECTED] wrote: If you're using a transform file to deploy, you should be able to define the default file location, either as a variable (%homedrive%) or alternatively, you can install the GPO extensions for MS Office and set the item via GPO and stop worrying, as long as you test it a little bit before deploying it out to everyone.
Re: [ActiveDir] OT: wikis
What's funny is that actual encyclopedias have almost the same level of accuracy as Wikipedia on any particular subject. Part of that is the fact that they're always 1-3+ years out of date when they are published and the other part is that many 'facts' are actually just theories and there are commonly conflicting theories, or theories that have been around for 10+ years are assumed correct because the research that proved them wrong hadn't been made widely available to those who were part of the writing of the encyclopedia (or they don't trust the new evidence). Either way, you should try and find multiple sources of information for any subject that you're not familiar with.

On 10/5/06, Ramon Linan [EMAIL PROTECTED] wrote: Right, and remember there is no absolute truth!! :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Nims
Sent: Thursday, October 05, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: wikis
It's funny how we quote wikis as definitive sources of information, when they can be edited by anyone and everyone :) Who vets the edits and how much does that person know about the subject matter?? Anyone can edit, which is why they are generally correct. When 100,000 people view a record, and 2 people want to change it to be incorrect, 999,998 will want to correct it. I wouldn't use a wiki as a great historical or technical source. But for encyclopedia entries, which give a good summation of a subject, they are great.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] OT: wikis
I thought it was 9A:D

On 10/5/06, Laura A. Robinson [EMAIL PROTECTED] wrote: 999,998 + 2 = 1,000,000, not 100,000. ;-)
Re: [ActiveDir] Who keeps creating this folder files?
Turn on security auditing.

On 10/5/06, J B [EMAIL PROTECTED] wrote: Argh! On one of our file servers, there is a public directory that allows any authenticated user to do anything within it (minus changing permissions). MP3 files and folders appear there every so often and are removed soon thereafter. Is there some way for me to tell who has created these folders and MP3 files? Every time I check, no one is currently accessing the files - which would be an easy way for me to know...
Re: [ActiveDir] Who keeps creating this folder files?
Magic 8 ball?

Security event logs are great things, learning how to search them for the right data can be invaluable and increase the security at your company drastically. It will mean that instead of saying "Who did this?", you will know who did it. Instead of going "When did that happen?", you'll know when it happened. Unfortunately, you end up having to almost export your event logs to another location to make them searchable on active systems. The only bad part is that, once you get the data, you find yourself sitting there going "Oh, that script did it..." or worse - "I did it?!" or something similar. 95% of the time, something where you're going "Oh yeah, I'm gonna get them this time", you realize that there isn't anyone to get. After a little while you'll stop expecting to 'get them' this time and go "OK, what do I need to fix this time" and kinda dread the idea of it being someone doing something wrong, and hope it's just something that you can fix in 10 minutes, because if someone did something wrong, then you have to spend 2-4 hours in meetings discussing why they did it, how they did it, how to avoid it happening again, etc.

On 10/5/06, J B [EMAIL PROTECTED] wrote: I was hoping that there was some way to see who created it rather than wait until it happened again, or wait until someone accessed it... I'll have to settle for the auditing though. Thanks!

- Original Message -
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Thursday, October 05, 2006 11:14 AM
Subject: RE: [ActiveDir] Who keeps creating this folder files?!
Set some auditing on the folder that this is happening in and watch the security log for the relevant audits... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of J B
Sent: Thursday, October 05, 2006 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who keeps creating this folder files?!
Argh! On one of our file servers, there is a public directory that allows any authenticated user to do anything within it (minus changing permissions). MP3 files and folders appear there every so often and are removed soon thereafter. Is there some way for me to tell who has created these folders and MP3 files? Every time I check, no one is currently accessing the files - which would be an easy way for me to know...
Re: [ActiveDir] OT: Volume licensing activation
I can completely understand Microsoft's point, don't get me wrong. I guess it just kinda gets my goat that they're so tired of people using VLE keys as the new favorite of license violators that they're going to put the onus on the business owners to pay for a new server just to manage Microsoft's licenses. Also, Vista is one thing, but Longhorn? Do they really have that many server instances running with VLE keys that it justifies a company having to pay for 1-10 licensing servers (remember, not everyone is 100% in a single global region) to keep not only my workstations up and running, but the servers too? I just kinda feel like if they're going to go this far, they should provide me with a license appliance to handle every x number of stations. Enough people are paying for software assurance where it seems like it would be a good business move to keep people happy, a little good with the bad I guess. The scary part that I'm wondering about is what they're going to do with the retail/OEM versions of the software. There are enough people out there who will buy a computer but not have an internet connection (yes, I know it's not a *huge* number, the internet is half the reason a lot of people get computers), what are they going to have to do, call MS every 180 days to 'reactivate' their computer? Talk about a pain. My father would just end up giving his computer away if it came to that. Granted, he's 60 and doesn't know a tenth what most people under the age of 30 know about computers, but those are the people who need everything more convenient and less of a hassle.
On 10/4/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
Microsoft's Software Protection Platform: Protecting Software and Customers from Counterfeiters: The company announces innovative technology in Windows Vista and Windows Server "Longhorn" to reduce the risk of piracy and software tampering while improving software licensing: http://www.microsoft.com/presspass/features/2006/oct06/10-04SoftwareProtection.mspx
Windows Genuine Advantage: New technology to protect Windows Vista and other products: http://blogs.msdn.com/wga/archive/2006/10/04/New-technology-to-protect-Windows-Vista-and-other-products.aspx
Whitepaper: http://download.microsoft.com/download/c/2/9/c2935f83-1a10-4e4a-a137-c1db829637f5/10-03-06SoftwareProtectionWP.doc
As long as it works and works well, and when it's updated it gets disclosed so that tinfoil folks won't be shutting off auto updates, because that's what's happening now.

Brian Desmond wrote: I read through the docs on this vl activation and it's not as bad as it sounds. They're really just trying to protect the keys. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, October 03, 2006 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Volume licensing activation
Yeah... MS is going to get really high levels of adoption on this product... Gotta wonder what in the heck they're thinking sometimes.

On 10/2/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: http://blogs.zdnet.com/microsoft/?p=26 Mary Jo Foley reports that the next version of Vista will have Volume licensing activation.

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] OT: Volume licensing activation
Yeah... MS is going to get really high levels of adoption on this product... Gotta wonder what in the heck they're thinking sometimes.

On 10/2/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote: http://blogs.zdnet.com/microsoft/?p=26 Mary Jo Foley reports that the next version of Vista will have Volume licensing activation.
Re: [ActiveDir] Move all OU and USERS from one forest to another forest
I'm not sure if I was going to test for an Exchange environment that I wouldn't want to make sure that, at the very least, I still had the extensions in place for Exchange in the schema.

On 10/3/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
Have a look at:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/105.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/107.aspx
jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramon Linan
Sent: Tuesday, October 03, 2006 16:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Move all OU and USERS from one forest to another forest
Hi, I am trying to build a testing environment. I have the production forest and the testing forest, not connected at all. Is there an easy way of creating all the same OUs and users from one forest to the other? Each forest only has one domain. Also, I am only interested in moving some of the attributes, i.e. there is no MS Exchange in the testing environment so I don't care about Exchange attributes. I was going to build a script that will read from production LDAP and create objects in the other one, but if there is already something like that, a tool or script, I would prefer to use it to save time. Can I use ADAM for this?
Rezuma
Re: [ActiveDir] OT: Volume licensing activation
When you've got 100k workstations in your environment and it takes 2-3 minutes to run through the activation and then however much time to manage the server... 100k*2.5 ends up equalling about 2 year's worth of wages for a single employee (call it $120k total). I don't mind them trying to protect keys, but it's not the companies with 1k+ workstations, it's the companies with 50 workstations and 'computer geniuses' (don't you dread it when you hear that phrase - you know something's *really* screwed up) who are using invalid or stolen keys. I know that 120k might be 'beans' to a large company, but reality is that you just increased the deployment cost for a new tool. If I can run XP for an extra 2 years and use the version after Vista, then I just saved my company $120k... I just paid my salary for the next year probably. This is how management personnel think - that's why we call them 'bean counters', because that 120k means something to them. They know that not using legit versions is not a valid solution, but they also know that saving $120k means something after you do it 10 times (and just saved the company 0.1% off their costs - every little bit counts for accountants).

On 10/3/06, Brian Desmond [EMAIL PROTECTED] wrote: I read through the docs on this vl activation and it's not as bad as it sounds. They're really just trying to protect the keys. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
[ActiveDir] ADAM with Domain
How does ADAM integrate with a domain? Will they be completely separate directories or can they somehow be joined together? I'm wanting to use an X.500 name for the ADAM instance. Thanks in advance for the help provided,
-- Matt Brown IT System Specialist Eastern Washington University
Re: [ActiveDir] SID History.
OK, I think that I pretty much had it figured out, just wanted to get some level of validation.Thanks for all the help.On 9/26/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Matt, I went through a similar 'thought experiment' a few years ago. Whilst I didn't actually test my conclusions, I arrived at the decision that the original domain could actually be completely removed and the SID history data would still be valid and usable to access resources. i.e. there is no need to 'talk' to the DCs in the resource domain(s). Does that help? neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt HargravesSent: 25 September 2006 20:55To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] SID History. Yeah, read that document before. It doesn't say whether it's going to go scanning domains for SID History memberships, so I have to assume that unless I have a group that points to a user's SID History SID within that AD environment (or in that authentication chain), then it's not going to add in more SIDs to the user's token. Example: I have a group that points a user's SID history as a ForeignSecurityPrinciple, then it will add in that object.In other words, if user addomain\user1234 is accessing a file that is on server fileserver.addomain.com and only ACLs to groups that are within the local domain that are AD native and those groups only have memberships for the local domain, then is his token going to include his memberships from NTResourcedomain42 and NTResourcedomain78 or just his memberships which reside within addomain.com? 
On 9/25/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: to read on how the access token is built see: http://download.microsoft.com/download/8/f/3/8f36dfe4-47d0-4775-ad5a-5614384921aa/AccessTokenLimitation.doc authentication across domains depends on whether NTLM is used (external trusts) or Kerberos is used (forest trusts and intra-forest transitive trusts); sIDHistory just adds SIDs to the access token, after that the process is the same. jorge Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel : +31-(0)40-29.57.777 Mobile : +31-(0)6-26.26.62.80 E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves Sent: Mon 2006-09-25 19:38 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] SID History. Unfortunately that's not even close to what I was having issues with Joe. I'm more concerned with how tokens are created and whether they will by default query the old resource domains that haven't been migrated into the AD environment. Theoretical situation: I am a member of 50 groups in my user domain, I'm accessing something in my user domain. We have 150 trusted resource domains where I have 6 group memberships in each through SID history. Is the GC/DC going to query all trusted domains for my memberships through SID history? (resource domains are all NT4 domains) I'm assuming that it's not going to, because of how the authentication path works (resource server - user domain DC - user domain GC - resource server DC, resource server), but everything I've seen never really talks about SID History much.

On 9/24/06, joe [EMAIL PROTECTED] wrote: I would recommend poking through the MSDN security docs. It sounds like there is a break in understanding of how the SIDs are used in combination with the DACLs. Start here: http://msdn.microsoft.com/library/default.asp?url="" but poke around that whole area.
joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matt Hargraves Sent: Thursday, September 21, 2006 4:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] SID History. Conceptual situation: User domain, Resource domain(s). I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token? Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
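The model below is an added example, not code from any of the posters and not a Windows API. It walks through what Jorge and Neil describe: the DC builds the token from SIDs it already holds (the user's SID, its sIDHistory, and the SID plus sIDHistory of every transitive group membership), and the resource server then evaluates the DACL against that flat set of SIDs. Nothing in it contacts the old resource domain, because once the SIDs are in the token the old domain is not consulted. The domain SIDs, RIDs and group names are constructed for the example.

```python
"""Model of how sIDHistory enters the Windows access check.

Added example for the sIDHistory thread; not code from the posters and not a
Windows API. Step 1: the DC builds the token from SIDs it already holds.
Step 2: the resource server walks the DACL against that flat set of SIDs.
All domain SIDs, RIDs and names below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed domain SIDs: the migrated AD domain and two old NT4 resource domains.
AD_DOMAIN = "S-1-5-21-1111-2222-3333"
NT_RES42 = "S-1-5-21-4242-4242-4242"
NT_RES78 = "S-1-5-21-7878-7878-7878"

READ = 0x1
WRITE = 0x2


@dataclass(frozen=True)
class Principal:
    """A user or group as the DC sees it: its SID, the SIDs carried over in
    sIDHistory, and the groups it is a direct member of."""
    sid: str
    sid_history: tuple[str, ...] = ()
    member_of: tuple[Principal, ...] = ()


def build_token(user: Principal) -> frozenset[str]:
    """Flat set of SIDs the DC puts in the token: own SID, own sIDHistory, and
    the SID and sIDHistory of every transitive group membership."""
    sids = {user.sid, *user.sid_history}
    stack = list(user.member_of)
    seen: set[str] = set()
    while stack:
        group = stack.pop()
        if group.sid in seen:
            continue
        seen.add(group.sid)
        sids.add(group.sid)
        sids.update(group.sid_history)
        stack.extend(group.member_of)
    return frozenset(sids)


def access_check(dacl: list[tuple[str, str, int]], token: frozenset[str], requested: int) -> bool:
    """Walk a canonically ordered DACL (explicit denies before allows).
    ACEs whose trustee SID is not in the token are skipped. A matching deny
    covering any still-ungranted requested bit fails the check; allows
    accumulate until every requested bit is granted. Ungranted bits fail."""
    granted = 0
    for ace_type, trustee, mask in dacl:
        if trustee not in token:
            continue
        remaining = requested & ~granted
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            granted |= mask & requested
            if granted == requested:
                return True
    return granted == requested


def migrated_scenario() -> dict[str, bool]:
    """The thread's case: user and group migrated into AD with sIDHistory, the
    file server still ACLed with the old resource-domain SIDs."""
    old_fileadmins = f"{NT_RES42}-1105"   # group SID in the old NT4 domain
    old_user = f"{NT_RES42}-1204"         # the user's old SID
    fileadmins = Principal(sid=f"{AD_DOMAIN}-1105", sid_history=(old_fileadmins,))
    user1234 = Principal(sid=f"{AD_DOMAIN}-1204", sid_history=(old_user,), member_of=(fileadmins,))
    token = build_token(user1234)

    # DACL as it was in the resource domain: deny write to the old user SID,
    # allow the old group read+write, allow a group from a domain the user was never in.
    dacl = [
        ("deny", old_user, WRITE),
        ("allow", old_fileadmins, READ | WRITE),
        ("allow", f"{NT_RES78}-2000", READ),
    ]
    return {
        "old_group_sid_in_token": old_fileadmins in token,
        "res78_sid_in_token": f"{NT_RES78}-2000" in token,
        "read_granted": access_check(dacl, token, READ),
        "write_granted": access_check(dacl, token, WRITE),
    }


if __name__ == "__main__":
    for name, value in migrated_scenario().items():
        print(f"{name}: {value}")
```

The point the model makes is Jorge's: the old group SID reaches the DACL only because it is already in the token via the migrated group's sIDHistory; a SID from NTResourcedomain78 that was never migrated is simply absent, and no lookup against that domain would add it.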
Re: [ActiveDir] DNS entry won't delete
Any chance you can edit the setting so that it points to something not in your network? (ex. you have a 10.x.x.x network, so you reset it to be a 192.168.x.x IP)

On 9/26/06, Clingaman, Bruce [EMAIL PROTECTED] wrote: My two DCs are Windows 2003 servers, DNS integrated, Primary. The resilient entries are from Mac OS X clients and one OS X server. The domain name of the entries are from a domain that was renamed. Bruce Clingaman Information Technology Department Pensacola Christian College 850.478.8496 ext. 2198 [EMAIL PROTECTED]

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick Sent: Tuesday, September 26, 2006 3:18 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DNS entry won't delete Bruce, try the command that Andrew posted and see what results you get. Other things to check: Are the domains integrated? Primary? How are the reverse and forward zones configured? I'm surprised to hear the record is not in WINS. I assume then that it's not a Windows server? What type of server is it? What is the OS? Al

On 9/26/06, Clingaman, Bruce [EMAIL PROTECTED] wrote: I got object not found error. The following script should enumerate all the zones on both my DCs:

    WScript.Echo Now & vbCrLf
    DCs = Array("dc1", "dc2")
    For i = 0 To UBound(DCs)
        strDN = "CN=MicrosoftDNS,DC=DomainDNSZones,DC=mydomain,DC=int"
        Set objColl = GetObject("LDAP://" & DCs(i) & "/" & strDN)
        WScript.Echo "Entries in " & DCs(i)
        WScript.Echo String(30, "-")
        EnumColl objColl
        WScript.Echo
    Next

    ' Print the name of every child object (zone) under the MicrosoftDNS container
    Sub EnumColl(objColl)
        For Each objEntry In objColl
            WScript.Echo objEntry.Name
        Next
    End Sub

It does not display all the zones, one of which has the entries in question. Bruce Clingaman Information Technology Department Pensacola Christian College 850.478.8496 ext. 2198 [EMAIL PROTECTED]

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Cace Sent: Tuesday, September 26, 2006 9:27 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS entry won't delete You can run the following command to see where an update is originating. Then, if you have auditing enabled for that operation, you can check the originating DC to see who made the change.

    repadmin /showobjmeta yourdc dc=recordname,dc=yourzone.com,cn=MicrosoftDNS,dc=DomainDNSZones,dc=yourdomain,dc=com

Replace yourdc, etc. with appropriate values for your domain. For a reverse lookup zone, recordname will be the last octet of the IP address and dc=yourzone.com will be something like dc=2.1.10.in-addr.arpa, where 2.1.10 is the reverse notation of the first three octets of your IP address. Be sure that you have the partition where the zone is stored correct, whether it's DomainDNSZones, ForestDNSZones, or the domain partition. The dnsRecord attribute is the one that you are interested in. -Andrew

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Clingaman, Bruce Sent: Tuesday, September 26, 2006 8:19 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DNS entry won't delete I have three DNS entries in my Reverse lookup zone that were for static addresses that won't go away. The problem is one of them shares the address and hostname (different domain name, domain was renamed) assigned to another server. When I delete it, it immediately reappears. I am unable to determine what is putting these entries back in. They were for OS X machines, one is a client, the other was a server. The client has been changed to DHCP. The server was reinstalled and given a different IP address. I have a single level domain with two DCs, one is a WINS server, AD/DNS integrated.
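The following is an added example, not code from Andrew or Bruce. It takes the DN recipe in Andrew's reply and generalises it: it builds the dnsNode DN for the three places an AD-integrated zone can be stored (the DomainDnsZones and ForestDnsZones application partitions, and the Windows 2000 style location under CN=MicrosoftDNS,CN=System in the domain partition) and for classful /8, /16 and /24 in-addr.arpa zones, then prints the repadmin /showobjmeta command line. The DC name, domain names and addresses are made up; for a zone in ForestDnsZones pass the forest root domain name as the last argument.

```python
"""Build a dnsNode DN and the matching repadmin /showobjmeta command line.

Added example for the DNS entry thread; not code from the posters. Zone
storage locations handled: DomainDnsZones, ForestDnsZones, and the legacy
domain partition (CN=MicrosoftDNS,CN=System). Reverse zones handled: the
classful /8, /16 and /24 in-addr.arpa forms, where the zone name is the
network octets reversed and the node name is the remaining host octets
reversed. Names and addresses used here are made up.
"""
from __future__ import annotations

import ipaddress


def domain_to_dn(fqdn: str) -> str:
    """mydomain.int -> DC=mydomain,DC=int"""
    return ",".join(f"DC={label}" for label in fqdn.strip(".").split("."))


def microsoftdns_container(partition: str, domain_fqdn: str) -> str:
    """DN of the MicrosoftDNS container for the given storage location.
    partition is 'DomainDnsZones', 'ForestDnsZones' or 'Domain' (legacy)."""
    base = domain_to_dn(domain_fqdn)
    key = partition.lower()
    if key == "domaindnszones":
        return f"CN=MicrosoftDNS,DC=DomainDnsZones,{base}"
    if key == "forestdnszones":
        return f"CN=MicrosoftDNS,DC=ForestDnsZones,{base}"
    if key == "domain":
        return f"CN=MicrosoftDNS,CN=System,{base}"
    raise ValueError(f"unknown zone storage location: {partition!r}")


def reverse_zone_parts(ip: str, prefix_len: int) -> tuple[str, str]:
    """(zone, node) for an IPv4 address in a classful reverse zone.
    10.1.2.55 in a /24 -> ('2.1.10.in-addr.arpa', '55')
    10.1.2.55 in a /16 -> ('1.10.in-addr.arpa', '55.2')"""
    if prefix_len not in (8, 16, 24):
        raise ValueError("classful in-addr.arpa zones are /8, /16 or /24")
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # also validates the address
    n = prefix_len // 8
    zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa"
    node = ".".join(reversed(octets[n:]))
    return zone, node


def dns_node_dn(node: str, zone: str, partition: str, domain_fqdn: str) -> str:
    """DN of the dnsNode object whose dnsRecord values hold the records for one name."""
    return f"DC={node},DC={zone},{microsoftdns_container(partition, domain_fqdn)}"


def showobjmeta_command(dc: str, node: str, zone: str, partition: str, domain_fqdn: str) -> str:
    """repadmin /showobjmeta line; the dnsRecord row of its output names the
    originating DSA and time of the last change to the record set."""
    return f'repadmin /showobjmeta {dc} "{dns_node_dn(node, zone, partition, domain_fqdn)}"'


def ptr_showobjmeta(dc: str, ip: str, prefix_len: int, partition: str, domain_fqdn: str) -> str:
    """Same, for the PTR node of an address in a classful reverse zone."""
    zone, node = reverse_zone_parts(ip, prefix_len)
    return showobjmeta_command(dc, node, zone, partition, domain_fqdn)


if __name__ == "__main__":
    print(ptr_showobjmeta("dc1", "10.1.2.55", 24, "DomainDnsZones", "mydomain.int"))
    print(showobjmeta_command("dc1", "macserver", "mydomain.int", "Domain", "mydomain.int"))
```

Run the printed command against each DC in turn if you suspect the write is landing on one of them and replicating to the other; a node that is not found under DomainDnsZones may be under the legacy CN=System location, which is the partition mistake Andrew warns about.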
Re: [ActiveDir] SID History.
Unfortunately that's not even close to what I was having issues with Joe. I'm more concerned with how tokens are created and whether they will by default query the old resource domains that haven't been migrated into the AD environment. Theoretical situation: I am a member of 50 groups in my user domain, I'm accessing something in my user domain. We have 150 trusted resource domains where I have 6 group memberships in each through SID history. Is the GC/DC going to query all trusted domains for my memberships through SID history? (resource domains are all NT4 domains) I'm assuming that it's not going to, because of how the authentication path works (resource server - user domain DC - user domain GC - resource server DC, resource server), but everything I've seen never really talks about SID History much.

On 9/24/06, joe [EMAIL PROTECTED] wrote: I would recommend poking through the MSDN security docs. It sounds like there is a break in understanding of how the SIDs are used in combination with the DACLs. Start here: http://msdn.microsoft.com/library/default.asp?url="" but poke around that whole area. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves Sent: Thursday, September 21, 2006 4:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] SID History. Conceptual situation: User domain, Resource domain(s). I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?
Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
Re: [ActiveDir] SID History.
Yeah, read that document before. It doesn't say whether it's going to go scanning domains for SID History memberships, so I have to assume that unless I have a group that points to a user's SID History SID within that AD environment (or in that authentication chain), then it's not going to add in more SIDs to the user's token. Example: I have a group that points at a user's SID history as a ForeignSecurityPrincipal, then it will add in that object. In other words, if user addomain\user1234 is accessing a file that is on server fileserver.addomain.com and only ACLs to groups that are within the local domain that are AD native and those groups only have memberships for the local domain, then is his token going to include his memberships from NTResourcedomain42 and NTResourcedomain78 or just his memberships which reside within addomain.com?

On 9/25/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: to read on how the access token is built see: http://download.microsoft.com/download/8/f/3/8f36dfe4-47d0-4775-ad5a-5614384921aa/AccessTokenLimitation.doc authentication across domains depends on whether NTLM is used (external trusts) or Kerberos is used (forest trusts and intra-forest transitive trusts); sIDHistory just adds SIDs to the access token, after that the process is the same. jorge Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel : +31-(0)40-29.57.777 Mobile : +31-(0)6-26.26.62.80 E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves Sent: Mon 2006-09-25 19:38 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] SID History. Unfortunately that's not even close to what I was having issues with Joe. I'm more concerned with how tokens are created and whether they will by default query the old resource domains that haven't been migrated into the AD environment.
Theoretical situation: I am a member of 50 groups in my user domain, I'm accessing something in my user domain. We have 150 trusted resource domains where I have 6 group memberships in each through SID history. Is the GC/DC going to query all trusted domains for my memberships through SID history? (resource domains are all NT4 domains) I'm assuming that it's not going to, because of how the authentication path works (resource server - user domain DC - user domain GC - resource server DC, resource server), but everything I've seen never really talks about SID History much.

On 9/24/06, joe [EMAIL PROTECTED] wrote: I would recommend poking through the MSDN security docs. It sounds like there is a break in understanding of how the SIDs are used in combination with the DACLs. Start here: http://msdn.microsoft.com/library/default.asp?url="" but poke around that whole area. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matt Hargraves Sent: Thursday, September 21, 2006 4:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] SID History. Conceptual situation: User domain, Resource domain(s). I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token? Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
[ActiveDir] SID History.
Conceptual situation: User domain, Resource domain(s). I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token? Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
Re: [ActiveDir] 3rd party vendor and AD for auth
Hi there, We recently faced the same scenario... Do they need to use your internal AD because they require access to your staff accounts? If not they could quite happily use ADAM. If they do require access to your staff accounts you could get them to perform DEV/TST/QA on ADAM as proof of concept and then give them delegated access to the AD via a specific user or group which is what we ended up doing. We made it very clear that all code must be tested on ADAM first before we let them anywhere near our live environment. Cheers, Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/

From: John Singler [EMAIL PROTECTED], sent by [EMAIL PROTECTED] (ActiveDir list), 20/09/2006 05:23 a.m. Please respond to ActiveDir. To: ActiveDir@mail.activedir.org Subject: [ActiveDir] 3rd party vendor and AD for auth

Greetings - We have a 3rd party vendor who wants to tie their web app into our AD for authentication and authorization. (This is an app that has already been purchased and is in-house but uses a local db for AAA). What, specifically, should I be asking them about their application so as to keep our environment in its secure and stable state? AFAIK, all they have 'asked' for is a U/P with read access to users and groups. Obviously, they aren't getting anything until we work out the details. Curious as to what other orgs consider when in similar circumstances. Environment (FWIW): Single forest, single domain. All DCs w2k3 SP1, FFL/DFL are w2k3.
tia, john
Re: [ActiveDir] different version of R2 available?
I have both versions here...one for standard and one for enterprise...so yes two CD's ;-) Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/

From: Thommes, Michael M. [EMAIL PROTECTED], sent by [EMAIL PROTECTED] (ActiveDir list), 21/09/2006 10:57 a.m. Please respond to ActiveDir. To: ActiveDir@mail.activedir.org Subject: [ActiveDir] different version of R2 available? My officemate and I were discussing whether there are different versions of the R2 CD depending on whether you're running Server 2003 Standard or Server 2003 Enterprise. Or is there only one version of R2? TIA! Mike Thommes [EMAIL PROTECTED]
Re: [ActiveDir] VBScript Container Security
Try starting with this document...one of the preferred methods is to create the System container and manually assign permissions to it... http://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/

From: Joe McNicholas [EMAIL PROTECTED], sent by [EMAIL PROTECTED] (ActiveDir list), 15/09/2006 09:53 p.m. Please respond to ActiveDir. To: ActiveDir@mail.activedir.org Subject: [ActiveDir] VBScript Container Security I'm trying to create and secure the LDAP://cn=System Management,cn=System,dc=mydomain,dc=com container, as required for SMS[1]. I'm able to create the container successfully, but haven't found any examples of how to assign security to an OU or Container in the AD. MS Script Centre and a quick google have come up blank, can anyone point me to any examples? Thanks Joe [1] Ref: https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true
Re: [ActiveDir] Elevating privileges from DA to EA
I agree with the people who are saying Either trust all of them or none of them. Realistically, unless you have a large environment (BTW, some people argue that all but maybe 10 Fortune 100 companies are 'medium' sized and the other 99.% of organizations are 'small'), there should only be a handful of people (3-7?) and some service accounts that require that level of rights. Domain/Enterprise Admins are a tricky bunch and no matter what you do to us, we can take back whatever rights you took away from us very easily, then lock you and everyone else in the world out, destroy the on-site backups and demolish the environment to where it's going to take a major effort to get back to operational status. This would all take significantly less time than it would take for someone to figure out who is doing what. I like Joe's recommendation of taking everyone that you don't need out of the admins groups and simply granting them various levels of rights with their account. Possibly give everyone a user and admin account (user1234567 and user1234567a), heaven knows it would make troubleshooting a lot easier. That being said, someone asking for their own regional forest? Fine, as long as the person saying that it's necessary is willing to come up with the budget for the additional servers and additional personnel to support that forest and that they understand that they will have 0 admin level rights on anything in the 'main' forest, it wouldn't bother me, just one less thing that I have to worry about managing. Oh yeah, and they have to pay for yearly audits to validate that they are meeting the corporate standards for security at all levels. Then again, most of those items aren't usually my concern. Thank God I'm not in management :D

On 9/15/06, Paul Williams [EMAIL PROTECTED] wrote: Neil, Try a re-read of the first couple of chapters of the first part of the deployment guide book designing and deploying directory and security services.
Obviously it doesn't spell out how to do this -it doesn't even allude to how this is done- but does emphasise when and when not to go with the regional domain model. I'm not disputing what anyone is saying here -I agree. I just happen to think the regional model can be a good one, and that if done properly works. Even from a security standpoint. The main thing with the regional design is that there's a central group of service admins, or a true delegated model. If you have multiple groups of service admins it can still work, but the issue that has been raised is very real and you probably need to implement processes and monitor against it (if you're forced into such a design by the needs of the business or obtuse upper management ;-). Although it does seem to be possible to implement disparate groups of service admins if you follow the delegation whitepaper (you'll need to improvise, but most of the info is pertinent), which should put you in a much stronger position from a security standpoint. If you can achieve a very small number of people who are actually members of the builtin\Administrators group, and the rest only have delegated permissions and privileges (and preferably very few privileges on the DCs, i.e. no logon locally) you can achieve what you want. Joe's been there and done it... --Paul

----- Original Message ----- From: Almeida Pinto, Jorge de To: ActiveDir@mail.activedir.org Sent: Friday, September 15, 2006 8:48 AM Subject: RE: [ActiveDir] Elevating privileges from DA to EA Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model]. What is being said is very very true. Either you trust ALL Domain Admins (no matter the domain those are in) or you do not trust ANY!
Every Domain Admin or ANY person with physical access to a DC has the possibility to turn the complete forest into crap! Because if that was NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! The Forest is the security boundary, whereas EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be trusted! I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above When you know HOW, it is as easy as taking candy from a baby jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Friday, September 15, 2006 09:36 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Elevating privileges from DA to EA Thanks for responses, all. Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since
Re: [ActiveDir] Specifying builtin accounts in GPO settings.
I think we discovered the problem... things were just locked down a *tad* too much.

On 9/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote: Look at your default recipient policy. What's set there? Just curious. Sincerely, Deji Akomolafe Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Matt Hargraves Sent: Wed 9/13/2006 8:58 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings. Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers, the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote: On W2000 running OWA on a DC this was an issue … only case I know of. What are the issues you're having? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves Sent: Wednesday, September 13, 2006 10:49 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings. We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote: No it wouldn't. Why are you giving an IWAM account access to a remote machine?
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves Sent: Wednesday, September 13, 2006 9:35 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings. Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the Log on locally right for an OU if I can do it with a more simple command. I'll try just about anything :) Thanks, Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote: And if you think about it they couldn't – if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia Sent: Tuesday, September 12, 2006 2:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings. Matt- I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs. Darren Darren Mar-Elia For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves Sent: Tuesday, September 12, 2006 10:00 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Specifying builtin accounts in GPO settings. I am trying to specify the builtin IWAM/IUSR accounts in GPO settings.
We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID, if I simply do a browse for the account on one machine, will it resolve to SID and apply the setting for all accounts, or is there another way to do this (like specifying Builtin\Administrator would work for the builtin Administrator account) no matter what the name happens to be on a local machine?
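An added example, not code from the posters, to make Darren's and Brian's point concrete. It reads SID strings the way you would read psgetsid output and classifies them: universal well-known SIDs such as S-1-5-32-544 (BUILTIN\Administrators) are identical on every machine, which is why that trustee can be named once in a GPO and mean the same thing everywhere; a RID below 1000 under an S-1-5-21 prefix is a well-known relative ID (500 is Administrator) but still sits behind a per-domain or per-machine prefix; and IWAM_/IUSR_ accounts are ordinary accounts with RIDs from 1000 up, so each server's account has its own SID. The machine SIDs and RIDs are constructed.

```python
"""Classify SID strings to show which trustees are portable across machines.

Added example for the IWAM/IUSR thread above; not code from the posters and
not a Windows API. Rules applied (the SIDs it is run on are constructed):
  S-1-1-0, S-1-5-18, S-1-5-32-544 ...  universal well-known, same everywhere
  S-1-5-21-A-B-C                       a domain or machine SAM identifier
  S-1-5-21-A-B-C-RID, RID < 1000       well-known RID inside one SAM (500 = Administrator)
  S-1-5-21-A-B-C-RID, RID >= 1000      ordinary account/group created in that SAM
  S-1-5-5-X-Y                          logon session, new for every logon
"""
from __future__ import annotations

UNIVERSAL = "universal well-known SID (same on every machine)"
SAM_ID = "domain or machine SAM identifier (no RID)"
WELL_KNOWN_RID = "well-known RID inside one domain or machine SAM"
ORDINARY = "ordinary account or group, unique to one domain or machine SAM"
LOGON_SESSION = "logon session SID, different for every logon"

FIRST_ORDINARY_RID = 1000  # RIDs below this are reserved (500 Administrator, 512 Domain Admins, ...)


def parse_sid(sid: str) -> tuple[int, int, list[int]]:
    """'S-1-5-21-1-2-3-500' -> (1, 5, [21, 1, 2, 3, 500])"""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    return revision, authority, [int(p) for p in parts[3:]]


def sam_identifier(sid: str) -> str | None:
    """The S-1-5-21-A-B-C prefix naming the issuing domain or machine,
    or None for SIDs not issued by a SAM."""
    _, authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) >= 4 and subs[0] == 21:
        return "S-1-5-" + "-".join(str(s) for s in subs[:4])
    return None


def classify(sid: str) -> str:
    _, authority, subs = parse_sid(sid)
    if authority == 5 and subs[:1] == [21]:
        if len(subs) < 4:
            raise ValueError(f"malformed domain SID: {sid!r}")
        if len(subs) == 4:
            return SAM_ID
        return WELL_KNOWN_RID if subs[-1] < FIRST_ORDINARY_RID else ORDINARY
    if authority == 5 and subs[:1] == [5]:
        return LOGON_SESSION
    return UNIVERSAL


def portable_gpo_trustee(sid: str) -> bool:
    """True if one GPO entry for this trustee names the same principal on
    every machine the GPO applies to."""
    return classify(sid) == UNIVERSAL


def iwam_scenario() -> dict[str, object]:
    """Two member servers, each with a local IWAM_<server> account, compared
    with BUILTIN\\Administrators. Machine SIDs are constructed."""
    iwam_server1 = "S-1-5-21-1000000001-2000000001-3000000001-1005"
    iwam_server2 = "S-1-5-21-1000000002-2000000002-3000000002-1005"
    builtin_admins = "S-1-5-32-544"
    return {
        "iwam_same_rid": parse_sid(iwam_server1)[2][-1] == parse_sid(iwam_server2)[2][-1],
        "iwam_same_sid": iwam_server1 == iwam_server2,
        "iwam_distinct_sams": len({sam_identifier(iwam_server1), sam_identifier(iwam_server2)}),
        "iwam_portable": portable_gpo_trustee(iwam_server1),
        "builtin_admins_portable": portable_gpo_trustee(builtin_admins),
    }


if __name__ == "__main__":
    for s in ("S-1-5-32-544", "S-1-5-21-1-2-3-500", "S-1-5-21-1-2-3-1005", "S-1-5-5-0-123456"):
        print(f"{s}: {classify(s)}")
    print(iwam_scenario())
```

Paste the SIDs psgetsid prints for the accounts you care about into classify(); anything that does not come back as universal has to be listed per machine (or handled with a local group that is itself a portable trustee), which is the mess the thread is trying to avoid.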
[ActiveDir] Active Directory Cookbooks...
Hi there, I have already read and use the Active Directory Cookbook for Windows 2003 and Windows 2000 and see there are 2nd and 3rd editions. Is there anywhere on the net which lists the contents of each so I can have a look before purchase? Thanks in advance, Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/
RE: [ActiveDir] Active Directory Cookbooks...
hahaha no worries cheers for that i'll just swim around the fish bowl one more time...;-) Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/

From: David Adner [EMAIL PROTECTED], sent by [EMAIL PROTECTED] (ActiveDir list), 15/09/2006 02:21 p.m. Please respond to ActiveDir. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbooks... *points at joe's signature...* And in case that was too vague, try here. http://www.joeware.net/win/ad3e.htm

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, September 14, 2006 9:13 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Active Directory Cookbooks... Hi there, I have already read and use the Active Directory Cookbook for Windows 2003 and Windows 2000 and see there are 2nd and 3rd editions. Is there anywhere on the net which lists the contents of each so I can have a look before purchase? Thanks in advance, Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/
RE: [ActiveDir] Active Directory Cookbooks...
I have just purchased the 2nd one and will be on to the 3rd one as soon as I have finished that... Cheers, Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/

From: joe [EMAIL PROTECTED], sent by [EMAIL PROTECTED] (ActiveDir list), 15/09/2006 03:14 p.m. Please respond to ActiveDir. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbooks... Actually I did the Active Directory Third Edition. The Active Directory Cookbook is in the Second Edition now and that was done by Laura Hunter. My book you can find in my signature, the Cookbook you can find at http://www.amazon.com/gp/product/059610202X/ref=pd_cp_b_title/002-4991631-4870433?ie=UTF8 -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, September 14, 2006 10:41 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbooks... hahaha no worries cheers for that i'll just swim around the fish bowl one more time...;-) Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/

From: David Adner [EMAIL PROTECTED], sent by [EMAIL PROTECTED] (ActiveDir list), 15/09/2006 02:21 p.m. Please respond to ActiveDir. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Cookbooks... *points at joe's signature...* And in case that was too vague, try here. http://www.joeware.net/win/ad3e.htm

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, September 14, 2006 9:13 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Active Directory Cookbooks... Hi there, I have already read and use the Active Directory Cookbook for Windows 2003 and Windows 2000 and see there are 2nd and 3rd editions. Is there anywhere on the net which lists the contents of each so I can have a look before purchase? Thanks in advance, Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/
Re: [ActiveDir] Isolating a DC
Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients. I've actually never heard of anyone doing this and would consider it a very bad idea unless you have significant redundancy in your 'normal' environment. BTW, from a Microsoft presentation a little over a year ago, they have 4 Exchange server sites, only 1 of them (Redmond) isolates their DCs from authentication and reserves it for Exchange, the other 3 use their Exchange (a *very* DC/GC intensive app) servers for authentication also.

Site is only a logical separation. IPSec might as well be a physical barrier. Unless there is a serious reason why you would rather have none of your clients to be able to authenticate instead of authenticating against these DCs (as I said, in case of an emergency), then you should probably avoid putting an IP filter on these boxes. If you isolate via site, then the only way that clients are going to authenticate against them is if all DCs are down in their site, which since you're a single physical site org, means that all of the authentication DCs are down, which is probably a more serious problem than OMG, a (gasp) *user* authenticated against my application DC.

On 9/13/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

Thanks to all for the responses. This (isolating via ipsec) is probably the right direction for me. We're a single site, single domain at a single physical location, but the idea of building another site isn't appealing from a keep it simple perspective. Are there any technical reasons why a separate site would be better than isolation through IPSec? Will I cause clients/apps, who initially don't know they are denied, delays when they try to access the ipsec isolated DC?

Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:

I highly recommend that you read http://www.windowsitpro.com/articles/print.cfm?articleid=37935 Then, as a fall-back option, look for the isolation using IPSec whitepapers on Microsoft site. I can't find them now, but I know that they exist. They show you how to restrict communication with a specific server or network using IPSec.

I think what you're referring to is the excellent Server and Domain Isolation using IPSec content, at: http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however, there's other content online that'll explain this a little more concisely, such as this presentation from the Virginia Tech Windows Users Group: http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22

And also Using IPSec to Lock Down a Server from technet.. http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Hope that helps!

- James.

--
James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org
Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)
sites: https://www.bsrf.org.uk ~ http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3
Re: [ActiveDir] Isolating a DC
Yeah, I didn't mean to sound so negative it just seems like isolating by site (which is a logical, not physical barrier) is a more holistic solution which provides the isolation required, while allowing the DCs to continue to potentially (in an emergency situation) perform the duties of user authentication without having to change anything. The IPSec solution just seems like serious overkill that's unnecessary.

On 9/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

I thought his original request was to make sure that no other client talks to the isolated server except those permitted.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Matt Hargraves
Sent: Wed 9/13/2006 7:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC
Re: [ActiveDir] DNS Entries --Laptop Users--
I'm not a huge DNS geek, so I'm not sure whether you can do this, but can't you just set the DHCP to have a short expiration (1 hour?) and it will unregister the 'old' entry for a machine? There would be a small amount of vulnerability, but it would go away after the client's reservation expires.

On 9/13/06, Ravi Dogra [EMAIL PROTECTED] wrote:

No, Laptop Users are getting IP Addresses from my VPN Box and when they are on site its DHCP. On machines Register in DNS option Is checked, hence machines are attempting to register its own records in DNS. Although i have made my LAN DHCP to register only its Clients in DNS. Credentials used are obviously my Administrator Account.

But Al, The Issue we had is laptop users are using LAN DHCP as well as using VPN Connection from home. Both are getting registered in My DNS with different IP. Which is obvious. But the thing is SOPHOS gave us this as one of the reasons for my laptop machines not showing in Sophos Enterprise Console because it uses DNS to build existing machines list. Now everything is working fine and this reason was totally not applicable. but still there are other machines which are only in our network using only my LAN DHCP and are not showing up in EC. Sophos Support team is working on this.

Thanks and Regards
Ravi Dogra

On 9/13/06, Al Mulnick [EMAIL PROTECTED] wrote:

I swear this is the last question and then I'll make a suggestion. :) Is the DHCP server that the remote clients are getting their ip addr's from the same as the one that you are using for lan connected clients? You are obviously allowing the user's machine to update it's own records, but is that consistent or is the DHCP server on the lan registering the records for you possibly under a different set of credentials or in a different zone?

On 9/11/06, Ravi Dogra [EMAIL PROTECTED] wrote:

yes its correct. No we have mobile users..

On 9/11/06, Al Mulnick [EMAIL PROTECTED] wrote:

Besides the obvious of telling Sophos to adjust their management to deal with this, here's what I understand of your problem to date. VPN clients that are also trusted network clients (i.e. mobile users that traverse both trusted and non-trusted networks) can end up with seemingly duplicate entries for the same device but different ip addresses. This confuses some antivirus management applications and presumably some management applications such as SMS or similar class of app, that rely on reverse name resolution. Is that correct? Do you have workers that are remote-based only?

Al

On 9/8/06, Ravi Dogra [EMAIL PROTECTED] wrote:

According to Sophos Support if one host has 2 DNS Entries, Sophos Enterprise Manager might not be able to detect this Host and auto update will also don't work. As you know jolly;- We are in process of migration from Trend to Sophos as our Antivirus Solution. Working on a solution will update soon.

Thanks
Ravi Dogra

On 9/8/06, Jaspreet Singh [EMAIL PROTECTED] wrote:

Ravi, As Rob said, If your VPN box is forwarding requests to your internal network the your DNS will automatically update the records according to the new IP which in your case is x.x.5.x. Can you explain exactly what is the problem that you are facing due to this?

Regards,
Jaspreet Singh Jolly

On 9/7/06, Al Mulnick [EMAIL PROTECTED] wrote:

1. I Didn't understand what exactly u r asking? 2. Yes DHCP Is configured properly.

That's not what I asked. I asked if it's updating the records for the device or is it letting the devices update their own?

Al

On 9/6/06, Ravi Dogra [EMAIL PROTECTED] wrote:

1. I Didn't understand what exactly u r asking?
2. Yes DHCP Is configured properly.
3. Yes it is running on DC
4. No, not running any other credential.
5. VPN Machine is entirely a different BOX on other site.
6. It doesn't register in my DNS. (Will extract other information from Site B Admin) update you very soon...

Thanks
RD

--
Regards,
Jaspreet Singh Jolly

--
Ravi Dogra 9899647200
This e-mail, together with any attachments, is confidential. It may be read, copied and used only by the intended recipient. If you have received it in error, please notify the sender immediately by e-mail or telephone. Please then delete it from your computer without making any copies or disclosing it to any other person.

--
Ravi Dogra
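The situation Ravi describes, one laptop registering an A record from the LAN DHCP range and a second one from the VPN range, is easy to spot from a zone export before a management product trips over it. The script below is an added example written for this thread, not code from the list or from Sophos; the zone lines and the two address pools are constructed (the thread only says VPN clients land in x.x.5.x). One caveat on Matt's suggestion: Windows DNS removes stale dynamic records through aging and scavenging, and the DHCP server only deletes records it registered itself, so records a client registered on its own stay until they are scavenged, whatever the lease length.

```python
"""Find hosts that have registered more than one A record in a DNS zone.

Added example; not from the mailing-list thread. The zone export text and
the address pools below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed zone export in the common "name TTL IN A address" text form.
SAMPLE_ZONE = """\
laptop01    3600 IN A 10.0.1.23
laptop01    3600 IN A 10.0.5.17
laptop02    3600 IN A 10.0.1.40
desk07      3600 IN A 10.0.1.99
laptop03    3600 IN A 10.0.5.88
laptop03    3600 IN A 10.0.5.88
"""

# Which pool each address came from (constructed; adjust to the real scopes).
POOLS = {
    "lan-dhcp": ipaddress.ip_network("10.0.1.0/24"),
    "vpn": ipaddress.ip_network("10.0.5.0/24"),
}


def parse_a_records(zone_text: str) -> Dict[str, List[ipaddress.IPv4Address]]:
    """Group the distinct A-record addresses in the export by host name."""
    records: Dict[str, List[ipaddress.IPv4Address]] = defaultdict(list)
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[-2].upper() != "A":
            continue  # blank lines and non-A records are ignored
        name = fields[0].lower()
        addr = ipaddress.ip_address(fields[-1])
        if addr not in records[name]:  # identical duplicate lines are not a problem
            records[name].append(addr)
    return records


def pool_for(addr: ipaddress.IPv4Address) -> str:
    """Name the pool an address belongs to, or 'unknown'."""
    for pool_name, net in POOLS.items():
        if addr in net:
            return pool_name
    return "unknown"


def find_duplicate_registrations(zone_text: str) -> Dict[str, Dict[str, str]]:
    """Return {hostname: {address: pool}} for hosts with more than one A record."""
    dupes = {}
    for name, addrs in parse_a_records(zone_text).items():
        if len(addrs) > 1:
            dupes[name] = {str(a): pool_for(a) for a in addrs}
    return dupes


if __name__ == "__main__":
    for host, addrs in find_duplicate_registrations(SAMPLE_ZONE).items():
        print(host, addrs)
```

Only laptop01 is reported: it holds one address from each pool, which is exactly the double registration that confused the console. laptop03 has the same address listed twice, which is harmless and is collapsed by the parser.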
Re: [ActiveDir] Specifying builtin accounts in GPO settings.
Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the Log on locally right for an OU if I can do it with a more simple command. I'll try just about anything :)

Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:

And if you think about it they couldn't – if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.

Matt- I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.

I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID. If I simply do a browse for the account on one machine, will it resolve to SID and apply the setting for all accounts, or is there another way to do this (like specifying Builtin\Administrator would work for the builtin Administrator account) no matter what the name happens to be on a local machine?
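Darren's and Brian's point is visible in the structure of the SID itself: BUILTIN principals live under the fixed S-1-5-32 authority and are identical on every machine, whereas accounts such as IWAM_<server> live under S-1-5-21-<identifier>-<RID>, where the identifier differs per domain and per machine and the RID is only predictable for the reserved values below 1000. The classifier below is an added example written for this thread (not code from the list or from Sysinternals psgetsid); the domain identifier 111-222-333 in the sample SIDs is constructed.

```python
"""Classify Windows SIDs by whether one SID value is valid on every machine.

Added example; not from the mailing-list thread. The identifier 111-222-333
in the sample SIDs is constructed, not a real domain.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known SIDs that are identical on every Windows installation (subset).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}

# RIDs under the BUILTIN authority (S-1-5-32-RID) are fixed everywhere too.
BUILTIN_RIDS = {
    544: "BUILTIN\\Administrators",
    545: "BUILTIN\\Users",
    551: "BUILTIN\\Backup Operators",
}

# Reserved RIDs inside a domain or machine SID (S-1-5-21-a-b-c-RID). The RID
# is predictable, but the identifier a-b-c in front of it is unique to each
# domain and to each machine's local SAM, so the full SID still differs.
WELL_KNOWN_DOMAIN_RIDS = {500: "Administrator", 501: "Guest",
                          512: "Domain Admins", 513: "Domain Users"}


@dataclass
class SidInfo:
    sid: str
    kind: str            # "well-known", "builtin", "domain-relative" or "other"
    name: Optional[str]  # known name where the SID or RID is predictable
    portable: bool       # True: the same SID value is valid on every machine


def parse_sid(sid: str) -> Tuple[int, List[int]]:
    """Split 'S-1-<authority>-<sub>-...' into (authority, [subauthorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID string: {sid!r}")
    return int(parts[2]), [int(p) for p in parts[3:]]


def classify_sid(sid: str) -> SidInfo:
    authority, subs = parse_sid(sid)
    if sid in WELL_KNOWN_SIDS:
        return SidInfo(sid, "well-known", WELL_KNOWN_SIDS[sid], True)
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        return SidInfo(sid, "builtin", BUILTIN_RIDS.get(subs[1]), True)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        # RIDs from 1000 upward are allocated as accounts are created, so the
        # IWAM_ account on one server and on the next get unrelated SIDs.
        name = WELL_KNOWN_DOMAIN_RIDS.get(rid) if rid < 1000 else None
        return SidInfo(sid, "domain-relative", name, False)
    return SidInfo(sid, "other", None, False)


def needs_per_machine_entry(sid: str) -> bool:
    """True if a policy naming this account cannot use one SID for all hosts."""
    return not classify_sid(sid).portable


# Constructed sample: one true well-known group and two accounts from the
# made-up identifier 111-222-333.
SAMPLE_SIDS = [
    "S-1-5-32-544",                # BUILTIN\Administrators: same everywhere
    "S-1-5-21-111-222-333-500",    # Administrator: RID fixed, SID still local
    "S-1-5-21-111-222-333-1005",   # a created account such as IWAM_<server>
]

if __name__ == "__main__":
    for s in SAMPLE_SIDS:
        info = classify_sid(s)
        print(f"{s:30} {info.kind:16} {info.name or '?':24} "
              f"per-machine={needs_per_machine_entry(s)}")
```

Running psgetsid against an IWAM_ account on two different servers and comparing the results with this classifier gives the same answer Darren reached: both come back as domain-relative with a RID above 1000, so a user-rights setting has to name each account, or a group containing them, rather than one SID.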
Re: [ActiveDir] Specifying builtin accounts in GPO settings.
We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

No it wouldn't. Why are you giving an IWAM account access to a remote machine?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.
Re: [ActiveDir] Specifying builtin accounts in GPO settings.
Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers, the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

On W2000 running OWA on a DC this was an issue … only case I know of. What are the issues you're having?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.
[ActiveDir] Specifying builtin accounts in GPO settings.
I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID. If I simply do a browse for the account on one machine, will it resolve to SID and apply the setting for all accounts, or is there another way to do this (like specifying Builtin\Administrator would work for the builtin Administrator account) no matter what the name happens to be on a local machine?
Re: [ActiveDir] Isolating a DC
Your best bet is to place it in a separate site within AD Sites and Services I believe. This is the method that MS recommends for segregating DCs that are used for Exchange servers.

On 9/12/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

I'd like to isolate a DC from regular user authentication. I only want certain applications/processes using it. Obviously it will need to replicate with the other DC's. I don't have an interface on the firewall to use, so I would probably have to do something software based on the DC itself. Any recommendations on what to read, how to isolate it and what ports are required?

Bryan Lucas
Server Administrator
Texas Christian University
Re: [ActiveDir] Locking Down Wireless
I think this is one of those "Why in the heck" things. Like "Why in the heck would you give someone a laptop with wireless if you don't want them connecting anywhere other than work?" and "Why in the heck are you giving them a laptop in the first place?". There are some ways to do this, none of them are pretty.

1) Specify DNS Server and WINS settings. This is only a little ugly and after a few tries, they'll give up on connecting to anything other than the local network.

2) Disable DHCP and specify everything manually. In a smallish environment this isn't too much of a problem, the larger the environment, the more of a nightmare this becomes. This is really ugly though because now they can't connect to anything that isn't local to their local site.

The most obvious solution is to stop giving people laptops. If you don't want them doing things outside of your network, give them desktop computers and you won't have to worry about spending twice as much on hardware and then spending twice as much managing the items also. Lock down the desktop with a lockdown device and forget about this problem.

Alternatively, I think you could ACL the directory (or executable) where the application runs from and only allow SYSTEM to run it (this might break it though, so you'd want to do some testing first obviously). I haven't messed with the wireless connection wizard much and you might end up with people installing the wireless connection wizard for their particular wireless card, which would completely defeat the purpose of whatever you're doing anyway, unless they're not local admins. Also, if they are using PC wireless cards, they can simply change PC card ports and they'll get a new device that they can probably configure however they want.

On 9/12/06, Dave Wade [EMAIL PROTECTED] wrote:

Folks, Have I missed something in the new XPSP2 wireless configuration stuff. As far as I can see you can't prevent users connecting to non-preferred networks, even with Policy lockdown. Even if you hide the networks page on the adaptor, when the user is in a location where there is no network, the connection wizard still pops up. Any one any solution to this?

Dave Wade
Stockport MBC

**
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you. http://www.stockport.gov.uk
**
Re: [ActiveDir] OT: Management Solutions
Yeah, I was thinking a combination of RIS, GPO deployed applications and LANDesk. I've been on projects where we utilized a combination of those methods to manage and deploy software. Worked great and unlike wonderful solutions like SMS, we could put in scripts as part of the application installation that would check to see if the app (patch, service pack, whatever) was installed first. The nice thing about this is that it would allow you to patch up a computer and then put it on the network if you wanted or just stick the box on the network and let the GPO do the work for you. LANDesk does have some weaknesses though, mostly due to information overload.

On 9/12/06, Tim Vander Kooi [EMAIL PROTECTED] wrote:

Have you looked at the beta for System Center Essentials from Microsoft? I think it would do a lot of what you are looking at. And for far less money than Altiris. Altiris makes a great product, but it is very much on the high end price-wise. Another product I would recommend looking at would be LANDesk, last time I checked they were quite a bit cheaper than Altiris.

Tim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan J. Gendron
Sent: Tuesday, September 12, 2006 7:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

Thanks for the suggestions. I'll go look around further. We're only around a 100+ user shop and while a full-featured solution would be nice, I'm very concerned it would be over-kill and not money well-spent. I want to be a "good steward" of the church's money.

Alan

Alan J. Gendron
Senior Network Specialist
Lutheran Church Extension Fund
Sunset Corporate Center
10733 Sunset Office Drive
St. Louis, MO 63127-1219
314.885.6596

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Monday, September 11, 2006 10:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

Never used/heard of Kace. Looks like a kind of limited use appliance?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick Paul
Sent: Monday, September 11, 2006 10:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

Have you tried HelpStar – works great. Inventory - use Kace box running FreeBSD.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Monday, September 11, 2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I use WSUS for patching in some decent size places. My strategy has been to combine a variety of free products into a single system – I've gotten good at it and I've also written glue when I need to. My overall feeling is that I get more flexibility just gluing things together than with a single baked product.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Rutherford
Sent: Monday, September 11, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I agree with Brian that Ghost does tend to be the front runner for imaging (IMHO).. I've tested and used many but Ghost is a mature project which does what it says on the tin. You'll be surprised how forgiving it is and how much you can do with varying software and hardware with a little work.

In terms of helpdesk… well it's a minefield and a road I have travelled many times. I have actually found that most of the time it's actually easier to get a dev guy to come in and build a system which actually meets your requirements. I have found this to be cheaper (most of the time) in the larger organisations as every organisation has different SLA's, contracts, processes, methods, etc. I just recommend going onto sourceforge.net and typing 'helpdesk' initially. This should get you going and you may find something that suits your needs or something you can amend to fit. Yes, you can go for the bigger boys, i.e. Hornbill but you'll pay for it….. have a sniff around and see what fits your requirements.

In terms of patch deployment… I do like Patchlink. It will give you patch deployment across most applications with good reporting. You also get software and hardware inventory included in the price.

Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: 11 September 2006 20:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I have a lot of experience using Ghost for all of that but helpdesk. Helpdesk I have worked with Peregrine (will empty your
[ActiveDir] Active Directory DN for new setup
Hi, I'm wondering if it's possible to make the Active Directory DN like an LDAP DN? Something like:

o=company,st=wa,c=us

instead of:

dc=mydomain,dc=edu

I've been tasked with converting our OpenLDAP system over to an Active Directory system and it would help the programmers out if I didn't change the DN on them. Although I'm sure some of the things may change.

Thanks,
--
Matt Brown
Information Technology System Specialist V
Eastern Washington University
[ActiveDir] Converting OpenLDAP to Active Directory
Anybody seen any good resources or info on converting OpenLDAP to Active Directory?
Thanks,
--
Matt Brown
Information Technology System Specialist V
Eastern Washington University
Re: [ActiveDir] W. in hell [List owner]
In case nobody figured it out, this was a mistake. Brandon hasn't been receiving anything from the activedir list. Apparently he's been banned or something. (In case you didn't figure the rest out, I know him and asked if he was the same OP Brandon, which he confirmed.) He accidentally added the activedir list to a DL. I can understand blocking someone from sending until something like this is resolved, but he hasn't been receiving anything from the list either. Apparently this is a zero tolerance zone. Oddly enough, that's not in the FAQ; maybe it should be added.

Matt

On 9/3/06, Tony Murray [EMAIL PROTECTED] wrote:
Hey Brandon
Amusing though it is, the list is not really the place for this.
Tony (list owner)

-- Original Message --
From: Brandon Pierce [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Sat, 2 Sep 2006 23:13:41 -0600

George Bush has a heart attack and dies. He goes to hell, where the Devil is waiting for him. "I'm not sure what to do," says the Devil. "You're on my list, but I have no room for you. As you definitely have to stay here, I'm going to have to let someone else go. I've got three folks here who weren't quite as bad as you. I'll let you decide who leaves." George thought that sounded pretty good, so he agreed.

The Devil opened the first room. In it were Richard Nixon and a large pool of hot water. He kept diving in and climbing out, over and over. Such was his fate in hell. "No!" said George. "I don't think so, I'm not a good swimmer and don't think I could stay in hot water all day."

The Devil led him to the next room. In it was Tony Blair with a sledgehammer and a room full of rocks. All he did was swing the hammer, time after time. "No! I've got this problem with my shoulder. I would be in constant agony if all I could do was break rocks all day," commented George.

The Devil opened the third door. In it, George saw Bill Clinton lying on the floor with his arms staked over his head, and his legs staked in a spread-eagle pose. Bent over him was Monica Lewinsky, doing what she does best. George Bush looked at this in disbelief for a while, and finally said, "Yeah, I can handle this." The Devil smiled and said, "OK, Monica, you're free to go!"
Re: [ActiveDir] [OT]The last departmental picnic [list owner]
Yeah, I just let him know he messed up on this one. Can't argue with banning him after 2 messups. :(

On 9/5/06, Tony Murray [EMAIL PROTECTED] wrote:
Not sure what's going on so I have temporarily suspended his subscription.
Tony
List owner and humourless [EMAIL PROTECTED]
Re: [ActiveDir] Exclude from GPO
Yeah, it's called creating a GPO that has that setting disabled (not "not defined", disabled). You could always look at it as having to create a whole new GPO because they want to define whatever that object is on everything else. If they didn't want to define that, you'd be golden and wouldn't have to do it. In other words: remove the setting from everything, or you get to create a GPO to disable that setting.

On 8/23/06, Harding, Devon [EMAIL PROTECTED] wrote:
Is it possible to exclude a group of computers from ONE setting from a particular GPO, but apply everything else in that GPO? I'd have to create a whole new GPO just for one setting.
-Devon
Re: [ActiveDir] Restoring RID
I always recommend transferring FSMO roles from a box before upgrading it, then moving it back after the upgrade is completed successfully. If you've got enough DCs to justify splitting FSMO roles, you've got enough to move it to another box for a week to upgrade the box.

On 8/13/06, Chong Ai Chung [EMAIL PROTECTED] wrote:
When the RID flexible single-master operations DC is restored, it may use old RID pool values, and it can cause the restored RID flexible single-master operations DC to begin issuing duplicate SIDs. The best way is:
- to use another DC to seize the RID master role.
- Rebuild the OS on the crashed DC and promote it back as a Domain Controller.
- Transfer the RID master role back to the rebuilt DC.
Regards,
Ai Chung

On 8/14/06, Lucia Washaya [EMAIL PROTECTED] wrote:
Colleagues,
We have a server which crashed during upgrade (2000 to 2003). Now we want to restore it. Problem is this server is the RID holder and the documentation on the technet says "Restoring the RID Master can result in Active Directory data corruption, so it is not recommended." So what is the best way to restore this server?
Thank you in advance for your assistance
Regards,
Lucia Washaya
CITS UNIOSIL
Tel.: 022-295-526 xtn. 5497
Int'l Tel.: Via Italy + (39) 083123-5497
Via USA +1(212) 963-9588 (after audio response dial 174-5497)
== The cobra will bite whether you call it Cobra or Dear Mr. Cobra. ==
RE: [ActiveDir] Computer bootup speeds
Most times consulting, when I see slow login times it's due to DNS misconfiguration issues. Are your computers pointing to your internal DNS servers or an external DNS? If they point to an external one it will take about 5 min before it times out and looks inside.
Matt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer bootup speeds

Is there any easy way to determine why it's taking so long for PCs in our AD to boot up? It sits at "applying settings" for quite a while, so I'm thinking it may have something to do with GPOs, but most computers only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would take that long to apply though. Sometimes it literally sits at "applying settings" for 4 or 5 minutes! I guess I could move a computer to an OU with no GPOs and see, but are there any other ways?
Thanks
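Matt's diagnosis (clients pointing at an external resolver that cannot find a DC) can be checked directly rather than guessed at. The script below is an added example, not code from the thread: it asks each DNS server configured on the machine for the DC locator SRV record. It assumes PowerShell 3+ with the DnsClient module (Windows 8 / Server 2012 or later); the `-Domain` parameter is a hypothetical override and defaults to the machine's own domain.

```powershell
# Added example (not from the original thread): verify that every DNS server
# this client uses can answer the AD DC locator query. A client pointed at an
# external resolver cannot resolve _ldap._tcp.dc._msdcs.<domain>, which is the
# classic cause of the long "Applying computer settings" pause at boot.
# Assumptions: DnsClient module present (Windows 8 / 2012+); $Domain defaults
# to the machine's own AD domain and is a hypothetical override otherwise.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

$ErrorActionPreference = "Stop"
if (-not $Domain) { throw "Not logged on to a domain and no -Domain given." }

$srvName = "_ldap._tcp.dc._msdcs.$Domain"

# One row per (adapter, DNS server) for every adapter that has IPv4 resolvers set.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        foreach ($ip in $_.ServerAddresses) {
            [pscustomobject]@{ Interface = $_.InterfaceAlias; Server = $ip }
        }
    }

$report = foreach ($s in $servers) {
    $dcs = $null
    $status = "OK"
    try {
        # Query this specific server (not the system resolver) for the SRV record,
        # using the DNS protocol only, so hosts-file and LLMNR answers cannot mask it.
        $dcs = Resolve-DnsName -Name $srvName -Type SRV -Server $s.Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq "SRV" } |
            ForEach-Object { "$($_.NameTarget):$($_.Port)" }
        if (-not $dcs) { $status = "NO-SRV-RECORDS" }
    } catch {
        # NXDOMAIN or a timeout lands here; an external resolver normally does.
        $status = "FAIL: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Interface = $s.Interface
        DnsServer = $s.Server
        Status    = $status
        DCsFound  = ($dcs -join ";")
    }
}

$report | Format-Table -AutoSize

# Any row whose Status is not OK is a resolver that cannot locate a DC; the
# client's DNS list should contain only servers that return OK (normally the
# internal DNS servers or the DCs themselves), with external resolvers moved
# to forwarders on those servers instead.
```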
Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
I'm not sure what else he's running on his DC. He might be running complex intrusion detection software, DNS, WINS, etc. I have to assume that he's got 4GB worth of RAM and plenty of 'crap' (ok, maybe not crap, but you know what I'm saying) running on the DC that I'm sure plenty of us would love to see running on a different box.

The 1.25GB comment wasn't regarding any limitations to 32-bit Windows. It was more involving "I seriously doubt that your DIT is going to double in size unless you're populating as few as possible fields and have like 3 groups per user" than anything. You made a comment about him having a large environment with 100k+ users to have a 650MB DIT and I just kinda went "Huh?" because we're running a 3+GB DIT with just over half that number. Every environment is completely different and there are a lot of different things that impact the DIT outside of user count. Groups, GPOs, OUs, computer objects etc. User count might be a reasonable gauge, but I don't think that ~6k DIT per user object is a reasonable assumption unless it's a newer environment with a nice spanking new RBS model.

On 8/1/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:
Richard doesn't seem to be too keen on giving us further details – too bad. But not sure why you – Matt - are talking about "breaking 1.25 GB" with respects to the 32-bit capabilities. By default 32-bit Win2003 DCs can cache a DIT up to approx. 1.5GB, which grows to 2.6-2.7GB using the /3GB switch (provided sufficient physical memory).

But irrespective of these limitations, I'd argue you should move to Win2003 64bit DC anyways if you can. For example if you are doing a hardware refresh at the same time. It is cheaper (meaning you can support more memory for less licensing costs) and it will give you much more room to grow for the future. 64bit drivers for x64 server hardware are no longer an issue and even other important add-ons and management tools such as AV and Backup etc. are catching up quickly.

So try not to use the 32bit WinOS versions for AD DCs, even if they still handle the load today – you'll do yourself a favor by moving to 64bit DCs as soon as you can. Time to learn all those little quirks and challenges around handling this OS. This way you'll be best prepared for when you really need to use 64bit Windows for other applications.

/Guido

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

I guess the gist of what everyone is saying can be summed up with the following: What does the current environment look like? How extensive is your Exchange deployment going to be? Without some of that information, it's only going to be a vague guess that anyone can give. I seriously doubt you need to worry about breaking 1.25 GB, which is still well within the capability of a 32-bit server to handle.

On 7/29/06, joe [EMAIL PROTECTED] wrote:
To further add to this, it depends considerably on how populated you want your GAL to be. Some people just let the mandatory Exchange attributes get populated, others want the GAL to be the one stop shop for info on employees so everything goes into the GAL which means everything goes into AD.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 28, 2006 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

Assuming this is after defrag, 650MB without Exchange is quite a large AD – guess you'd be close to 100k users in your forest, if you've used the "standard" attributes of the objects in AD (and haven't added stuff like thumbnail pictures to your users…).

After adding the Exchange schema mods, the DIT shouldn't grow substantially, since AD doesn't use any space for unused attributes – and the Exchange attributes for your object won't be filled magically, until you mail-enable them. But once they are filled, it will impact your AD (e.g. E2k3 adds 130 attributes to the Public Information property set used by user class objects). It is very tough to make a guess at the actual size you'd have with a fully deployed Exchange, but if you do mail-enable the majority of your users (i.e. give them Exchange mailboxes) and add DLs etc., and assuming my guess with 100k users is in the right ballpark, your AD DIT would easily grow to 3-5 GB.

/Guido

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of RM
Sent: Thursday, July 27, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

NTDS.DIT is currently 650megs. Once Exchange has been fully dep
Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
Just to be honest, it sounds like I made a bad assumption... that AD holds as much information (or more) natively as it does for Exchange. From what Joe is saying, it sounds like Exchange is a huge AD bloat monster. Not that it's a problem for many environments, just the larger ones.

I'd be interested to hear about that environment that Joe was talking about where a DIT went from 900MB to 6GB (and was that defragged?). I mean... holding 5x the native information of AD in *just* the Exchange extensions? Wow... I'd swear if someone wouldn't send me naughty boy messages.

On 8/1/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:
Not disagreeing with you Matt – we're all just in a guess mode without RM providing more information. I love those posts to lists where the original poster never gets back to the questions being posted to his questions… Anyways – I just made the point that his DIT size is not small for a company not running Exchange. The number of users given was just an example – more likely 100k vs. 5k users… And naturally most "corporate" environments then have a similar amount of computer accounts and a strongly varying number of groups (totally depends on group model being used). And even if his AD already included Exchange we couldn't easily tell how large his environment is, simply because there are so many dependencies. That's why I gave those numbers using assumptions – certainly nothing to take as a fixed value. Heck, we don't even know his DC version (Win2003 single instance storage of ACEs has a huge impact on DIT size) or if he has disabled Distributed Link Tracking (DLT), which adds a ton of garbage to every DC. Provided you have sufficient file servers in your AD and are happily moving data around between the servers (or between volumes), DLT alone can eat up many hundred meg of your AD DIT. Did he defrag or not? Etc.

/Guido

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 10:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

I'm not sure what else he's running on his DC. He might be running complex intrusion detection software, DNS, WINS, etc. I have to assume that he's got 4GB worth of RAM and plenty of 'crap' (ok, maybe not crap, but you know what I'm saying) running on the DC that I'm sure plenty of us would love to see running on a different box.

The 1.25GB comment wasn't regarding any limitations to 32-bit Windows. It was more involving "I seriously doubt that your DIT is going to double in size unless you're populating as few as possible fields and have like 3 groups per user" than anything. You made a comment about him having a large environment with 100k+ users to have a 650MB DIT and I just kinda went "Huh?" because we're running a 3+GB DIT with just over half that number. Every environment is completely different and there are a lot of different things that impact the DIT outside of user count. Groups, GPOs, OUs, computer objects etc. User count might be a reasonable gauge, but I don't think that ~6k DIT per user object is a reasonable assumption unless it's a newer environment with a nice spanking new RBS model.

On 8/1/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:
Richard doesn't seem to be too keen on giving us further details – too bad. But not sure why you – Matt - are talking about breaking 1.25 GB with respects to the 32-bit capabilities. By default 32-bit Win2003 DCs can cache a DIT up to approx. 1.5GB, which grows to 2.6-2.7GB using the /3GB switch (provided sufficient physical memory).

But irrespective of these limitations, I'd argue you should move to Win2003 64bit DC anyways if you can. For example if you are doing a hardware refresh at the same time. It is cheaper (meaning you can support more memory for less licensing costs) and it will give you much more room to grow for the future. 64bit drivers for x64 server hardware are no longer an issue and even other important add-ons and management tools such as AV and Backup etc. are catching up quickly.

So try not to use the 32bit WinOS versions for AD DCs, even if they still handle the load today – you'll do yourself a favor by moving to 64bit DCs as soon as you can. Time to learn all those little quirks and challenges around handling this OS. This way you'll be best prepared for when you really need to use 64bit Windows for other applications.

/Guido

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

I guess the gist of what everyone is saying can be summed up with the following: What does the current environment look like? How extensive is your Exchange deployment going to be? Without some of that i
[ActiveDir] Need some user/group tools...
This might be something that I can do with a combination of scripts, though I'm not sure where I'd get them from.
1) I need to be able to export a list of users (the userID is fine) with their group memberships. (AD objects)
2) I need to be able to export a list of groups with their list of members and memberships. (AD objects)
3) I need to be able to export a list of groups with their list of members and memberships. (NT objects)
Once I get all of that information, I need to 'connect the dots' between domains to determine overall group membership (across domains), including nesting. If the tool doesn't exist to do this last part I'm sure I can find someone to do the gruntwork of putting together a vbscript to do the grunt work of it in Access or something like that. Preferably all of this would go into CSV files so that it can go into Access or maybe pull it all into SQL.
Thanks for any help that can be provided.
Re: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core
Well, the problem of the postit note is that the people doing it are a bit more circumspect than they used to be. They don't post it with "Password: ilikebananas" and they don't necessarily put it on their monitor (though it hasn't been that long since I saw that and I always at the very least scold them and always make sure they take it down and throw it away themselves... taking ownership of disposing of eliminating their security risk). They stick it under their keyboards, in the top drawer of their desk... basically taking it out of sight so that we won't catch them. Unfortunately the people who are trying to breach your security are at least smart enough to check the top drawer, under the keyboard, under the monitor, under the paperweight, etc...

I for one would love to see AD related security taken a lot more seriously. Restricting the Domain Admins group members, applying more granular security throughout the environment so that if I need to create computer objects in the User workstations OU, then I can create them there and only there. If I can only change the user's homedrive location, then that's all I get the rights to do. It's only a lot of work when you first implement it and after it's done, then your overhead is mostly done and the minor cost of maintaining it is relatively low. Unfortunately it's difficult to get the momentum going to implement this level of security.

As for security models, whether RBS or ABS... problems abound. RBS is easy to audit, but grants rights that aren't necessarily required. ABS bloats quickly and ends up with someone having membership in many groups that haven't been needed for the past 18 months (or longer) because the group administrator added the user for a one-time reason and never removed them, and on the last 18 once per month (or quarter or whatever) security audits, they verified that the user still needs those group memberships, out of sync with reality. Which is better? I think both can be ugly on their face when taken alone. Using a combination of the two is hopefully better (when people aren't getting added into both), but with the volume of data in many environments, it gets more and more difficult to control that data with any reasonable level of confidence, no matter what you do with your security model.

On 8/1/06, joe [EMAIL PROTECTED] wrote:
Interesting thoughts there...
My only tongue in cheek response right off (though this will bubble in my head for some time) is that most predators are brighter than many people doing admin work and we still need them to be able to find the systems... ;o)
Raise your hand if in the last year you saw a postit with a password on it? Keep your hand up if you did anything about it like ripping it up and talking to the person? If your hand went down, was it yours by any chance?
How many people now see a security problem and shake their head and say, "wow that isn't good but there isn't anything I can do about it" and then continue on your day. That is the kind of stuff that really needs to stop.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 01, 2006 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 80/20 . Was: Read-Only Domain Controller and Server Core

On a totally serious note to Joe's tongue in cheek posting... Go to a zoo(1).. and you'll hear stories of how each animal has natural 'protection' from their predators. Each animal has evolved to ensure they have some level of camouflage in the way of color/features etc so that when their predator targets them they attempt to blend into the background. Some plants and animals depend on other plants and animals to survive. There's a unique falcon that will only nest in leftover Weaver bird nests.. they don't build their own.. but by moving into a Weaver bird area, they act as bouncers at the door and keep out the predators that prey on the Weaver birds.

Given that here's what nature does to protect itself, what (if anything) has the computing industry done to camouflage to reduce risk? (call me wacko) but it seems to me that we do a lot of footballish type of security models.. offensive moves and defensive moves. (Isn't RODC a defensive move?) Do we and can we add lessons from nature into future networks?

(1) Lessons learned from camping in a zoo... yes.. this high maintenance female stayed in a tent in a zoo... if you are going to be without power and electricity camping in a zoo at the San Diego Zoo's Wild Animal Park's Roar and Snore is the way to do it.

Matt Hargraves wrote:
Joe's blog doesn't seem to say anything about what DSI actually *is*. I'm not seeing it as a security model beyond my impression of it being "Don't tell anyone what your security infrastructure looks like" or something like that.

On 8/1/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* [EMAIL
Re: [ActiveDir] Need some user/group tools...
That's not even fair, I own that book already. I was hoping to avoid doing the scripting part... but that being said, how much of that will work in NT domains to get groups and their members/memberships?

On 8/1/06, Michael B. Smith [EMAIL PROTECTED] wrote:
You can certainly get all the piece parts from here: http://rallenhome.com/books/adcookbook/code.html
And you can use joe's wonderful adfind (or dsquery if you were to insist) to do much of the gruntwork. I show you some examples here: http://blogs.brnets.com/michael/archive/2004/06/24/168.aspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need some user/group tools...

This might be something that I can do with a combination of scripts, though I'm not sure where I'd get them from.
1) I need to be able to export a list of users (the userID is fine) with their group memberships. (AD objects)
2) I need to be able to export a list of groups with their list of members and memberships. (AD objects)
3) I need to be able to export a list of groups with their list of members and memberships. (NT objects)
Once I get all of that information, I need to 'connect the dots' between domains to determine overall group membership (across domains), including nesting. If the tool doesn't exist to do this last part I'm sure I can find someone to do the gruntwork of putting together a vbscript to do the grunt work of it in Access or something like that. Preferably all of this would go into CSV files so that it can go into Access or maybe pull it all into SQL.
Thanks for any help that can be provided.
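The "connect the dots" part of the original request (users, their groups, nesting, CSV output) is the piece neither the cookbook links nor adfind do on their own. The script below is an added example, not code from the thread, the AD cookbook or adfind: it walks memberOf recursively through plain ADSI and writes one CSV row per user/group pair with the nesting depth. The search root and output path are hypothetical placeholders; a GC:// root is assumed so that universal groups from other domains in the forest are included.

```powershell
# Added example, not code from the thread or from the tools it mentions:
# export every user's group membership, nested groups included, to CSV using
# plain ADSI (System.DirectoryServices), so it runs on any domain-joined
# Windows host without RSAT. All names below are hypothetical: the search
# root (a GC:// path makes universal groups from other forest domains visible)
# and the output file are placeholders to adjust.
param(
    [string]$SearchRoot = "GC://DC=example,DC=com",
    [string]$OutFile    = ".\user-groups.csv"
)

$ErrorActionPreference = "Stop"
$rootEntry = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)

# Escape the characters that are special in an LDAP filter (RFC 4515), so a DN
# such as "CN=Smith\, John,OU=..." can neither break nor widen the filter.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29')
}

# Fetch the memberOf values of one object, located by its distinguishedName.
function Get-MemberOf {
    param([string]$Dn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($rootEntry)
    $searcher.SearchScope = "Subtree"
    $searcher.Filter = "(distinguishedName=$(ConvertTo-LdapFilterValue $Dn))"
    [void]$searcher.PropertiesToLoad.Add("memberOf")
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return @() }
    # Filter out nulls so an object with no memberOf yields an empty list.
    return @($hit.Properties["memberof"] | Where-Object { $_ })
}

# Walk memberOf recursively. $Visited stops the walk on nested-group cycles;
# Depth 1 means direct membership, 2+ means inherited through nesting.
function Get-EffectiveGroups {
    param(
        [string]$Dn,
        [int]$Depth = 1,
        [System.Collections.Generic.HashSet[string]]$Visited
    )
    foreach ($groupDn in (Get-MemberOf -Dn $Dn)) {
        if ($Visited.Add($groupDn)) {
            [pscustomobject]@{ GroupDN = $groupDn; Depth = $Depth }
            Get-EffectiveGroups -Dn $groupDn -Depth ($Depth + 1) -Visited $Visited
        }
    }
}

# Enumerate user objects (objectCategory=person excludes computer accounts).
$userSearcher = New-Object System.DirectoryServices.DirectorySearcher($rootEntry)
$userSearcher.Filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))"
$userSearcher.PageSize = 1000      # paged results, so more than 1000 users come back
[void]$userSearcher.PropertiesToLoad.AddRange(@("sAMAccountName", "distinguishedName"))

$rows = foreach ($u in $userSearcher.FindAll()) {
    $userDn = [string]$u.Properties["distinguishedname"][0]
    $sam    = [string]$u.Properties["samaccountname"][0]
    $seen   = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($g in (Get-EffectiveGroups -Dn $userDn -Visited $seen)) {
        [pscustomobject]@{
            User    = $sam
            UserDN  = $userDn
            GroupDN = $g.GroupDN
            Depth   = $g.Depth
        }
    }
}

$rows | Sort-Object User, Depth, GroupDN |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Caveats: memberOf never lists the primary group (primaryGroupID, usually
# Domain Users), and a GC only carries full member lists for its own domain
# plus universal groups, so for domain-local groups in other domains run this
# again with an LDAP:// root in that domain and merge the CSVs.
```

The CSV loads straight into Access or SQL; filtering on Depth greater than 1 shows exactly the memberships that exist only through nesting.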
Re: [ActiveDir] Revoke domain administrator's right to create GPO?
By revoking Domain Admins I mean revoking their membership...

On 7/31/06, Matt Hargraves [EMAIL PROTECTED] wrote:
I'd think of revoking Domain Admins and granting them their rights via an RBS group in AD. Changing the rights of the builtin admin groups isn't something that you should necessarily do, primarily because so many applications out there require special privileges and fail out because the application doesn't check to see if the user has the required rights, but instead checks to see if they're a member of the Domain Admins group.

Domain and Enterprise Admins are a very powerful group of people. If you don't trust them to be able to do what they can do (or better yet, not do what they don't know how to do), then they shouldn't have those rights. I know that it's a constant battle to try and keep our membership in these groups down.

Seriously... RBS is your friend. Rip those people out of the Domain Admins group. You can grant them the ability to do whatever they need to on users, computers or even OUs via AD security. Do it there and keep people out of the Domain Admins group if you can.

On 7/31/06, Andy Wang [EMAIL PROTECTED] wrote:
Hi,
I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the Enterprise Admins group / Group Policy Creator Owners. Is it possible? Thanks in advance.
Andy
Re: [ActiveDir] Revoke domain administrator's right to create GPO?
I'd think of revoking Domain Admins and granting them their rights via an RBS group in AD. Changing the rights of the builtin admin groups isn't something that you should necessarily do, primarily because so many applications out there require special privileges and fail out because the application doesn't check to see if the user has the required rights, but instead checks to see if they're a member of the Domain Admins group.

Domain and Enterprise Admins are a very powerful group of people. If you don't trust them to be able to do what they can do (or better yet, not do what they don't know how to do), then they shouldn't have those rights. I know that it's a constant battle to try and keep our membership in these groups down.

Seriously... RBS is your friend. Rip those people out of the Domain Admins group. You can grant them the ability to do whatever they need to on users, computers or even OUs via AD security. Do it there and keep people out of the Domain Admins group if you can.

On 7/31/06, Andy Wang [EMAIL PROTECTED] wrote:
Hi,
I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the Enterprise Admins group / Group Policy Creator Owners. Is it possible? Thanks in advance.
Andy
Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
I guess the gist of what everyone is saying can be summed up with the following:
What does the current environment look like?
How extensive is your Exchange deployment going to be?
Without some of that information, it's only going to be a vague guess that anyone can give. I seriously doubt you need to worry about breaking 1.25 GB, which is still well within the capability of a 32-bit server to handle.

On 7/29/06, joe [EMAIL PROTECTED] wrote:
To further add to this, it depends considerably on how populated you want your GAL to be. Some people just let the mandatory Exchange attributes get populated, others want the GAL to be the one stop shop for info on employees so everything goes into the GAL which means everything goes into AD.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 28, 2006 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

Assuming this is after defrag, 650MB without Exchange is quite a large AD – guess you'd be close to 100k users in your forest, if you've used the "standard" attributes of the objects in AD (and haven't added stuff like thumbnail pictures to your users…).

After adding the Exchange schema mods, the DIT shouldn't grow substantially, since AD doesn't use any space for unused attributes – and the Exchange attributes for your object won't be filled magically, until you mail-enable them. But once they are filled, it will impact your AD (e.g. E2k3 adds 130 attributes to the Public Information property set used by user class objects). It is very tough to make a guess at the actual size you'd have with a fully deployed Exchange, but if you do mail-enable the majority of your users (i.e. give them Exchange mailboxes) and add DLs etc., and assuming my guess with 100k users is in the right ballpark, your AD DIT would easily grow to 3-5 GB.

/Guido

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of RM
Sent: Thursday, July 27, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

NTDS.DIT is currently 650megs. Once Exchange has been fully deployed, any guesses as to how much larger it will become? Just looking for a ballpark figure...
thx,
RM
Re: [ActiveDir] schema extensions for Vista wireless networking GP support
I thought all that stuff was part of the Server 2003 R2 schema extensions and would work in XP also.

On 7/28/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:
In case anyone is interested, here's a doc that describes the AD schema extensions that will be required to support the new wireless networking Group Policy stuff in Vista: http://www.microsoft.com/technet/itsolutions/network/wifi/vista_ad_ext.mspx
Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.
Re: [ActiveDir] OT: HP disk array expansion
I'm not understanding why the OP doesn't just stick the new drives in, create the new RAID set from those, create the drives and restore from tape to the new RAID drives. As long as he does it on a Sunday, it shouldn't really take more than an hour to get the old drives out and the new ones in (and the RAID built), then he just needs to worry about restoring from tape to the new location.

On 7/27/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Maybe I misunderstand the post but why rebuild in this scenario? All the OP needs / wants to do is to add disks and to expand the existing arrays. He requires no or minimal downtime too. This can be achieved as the OP described. FWIW: I have performed this (not in the last 5 years) on many occasions and whilst the process can take some time to complete, it is relatively trivial to accomplish and AFAIK can be performed with zero downtime.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ed Buford
Sent: 27 July 2006 00:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

I would use the ghost method, I've done this numerous times with servers and never ran into a problem. All in all it really is a fast solution. And since you're doing it over the wire you can speed the process up by using gigabit components.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Harris
Sent: Wednesday, July 26, 2006 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

This sounds like the safest way to do it, but you will have some downtime. I've done it (on a Dell box) the way you described: swapping one disk at a time, and there is downtime that way, too (in addition to the severe performance hit of the array having to rebuild several times).

From: Blair, James [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 26, 2006 3:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

James,

Have been in a similar situation on numerous occasions with HP ML350 G3/G4's. In our case we installed a firewire card and a Lacie drive or utilised the native USB to portable HD and Acronis True Image. We imaged the disks and then pulled them out and put the new ones in and imaged it back, works nicely... This solution even worked for an Exchange server and if it all fails you can simply put the old disks back in and be back where you started...

James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Carter
Sent: Thursday, 27 July 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: HP disk array expansion

Hi,

I have a HP ML370 Proliant Server. It currently has 4 x 36GB in a RAID 5 set. I want to upgrade the disk capacity of this server. I have bought 4 x 300GB disks as replacements. At present I have 4 x 36GB disks in the server. I was told I could replace one disk in the RAID with a 300GB, let the RAID rebuild and do the next disk. Repeat until all of the disks are 300GB and then I can look in the ACU and create a second logical drive that sees all that new space. Can this be done? Anyone know how long it would take to rebuild? Currently there is 90GB used in the current volume. My other alternative is to buy a Tape Drive, backup, break array, create new array and then restore but this department don't want any downtime. Anyway shed some light as to which is the best method to take?

thanks
James

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447
Re: [ActiveDir] Domain Local Groups vs Global Groups
Having gone through this quite a bit recently, I'll see if I can give you some help on this.

Every security group on a user's token adds about 45 bytes to the token and sometime around 80 security groups, you can expect a token to break 4k and bump up to 8k. This will have the most impact to Exchange until you bump up to Exchange 2007 and 64-bit OS. When debating between server local and domain groups (whether domain global or domain local), you have to decide between ease of management (domain groups) and ease on tokens (server local groups).

Ideally, you will have an RBS model in place where a user is a member of a half dozen or so role-based groups which will grant access to shares instead of an Access Based Security (ABS) model. ABS creates a group (or groups) for each resource that needs access defined and then places all users and/or groups within that group. That's great in a user domain/resource domain architecture. If you don't have that though, you are just using a lot of redundant groups. I would recommend securing your shares and/or resources with role-based groups first, then if additional persons need access to a share or resource, then grant them access through the ABS group at the domain level. Having to connect to 25 different file shares to manage share security is insane and nesting each group into 2-12 other groups ends up with a security model that quickly becomes very convoluted and difficult to map out. The one thing that an ABS model does do is make auditing access easier. But if you're making your day to day management of that model significantly more time consuming (by going with server local groups), then it's probably just easier to start defining items by RBS groups instead anyway. Not to mention that auditing server local groups is almost as much of a pain, if not more of one, as getting a tool that will go out and show you the share-level (or even file/directory level) ACLs (www.winzero.ca has one).

I know that MS recommends local server groups as an alternative when users end up with large amounts of security groups, but I feel that managing those objects is unwieldy enough (particularly in larger environments with a large number of file servers) to where you'd almost need to add a small team just to manage the shares. I'd rather double my number of Exchange servers and have everyone at 8k tokens than add 4 employees at $x per hour just to manage server local groups.

That's my take on it... I'm sure you'll end up with another 20 other opinions from 20 other people though.

On 7/26/06, Wyatt, David [EMAIL PROTECTED] wrote:
I'd be interested to hear people's strategy for permissioning Windows-based file servers when the server is in a Windows 2003 domain. I have read the best practices about putting users into global groups then put the global groups into local groups then permission the resource with the local group. But:

1. Is it better practice to put the domain local group into a local group on the file server and then use this local group to permission the share/folder? Is this excessive? I have read something about performance or avoiding limits by using the server local group when the access token is created.

2. What shortcomings would there be in putting users into global groups then simply permissioning the global group onto the resource. We only have a single forest/domain.

I am also aware of Universal groups but let's put these to one side for the moment.. ;-)

Thanks
David

This message contains confidential information and is intended only for the individual or entity named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as an invitation or offer to buy or sell any securities or related financial instruments. GAM operates in many jurisdictions and is regulated or licensed in those jurisdictions as required.
Re: [ActiveDir] Domain Local Groups vs Global Groups
Somehow I avoided answering your question the first time...

Going global role-based group and local task-based group is pretty standard in larger environments. You create the global group to hold users and the local group to hold users. The purpose for this is so that you can nest multiple role-based groups into your task-based group and quickly modify the task-based group and have it apply across the share/resource. The only problem with this model is being careful how you quantify when a new task-based group is needed. Be careful not to create a new task-based group (and similarly named role-based group for that task-based group) for everything under the sun or you'll find your users quickly becoming members through nesting of 100+ groups and finding your Exchange servers running out of paged pool memory space. There are plenty of articles on Microsoft's site about Exchange and paged pool memory, you can also look at the Exchange Team Blog site (msexchangeteam.com I think).

On 7/26/06, Wyatt, David [EMAIL PROTECTED] wrote:
I'd be interested to hear people's strategy for permissioning Windows-based file servers when the server is in a Windows 2003 domain. I have read the best practices about putting users into global groups then put the global groups into local groups then permission the resource with the local group. But:

1. Is it better practice to put the domain local group into a local group on the file server and then use this local group to permission the share/folder? Is this excessive? I have read something about performance or avoiding limits by using the server local group when the access token is created.

2. What shortcomings would there be in putting users into global groups then simply permissioning the global group onto the resource. We only have a single forest/domain.

I am also aware of Universal groups but let's put these to one side for the moment.. ;-)

Thanks
David
Re: [ActiveDir] Question on restricted group policy.
From my experience, Restricted Groups settings simply state what the computer (or domain controller if you stick the setting in your DCs GPO) will make sure the group memberships are going to be when it checks the GPO. If you set the Administrators group to be Domain Admins; groupa; groupb then when the computer applies the GPO settings, it will check to make sure that the local Administrators group (or domain group for a DC) contains Domain Admins; groupa; groupb; builtin\Administrator.

Just so you know, like with any GPO setting, anyone who has the right to change that group can still change it, but when the GPO applies, the group memberships will be verified again, removing whatever was added, or adding whatever was removed. This may be 2 minutes later or 2 hours later. This is the same if you set a service to disabled: an administrator can still change it to enabled, but when the GPO goes back through, it will re-disable the service (though if the user also started the service it will remain started until the computer is restarted or someone manually stops it).

If you remove the GPO setting, then it simply won't check the group memberships for those groups any more. Or at least that's my interpretation. Kind of like when you move a computer out of an OU where there is a GPO applied to it and into an OU without any GPOs applied to it; it won't change the current settings, though you can now manually change them and they won't be reverted. I guess I think of a GPO as being a "go make sure that everything is like this and if it isn't, make it like this" kind of thing and that's the way I always see it actually get applied. If the GPO isn't there, then nothing gets altered to a previous state, but it won't continue reverting settings to what the prior GPO settings stated that they would be.

On 7/26/06, Derek Harris [EMAIL PROTECTED] wrote:
Yes -- I've done that, and that's how it worked for me.

From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 26, 2006 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on restricted group policy.

This somewhat depends upon which side of Restricted Groups you're using (i.e. Members of this Group or This group is a member of). If it's the former, and you clear out the users in the list but leave the local Administrators group under control, then it will clear out the members of that local Admin group on the target machines (but will leave the local Administrator account in (always)). If the latter, and you clear out the members of the group, I think what you will find is that those users/groups are simply left in the group that you made them members of. If you simply delete or unlink the GPO, then the groups should be left the way they were before you deleted/unlinked it (i.e. the group membership changes do not get unapplied in the case of restricted group policy).

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Strongosky
Sent: Wednesday, July 26, 2006 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on restricted group policy.

Hey,

Created a restricted group policy for my domain that adds some groups to the local administrators group of the workstations. My question is now management wants me to delete it. If I understand the way this works is that if I delete it then it will delete the groups that were associated with this policy thus leaving nobody in the local admin group. Am I correct...

v/r
john
Re: [ActiveDir] Domain Local Groups vs Global Groups
environment either. 10,000 empty groups aren't going to significantly affect your environment and if you have 64-bit DCs, 100,000 (or 1,000,000) empty security groups won't significantly impact your environment, so don't hesitate to have them in place so that if you need them, you can use them instead of running around in circles when you *do* find you need them. Do a little work now and save yourself some work later do both, but consider the role-based groups to be the preferred path.

On 7/26/06, Dan Holme [EMAIL PROTECTED] wrote:
That's what I get for reading my inbox "up"...

David: do read my treatise in my earlier email. But Matt Hargraves' response did raise the one technical issue I only alluded to: token size. He's right to raise a 'flag' about Exchange. Depending on the complexity of your role-based design and whether you use Exchange (2003 or 2000; 2007 seems to be exempt from this issue) and your Exchange architecture, you do have to watch for the number of total groups a user belongs to. A large number of group memberships will reduce the effective 'maximum users per exchange server' level somewhat... but whether that 'somewhat' would be salient depends on several factors.

To "tie together" what Matt discussed and what I proposed, my discussion lays out a design that integrates both RBS and ABS. You definitely want role-based management. Whether you also go to the level I outlined of managing ACLs depends on your environment: more resources; more complex security; and more 'spread out' resources and you'll be better served by the design I described. In a simpler environment (e.g. "we have a departmental share with each department having a subfolder" on the extreme side), you don't necessarily need the ABS layer.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wyatt, David
Sent: Wednesday, July 26, 2006 8:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Local Groups vs Global Groups

I'd be interested to hear people's strategy for permissioning Windows-based file servers when the server is in a Windows 2003 domain. I have read the best practices about putting users into global groups then put the global groups into local groups then permission the resource with the local group. But:

1. Is it better practice to put the domain local group into a local group on the file server and then use this local group to permission the share/folder? Is this excessive? I have read something about performance or avoiding limits by using the server local group when the access token is created.

2. What shortcomings would there be in putting users into global groups then simply permissioning the global group onto the resource. We only have a single forest/domain.

I am also aware of Universal groups but let's put these to one side for the moment.. ;-)

Thanks
David
Re: [ActiveDir] Test Environments
It sounds like you have a good test environment. The only problem is that people may be scheduling their testing a little too tightly. They need to understand that this is a *TEST* environment. That means it's in a constant state of relative flux and that at any point in time, it could possibly go down for an hour or even possibly a day or two. It will largely be available, but it's not production and they shouldn't be expecting to receive the level of support and uptime that they receive in the production environment. If they expect that, they need to find a way to test outside your test environment. If their schedules are slipping because of the availability of the test environment, then they're not putting enough extra time into their plans and need to start consulting you before deciding when to test and how much time it's going to take.

It may sound like I'm being harsh on them, but it sounds like they are really expecting too much from a test environment and that's because there isn't enough consulting occurring. It really sounds like you need to possibly make a Testing calendar so that everyone (or maybe even just you) has a list of applications that are being tested in the environment and when schema updates and other items which can affect multiple tests that are ongoing occur, the relevant persons can be notified so if they need to reschedule their testing or adjust their testing schedule, they can.

On 7/25/06, WATSON, BEN [EMAIL PROTECTED] wrote:
I was hoping to get some input from some of you to better understand how you handle the design of test environments for application testing. For example, I built a so-called "Offnet" which is a duplicate of our production domain. We have a couple domain controllers restored from tape backup, we have Exchange running, and various other production services using the same domain name and hostnames providing for a very production-like test environment. As time progressed, other production servers duplicated themselves into this test environment and we now have quite a number of people doing the majority of their testing in this environment.

Unfortunately, as more and more people have begun to use this environment for testing, we have found that people are beginning to step on each other's toes. For instance, I used this test environment to walk through the domain upgrade to 2003 and when there was some downtime other people were unable to do their own testing. So I was curious, how do you handle providing a working test environment for people that need it? At this point, we are trying to determine a better way for people to do their testing away from production.

Thanks,
~Ben
Re: [ActiveDir] Enumerating Group type and Membership...
You either have a small environment or someone wants a document that will be completely outdated 12 minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and show their members and continue to follow the '+' if there is nesting. That would be an awesome feature in the ADUC. Maybe I should submit that feature request to Quest and Microsoft.

On 7/25/06, Mike Hogenauer [EMAIL PROTECTED] wrote:
I need all Security Groups and Distribution groups - and their members

Thanks Laura!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Membership...

What is everything [you] need, specifically?

Thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Membership...

All,

I'm trying to enumerate all groups in my AD environment. I need to get Group name, group type and group members for each group... I've tried some sample VBScripts from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx

Then I tried (below) but it still doesn't seem to pull back everything I need. Any help would be great! In a perfect world :) I need a list of all security groups and distribution groups and their members

Thanks,
Mike

Enumerate Security Groups and Members in Domain

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,groupType,member -r "(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640)))" -j c:\tmp

Enumerate Distribution Groups and Members in Domain

csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,groupType,member -r "(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2)))" -j c:\tmp
Re: [ActiveDir] Enumerating Group type and Membership...
Getting a list of groups is easy... getting it all enumerated will be a bit more complex, though not terribly so.

The ADUC allows you to create queries and list all security groups. You can then export this list to a file. Once you have the file, you need to import that list into Excel (pretty easy), then run a VBScript against it with LDAP or ADSI scripting in it (or something like that) to enumerate group members. If they want nested members also, then you've got a lot more complex issue, but I would just state that it's not practical and let him work with the current list.

Hopefully the resulting gargantuan file will be enough to make anyone choke and stop making ridiculous requests that they don't understand the futility of. Enumerating 10k groups simply so that you can toss the list out later that week because it's just going to get more and more out of date is worse than silly, it's a waste of company effort (and money). Make it too easy for him to generate that report and soon he'll be wanting to see what items they have access to in the environment, so you'll end up enumerating out all files and shares and rights assignments on computers.

On 7/25/06, Mike Hogenauer [EMAIL PROTECTED] wrote:
We're medium size - and yes someone does want a current outdated list :) Just trying to make it happen....

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enumerating Group type and Membership...

You either have a small environment or someone wants a document that will be completely outdated 12 minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and show their members and continue to follow the '+' if there is nesting. That would be an awesome feature in the ADUC. Maybe I should submit that feature request to Quest and Microsoft.

On 7/25/06, Mike Hogenauer [EMAIL PROTECTED] wrote:
I need all Security Groups and Distribution groups - and their members

Thanks Laura!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Membership...

What is everything [you] need, specifically?

Thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Membership...

All,

I'm trying to enumerate all groups in my AD environment. I need to get Group name, group type and group members for each group... I've tried some sample VBScripts from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx

Then I tried (below) but it still doesn't seem to pull back everything I need. Any help would be great! In a perfect world :) I need a list of all security groups and distribution groups and their members

Thanks,
Mike

Enumerate Security Groups and Members in Domain

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,groupType,member -r "(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640)))" -j c:\tmp

Enumerate Distribution Groups and Members in Domain

csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,groupType,member -r "(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2)))" -j c:\tmp
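The csvde exports in this thread give group names, groupType values and direct members, while the Domain Local vs Global thread above warns that nesting quietly pushes users past 100+ memberships and inflates tokens. The Python script below is an added example, not code from the thread or any poster: it parses a csvde export made with -l cn,groupType,member (csvde joins multi-valued attributes with ';'), decodes groupType into kind and scope, expands nesting, flags nesting loops and counts effective security-group memberships per user. The example.com data is constructed.

```python
"""Decode groupType and expand nested membership from a csvde-style export."""
import csv
import io
from collections import defaultdict

# groupType bit flags. csvde prints the attribute as a signed 32-bit integer, which
# is why security groups show up as -2147483646 (0x80000002) etc. in LDAP filters.
GLOBAL, DOMAIN_LOCAL, UNIVERSAL = 0x2, 0x4, 0x8
SECURITY_ENABLED = 0x80000000
SCOPES = {GLOBAL: "global", DOMAIN_LOCAL: "domain local", UNIVERSAL: "universal"}


def decode_group_type(value):
    """Return (kind, scope) for a groupType value as csvde exports it."""
    v = int(value) & 0xFFFFFFFF  # normalise the signed form to unsigned bits
    kind = "security" if v & SECURITY_ENABLED else "distribution"
    scope = SCOPES.get(v & (GLOBAL | DOMAIN_LOCAL | UNIVERSAL), "unknown")
    return kind, scope


# Constructed sample export (hypothetical example.com domain, not real data).
SAMPLE_EXPORT = """DN,cn,groupType,member
"CN=Role-Finance,OU=Groups,DC=example,DC=com",Role-Finance,-2147483646,"CN=alice,OU=Users,DC=example,DC=com;CN=bob,OU=Users,DC=example,DC=com"
"CN=Role-Audit,OU=Groups,DC=example,DC=com",Role-Audit,-2147483646,"CN=carol,OU=Users,DC=example,DC=com;CN=Role-Finance,OU=Groups,DC=example,DC=com"
"CN=ACL-FinShare-RW,OU=Groups,DC=example,DC=com",ACL-FinShare-RW,-2147483644,"CN=Role-Finance,OU=Groups,DC=example,DC=com;CN=Role-Audit,OU=Groups,DC=example,DC=com"
"CN=Finance-DL,OU=Groups,DC=example,DC=com",Finance-DL,8,"CN=ACL-FinShare-RW,OU=Groups,DC=example,DC=com;CN=dave,OU=Users,DC=example,DC=com"
"CN=Loop-A,OU=Groups,DC=example,DC=com",Loop-A,-2147483640,"CN=Loop-B,OU=Groups,DC=example,DC=com"
"CN=Loop-B,OU=Groups,DC=example,DC=com",Loop-B,-2147483640,"CN=Loop-A,OU=Groups,DC=example,DC=com;CN=dave,OU=Users,DC=example,DC=com"
"CN=Empty-Group,OU=Groups,DC=example,DC=com",Empty-Group,-2147483640,
"""


def parse_export(text):
    """Parse csvde output into {dn: {"cn", "kind", "scope", "members"}}."""
    groups = {}
    for row in csv.DictReader(io.StringIO(text)):
        kind, scope = decode_group_type(row["groupType"])
        members = [m for m in (row["member"] or "").split(";") if m]
        groups[row["DN"]] = {"cn": row["cn"], "kind": kind, "scope": scope, "members": members}
    return groups


def nested_groups(groups, dn):
    """Every group reachable from dn through nesting; dn itself appears only if nesting loops back."""
    reached = set()
    stack = [m for m in groups[dn]["members"] if m in groups]
    while stack:
        g = stack.pop()
        if g in reached:
            continue
        reached.add(g)
        stack.extend(m for m in groups[g]["members"] if m in groups)
    return reached


def effective_members(groups, dn):
    """Non-group members of dn, direct or through any depth of nesting."""
    users = set()
    for g in {dn} | nested_groups(groups, dn):
        users.update(m for m in groups[g]["members"] if m not in groups)
    return users


def cyclic_groups(groups):
    """Groups that transitively contain themselves; such loops defeat a manual '+' walk."""
    return sorted(groups[dn]["cn"] for dn in groups if dn in nested_groups(groups, dn))


def memberships_per_user(groups, security_only=True):
    """Effective group count per user. Only security groups land in the access
    token, so that count is the one that grows with nesting and drives token size."""
    counts = defaultdict(set)
    for dn, g in groups.items():
        if security_only and g["kind"] != "security":
            continue
        for user in effective_members(groups, dn):
            counts[user].add(dn)
    return {user: len(dns) for user, dns in counts.items()}


def summarize(groups):
    """Count groups by kind and scope, e.g. {"security/global": 2, ...}."""
    counts = defaultdict(int)
    for g in groups.values():
        counts[f"{g['kind']}/{g['scope']}"] += 1
    return dict(counts)


if __name__ == "__main__":
    groups = parse_export(SAMPLE_EXPORT)
    print(summarize(groups))
    for dn, g in groups.items():
        print(f"{g['cn']} ({g['kind']}, {g['scope']}): {sorted(effective_members(groups, dn))}")
    print("nesting loops:", cyclic_groups(groups))
    print("security groups per user:", memberships_per_user(groups))
```

Point it at a real export by replacing SAMPLE_EXPORT with the file contents; users whose count approaches the 80-group mark discussed earlier are the ones to review first.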
Re: [ActiveDir] Domain Trusts.
Basically we're looking at creating a resource domain because the objects that need to go in that domain really do need to get out of our current user environment. But if you can't move items into a forest without having an automatic 2-way transitive trust, then we might need to just go with a separate forest. We're looking at other options internally and it's possible that we may not need security isolation for these other domains. Time will tell.

You've all been very helpful, thank you. Hopefully MS will state in their documentation at some point in time that these trusts can't be altered so that other people don't have to go "I know it's automatically created when I create the object, but what can I do with the trust any more" :)

On 7/22/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:
You might want to describe to us what your actual goal is for creating a non-fully trusted domain in your AD forest. Maybe you can reach a similar goal by using the fairly powerful capabilities in AD to delegate administration of objects within a domain. You can also use these features to hide specific parts of AD from the rest of the organization and thus create semi-isolated units within a single AD domain. Note that there is no way to fully isolate any objects within a domain or forest from domain or enterprise admins - if you do need full administrative isolation, you have to create multiple forests.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, July 22, 2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Trusts.

1-yep
2-yep

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sat 2006-07-22 00:35
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

So basically there's no way to have a domain in a forest that doesn't fully trust every other domain in the forest? The only way to have a non 2-way trust is to make a separate forest?
Re: [ActiveDir] Raid 1 tangent -- Vendor Domain
Just as an FYI: I've seen 64-bit DCs run and I have one thing that I can recommend to everyone: Go 64-bits as soon as possible. There are hundreds of benefits on the server side when going 64-bits, whether it's Exchange (yay for 2007) or your DCs, the performance level is just staggering compared to a 32-bit OS. All your former large application limitations just kinda disappear, unless it's an application-based limitation. No 3GB limitation on the application memory size, no paged pool memory limitation for connections (this hits Exchange first). It's like you're crippling your hardware by staying 32-bits nowadays if you don't have to.

On 7/22/06, joe [EMAIL PROTECTED] wrote:
That's a command line guy for you... :o)

The thing is that I type in a very odd way too, my whole right hand just one or two fingers from my left hand. People tend to get a bit confused when they see me type.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Gent
Sent: Saturday, July 22, 2006 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

joe,
you must type really, really fast

----- Original Message -----
From: Albert Duro [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 7:06 PM
Subject: Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

no debate from me. I was just asking. Thank you for the lesson.

----- Original Message -----
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 9:48 AM
Subject: RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

Mirrors don't scale. Microsoft's deployment doc mostly just talks about using mirrors (small nod to RAID 10/0+1) so everyone thinks that they should build their Corporate DCs on mirrors, usually 3 - OS, Logs, and DIT. Very few people if anyone would build a corporate Exchange Server on mirrors... Why not? The DB is the same under both of them... What is critical to Exchange? IOPS and that means spindles. If something is really beating on AD and the entire DIT can't be cached, IOPS are critical to AD as well. The main difference is that AD is mostly random read and Exchange is heavy writing and reading. The exception to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of data into AD in a month at which point he did something that few people see, pushed the IOPS on the log drive through the roof.

In a smaller environment (very low thousands), or for a low use DC (small WAN site), or a DC with a DIT fully cached a RAID-1 drive for DIT will probably be sufficient, you will note that the only numbers mentioned in the deployment guide are about 5000[2]... That usually means a small DIT and it is extremely likely that a K3 DC will cache the entire DIT. Plus the usage is probably such that the IO capability of two spindles will likely be ok. Let me state though that even in a small user environment if there was an intensive directory based app or a buttload of data that pushes the DIT into GBs instead of MBs I would still be watching my disk queueing pretty close as well as the Read and Write Ops.

AD admins who aren't running directory intensive apps (read as Exchange 2000+) usually don't see any issues but then again most aren't looking very closely at the counters because they haven't had a reason to and even if they had some short lived issues they probably wouldn't go look at the counters. At least that has been my experience in dealing with companies. I will admit that prior to implementing Exchange when I did AD Ops with a rather large company I didn't once look at the disk counters, didn't care, everything ran perfectly well and about the only measure of perf was replication latency and does ADUC start fast enough and it always was fine there unless there were network related issues or a DC was having hardware failure.

Enter Exchange... Or some other app that pounds your DCs with millions of queries a day and tiny little bits of latency that you didn't previously feel start having an impact. You won't feel 70-80ms of latency in anything you are doing with normal AD tools or NOS ops, not at all. You will feel that with Exchange (and other heavy directory use apps), often with painful results unless it isn't consistent and the directory can unwind itself again and hence allow Exchange to then unwind itself.

Now let me point out, I don't deal with tiny companies for work, small to me is less than 40-50k. The smallest I tend to deal with is about 30k. I usually get called to walk in to Exchange issues where Exchange is underperforming or outright hanging, sometimes for hours at a time. There can be all sorts of issues causing this such as
- poor disk subsystem design for Exchange (someone say got fancy with a SAN layout and really didn't know what they were doing seems to be popular here)
- hardware/drivers on the