Re: [ActiveDir] Strange password issue

2006-09-15 Thread Paul Williams
Not really, as it's now 512 and can't get to that state without a password meeting complexity. --Paul - Original Message - From: Akomolafe, Deji To: ActiveDir@mail.activedir.org Sent: Friday, September 15, 2006 4:52 AM Subject: RE: [ActiveDir] Strange

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread neil.ruston
Thanks for responses, all. Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Almeida Pinto, Jorge de
Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model]. What is being said is

RE: [ActiveDir] Any impacts to domain controller when changing its IP?

2006-09-15 Thread Almeida Pinto, Jorge de
I knew that, I just preferred him to say it for himself... ;-) (BY THE WAY: Mark, did you go to the game?) it is also possible to rename a W2K3 DC when not in DFL=W2K3 (thus DFL=W2K native/mixed) AND it is

Re: [ActiveDir] Any impacts to domain controller when changing its IP?

2006-09-15 Thread Mark Parris
No I missed the game as the wife is not well - she's from Maastricht so you can guess what it's like at home at the moment. Mark Mark Parris Base IT Ltd Active Directory Consultancy Tel +44(0)7801 690596 -Original Message- From: Almeida Pinto, Jorge de [EMAIL PROTECTED] Date: Fri,

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Paul Williams
Neil, Try a re-read of the first couple of chapters of the first part of the deployment guide book designing and deploying directory and security services. Obviously it doesn't spell out how to do this -it doesn't even allude to how this is done- but does emphasise when and when not to go

RE: [ActiveDir] List archive

2006-09-15 Thread dinesh shinde
yes Thanks & Regds. Dinesh From: David Adner

[ActiveDir] VBScript Container Security

2006-09-15 Thread Joe McNicholas
I'm trying to create and secure the LDAP://cn=System Management,cn=System,dc=mydomain,dc=com container, as required for SMS[1]. I'm able to create the container successfully, but haven't found any examples of how to assign security to an OU or Container in

Re: [ActiveDir] VBScript Container Security

2006-09-15 Thread Paul Williams
I can't point you at any examples, but most of the documentation I read and from what MSFT people said at conferences, reckons you should grant full control to the group for SMS servers on that container. That's horse sh!t -you need to grant create and

[ActiveDir] need help

2006-09-15 Thread badhusha
Guys, I need to develop a program which displays the services in all the DCs, any idea where I can find better help regarding or any other alternative solution Thanks in advance Joe McNicholas [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/15/2006 09:53 AM Please respond to

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Dave Wade
Chris, I guess I have three "comments" on this:- 1) Putting user in "Power users" does "cut down on the potential", however even on a properly configured machine users can usually install personal browser extensions containing SpyWare. 2) Spy ware hangs around for a long time. Our users

RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Dave Wade
Darren, While that also seems intuitive to me, patently something odd happens. It is clearly documented, (well I hope it is, it's certainly my understanding) that you can only set password policy on the Domain in a top level GPO not one applied directly to the domain controllers OU. Therefore

Re: [ActiveDir] need help

2006-09-15 Thread Paul Williams
Look into the Win32_Service class for info. on how to view and manage services via script. Or, if you fancy calling EXEs and not handling everything in code, use the SC.EXE tool. --Paul - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org

RE: [ActiveDir] need help

2006-09-15 Thread Dave Wade
I guess it depends on what you mean by "display". It's pretty easy to build a custom MMC console that contains a "Services" snap-in for each DC, and then use "runas" to launch with the rights needed. You can still only see the services on a single DC at once, but it's pretty easy to flip round

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Chinnery, Paul
I agree but, unfortunately, the software being used requires local admin privileges. Which, as you might imagine, is quite frustrating. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Thursday, September

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Christopher . Drewery
Return Receipt Your RE: [ActiveDir] OT: Protecting against Spyware/Adware document :

Re: [ActiveDir] DNS zones expiring

2006-09-15 Thread HBooGz
Thanks for the feedback. I can definitely telnet to both servers interchangeably and netstat works as it should. I have the allow all servers listed under nameservers selected for zone transfers -- I might just change that to specific IP addresses. When I reload, that works fine - the problem is the

RE: [ActiveDir] Replication Metadata

2006-09-15 Thread Brett Shirley
Just tell your boss you didn't say the hour would be made up of consecutive minutes. [1] Cheers, -BrettSh [1] A line that was used on me when Windows Architect told me I'd be able to solve my global sync object naming problem within a few hours. A couple days of issues later, and after he spent

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Rob MOIR
2) Spy ware hangs around for a long time. Our users used to have admin rights so there is a lot of legacy spyware around Create a project to re-build these machines? If you've got a standard deployment image for workstations, this might not be too disruptive. 3) We still have business

Re: [ActiveDir] DNS zones expiring

2006-09-15 Thread Al Mulnick
From what I've seen, the timeout can also be attributed to the transfer failing for whatever reason. If, during the transfer the entire zone is not copied, then you hit an error. This sounds like some network issues or you're behind in your patching. Have you verified that there are no network

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread beads
Return Receipt Your RE: [ActiveDir] OT: Protecting against Spyware/Adware document:

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Mike Guest
One help might be to run in admin mode (since you have to) but launch ie and outlook from shortcuts which run as unprivileged accounts - that might cut down on SOME vectors. HTH (PS - the following info from Mark Russinovich uses this approach - I can't get it to open on blogger (it's from

Re: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
www.threatcode.com and those business critical apps are? Have you tried hacking up the registry to get them to work? Dave Wade wrote: Chris, I guess I have three comments on this:- 1) Putting user in Power users does cut down on the potential, however even on a properly configured

Re: [ActiveDir] DNS zones expiring

2006-09-15 Thread HBooGz
Thanks Al. I will monitor the link and check to see if any latency or packet loss occurs and if so, if it coincides with the zone expiring. What about the second part of the question? Would you recommend DNS delegation? On 9/15/06, Al Mulnick [EMAIL PROTECTED] wrote: From what I've seen, the

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Jason_Centenni
Return Receipt Your RE: [ActiveDir] OT: Protecting against Spyware/Adware document:

RE: [ActiveDir] DNS zones expiring

2006-09-15 Thread Akomolafe, Deji
Yes, I would. From parent to the child DNS server. Then create a Primary or AD-int child zone on the child DNS server. It's a KISS factor. Sincerely, Microsoft MVP - Directory

RE: [ActiveDir] Strange password issue

2006-09-15 Thread Akomolafe, Deji
Paul, did you try this? Sincerely, Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday?

RE: [ActiveDir] List archive

2006-09-15 Thread joe
That thing is always really really slow for me. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Friday, September 15, 2006 12:06 AM To: ActiveDir@mail.activedir.org Subject:

RE: [ActiveDir] Strange password issue

2006-09-15 Thread joe
The account is currently 512... You can't get there with a blank password without 1-4. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Thursday, September 14, 2006

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Dave Wade
Thanks for that pointer. I might be making some nominations. I have done lots of hacking of registry etc, but at some point you have to cut your losses. I think when before we started the lock down there were about 3,500 PC's with local admin rights. We are now down to between 20 and 30. This

Re: [ActiveDir] DNS zones expiring

2006-09-15 Thread Al Mulnick
I've seen that work Ok if used with forwarding. I think I'd prefer stub zones though. On 9/15/06, HBooGz [EMAIL PROTECTED] wrote: Thanks Al. I will monitor the link and check to see if any latency or packet loss occurs and if so, if it coincides with the zone expiring. what about the second part of

RE: [ActiveDir] Strange password issue

2006-09-15 Thread joe
Hell I posted it in the post I wrote Deji, take a peek... -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Friday, September 15, 2006 10:39 AM To:

RE: [ActiveDir] Active Directory Cookbooks...

2006-09-15 Thread joe
If you mean you purchased Active Directory Second Edition... Ebay it and just start reading the Third Edition, I made considerable changes through it and not just for new stuff. The security and schema chapters and most all of the scripts got massive work done to them to correct issues, etc. Now

Re: [ActiveDir] DNS zones expiring

2006-09-15 Thread HBooGz
say for example i have company.org - parent, sales.company.org - child. from the parent dns server i would start the delegation wizard and the delegated domain would be the sales.company.org, fqdn of child dns server ? then on the child server i would create a primary of the dnsdomain zone

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Al Mulnick
I agree and add to that some additional thoughts: Not long ago there was some conversation around a suggestion that [EMAIL PROTECTED] put out regarding the idea of using multiple forests vs. domains in such a model. Personally, I disagree with that recommendation as given. I think A LOT more

[ActiveDir] Windows Time Service

2006-09-15 Thread Steven Johnston
Hi Guys, I have a small site with 2 DCs, the pdc emulator originally did not sync with any external source, I made the changes so it would seek an external source but now due to policy it needs to sync to its internal clock. When I change the registry entry for Type from NTP to

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Crawford, Scott
I'm sure there are apps that are written exceptionally stupidly, requiring admin, but I've yet to run across one. I've had lots of our guys tell me something HAS to have admin to run, but I've yet to run across one that really does. I suggest you read this article:

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Matt Hargraves
I agree with the people who are saying Either trust all of them or none of them. Realistically, unless you have a large environment (BTW, some people argue that all but maybe 10 Fortune 100 companies are 'medium' sized and the other 99.% of organizations are 'small'), there should only be a

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Dave Wade
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR Sent: 15 September 2006 13:50 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware 2) Spy ware hangs around for a long time. Our users used to have admin

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread neil.ruston
Thanks Paul., Joe's been there and done it... LOL - so have I several times before :) neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: 15 September 2006 09:46 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Elevating privileges from DA to

RE: [ActiveDir] List archive

2006-09-15 Thread Alex Alborzfard
Maybe someone should re-write in .NET! :) Alex From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, September 15, 2006 10:54 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] List archive That thing is always really really slow

RE: [ActiveDir] ADSI programming

2006-09-15 Thread Ramon Linan
Hi, I want to start programming in AD. I have experience programming with Python, PHP and VBA. Any suggestion on which language is more convenient to program with ADSI? I was going to use Python because it can be used in Windows, Mac or Linux/Unix. Thanks Rezuma List info :

RE: [ActiveDir] Strange password issue

2006-09-15 Thread Akomolafe, Deji
OK. The account under discussion is "512". Had to refresh my brains because I just took your 1-4 bullet points and said, uh-uh, there is a way to have an enabled password-less account. Granted it won't be "512" and will be useless, it is still enabled. Sorry, Paul. Sincerely,

RE: [ActiveDir] Replication Metadata

2006-09-15 Thread Isenhour, Joseph
Don't you mean, If vbscript Then : you want the XML versions : End If Sorry, bad joke -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, September 14, 2006 6:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Replication

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread James_Day
Hi All I wanted to weigh in with two comments. 1) Elevating privileges from DA to EA (or from physical DC access to EA) is simple - it takes about 45 minutes and unless you have some very good active monitoring is difficult to detect. There are automated tools out there for doing this. I have

Re: [ActiveDir] VBScript Container Security

2006-09-15 Thread A P
Here is a link to a script written in Jscript that may give you some ideas. http://calnetad.berkeley.edu/documentation/scripts/index.html#ousetup This script creates an OU and adds an ACE for delegating rights to the OU. Regards, Arden On 9/15/06, Paul Williams [EMAIL PROTECTED] wrote: I

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Chinnery, Paul
Well, I guess you'd have to define has. We run a hospital IS from a major healthcare s/ware vendor that has instructions on its customer website on making a couple of registry changes to allow non-local admins to run it. So, technically if a registry change is made, it doesn't have to run

RE: [ActiveDir] List archive

2006-09-15 Thread Brian Desmond
Aspx == .Net Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard Sent: Friday, September 15, 2006 12:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] List archive

Re: [ActiveDir] ADSI programming

2006-09-15 Thread Matheesha Weerasinghe
I wonder whether ironpython http://www.ironpython.com/ is worth looking into in that case. I am no programmer but I have a hunch it might be to your liking. Cheers M@ On 9/15/06, Ramon Linan [EMAIL PROTECTED] wrote: Hi, I want to start programming in AD. I have experience programming with Python, PHP

Re: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Web bigger malware threat than email - ZDNet UK News: http://news.zdnet.co.uk/0,39020330,39283339,00.htm Dave Wade wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR Sent: 15 September 2006 13:50 To: ActiveDir@mail.activedir.org

Re: [ActiveDir] Slightly OT: Modifying AD vbscript

2006-09-15 Thread AFidel
You are almost assuredly running into the default return limit of 1000 items. AD queries will only return that many items per query by default. In order to retrieve more information you need to use paging. I personally use SQL style syntax because I know SQL and that is what the MS script center

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread John_Haaland
Return Receipt Your RE: [ActiveDir] OT: Protecting against Spyware/Adware document:

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Crawford, Scott
Has = The user running the program needs to be a member of Power Users or Administrators to run said program. It sounds like your program requires one of two options to run - add the user to Administrators or tweak the registry. Tweaking the registry is by far the better option IMO. The

Re: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Kamlesh Parmar
Well at one of the customers, they have around 10 to 15 GPOs applied at domain level, for various purposes ranging from software deployment to other settings. So they didn't want many of those GPOs to be applied to domain controllers. Above that, they have block inheritance enabled at various

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Kevin Brunson
Elevating privileges from DA to EA (or from physical DC access to EA) is simple Is this physical access to a DC in the root domain or physical access to a DC with a forest trust to the root domain? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL

[ActiveDir] splitting a domain into two

2006-09-15 Thread Kamlesh Parmar
Dear All, Scenario: Single regional domain, two sites, both sites having separate links to Internet and direct WAN connectivity with each other. AD Integrated DNS. site1: 300 users, site2: 400 users. Now, due to restructuring, they have decided to get rid of WAN link joining the two sites immediately,

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread joe
Again simple is relative. Also don't mistake your knowledge for that of anyone else. You may know more than others, others may know more than you. Me, I tend to expect others know more than I do so I err on the side of caution because I know what I know and it sometimes scares me. :o)

Re: [ActiveDir] ADSI programming

2006-09-15 Thread Joe Kaplan
Well, you don't need a .NET implementation of Python (which is what IronPython is) to use Python with ADSI. Python already has COM support. If one was interested in Python running on the CLR, then that would be the thing to check out, but I'm guessing the guy just wants to write some ADSI

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Bernard, Aric
Kevin, FWIW - as others are stating, assuming you know what you are doing, it is *simple* and painless so long assuming that you are a DA of any domain in the forest and have access to the console of a GC. There are many exploits strategies in this area and in its most basic form this can be

RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Darren Mar-Elia
I just prefer using sec. Group filtering over block and enforced flags. In your scenario I would have added explicit denies for the DC group to those GPOs that should not have applied rather than block inheritance. -Original Message- From: Kamlesh Parmar [EMAIL PROTECTED] To:

RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Derek Harris
It seems to me that a better solution is to only put the password policy into the default domain GPO, and create a separate GPO for any other settings to apply to the OUs. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar Sent: Friday, September 15, 2006 2:38

RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Darren Mar-Elia
Yes, but there are times when you want to affect all machines or users in a domain and it's a pain to have to link those policies to every OU. Domain-linked GPOs are useful but you do have to be explicitly aware of what you're targeting. That's why I like using explicit security group

[ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Ravi Dogra
Hi, I am facing a weird problem here is some required information. Frontend - Backend Structure. Exchange with SP2 on Win2k3 SP1 on all Servers. FE1 and BE1 is on a different site, BE2 is on my Site. Configured RPC Over Https on Frontend Server. OWA (SSL) is working fine. Now here is the

RE: [ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Robert Rutherford
The usual issue with that is that the url u r connecting to matches the name on the cert. This must match on internal and external, i.e. u must use split brain or you must config ur firewall to accept that connection on the WAN interface. Rob Robert Rutherford QuoStar Solutions Limited T:

Re: [ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Ravi Dogra
Hi Bob, Can you please explain how it should be. because i think i have something wrong here related to certificate. Thanks Ravi Dogra On 9/16/06, Robert Rutherford [EMAIL PROTECTED] wrote: The usual issue with that is that the url u r connecting to matches the name on the cert. This must

RE: [ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Robert Rutherford
Hi Ravi, The certificate does need to match the name of the site... i.e. mail.comp.com . If it doesn't then it won't work. There are numerous reasons why it fails but that is the first. Rob Robert Rutherford QuoStar Solutions Limited T:+44 (0) 8456 440 331 F:+44 (0) 8456 440 332

RE: [ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Akomolafe, Deji
In addition to what Robert is saying, take a look at http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/0849cb53-f1f9-419b-bb74-82bc010e247f.mspx?mfr=true There are many things that can be responsible for this failure, and you need to selectively eliminate each.

RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Darren Mar-Elia
I hear you joe. I think it depends upon the environment and its goals. I'm generally against implicit stuff like blocking flags because it's hard for people to troubleshoot. I'm also not terribly thrilled with the notion, in large environments, of having to manage 10s or 100s of gplinks and

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread joe
I am the type that argues that 3-5 EA/DA folks is good for any size org. Showing that the large companies with hundreds of thousands of seats can accomplish it helps illustrate that smaller companies should be able to accomplish it and that instead of making the job harder, it makes it easier.

RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread joe
Yep yep. Good arguments for standardization of OU hierarchy and overall automated management of the OU's. :) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday,

RE: [ActiveDir] splitting a domain into two

2006-09-15 Thread joe
First impression: Yuck. The main thing that caught my attention is the "migrate into a corporate domain at a later time". I assume you mean both of these "separated" domains would be migrated? If so, how do you plan to do the migration? You won't be able to have name res for the trusts,

RE: [ActiveDir] Replication Metadata

2006-09-15 Thread joe
;o) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, September 15, 2006 1:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir]

Re: [ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Joe Kaplan
In addition to what everyone else has said, if there is an issue with SSL in Windows, you almost always get an error from schannel in the System event log on the machine that rejected the connection that explains exactly what the problem is (if you can figure out what it is telling you). For

RE: [ActiveDir] Slightly OT: Modifying AD vbscript

2006-09-15 Thread joe
However this isn't a query, it is an enumeration, no 1000 record limit here... There could be various issues. I don't code in vbscript enough to catch issues at a glance especially with recursive functions which can introduce nice oddities. The OP doesn't indicate the number of users he

RE: [ActiveDir] seeAlso

2006-09-15 Thread joe
I generally try to dissuade folks from pillaging the base schema attributes... While MSFT may not be using them now it doesn't mean that later they won't start and you could be stuck in a difficult position. Creating a new attribute is relatively painless if you follow the basic rules, get an OID

RE: [ActiveDir] Is a Global Security group being used?

2006-09-15 Thread joe
Yep, as sucky as a method as it is it is something that has been floating around as *a* method for years and years to work out the Windows security related uses. I know I started mentioning it to folks once I noticed non-security groups maintained their SID. I find causing temporary easy to