MSGINA is the Logon Process that was loaded. (GINA = Graphical
Identification and Authentication)
KSecDD, RASMAN, Secondary Logon Service, LAN Manager Workstation
Service, CHAP, DCOMSCM, Winlogon, Winlogon\MSGina are all standard logon
processes you could see in the logs according to what mechanism is
Even with smaller organizations, are the IT people the ones who should
be saying who needs to have access to the CFOs information or should it
be the CFO? Just to be honest, there are a lot of areas within a
company that the IT people aren't qualified enough to even hazard a
guess as to who should
I don't usually think of these as security-enabled distribution lists, but as mail-enabled security groups that users can manage in the same manner as they do distribution lists. When you think of them that way, it's not quite so painfully stupid.
Don't get me wrong, turning all your DLs into
You do make a strong argument, but I'm not sold. The part I can't get past is that the users have the control over adding a sec-prin to be able to pull the data. Vs. pushing the protected data via email. The subtlety is important in my opinion.
The only issue I have with the convenience of adding
I can understand your arguments, but the larger the organization, the more likelihood that the groups are controlled by users (in one way or another) anyway. When you've got 100k groups, you have someone listed as a group owner or someone authorized to approve new members of the group and the only
Thanks for the doc, Jorge; I'd missed that in my searches. And my initial reaction was not only no, but hell no! to the request. But when I examine it logically it's harder to reject out of hand. A little while ago, we did change the default for new DL group requests to be security enabled.
And
Assume. Hmm.. That's been overdone so I'll pass this time :)
Harvey, I just replied to a similar thread on this with my thoughts. I won't bore you with repetition. But I'm curious what makes you want to assume anything when it comes to security issues like this? I think it's way to
have a look at:
Addressing Problems Due to Access Token Limitation
http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74aDisplayLang=en#filelist
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265cDisplayLang=en
My first reaction is, NOOO don't do that. That's silly. I absolutely abhor the concept of convenience to this level when it comes to access to secured resources. Saying that, DG's are often created by default as a security group. I'd actually be surprised, and I would applaud the person
] On Behalf Of Steve Linehan
Sent: Tuesday, October 18, 2005 8:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Log file size not reaching the maximum
log file size
And just so you do not think I am making this up here is the public
reference that documents it:
http
Is the local setting perhaps being overwritten by a Group
Policy setting? Just a thought.
Tony
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, 19 October 2005 2:54 p.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Log file
This problem is described in http://support.microsoft.com/default.aspx?scid=kb;en-us;312571.
The fix allows the automatic archiving of the log files but does not explain
why the problem occurs. The issue is around the fact that a contiguous block
of memory is needed for all of the log
Have you cleared (archived) the logs since
the new settings???
Dan
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005
6:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Log
file size not
:[EMAIL PROTECTED] On Behalf Of Steve
Linehan
Sent: Tuesday, October 18, 2005
10:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security
Log file size not reaching the maximum log file size
This problem is described in http://support.microsoft.com/default.aspx?scid=kb;en-us;312571
Log on as an administrator and take ownership of the drive. Then grant
adequate permissions again.
Reinstalling Windows will obviously fix it, but is a drastic measure.
- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, October 16, 2005 5:43
How can I take ownership when I no longer have the Security tab,
because I have taken control of the C drive for everyone? The
Security tab is gone for every drive because Windows was installed on the C
drive.
thanks in advance
roseta
Quoting Paul Williams [EMAIL
http://www.eventid.net/display.asp?eventid=1202eventno=348source=SceCliphase=1
Look at the 0x4b8 section.
HTH
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow
.
deji
@readymaids.com
Sent by: ActiveDir-owner
09/13/2005 06:00 PM
Please respond to ActiveDir
To:
ActiveDir@mail.activedir.org
cc:
Subject:
RE: [ActiveDir] Security Group Policy
Not Applying
http://www.eventid.net
ail.activedir.org
09/13/2005 07:39
Subject: RE: [ActiveDir] Security Group Policy Not Applying
: RE: [ActiveDir] Security Group Policy Not Applying
It sounds like a restricted groups policy being attempted wrong. But, from
what I've seen, it won't even let you try that.
John
Sudhir Kaushal
You setting restricted groups in a policy? DCs don't have local groups,
they just have the domain database, so, this is to be expected depending on
what you're trying to nest in the domain version of this group.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c -
312.731.3132
cc:
Subject:
RE: [ActiveDir] Security Group Policy
Not Applying
Unless you are entering the group as free text (i.e.
just typing it in). Couple of points here. Using restricted group policy
on DCs to control domain group membership is bad news. I would simply avoid
Jorge answered this pretty well.
Yes the name/cn can be the same if the groups are in different containers.
The sAMAccountNames need to be different if in the same domain.
The displayName should be different or you could get some serious confusion
if you mailenable both.
The Distribution
It shouldn't cause you a problem. The reason is because they don't have the
same name other than the displayname. Everything else should be different.
Al
From: [EMAIL PROTECTED] on behalf of Christine Allen
Sent: Fri 7/29/2005 10:24 AM
To:
each group in AD (distribution and/or security) must have a unique
samaccountname (pre-windows 2000 name) within the domain and must have a unique
common name within a container/OU.
Your groups have the same common name and they can exist because they are in
separate OUs. That's OK. Moving
, June 09, 2005 10:26 AM
To: 'Rimmerman, Russ '; Jorge de Almeida Pinto; 'Robert Williams (RRE) ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Security permissions on user object
I think the krbtgt account will also be listed.
To get all objects (users and groups) with admincount =1
designate which default MS admin groups are protected groups and thus
managed by the adminsdholder object
Cheers
#JORGE#
-Original Message-
From: [EMAIL PROTECTED]
To: Rimmerman, Russ; ActiveDir@mail.activedir.org
Sent: 6/9/2005 5:52 AM
Subject: RE: [ActiveDir] Security permissions
?
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Thu 6/9/2005 2:41 AM
To: 'Robert Williams (RRE) '; '[EMAIL PROTECTED] '; Rimmerman, Russ;
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Security permissions on user object
If you look at MS-KBQ817433
@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object
In fact, yes it will, Russ.
Looking back at the thread, I don't see any discussion about HOW these users
came to have the admincount attribute set to 1. Do you have a root cause?
The reason that I ask is because
Subject: RE: [ActiveDir] Security permissions on user object
In fact, yes it will, Russ.
Looking back at the thread, I don't see any discussion about HOW these
users came to have the admincount attribute set to 1. Do you have a
root cause?
The reason that I ask is because I've dealt
FSMO resets all accounts that you
did not want to change
#JORGE#
-Original Message-
From: Rimmerman, Russ
To: Jorge de Almeida Pinto; Robert Williams (RRE) ;
ActiveDir@mail.activedir.org
Sent: 6/9/2005 12:53 PM
Subject: RE: [ActiveDir] Security permissions on user object
But is it safe
Subject: RE: [ActiveDir] Security permissions on user object
OK this is odd, I changed admincount to 0 and an hour later it was
changed back to 1. How frustrating. What gives?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday
It sounds like it's the adminSDHolder behavior that's
getting you. Are the users members of any of the other protected groups? It
varies across versions, IIRC 2003 added more groups. The articles below should
help point in the right direction.
Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, June 08, 2005
4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security
permissions on user
@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object
It sounds like it's the adminSDHolder behavior that's getting you. Are the
users members of any of the other protected groups? It varies across versions,
IIRC 2003 added more groups. The articles below should help
Northeast Region
Microsoft Corporation
Global Solutions Support Center
From: Rimmerman, Russ
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 08, 2005
8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security
permissions on user object
OK looks like ya'll
] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 9:52 PM
To: Robert Williams (RRE); ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object
Can I just use ADSIEDIT and go to individual users and set the admincount to
0? Will that stick? If that works, I
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 08, 2005 10:52 PM
To: Robert Williams (RRE); ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object
Can I just use ADSIEDIT and go to individual users and set the
admincount to 0? Will that stick? If that works, I
ail.activedir.org
05/27/2005 04:12
Subject: RE: [ActiveDir] Security settings not Inheriting
Sounds like it could be the AdminSDHolder. Have a look at the following
articles.
http://support.microsoft.com/?kbid=232199
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433
Tony
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL
As much as it's a 3rd party utility you might want to take a look at
something like NetIQ's Security Manager or DRA or App Manager. Any of
these have the functionality that you are looking for.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
:07 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Security
How does this one relate specifically to restricted groups? This applies to
a whole slew of items.. the worst offender IMO being a hub and spoke topo
with file system permissions being pushed down to sysvol or dfs link\root
which
: Friday, June 11, 2004 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security
sure:
1. replication of changes and applying the GPO will cause undesirable
results at times.
2. the AdminSDholder process of the domain controls the sensitive groups
in AD (e.g. Domain Enterprise Schema Admin
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 21, 2004 2:55 PM
Subject: RE: [ActiveDir] Security
Guido's #1 can be a nightmare. Say you have a single DC that isn't playing
well with the FRS replication topology and you go to change the restricted
group you will get this great
/advanced_group_search) you'll find
some sample vbscript to grab the USN.
Hunter
-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 10:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Security
More Details
Win2k Servers 1 Root Server with another one
://groups.google.com/advanced_group_search) you'll find
some sample vbscript to grab the USN.
Hunter
-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 10:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Security
More Details
Win2k Servers 1 Root Server
]
Sent: Thursday, June 10, 2004 9:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Security
More Details
Win2k Servers 1 Root Server with another one for redundancy, 1 ISA Server, 1
Server for Teacher Data, 1 Server for Student Data
Win2003 Servers 1 for Office Staff
And the fun begins,
Well
PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, June 11, 2004 2:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security
sure:
1. replication of changes and applying the GPO will cause undesirable
results at times.
2. the AdminSDholder process of the domain
If you want to make sure that no one is added to the group you could
make the group a Restricted Group via a GPO.
If you want to know when a user is added to the group, you could use a
GPO to turn on auditing of Account Management but then you would have
to search the audit logs of all of the DCs
We have some homegrown stuff that monitors specified groups and sends an
email nightly if anything changes. Been doing that for quite some time.
An example of one easy approach is at
http://www.winnetmag.com/WindowsScripting/Article/ArticleID/38400/38400.html
Sure you can audit it with built in
: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Donnerstag, 10. Juni 2004 19:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security
If you want to make sure that no one is added to the group you could
make the group a Restricted Group via a GPO.
If you want to know
I'm curious, do you have any more details?
-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security
don't use the Restricted Groups feature on domain groups, especially
domain
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security
I'm curious, do you have any more details?
-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security
don't use
These articles might help:
A List of the Windows 2000 Domain Controller Default Ports:
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q289241
AD Replication over Firewalls by Steve Riley,
http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp
FYI:
Q224196 -
I also wrote a lot of things many years ago ;-) I'd still have a closer
look at MACS today...
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of stefano tufillaro
Sent: Dienstag, 16. März 2004 20:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security
PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wednesday, March 17, 2004 2:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits
I also wrote a lot of things many years ago ;-) I'd still have a closer
look at MACS today
MACS (MS Audit Collector System) will do all of that for
you and likely much more efficient than what you'd do yourself (and more secure
as well) - should be released soon (I think with 2003 SP1)
/Guido
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Dienstag, 16. März 2004 19:18
To:
Ahhh I forgot about that coming.
Thanks Guido!
mc
-Original Message-
From: GRILLENMEIER,GUIDO
(HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 1:40
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security
event log audits
MACS (MS Audit
Will this work for Win2k servers also?
Mike
From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 1:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits
MACS (MS Audit Collector System) will do all of that for
you
PROTECTED]'
Subject: RE: [ActiveDir] security event log audits
Will this work for Win2k servers also?
Mike
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 1:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits
MACS (MS Audit
reports (Crystal, Html,
PDF etc.) and also send script as soon as a program to modify the system
from remote location.
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits
Date: Tue, 16
I would ask them their reasons and then post them here...
I can't think of any real reasons as long as your servers are sat internally
and talk on your private WAN?
Rob
/
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, November 17, 2003 11:49 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Security Concerns With Creating a
Secondary DNS Zone
I would ask them their reasons
I think I'd create a web page which uses WMI to query the logs and
displays (say) the last half hour's data or asks for a username and then
shows the data relevant to that user - a quick google gives
http://www.eggheadcafe.com/articles/20010614a.asp which looks like a
good starting point.
Steve
.
Cheers!
John Reijnders
MCSE Windows Server 2003
-Original Message-
From: Joe
To: [EMAIL PROTECTED]
Sent: 25-9-2003 3:36
Subject: RE: [ActiveDir] Security Logs
The only way to give out the ability to non-admins to read the security
log
in Windows NT or Windows 2000 is to grant
James-
I think that the riskiest thing that someone can get out of the security
logs is information on all of the user accounts and groups within your
domain. Since there isn't a way to block this information if they have
access to the live logs, it may not be something the other companies
would
The only way to give out the ability to non-admins to read the security log
in Windows NT or Windows 2000 is to grant the Manage auditing and security
logs security user right. You DO NOT want to do this as it gives the user
the ability to both clear the security log as well as write security
Message -
From: Free, Bob [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 6:00 PM
Subject: RE: [ActiveDir] security templates
very keen to leverage the templates for baselining DC
security and configuration distributed with the MS security
operations guide
/default.asp?url=/technet/security/prodtech/windows/secwin2k/default.asp
-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 3:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates
Thanks, Bob! ;-)
Rick Kingslan MCSE, MCSA, MCT
/treeview/default.asp?url=/technet/security/
prodtech/windows/secwin2k/default.asp
-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 3:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates
Thanks, Bob! ;-)
Rick Kingslan
: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 11:52 PM
Subject: RE: [ActiveDir] security templates
Thanks, Bob! ;-)
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
??
Thanks for your help
GT
- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 11:52 PM
Subject: RE: [ActiveDir] security templates
Thanks, Bob! ;-)
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
- Original Message -
From: Rick Kingslan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, February 23, 2003 4:11 PM
Subject: RE: [ActiveDir] security templates
Graham,
If there are versions of the templates that have been made available
since those initial ones, I'm unaware of them
/23/2003 10:11 AM
Subject: RE: [ActiveDir] security templates
Graham,
If there are versions of the templates that have been made available
since those initial ones, I'm unaware of them.
As to the SIDs, as I recall, you're correct - they are well-known
principals, users and groups both. I've seen
yeh, a blatant bit of oneupmanship to us mere mortals
- Original Message -
From: Thommes, Michael M. [EMAIL PROTECTED]
To: 'Rick Kingslan ' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, February 23, 2003 5:42 PM
Subject: RE: [ActiveDir] security templates
Hi Rick
Graham,
Though I don't have a link to them in front of me at the moment, as you
might recall, Microsoft submitted for and passed the Common Criteria.
Microsoft (via SAIC) published a configuration and an administration
guide that is a bit more current with templates, et. al. Look into
those for
: [ActiveDir] security templates
Graham,
Though I don't have a link to them in front of me at the moment, as you
might recall, Microsoft submitted for and passed the Common Criteria.
Microsoft (via SAIC) published a configuration and an administration
guide that is a bit more current with templates
:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates
Funny, I was just looking at those :-]
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp
-Original Message-
From: Rick Kingslan [mailto:[EMAIL
You can do so by Group-Policies, e.g. in the Default Domain Controllers Policy
(Computer Config\ Windows Settings \ Security Settings \ System Services).
Beware, that the GUI only lists the services that it can see on the _machine_
from where you edit the GPO, so you should
Hey John,
That checkbox is a representation of the inheritance flags that are associated
with each access control entry (ACE), i.e. with each specific permission granted
or denied in the ACL.
There are five flags in the mask that define how each ACE is inherited:
0x01
-To: [EMAIL PROTECTED]
Date: Tue, 24 Sep 2002 17:17:25 -0400
You have been trying to set file system permissions via a template?
-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security
Marija,
http://nsa2.www.conxion.com/win2k/index.html Lots of good info concerning
Templates and how to implement/administer them.
Microsoft Recommends this:
C:\... (and most everything underneath)
Administrators - FC
System - FC
Authenticated Users - Read, Execute
Users should not be
You have been trying to set file system permissions via a template?
-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security Templates
Thanks, I'll try that. Actually I have