RE: [ActiveDir] Hardening Active Directory
http://www.nsa.gov/snac/win2k/download.htm -- Guides for AD, DNS, Group Policies, File System. I use these guides religiously.

-Original Message-
From: Hazelman, Doug [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 11:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hardening Active Directory

There's some good tips here. Make sure the AD servers on the NET are in a separate forest.
http://www.aelita.com/ADSecurity
-doug

-Original Message-
From: Brad Martin [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 11:11 AM
To: Active Directory Mailing List
Subject: [ActiveDir] Hardening Active Directory

Anyone have any good links with tips on securing Active Directory? I'm going to have a couple of AD servers out on the Net, so I want to do what I can to lock them down.

Brad Martin
Go Daddy Software
[EMAIL PROTECTED]
480.505.8800 ext. 250
RE: [ActiveDir] How to make a Domain group local administrator on workstations
Steve,

You can use Restricted Groups via a group policy. Set that group policy on your domain or on the OU's that the 100 workstations reside. Let me know if you need any further info.

Jbl

-Original Message-
From: Byrne, Steve [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 27, 2002 3:20 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] How to make a Domain group local administrator on workstations

How do I make a domain group or user a local admin on 100 Workstations?
[ActiveDir] Folder Redirection using .NET AD Tools
Hi,

Has anyone tried setting up Folder Redirection Group Policies with the .NET version of the AD Users and Computers Tool? Normally, Folder Redirection is located under: User Configuration--Windows Settings--Folder Redirection. However, w/ the .NET version of the tools, there are no Folder Redirection policies listed. Even the help page within the Group Policy MMC tells you the path.

Any help would be appreciated,
Thanks,
jbl

Justin Leney
NIST/Systems Plus
Windows Server Team
301-975-4903 (Desk)
301-664-0106 (Pager)

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] XP GPOs vs Win2k GPOs
Greg, thanks for the help on that.

-Original Message-
From: Greg Felzer [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 27, 2002 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] XP GPOs vs Win2k GPOs

Here is MS solutions, they are now sure why this is happening but at least the solution works:

If you are missing the GPO extensions under User Configuration/windows settings you need to register the following dll's for each extension that is missing. Open a command prompt and type the following:

    cd %systemroot%\system32
    regsvr32 "name of dll" (without the ""'s)

The dll's for each extension are listed below:

    Scripts (Logon/Logoff) --- %SystemRoot%\System32\gptext.dll
    Security Settings --- C:\WINDOWS\System32\wsecedit.dll
    Internet Explorer Maintenance -- %SystemRoot%\System32\ieaksie.dll
    Remote Installation Services -- %SystemRoot%\System32\RIGPSNAP.dll
    Folder Redirection Editor -- C:\WINDOWS\system32\fde.dll

Greg Felzer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Leney, Justin
Sent: Wednesday, September 25, 2002 4:11 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] XP GPOs vs Win2k GPOs

No doubt, RSoP is a nice tool. More in depth than doing a Security Config/Analysis. I am actually having a similar issue as you, sometimes you can see the entire GPO (with the extended-XP only policies) and sometimes not. Strange. When MS helps you can, can you post it up here?

Jbl

-Original Message-
From: Greg Felzer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] XP GPOs vs Win2k GPOs

Yes they work. We are in the middle of developing our revised XP GPO's. The problem we have run into is that most of our XP pro SP1 machines will not show all of the available GPO settings under: user config/windows settings. On all but one XP machine the only thing listed is RIS and scripts. On the XP machine that works correctly we have all of the settings (IE RIS, scripts, Security settings, folder redirection and IE maintenance). I have an incident open with MS which has been booted up to development.

FWIW the .net admin pak has some really cool features. The RSoP mmc, which provides a graphical display of what GPO settings have been applied to a user/computer and from what GPO they came from really helps when you are troubleshooting.

Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Leney, Justin
Sent: Wednesday, September 25, 2002 11:08 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] XP GPOs vs Win2k GPOs

First thing to download is the .net beta adminpak.msi:
http://www.microsoft.com/downloads/release.asp?ReleaseID=34032area=searchordinal=1

Then, you can look at the new group policies and explanations that will only affect XP. In fact, each GP will have a statement "At least Windows 2000" or "At least XP Pro", etc.

Also, does anyone know if the new policies actually 'work' yet, or do we have to wait until we have a .net server running on our domain?

-Original Message-
From: Taylor, Eric [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 9:58 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] XP GPOs vs Win2k GPOs

I am trying to find some information on the differences in GPOs for Windows 2000 and XP. Any links or whitepapers to reference would be great.

Thanks,
Eric
RE: [ActiveDir] XP GPOs vs Win2k GPOs
First thing to download is the .net beta adminpak.msi:
http://www.microsoft.com/downloads/release.asp?ReleaseID=34032area=searchordinal=1

Then, you can look at the new group policies and explanations that will only affect XP. In fact, each GP will have a statement "At least Windows 2000" or "At least XP Pro", etc.

Also, does anyone know if the new policies actually 'work' yet, or do we have to wait until we have a .net server running on our domain?

-Original Message-
From: Taylor, Eric [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 9:58 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] XP GPOs vs Win2k GPOs

I am trying to find some information on the differences in GPOs for Windows 2000 and XP. Any links or whitepapers to reference would be great.

Thanks,
Eric
RE: [ActiveDir] XP GPOs vs Win2k GPOs
No doubt, RSoP is a nice tool. More in depth than doing a Security Config/Analysis. I am actually having a similar issue as you, sometimes you can see the entire GPO (with the extended-XP only policies) and sometimes not. Strange. When MS helps you can, can you post it up here?

Jbl

-Original Message-
From: Greg Felzer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] XP GPOs vs Win2k GPOs

Yes they work. We are in the middle of developing our revised XP GPO's. The problem we have run into is that most of our XP pro SP1 machines will not show all of the available GPO settings under: user config/windows settings. On all but one XP machine the only thing listed is RIS and scripts. On the XP machine that works correctly we have all of the settings (IE RIS, scripts, Security settings, folder redirection and IE maintenance). I have an incident open with MS which has been booted up to development.

FWIW the .net admin pak has some really cool features. The RSoP mmc, which provides a graphical display of what GPO settings have been applied to a user/computer and from what GPO they came from really helps when you are troubleshooting.

Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Leney, Justin
Sent: Wednesday, September 25, 2002 11:08 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] XP GPOs vs Win2k GPOs

First thing to download is the .net beta adminpak.msi:
http://www.microsoft.com/downloads/release.asp?ReleaseID=34032area=searchordinal=1

Then, you can look at the new group policies and explanations that will only affect XP. In fact, each GP will have a statement "At least Windows 2000" or "At least XP Pro", etc.

Also, does anyone know if the new policies actually 'work' yet, or do we have to wait until we have a .net server running on our domain?

-Original Message-
From: Taylor, Eric [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 9:58 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] XP GPOs vs Win2k GPOs

I am trying to find some information on the differences in GPOs for Windows 2000 and XP. Any links or whitepapers to reference would be great.

Thanks,
Eric
RE: [ActiveDir] Security Templates
Marija,

http://nsa2.www.conxion.com/win2k/index.html
Lots of good info concerning Templates and how to implement/administer them.

Microsoft Recommends this:

C:\... (and most everything underneath)
    Administrators - FC
    System - FC
    Authenticated Users - Read, Execute

Users should not be denied access to most of the C:, as they'll need to execute dll's and whatnot.

--

C:\Documents and Settings\%username%\ (these will be set by the OS when the user logs into the local computer or domain)
    Administrators - FC
    System - FC
    %username% - FC (or Change, if you don't want them to delete their profile directory)

-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 7:02 AM
To: ActiveDirLista
Subject: [ActiveDir] Security Templates

Hallo,

Can anybody tell me where can I find more documentation on Security Templates especially about working with the File System on local computers.

Also, can anybody send me an example on how to deny access to all folders on the local C: drive, and then allow only one specific folder for every user. So drive C: and all subfolders should be inaccessible for everybody. But, for example the user marija should be able to access only her My Documents folder and have the rights that I assign her. She should not be able to see, browse, list the contents, and not to mention to read, or write to any other folder on drive C:

Thanks,
Marija
RE: [ActiveDir] Security Templates
You have been trying to set file system permissions via a template?

-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security Templates

Thanks, I'll try that. Actually I have already been doing that but it seems not to be working.

Regards
marija

-- Original Message --
From: Leney, Justin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 24 Sep 2002 13:42:38 -0400

Marija,

http://nsa2.www.conxion.com/win2k/index.html
Lots of good info concerning Templates and how to implement/administer them.

Microsoft Recommends this:

C:\... (and most everything underneath)
    Administrators - FC
    System - FC
    Authenticated Users - Read, Execute

Users should not be denied access to most of the C:, as they'll need to execute dll's and whatnot.

--

C:\Documents and Settings\%username%\ (these will be set by the OS when the user logs into the local computer or domain)
    Administrators - FC
    System - FC
    %username% - FC (or Change, if you don't want them to delete their profile directory)

-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 7:02 AM
To: ActiveDirLista
Subject: [ActiveDir] Security Templates

Hallo,

Can anybody tell me where can I find more documentation on Security Templates especially about working with the File System on local computers.

Also, can anybody send me an example on how to deny access to all folders on the local C: drive, and then allow only one specific folder for every user. So drive C: and all subfolders should be inaccessible for everybody. But, for example the user marija should be able to access only her My Documents folder and have the rights that I assign her. She should not be able to see, browse, list the contents, and not to mention to read, or write to any other folder on drive C:

Thanks,
Marija
[ActiveDir] Extended Account Properties (?)
Hi,

Does anyone know of an AD Tool/Query which will tell you the last date/time an AD Object was modified?

Thanks,

Justin Leney
NIST/Systems Plus
Windows Server Team
301-975-4903 (Desk)
301-664-0106 (Pager)
RE: [ActiveDir] Extended Account Properties (?)
Richard, thanks for the info. The WhenChanged attribute in ADSIEDIT is sufficient. Also, ENUMPROP.EXE; is that part of the 2000 Server Resource Kit?

Jbl

-Original Message-
From: Puckett, Richard [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 9:35 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Extended Account Properties (?)

Justin,

I'd done an earlier posting for someone (w/ source) to view the whenChanged attribute on objects within a given timeframe. I can repost it if necessary. Additionally you can use ADSIEDIT.MSC to view that attribute directly on the desired object, or ENUMPROP.EXE LDAP://cn=administrator,...,dc=com; to view that value within the list of other returned attributes.

Hope this helps,
Richard

-Original Message-
From: Thornley, Dave H [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 9:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Extended Account Properties (?)

Turn on Advanced Features (View menu in ADUC) and look on the Object tab?

dave

-Original Message-
From: Leney, Justin [mailto:[EMAIL PROTECTED]]
Sent: 20 September 2002 14:02
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Extended Account Properties (?)

Hi,

Does anyone know of an AD Tool/Query which will tell you the last date/time an AD Object was modified?

Thanks,

Justin Leney
NIST/Systems Plus
Windows Server Team
301-975-4903 (Desk)
301-664-0106 (Pager)