RE: [ActiveDir] security

2006-12-01 Thread Free, Bob
MSGINA is the Logon Process that was loaded. (GINA = Graphical
Identification and Authentication.)

KSecDD, RASMAN, Secondary Logon Service, LAN Manager Workstation
Service, CHAP, DCOMSCM, Winlogon, Winlogon\MSGina are all standard logon
processes you could see in the logs, according to what mechanism is being
used to authenticate. You will see those events at startup and during
authentication attempts.

MSGINA is the standard interactive logon interface you see when you
press ctrl-alt-del, as implemented by msgina.dll. 3rd parties, such as
RSA or PCAnywhere, can extend the functionality and present a different
graphical interface to the user during the logon process.

Winlogon and the standard GINA interact as follows:

1. Winlogon detects a Secure Action Sequence (SAS) event (e.g.
ctrl-alt-del).

2. Winlogon determines the system state when the SAS was detected.

3. Winlogon calls the appropriate GINA function.

4. The GINA function called performs the necessary operation.

5. The GINA passes a return value to Winlogon.

If auditing is enabled, you should be able to see who knocked you off in
the security logs.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Friday, December 01, 2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] security

Hi,

What is the meaning of this event? Does it mean that MSGINA was trying
to log in to the machine where the event was found?

I was connected to an XP Pro box using Remote Desktop and all of a sudden it
kicked me out, saying someone else had connected to it. How do I find out
who it was?

Thanks

A trusted logon process has registered with the Local Security
Authority. This logon process will be trusted to submit logon requests. 
 
 Logon Process Name:Winlogon\MSGina

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
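A way to act on Bob's closing point (with auditing on, the security log shows who logged on) is the script below. It is an added example, not code from the original thread: it filters an exported set of Security-log records for successful RemoteInteractive logons (logon type 10; event ID 528 on Windows XP/Server 2003, 4624 on Vista and later) that landed around the moment the session was dropped. Windows XP Pro permits only one interactive session, so the RDP logon that arrived just before the disconnect is the one to look at. The event records, account names and addresses are constructed for the example; a real export would come from Event Viewer or a log collector.

```python
"""Who took over the Remote Desktop session? (added example, not from the list post)

With logon auditing enabled the Security log records each successful logon
with a logon type; type 10 is RemoteInteractive (Terminal Services / Remote
Desktop). The event ID is 528 on Windows XP / Server 2003 and 4624 on
Windows Vista and later. The records below are constructed.
"""
from datetime import datetime, timedelta

SUCCESSFUL_LOGON_IDS = {528, 4624}   # 528: XP/2003 successful logon, 4624: Vista+ successful logon
REMOTE_INTERACTIVE = 10              # logon type 10 = Terminal Services / Remote Desktop

# Constructed sample export of Security-log records (time, event ID, logon type,
# account, source address). 529 is a failed logon, 540 a network logon.
SAMPLE_EVENTS = [
    {"time": "2006-12-01 12:02:10", "id": 528, "logon_type": 2,  "user": "CORP\\rlinan",  "source": "-"},
    {"time": "2006-12-01 12:10:33", "id": 528, "logon_type": 10, "user": "CORP\\rlinan",  "source": "10.1.4.22"},
    {"time": "2006-12-01 12:25:05", "id": 540, "logon_type": 3,  "user": "CORP\\backup$", "source": "10.1.9.8"},
    {"time": "2006-12-01 12:29:48", "id": 528, "logon_type": 10, "user": "CORP\\jdoe",    "source": "10.1.7.15"},
    {"time": "2006-12-01 12:31:02", "id": 529, "logon_type": 10, "user": "CORP\\guest",   "source": "10.1.7.99"},
    {"time": "2006-12-01 13:05:17", "id": 528, "logon_type": 10, "user": "CORP\\rlinan",  "source": "10.1.4.22"},
]


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def remote_logons_near(events, disconnected_at, window_minutes=5, exclude_user=None):
    """Return successful RemoteInteractive logons within +/- window_minutes of
    disconnected_at, oldest first. exclude_user drops the victim's own reconnects."""
    centre = _parse_time(disconnected_at)
    lo = centre - timedelta(minutes=window_minutes)
    hi = centre + timedelta(minutes=window_minutes)
    hits = []
    for ev in events:
        if ev["id"] not in SUCCESSFUL_LOGON_IDS or ev["logon_type"] != REMOTE_INTERACTIVE:
            continue                      # failed logons and non-RDP logon types are not candidates
        if ev["user"] == exclude_user:
            continue
        if lo <= _parse_time(ev["time"]) <= hi:
            hits.append(ev)
    return sorted(hits, key=lambda e: e["time"])


def describe(events, disconnected_at, **kwargs):
    """One-line summary suitable for the help-desk ticket."""
    hits = remote_logons_near(events, disconnected_at, **kwargs)
    if not hits:
        return f"no RDP logon found near {disconnected_at}; widen the window or check that logon auditing is enabled"
    return "; ".join(f"{e['time']} {e['user']} from {e['source']} (event {e['id']})" for e in hits)


if __name__ == "__main__":
    # The session in the constructed data dropped at about 12:30; exclude the victim's own account.
    print(describe(SAMPLE_EVENTS, "2006-12-01 12:30:00", exclude_user="CORP\\rlinan"))
```

If nothing turns up, the usual reasons are that the Audit logon events policy was off at the time, or that the log had already wrapped; widening the window only helps in the first case if auditing was at least partly enabled.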


Re: [ActiveDir] Security-enable all your distribution lists?

2006-11-08 Thread Al Mulnick
Even with smaller organizations, are the IT people the ones who should
be saying who needs to have access to the CFO's information or should it
be the CFO? Just to be honest, there are a lot of areas within a
company that the IT people aren't qualified enough to even hazard a
guess as to who should and shouldn't have access to.
Couldn't agree more. My opinion is that IT should NEVER manage group memberships. In that same sphere of thought, I think that users should not either. My reasoning is control. Not control in the sense that I want to dictate everything you do and micromanage. Far from it. That's not what I get paid for and I think it's degrading to want to do that to people. I am referring to control as in process controls. There should be a process control for every group modification if security is to be taken seriously. Does that mean it'll be perfect? No. Does that exclude self-service? No. But it does mean that every change needs to be logged and a sanity check or some similar business logic check needs to be applied to the process.
Having your IT security folks control the group administration is the same as controlling badge access in my mind. In a regulated environment, the detail is a necessary control and to me, it belongs to the information security people. My job ends when I empower them to do their job (even if that means to empower the end users that do the actual work; just that it's not my process.)
Al

On 11/7/06, Matt Hargraves [EMAIL PROTECTED] wrote:
I can understand your arguments, but the larger the organization, the more likely it is that the groups are controlled by users (in one way or another) anyway. When you've got 100k groups, you have someone listed as a group owner or someone authorized to approve new members of the group and the only people who even know what the group is for are either members of that group or in the direct management chain - definitely not the IT people who 'manage' the groups.
Even with smaller organizations, are the IT people the ones who should be saying who needs to have access to the CFO's information or should it be the CFO? Just to be honest, there are a lot of areas within a company that the IT people aren't qualified enough to even hazard a guess as to who should and shouldn't have access to.
I think that the biggest difference between security-enabling distribution lists and enabling mail on security lists is the way that users think of them. The same people are managing them and if they're going to screw up their security in a DL, they're probably going to screw it up by rubber-stamp approvals too. The Security groups that you enable mail on aren't going to be big mail usage lists and the distribution lists aren't going to be used 90% of the time for security. Personally, I'd rather keep mail/security hybrids to the RBS groups and avoid it for the ABS (access/task-based security) groups. If someone wants to enable his/her ABS group for mail though, I'm not one to say what they can/can't do with their group/data. This way, your RBS groups have a built-in e-mail group to communicate with, but the mail/security overlap isn't so extreme that your company's security is a nightmarish web of DL/security groups.
One important thing, though: your privileged groups that grant special access to servers should always be managed by the IT persons; never let them turn into a mail-enabled security group.

On 11/7/06, Al Mulnick [EMAIL PROTECTED] wrote:

You do make a strong argument, but I'm not sold. The part I can't get past is that the users have the control over adding a sec-prin to be able to pull the data. Vs. pushing the protected data via email. The subtlety is important in my opinion. 
The only issue I have with the convenience of adding users to sec-enabled-dg's is the lack of controls to prevent the misuse (either intentional or unintentional). Outside of that, I'm all for the concept. :)
On 11/7/06, Matt Hargraves [EMAIL PROTECTED] wrote:
I don't usually think of these as security-enabled distribution lists, but as mail-enabled security groups that users can manage in the same manner as they do distribution lists. When you think of them that way, it's not quite so painfully stupid.
Don't get me wrong, turning all your DLs into security-enabled DLs and then sticking resources in them isn't exactly what I'd call brilliant, as Al alluded to - just because you're turning some of your DLs into security groups doesn't mean that you should do it with all of them. Hell, I'd argue that you shouldn't do it with any of them - that you should do it the other way around, mail-enable a small portion of your security groups and have the users pick which ones while reminding them that they are still *Security* groups and they need to manage their memberships with the same diligence they did before (yeah, yeah, I know - they didn't really take that good of care of them before). If you make sure that the DLs that stay DLs have something in the name that 
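Al's point that every group modification needs to be logged and sanity-checked, and Matt's point that privileged groups must stay IT-managed, can be turned into a small review job over the security log. The following is an added example, not code from the thread: it takes member-added and group-type-changed events (IDs 4728/4732/4756 and 4764 on Windows Vista/Server 2008 and later), keeps a complete change log, and flags the changes a reviewer should look at, including additions to a distribution list that was recently converted to a security group. The policy sets, account names, group names and events are constructed for the example.

```python
"""Process control for group-membership changes (added example, not from the thread).

Every 'member added' event stays in the change log; a few sanity checks flag
the ones that need a second look: privileged groups touched by anyone outside
the IT admin set, accounts adding themselves to a group, and additions to a
group converted from a distribution list recently enough that its owner may
still treat it as a mail list. Event IDs are the Windows Vista / Server 2008
and later Security-log IDs; policy and events below are constructed.
"""
from datetime import datetime, timedelta

MEMBER_ADDED_IDS = {4728, 4732, 4756}   # member added to security-enabled global / local / universal group
GROUP_TYPE_CHANGED_ID = 4764            # a group's type was changed (e.g. distribution -> security)

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}

# Constructed policy: who may touch privileged groups, and how long a converted DL stays under review.
POLICY = {
    "privileged_groups": {"Domain Admins", "Server Operators", "SRV-RDP-Admins"},
    "it_admins": {"CORP\\itadmin1", "CORP\\itadmin2"},
    "conversion_review_days": 30,
}

# Constructed sample events: actor = SubjectUserName, group = TargetUserName, member = MemberName.
SAMPLE_EVENTS = [
    {"time": "2006-11-01 09:00:00", "id": 4764, "actor": "CORP\\exchadmin", "group": "Sales-Team-DL", "member": None},
    {"time": "2006-11-03 14:12:00", "id": 4728, "actor": "CORP\\salesmgr", "group": "Sales-Team-DL", "member": "CORP\\contractor"},
    {"time": "2006-11-04 10:30:00", "id": 4728, "actor": "CORP\\itadmin1", "group": "SRV-RDP-Admins", "member": "CORP\\jdoe"},
    {"time": "2006-11-05 16:45:00", "id": 4732, "actor": "CORP\\salesmgr", "group": "SRV-RDP-Admins", "member": "CORP\\salesmgr"},
    {"time": "2006-11-06 11:00:00", "id": 4756, "actor": "CORP\\hrlead", "group": "HR-Team", "member": "CORP\\newhire"},
    {"time": "2007-01-15 08:00:00", "id": 4728, "actor": "CORP\\salesmgr", "group": "Sales-Team-DL", "member": "CORP\\vendor"},
]


def _t(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def change_log(events):
    """Every membership addition, oldest first: the record that nothing gets to skip."""
    return sorted((e for e in events if e["id"] in MEMBER_ADDED_IDS), key=lambda e: e["time"])


def review_changes(events, policy=POLICY):
    """Return (severity, reason, event) tuples, highest severity first."""
    findings = []
    converted_at = {}                      # group -> time of its most recent type change
    review_window = timedelta(days=policy["conversion_review_days"])
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == GROUP_TYPE_CHANGED_ID:
            converted_at[ev["group"]] = _t(ev["time"])
            findings.append(("info", "group type changed; confirm the conversion was approved", ev))
            continue
        if ev["id"] not in MEMBER_ADDED_IDS:
            continue
        by_it = ev["actor"] in policy["it_admins"]
        if ev["group"] in policy["privileged_groups"] and not by_it:
            findings.append(("high", "privileged group changed by a non-IT account", ev))
        if ev["actor"] == ev["member"]:
            findings.append(("high", "account added itself to a group", ev))
        converted = converted_at.get(ev["group"])
        if converted is not None and not by_it and _t(ev["time"]) - converted <= review_window:
            findings.append(("medium", "addition to a recently converted distribution list by a non-IT account; confirm intent", ev))
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f[0]], f[2]["time"]))


if __name__ == "__main__":
    for sev, reason, ev in review_changes(SAMPLE_EVENTS):
        print(f"[{sev:6}] {ev['time']} {ev['actor']} -> {ev['group']} ({ev['member']}): {reason}")
```

The review window is the part that matches the thread's worry: a DL that was just security-enabled keeps its old owner and old habits, so additions made by that owner in the weeks after conversion are the ones most likely to grant access nobody intended.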

Re: [ActiveDir] Security-enable all your distribution lists?

2006-11-07 Thread Matt Hargraves
I don't usually think of these as security-enabled distribution lists, but as mail-enabled security groups that users can manage in the same manner as they do distribution lists. When you think of them that way, it's not quite so painfully stupid.
Don't get me wrong, turning all your DLs into security-enabled DLs and then sticking resources in them isn't exactly what I'd call brilliant, as Al alluded to - just because you're turning some of your DLs into security groups doesn't mean that you should do it with all of them. Hell, I'd argue that you shouldn't do it with any of them - that you should do it the other way around, mail-enable a small portion of your security groups and have the users pick which ones while reminding them that they are still *Security* groups and they need to manage their memberships with the same diligence they did before (yeah, yeah, I know - they didn't really take that good of care of them before). If you make sure that the DLs that stay DLs have something in the name that designates them as a DL, it will make it easier.
That being said, data on a share is no less sensitive than data in an e-mail. Companies lose secrets in e-mails, get sued because of what has been said in an e-mail. The fact that the majority of us sit here going NO!! NOT MY SECURITY GROUPS!!! DON'T LET THEM HAVE SECURITY GROUPS tells me that, regardless of the fact that 99% of all leaks occur through e-mail, we still don't 'get it' that e-mail is where most of this information sneaks between the cracks and it's not the 'grunts' that have the patent-holding information, it's the higher-up muckity mucks that are leaking data (SEC sensitive information most of the time).
But to summarize - I'd recommend that you don't change the role of your DLs, but change the role of your security groups to fulfill this new need. Then you're not granting access to data based upon pre-existing groups that don't have access to data, you're simply allowing groups that already have access to data to fulfill an additional task. Mail exclusive DLs serve a number of purposes, one of them being to keep the higher-up muckity mucks out of the data that there is a *very* good chance that they don't understand anyway, but still allow them to be 'in the loop' on information that they do understand (well, kinda anyway).
On 10/27/06, Al Mulnick [EMAIL PROTECTED] wrote:
Assume. Hmm.. That's been overdone so I'll pass this time :)

Harvey, I just replied to a similar thread on this with my thoughts. I won't bore you with repetition. But I'm curious what makes you want to assume anything when it comes to security issues like this? I think it's way too unpredictable to assume that users will understand that concept.
That's me though. I'm not your user.

On 10/27/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:
Thanks for the doc, Jorge; I'd missed that in my searches. And my initial reaction was not only no, but hell no! to the request. But when I examine it logically it's harder to reject out of hand. A little while ago, we did change the default for new DL group requests to be security enabled.


And it seems to me that one would implicitly assume that if one were setting access to a resource like sharepoint, they would use the same thought process as when they're sending mail: Do I want everyone in this group to get this mail | have this access?

- Harvey
On 10/21/06, Al Mulnick [EMAIL PROTECTED] wrote:
My first reaction is, NOOO don't do that. That's silly. I absolutely abhor the concept of convenience to this level when it comes to access to secured resources. 
Saying that, DG's are often created by default as a security group. I'd actually be surprised, and I would applaud the person that made that choice in your organization. From my perspective, the worst thing ever done by Microsoft was to allow DG's to be security groups. Made it easier to transition PF's sure, but the layer8 contingent doesn't understand the subtle differences between a distribution list and a security-enabled-distribution-group. This loosely translates into people that want to include somebody on their regular mail lists, but don't want them to necessarily have access to the same data shares. They do NOT understand the difference in most cases. 
I don't know sharepoint well enough to say, but I would be completely floored if they did not have a way to revert behavior. I also would be totally surprised if your information security people were OK with this concept for the reasons I mentioned above. 
TokenBloat is not the only concern you have here, Harvey. 

On 10/20/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:

Hi all,

I'm interested in your opinion here, and perhaps a heads-up on requirements that may be coming your way.

We have a request from the sharepoint team to security-enable all of our 18,000 distribution lists. Our concern, naturally, is token size. What will this do to Joe User's access token? The issue is tied in to Sharepoint. 



Re: [ActiveDir] Security-enable all your distribution lists?

2006-11-07 Thread Al Mulnick
You do make a strong argument, but I'm not sold. The part I can't get past is that the users have the control over adding a sec-prin to be able to pull the data. Vs. pushing the protected data via email. The subtlety is important in my opinion. 
The only issue I have with the convenience of adding users to sec-enabled-dg's is the lack of controls to prevent the misuse (either intentional or unintentional). Outside of that, I'm all for the concept. :)
On 11/7/06, Matt Hargraves [EMAIL PROTECTED] wrote:
I don't usually think of these as security-enabled distribution lists, but as mail-enabled security groups that users can manage in the same manner as they do distribution lists. When you think of them that way, it's not quite so painfully stupid.
Don't get me wrong, turning all your DLs into security-enabled DLs and then sticking resources in them isn't exactly what I'd call brilliant, as Al alluded to - just because you're turning some of your DLs into security groups doesn't mean that you should do it with all of them. Hell, I'd argue that you shouldn't do it with any of them - that you should do it the other way around, mail-enable a small portion of your security groups and have the users pick which ones while reminding them that they are still *Security* groups and they need to manage their memberships with the same diligence they did before (yeah, yeah, I know - they didn't really take that good of care of them before). If you make sure that the DLs that stay DLs have something in the name that designates them as a DL, it will make it easier.
That being said, data on a share is no less sensitive than data in an e-mail. Companies lose secrets in e-mails, get sued because of what has been said in an e-mail. The fact that the majority of us sit here going NO!! NOT MY SECURITY GROUPS!!! DON'T LET THEM HAVE SECURITY GROUPS tells me that, regardless of the fact that 99% of all leaks occur through e-mail, we still don't 'get it' that e-mail is where most of this information sneaks between the cracks and it's not the 'grunts' that have the patent-holding information, it's the higher-up muckity mucks that are leaking data (SEC sensitive information most of the time).
But to summarize - I'd recommend that you don't change the role of your DLs, but change the role of your security groups to fulfill this new need. Then you're not granting access to data based upon pre-existing groups that don't have access to data, you're simply allowing groups that already have access to data to fulfill an additional task. Mail exclusive DLs serve a number of purposes, one of them being to keep the higher-up muckity mucks out of the data that there is a *very* good chance that they don't understand anyway, but still allow them to be 'in the loop' on information that they do understand (well, kinda anyway).
On 10/27/06, Al Mulnick [EMAIL PROTECTED] wrote:
Assume. Hmm.. That's been overdone so I'll pass this time :)

Harvey, I just replied to a similar thread on this with my thoughts. I won't bore you with repetition. But I'm curious what makes you want to assume anything when it comes to security issues like this? I think it's way too unpredictable to assume that users will understand that concept.
That's me though. I'm not your user.

On 10/27/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:
Thanks for the doc, Jorge; I'd missed that in my searches. And my initial reaction was not only no, but hell no! to the request. But when I examine it logically it's harder to reject out of hand. A little while ago, we did change the default for new DL group requests to be security enabled.


And it seems to me that one would implicitly assume that if one were setting access to a resource like sharepoint, they would use the same thought process as when they're sending mail: Do I want everyone in this group to get this mail | have this access?

- Harvey
On 10/21/06, Al Mulnick [EMAIL PROTECTED] wrote:
My first reaction is, NOOO don't do that. That's silly. I absolutely abhor the concept of convenience to this level when it comes to access to secured resources. 
Saying that, DG's are often created by default as a security group. I'd actually be surprised, and I would applaud the person that made that choice in your organization. From my perspective, the worst thing ever done by Microsoft was to allow DG's to be security groups. Made it easier to transition PF's sure, but the layer8 contingent doesn't understand the subtle differences between a distribution list and a security-enabled-distribution-group. This loosely translates into people that want to include somebody on their regular mail lists, but don't want them to necessarily have access to the same data shares. They do NOT understand the difference in most cases. 
I don't know sharepoint well enough to say, but I would be completely floored if they did not have a way to revert behavior. I also would be totally surprised if your information security people were OK 

Re: [ActiveDir] Security-enable all your distribution lists?

2006-11-07 Thread Matt Hargraves
I can understand your arguments, but the larger the organization, the more likely it is that the groups are controlled by users (in one way or another) anyway. When you've got 100k groups, you have someone listed as a group owner or someone authorized to approve new members of the group and the only people who even know what the group is for are either members of that group or in the direct management chain - definitely not the IT people who 'manage' the groups.
Even with smaller organizations, are the IT people the ones who should be saying who needs to have access to the CFO's information or should it be the CFO? Just to be honest, there are a lot of areas within a company that the IT people aren't qualified enough to even hazard a guess as to who should and shouldn't have access to.
I think that the biggest difference between security-enabling distribution lists and enabling mail on security lists is the way that users think of them. The same people are managing them and if they're going to screw up their security in a DL, they're probably going to screw it up by rubber-stamp approvals too. The Security groups that you enable mail on aren't going to be big mail usage lists and the distribution lists aren't going to be used 90% of the time for security. Personally, I'd rather keep mail/security hybrids to the RBS groups and avoid it for the ABS (access/task-based security) groups. If someone wants to enable his/her ABS group for mail though, I'm not one to say what they can/can't do with their group/data. This way, your RBS groups have a built-in e-mail group to communicate with, but the mail/security overlap isn't so extreme that your company's security is a nightmarish web of DL/security groups.
One important thing, though: your privileged groups that grant special access to servers should always be managed by the IT persons; never let them turn into a mail-enabled security group.
On 11/7/06, Al Mulnick [EMAIL PROTECTED] wrote:
You do make a strong argument, but I'm not sold. The part I can't get past is that the users have the control over adding a sec-prin to be able to pull the data. Vs. pushing the protected data via email. The subtlety is important in my opinion. 
The only issue I have with the convenience of adding users to sec-enabled-dg's is the lack of controls to prevent the misuse (either intentional or unintentional). Outside of that, I'm all for the concept. :)
On 11/7/06, Matt Hargraves [EMAIL PROTECTED] wrote:
I don't usually think of these as security-enabled distribution lists, but as mail-enabled security groups that users can manage in the same manner as they do distribution lists. When you think of them that way, it's not quite so painfully stupid.
Don't get me wrong, turning all your DLs into security-enabled DLs and then sticking resources in them isn't exactly what I'd call brilliant, as Al alluded to - just because you're turning some of your DLs into security groups doesn't mean that you should do it with all of them. Hell, I'd argue that you shouldn't do it with any of them - that you should do it the other way around, mail-enable a small portion of your security groups and have the users pick which ones while reminding them that they are still *Security* groups and they need to manage their memberships with the same diligence they did before (yeah, yeah, I know - they didn't really take that good of care of them before). If you make sure that the DLs that stay DLs have something in the name that designates them as a DL, it will make it easier.
That being said, data on a share is no less sensitive than data in an e-mail. Companies lose secrets in e-mails, get sued because of what has been said in an e-mail. The fact that the majority of us sit here going NO!! NOT MY SECURITY GROUPS!!! DON'T LET THEM HAVE SECURITY GROUPS tells me that, regardless of the fact that 99% of all leaks occur through e-mail, we still don't 'get it' that e-mail is where most of this information sneaks between the cracks and it's not the 'grunts' that have the patent-holding information, it's the higher-up muckity mucks that are leaking data (SEC sensitive information most of the time).
But to summarize - I'd recommend that you don't change the role of your DLs, but change the role of your security groups to fulfill this new need. Then you're not granting access to data based upon pre-existing groups that don't have access to data, you're simply allowing groups that already have access to data to fulfill an additional task. Mail exclusive DLs serve a number of purposes, one of them being to keep the higher-up muckity mucks out of the data that there is a *very* good chance that they don't understand anyway, but still allow them to be 'in the loop' on information that they do understand (well, kinda anyway).
On 10/27/06, Al Mulnick [EMAIL PROTECTED] wrote:
Assume. Hmm.. That's been overdone so I'll pass this time :)

Harvey, I just replied to a similar thread on this with my thoughts. I won't bore 

Re: [ActiveDir] Security-enable all your distribution lists?

2006-10-27 Thread Harvey Kamangwitz
Thanks for the doc, Jorge; I'd missed that in my searches. And my initial reaction was not only no, but hell no! to the request. But when I examine it logically it's harder to reject out of hand. A little while ago, we did change the default for new DL group requests to be security enabled. 


And it seems to me that one would implicitly assume that if one were setting access to a resource like sharepoint, they would use the same thought process as when they're sending mail: Do I want everyone in this group to get this mail | have this access?

- Harvey
On 10/21/06, Al Mulnick [EMAIL PROTECTED] wrote:
My first reaction is, NOOO don't do that. That's silly. I absolutely abhor the concept of convenience to this level when it comes to access to secured resources. 
Saying that, DG's are often created by default as a security group. I'd actually be surprised, and I would applaud the person that made that choice in your organization. From my perspective, the worst thing ever done by Microsoft was to allow DG's to be security groups. Made it easier to transition PF's sure, but the layer8 contingent doesn't understand the subtle differences between a distribution list and a security-enabled-distribution-group. This loosely translates into people that want to include somebody on their regular mail lists, but don't want them to necessarily have access to the same data shares. They do NOT understand the difference in most cases. 
I don't know sharepoint well enough to say, but I would be completely floored if they did not have a way to revert behavior. I also would be totally surprised if your information security people were OK with this concept for the reasons I mentioned above. 
TokenBloat is not the only concern you have here, Harvey. 

On 10/20/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:

Hi all,

I'm interested in your opinion here, and perhaps a heads-up on requirements that may be coming your way.

We have a request from the sharepoint team to security-enable all of our 18,000 distribution lists. Our concern, naturally, is token size. What will this do to Joe User's access token? The issue is tied in to Sharepoint. 


Setting permissions on Sharepoint sites has always been kind of a pain, partly because of Sharepoint itself but also because of the nature of what you're doing. (DISCLAIMER: I'm nothing more than a just-beyond-basic Sharepoint user.) When you set up a teamsite for a project, you want to enable access to the site to the project people. Typically you use an existing group of people in your org (e.g. your work group for a weekly meeting site), or you create a new group to manage access.

Most work groups have mailing distribution lists, but I'll bet most are not security-enabled. So when you set up your teamsite, you have to wait and ask for IT to security-enable your DL so you can use it on your shiny new teamsite. (Unless you're one of us, in which case you can do it yourself :) In the current version of sharepoint, you can work around this by going to the GAL and manually adding individual users to site access. 


Apparently the next version of Sharepoint does not allow you to do this, forcing everyone that needs group access to security-enable their group. That's why they want to enable ALL of them, not just piecemeal.


Our analysis shows that the MEDIAN number of distribution lists per user is relatively small (5-6) and the MEDIAN number of groups in Joe User's token is relatively small (40-50). But we have lots of users in the 100+ groups range, and the winner for greatest number of groups is 400! 


So... we have to do what we can to mitigate the impact for the large-token people. Do you folks have any feel for a "you really don't want to go beyond there" limit on token size? Any direct experience? There's no way we can know all the apps out there that might be affected by this.


Thanks,
Harvey


Re: [ActiveDir] Security-enable all your distribution lists?

2006-10-27 Thread Al Mulnick
Assume. Hmm.. That's been overdone so I'll pass this time :)

Harvey, I just replied to a similar thread on this with my thoughts. I won't bore you with repetition. But I'm curious what makes you want to assume anything when it comes to security issues like this? I think it's way too unpredictable to assume that users will understand that concept.
That's me though. I'm not your user.

On 10/27/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:
Thanks for the doc, Jorge; I'd missed that in my searches. And my initial reaction was not only no, but hell no! to the request. But when I examine it logically it's harder to reject out of hand. A little while ago, we did change the default for new DL group requests to be security enabled.


And it seems to me that one would implicitly assume that if one were setting access to a resource like sharepoint, they would use the same thought process as when they're sending mail: Do I want everyone in this group to get this mail | have this access?

- Harvey
On 10/21/06, Al Mulnick [EMAIL PROTECTED] wrote:
My first reaction is, NOOO don't do that. That's silly. I absolutely abhor the concept of convenience to this level when it comes to access to secured resources. 
Saying that, DG's are often created by default as a security group. I'd actually be surprised, and I would applaud the person that made that choice in your organization. From my perspective, the worst thing ever done by Microsoft was to allow DG's to be security groups. Made it easier to transition PF's sure, but the layer8 contingent doesn't understand the subtle differences between a distribution list and a security-enabled-distribution-group. This loosely translates into people that want to include somebody on their regular mail lists, but don't want them to necessarily have access to the same data shares. They do NOT understand the difference in most cases. 
I don't know sharepoint well enough to say, but I would be completely floored if they did not have a way to revert behavior. I also would be totally surprised if your information security people were OK with this concept for the reasons I mentioned above. 
TokenBloat is not the only concern you have here, Harvey. 

On 10/20/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:

Hi all,

I'm interested in your opinion here, and perhaps a heads-up on requirements that may be coming your way.

We have a request from the sharepoint team to security-enable all of our 18,000 distribution lists. Our concern, naturally, is token size. What will this do to Joe User's access token? The issue is tied in to Sharepoint. 


Setting permissions on Sharepoint sites has always been kind of a pain, partly because of Sharepoint itself but also because of the nature of what you're doing. (DISCLAIMER: I'm nothing more than a just-beyond-basic Sharepoint user.) When you set up a teamsite for a project, you want to enable access to the site to the project people. Typically you use an existing group of people in your org (e.g. your work group for a weekly meeting site), or you create a new group to manage access.

Most work groups have mailing distribution lists, but I'll bet most are not security-enabled. So when you set up your teamsite, you have to wait and ask for IT to security-enable your DL so you can use it on your shiny new teamsite. (Unless you're one of us, in which case you can do it yourself :) In the current version of sharepoint, you can work around this by going to the GAL and manually adding individual users to site access. 


Apparently the next version of Sharepoint does not allow you to do this, forcing everyone that needs group access to security-enable their group. That's why they want to enable ALL of them, not just piecemeal.



Our analysis shows that the MEDIAN number of distribution lists per user is relatively small (5-6) and the MEDIAN number of groups in Joe User's token is relatively small (40-50). But we have lots of users in the 100+ groups range, and the winner for greatest number of groups is 400! 


So... we have to do what we can to mitigate the impact for the large-token people. Do you folks have any feel for a "you really don't want to go beyond there" limit on token size? Any direct experience? There's no way we can know all the apps out there that might be affected by this.


Thanks,
Harvey




RE: [ActiveDir] Security-enable all your distribution lists?

2006-10-21 Thread Almeida Pinto, Jorge de
have a look at:
 
Addressing Problems Due to Access Token Limitation
http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en#filelist

http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Harvey Kamangwitz
Sent: Sat 2006-10-21 01:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security-enable all your distribution lists?


Hi all,
 
I'm interested in your opinion here, and perhaps a heads-up on requirements 
that may be coming your way.
 
We have a request from the sharepoint team to security-enable all of our 18,000 
distribution lists. Our concern, naturally, is token size. What will this do to 
Joe User's access token? The issue is tied in to Sharepoint. 
 
Setting permissions on Sharepoint sites has always been kind of a pain, partly 
because of Sharepoint itself but also because of the nature of what you're 
doing. (DISCLAIMER: I'm nothing more than a just-beyond-basic Sharepoint user.) 
When you set up a teamsite for a project, you want to enable access to the site 
to the project people. Typically you use an existing group of people in your 
org ( e.g. your work group for a weekly meeting site), or you create a new 
group to manage access. 
 
Most work groups have mailing distribution lists, but I'll bet most are not 
security-enabled. So when you set up your teamsite, you have to wait and ask 
for IT to security-enable your DL so you can use it on your shiny new teamsite. 
(Unless you're one of us, in which case you can do it yourself :) In the 
current version of sharepoint, you can work around this by going to the GAL and 
manually adding individual users to site access. 
 
Apparently the next version of Sharepoint does not allow you to do this, 
forcing everyone that needs group access to security-enable their group. That's 
why they want to enable ALL of them, not just piecemeal.
 
Our analysis shows that the MEDIAN number of distribution lists per user is 
relatively small (5-6) and the MEDIAN number of groups in Joe User's token is 
relatively small (40-50). But we have lots of users in the 100+ groups range, 
and the winner for greatest number of groups is 400! 
 
So...we have to do what we can to mitigate the impact for the large-token 
people. Do you folks have any feel for a "you really don't want to go beyond 
there" limit on token size? Any direct experience? There's no way we can know 
all the apps out there that might be affected by this. 
 
Thanks,
Harvey


This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
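
To put numbers on the token-size concern Harvey raises, here is an added example; it is not code from this thread or from the Microsoft papers Jorge links. It applies the estimate from Microsoft's token-bloat guidance (KB 327825), TokenSize = 1200 + 40d + 8s, with the 12000-byte default MaxTokenSize of the Windows versions under discussion, to the group counts quoted in the thread (median 40-50, the 100+ tier, the 400-group record). A raw group count does not say how many of those groups are the 40-byte kind (domain local, or universal from another domain) versus the 8-byte kind (global, or universal in the user's own domain), so the code brackets each user between the two extremes; the "6 DLs" figure in the conversion scenario is Harvey's median DL count, and everything else is arithmetic on those inputs.

```python
"""Estimate Kerberos access-token size from a user's group count.

Added example for the token-bloat question in the thread; not code from the
thread or from Microsoft.  It applies the estimate Microsoft publishes in its
token-size guidance (KB 327825):

    TokenSize = 1200 + 40 * d + 8 * s

d = domain local groups + universal groups from outside the user's account
    domain (40 bytes each: the full SID is stored)
s = security global groups + universal groups from the user's own domain
    (8 bytes each: only the RID is stored)
1200 bytes is the ticket overhead.  MaxTokenSize defaults to 12000 bytes on
the Windows versions in this thread.  Mail-only distribution lists do not
appear in the token at all; a security-enabled one adds one SID per member.
"""

TICKET_OVERHEAD = 1200
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize default
DEFAULT_MAX_TOKEN_SIZE = 12000


def estimate_token_size(d: int, s: int) -> int:
    """Microsoft's estimate for d 'expensive' and s 'cheap' group SIDs."""
    return TICKET_OVERHEAD + 40 * d + 8 * s


def assess(total_groups: int, max_token_size: int = DEFAULT_MAX_TOKEN_SIZE) -> dict:
    """Bracket a user's token between the best case (every group is a global
    group in the user's own domain) and the worst case (every group is domain
    local or a foreign universal group); a bare group count hides the split."""
    best = estimate_token_size(0, total_groups)
    worst = estimate_token_size(total_groups, 0)
    return {
        "groups": total_groups,
        "best_case_bytes": best,
        "worst_case_bytes": worst,
        "may_exceed": worst > max_token_size,   # at risk, depending on group mix
        "will_exceed": best > max_token_size,   # over the limit whatever the mix
    }


def max_groups(max_token_size: int = DEFAULT_MAX_TOKEN_SIZE, worst_case: bool = True) -> int:
    """Largest group count that still fits in max_token_size for the chosen case."""
    per_group = 40 if worst_case else 8
    return (max_token_size - TICKET_OVERHEAD) // per_group


def after_security_enabling(total_groups: int, distribution_lists: int) -> int:
    """Group count once a user's mail-only DLs become security groups:
    each converted DL is one more SID in the token."""
    return total_groups + distribution_lists


def users_at_risk(group_counts, max_token_size: int = DEFAULT_MAX_TOKEN_SIZE) -> list:
    """Per-user group counts (e.g. from a directory export) whose worst-case
    token would not fit in max_token_size."""
    return [n for n in group_counts if assess(n, max_token_size)["may_exceed"]]


if __name__ == "__main__":
    # The figures are the ones quoted in the thread: a median user with ~45
    # groups and ~6 DLs, the 100+ tier, and the 400-group record holder.
    for groups in (45, 100, 400):
        before = assess(groups)
        after = assess(after_security_enabling(groups, 6))
        print(f"{groups:>4} groups: {before['best_case_bytes']:>5}-{before['worst_case_bytes']:>5} bytes;"
              f" after enabling 6 DLs: {after['best_case_bytes']:>5}-{after['worst_case_bytes']:>5} bytes;"
              f" may exceed {DEFAULT_MAX_TOKEN_SIZE}: {after['may_exceed']}")
    print(f"worst-case group ceiling at {DEFAULT_MAX_TOKEN_SIZE} bytes: {max_groups()} groups")
```

The 400-group user is already at risk before any DL is converted (worst case 17200 bytes against a 12000-byte MaxTokenSize), while the median user stays well inside the limit even after conversion. A converted DL is usually a universal group, so its real cost depends on whether the member's account lives in the same domain as the group, which is exactly the split the bracket hides; treat the estimate as a screening tool for finding the users worth measuring, not as a measurement.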

Re: [ActiveDir] Security-enable all your distribution lists?

2006-10-21 Thread Al Mulnick
My first reaction is, NOOO don't do that. That's silly. I absolutely abhor the concept of convenience to this level when it comes to access to secured resources. Saying that, DG's are often created by default as a security group. I'd actually be surprised, and I would applaud the person that made that choice in your organization. 
From my perspective, the worst thing ever done by Microsoft was to allow DG's to be security groups. Made it easier to transition PF's sure, but the layer8 contingent doesn't understand the subtle differences between a distribution list and a security-enabled-distribution-group. This loosely translates into people that want to include somebody on their regular mail lists, but don't want them to necessarily have access to the same data shares. They do NOT understand the difference in most cases. 
I don't know sharepoint well enough to say, but I would be completely floored if they did not have a way to revert behavior. I also would be totally surprised if your information security people were OK with this concept for the reasons I mentioned above. 
TokenBloat is not the only concern you have here, Harvey.




RE: [ActiveDir] Security Log file size not reaching the maximum log file size

2005-10-19 Thread Free, Bob
Another good reference from Eric Fitzgerald (Audit PM) 

Windows Security Logging and Other Esoterica : How big should my
security event log be?:
http://blogs.msdn.com/ericfitz/archive/2005/09/14/466336.aspx



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, October 18, 2005 8:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Log file size not reaching the maximum
log file size



And just so you do not think I am making this up, here is the public
reference that documents it:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/5a86ab0f-c7eb-45ed-9e5e-514173bf15e3.mspx :-)

Thanks,

-Steve

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, October 18, 2005 10:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Log file size not reaching the maximum
log file size

 

This problem is described in
http://support.microsoft.com/default.aspx?scid=kb;en-us;312571. The
fix allows the automatic archiving of the log files but does not explain
why the problem occurs. The issue is around the fact that a contiguous
block of memory is needed for all of the log files and this is not
pre-allocated, so if the memory on the box becomes fragmented, which it
will, then eventually the contiguous block cannot be allocated and we
will stop logging. Generally we recommend not setting the total size of
all logs over 300 MB and using the feature above for the security log so
that it can be automatically archived.

Thanks,

-Steve

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005 8:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Log file size not reaching the maximum log
file size

 


We recently increased our auditing and set the security log file size to
1G, but the security log overwrites at about 409 MB, thus never
reaching the 1G security log file size.
Windows 2003 Domain Controllers

Anyone with any ideas?

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Security Log file size not reaching the maximum log file size

2005-10-18 Thread Tony Murray



Is the local setting perhaps being overwritten by a Group Policy setting? Just a thought.

Tony


This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank You.
Please note that this communication does not designate an information system for the purposes of the NZ Electronic Transactions Act 2002.

RE: [ActiveDir] Security Log file size not reaching the maximum log file size

2005-10-18 Thread Steve Linehan

This problem is described in http://support.microsoft.com/default.aspx?scid=kb;en-us;312571.
The fix allows the automatic archiving of the log files but does not explain
why the problem occurs. The issue is around the fact that a contiguous block
of memory is needed for all of the log files and this is not pre-allocated, so
if the memory on the box becomes fragmented, which it will, then eventually the
contiguous block cannot be allocated and we will stop logging. Generally we recommend
not setting the total size of all logs over 300 MB and using the feature above
for the security log so that it can be automatically archived.

Thanks,

-Steve


RE: [ActiveDir] Security Log file size not reaching the maximum log file size

2005-10-18 Thread Daniel Gilbert

Have you cleared (archived) the logs since the new settings?

Dan


RE: [ActiveDir] Security Log file size not reaching the maximum log file size

2005-10-18 Thread Steve Linehan

And just so you do not think I am making this up, here is the public reference that documents it:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/5a86ab0f-c7eb-45ed-9e5e-514173bf15e3.mspx :-)

Thanks,

-Steve


Re: [ActiveDir] security problem

2005-10-16 Thread Paul Williams
Logon as an administrator and take ownership of the drive.  Then grant 
adequate permissions again.


Reinstalling Windows will obviously fix it, but is a drastic measure.


- Original Message - 
From: [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Sunday, October 16, 2005 5:43 PM
Subject: [ActiveDir] security problem



Hello,

I have made a mistake and now need advice. On my computer, which has Windows
2000 Server, I have unchecked the security of my C drive. The security for
everybody was full control and I unchecked it, so when it was applied I did
not have access to the C drive. And then I shut down the computer and then I
could not restart it. Now, does installing Windows 2000 Server again solve the
problem or not?

Any advice or recommendation is appreciated.
Thanks in advance
roseta


Re: [ActiveDir] security problem

2005-10-16 Thread tech
How can I take ownership when I do not have the Security tab any more, because
I have taken away control of the C drive for everyone? The Security tab is
gone for every drive, because Windows was installed on the C drive.

Thanks in advance
roseta



RE: [ActiveDir] Security Group Policy Not Applying

2005-09-13 Thread deji
http://www.eventid.net/display.asp?eventid=1202&eventno=348&source=SceCli&phase=1
 
Look at the 0x4b8 section.
 
HTH
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Sudhir Kaushal
Sent: Tue 9/13/2005 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Group Policy Not Applying



Hi all

I'm having an issue with ONE of my DCs (Win2003) not applying a group policy object.

In the Event Viewer of the DC I'm getting these errors every 5 min:

Event id: 1202
Security policies were propagated with warning.
0x4b8 : An extended error has occurred.

When I drill down to the client's winlogon.log file I see the following entry:

Error 0  to send the control flag 1 over to server. 

Make a local copy of \\domain.dom\sysvol\domain.dom\Policies\{31B2F340-0160-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt0.dom. 
This is not the last GPO. 

The log file also specifies: 

Warning 2 - The system cannnot find the file specified. 
cannot find the remote desktop users. 
Configure the remote desktop users. 
   add domainname\group name 
Error 8520 - A local group cannot have another cross domain local group as member. 

Has anyone ever seen this error and/or know what the solution is?

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649 

"You never win Silver, You lose Gold"




---
This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
---


RE: [ActiveDir] Security Group Policy Not Applying

2005-09-13 Thread Sudhir Kaushal

Thanks for the response. However, I have already checked this, and all the
related policies in Win2003 are not defined in my case. :-(

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

“You never win Silver, You lose Gold”

RE: [ActiveDir] Security Group Policy Not Applying

2005-09-13 Thread jpsalemi
It sounds like a restricted groups policy being attempted wrong. But, from
what I've seen, it won't even let you try that.

John




   

RE: [ActiveDir] Security Group Policy Not Applying

2005-09-13 Thread Darren Mar-Elia
Unless you are entering the group as free text (i.e. just typing it in). A couple 
of points here. Using restricted group policy on DCs to control domain group 
membership is bad news; I would simply avoid it. This particular error 
indicates that you are trying to add a group to a domain local group that is 
from another domain, and that this is not allowed, at least not on a domain 
local group. I would go into the Restricted Groups policies that are applying 
to your DCs (either linked to the Domain Controllers OU or to the Domain) and 
figure out which policy is doing this. You can also run rsop.msc on the DC in 
question to see which GPO is delivering the winning restricted groups policy.

Darren


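To find the policy Darren describes before the DC trips over it, here is an added example; it is not code from this thread or from any Microsoft tool. It parses the [Group Membership] section of a GptTmpl.inf (the file Sudhir's winlogon.log refers to) and flags Restricted Groups entries that would nest a group from another domain into a BUILTIN group, which on a domain controller is domain local. Error 8520 is raised only when that member is itself a domain local group, and the template does not record group scope, so the output is a list of candidates to check in the directory rather than a verdict. The sample template, the CORP and PARTNER domain names and the group names in it are constructed for the example.

```python
"""Audit the Restricted Groups section of a GptTmpl.inf for cross-domain
members of BUILTIN groups.

Added example, not code from this thread or from any Microsoft tool.  The
security template a GPO ships as ...\Machine\Microsoft\Windows NT\SecEdit\
GptTmpl.inf carries Restricted Groups in its [Group Membership] section as

    <group>__Members  = <member>,<member>,...
    <group>__Memberof = <group>,<group>,...

where each group is either a "*"-prefixed SID or a DOMAIN\\Name string.  On a
domain controller the BUILTIN groups (S-1-5-32-*) are domain local, and a
domain local group from another domain cannot be nested in them (error 8520
in winlogon.log).  The template does not say what scope a named group has, so
this reports candidates to verify in the directory.  Real GptTmpl.inf files
are UTF-16 (the [Unicode] header): read them with open(path, encoding="utf-16").
"""

BUILTIN_SID_PREFIX = "*S-1-5-32-"


def parse_group_membership(text: str) -> dict:
    """Return {group: {"members": [...], "memberof": [...]}} from the
    [Group Membership] section of an INF security template."""
    membership = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if "__" not in key:
            continue
        group, relation = key.rsplit("__", 1)
        relation = relation.lower()
        if relation not in ("members", "memberof"):
            continue
        entry = membership.setdefault(group, {"members": [], "memberof": []})
        entry[relation] = [v.strip() for v in value.split(",") if v.strip()]
    return membership


def is_builtin(group: str) -> bool:
    """True for a well-known BUILTIN SID such as *S-1-5-32-555 (Remote Desktop Users)."""
    return group.startswith(BUILTIN_SID_PREFIX)


def domain_of(name: str):
    """NetBIOS domain of a DOMAIN\\Name entry; None for SIDs and bare names."""
    if name.startswith("*") or "\\" not in name:
        return None
    return name.split("\\", 1)[0].upper()


def cross_domain_nesting(membership: dict, local_domain: str) -> list:
    """(target BUILTIN group, member) pairs where a group from another domain
    would be nested into a BUILTIN group, in either direction the INF allows."""
    local = local_domain.upper()
    findings = []
    for group, entry in membership.items():
        if is_builtin(group):
            for member in entry["members"]:          # BUILTIN__Members = ...
                d = domain_of(member)
                if d and d != local:
                    findings.append((group, member))
        else:
            d = domain_of(group)
            for target in entry["memberof"]:         # DOMAIN\Group__Memberof = *S-1-5-32-...
                if is_builtin(target) and d and d != local:
                    findings.append((target, group))
    return findings


# Constructed template: two entries nest PARTNER groups into BUILTIN groups
# (S-1-5-32-555 = Remote Desktop Users, S-1-5-32-544 = Administrators,
# S-1-5-32-551 = Backup Operators).
SAMPLE_GPTTMPL = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = CORP\Helpdesk,PARTNER\RDP Users
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CORP\Domain Admins
PARTNER\Server Admins__Memberof = *S-1-5-32-544
PARTNER\Server Admins__Members =
CORP\Backup Ops__Memberof = *S-1-5-32-551
CORP\Backup Ops__Members =
"""


if __name__ == "__main__":
    for target, member in cross_domain_nesting(parse_group_membership(SAMPLE_GPTTMPL), "CORP"):
        print(f"{target}: {member} is from another domain; verify it is not a domain local group")
```

Run it against the GptTmpl.inf of each GPO linked to the Domain Controllers OU or to the domain (the SYSVOL path in Sudhir's log shows where they live); a hit names the template, and therefore the GPO, to examine, and rsop.msc on the DC then confirms which one wins.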
RE: [ActiveDir] Security Group Policy Not Applying

2005-09-13 Thread Brian Desmond








Are you setting restricted groups in a policy? DCs don't have local groups,
they just have the domain database, so this is to be expected depending on
what you're trying to nest in the domain version of this group.





Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132


RE: [ActiveDir] Security Group Policy Not Applying

2005-09-13 Thread Sudhir Kaushal

Hi All,

Thanks to everyone for guiding me to the solution. It was because of the
restricted group policy on the DCs to control the domain group membership. I
removed it and updated the GP and it worked.
Have a nice day... :-)

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

“You never win Silver, You
lose Gold”





This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery. NOTE: Regardless of content, this e-mail shall not operate to
bind CSC to any order or other contract unless pursuant to explicit written
agreement or government initiative expressly permitting the use of e-mail
for such purpose.








Darren Mar-Elia darren.marelia
@quest.com
Sent by: ActiveDir-owner
09/13/2005 10:29 PM
Please respond to ActiveDir

To:
   ActiveDir@mail.activedir.org
cc:
   
Subject:
   RE: [ActiveDir] Security Group Policy
Not Applying


Unless you are entering the group as free text (i.e.
just typing it in). Couple of points here. Using restricted group policy
on DCs to control domain group membership is bad news. I would simply avoid
it. This particular error indicates that you are trying to add a group
to a domain local group that is from another domain, and that this is not
allowed--at least not on a domain local group. I would go into the Restricted
Groups policies that are applying to your DCs (either linked to the Domain
Controllers OU or to the Domain) and figure out which policy is doing this.
You can also run rsop.msc on the DC in question to see which GPO is delivering
the winning restricted groups policy.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, September 13, 2005 6:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Group Policy Not Applying

It sounds like a restricted groups policy being attempted wrong. But,
from what I've seen, it won't even let you try that.

John




  
  
  
 
From: Sudhir Kaushal [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 09/13/2005 07:39 AM
Please respond to [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Security Group Policy Not Applying





Thanks for the response. However, I have already checked this and all the
related policies in win2003 are not defined in my case.. :-(

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
Computer Sciences Corporation.
India - + 91 120 2582323 Ext. 2649
Denmark - + 45 70100024 Ext. 2649

“You never win Silver, You lose Gold”














  
  
  

From: deji@readymaids.com
Sent by: ActiveDir-owner
Sent: 09/13/2005 06:00 PM
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Security Group Policy Not Applying

http://www.eventid.net/display.asp?eventid=1202&eventno=348&source=SceCli&phase=1

Look at the 0x4b8 section.

HTH


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com
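Darren's advice above is to find which GPO, linked at the domain or at the Domain Controllers OU, is delivering the Restricted Groups setting. The following is an added PowerShell example (not code from the thread) that enumerates those links and pulls the Restricted Groups entries out of each GPO's XML report; it assumes the RSAT GroupPolicy and ActiveDirectory modules and that the report element is named RestrictedGroups, matched by local name so the namespace prefix does not matter.

```powershell
# Added example, not from the thread: list GPOs linked to the domain and to
# the Domain Controllers OU that carry a Restricted Groups setting, so the
# policy rewriting DC group membership can be located without opening every
# GPO by hand. Assumes the RSAT GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-RestrictedGroupsPolicy {
    [CmdletBinding()]
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $dcOu     = "OU=Domain Controllers,$domainDn"

    # Get-GPInheritance returns the GPO links that apply to a container in
    # precedence order; InheritedGpoLinks includes links inherited from above.
    $links = foreach ($target in $domainDn, $dcOu) {
        (Get-GPInheritance -Target $target -Domain $Domain).InheritedGpoLinks |
            Select-Object -Property @{ n = 'LinkedAt'; e = { $target } },
                                    DisplayName, GpoId, Enabled, Enforced, Order
    }

    # One report per GPO, even if it is linked at both levels.
    foreach ($link in ($links | Sort-Object GpoId -Unique)) {
        [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml -Domain $Domain

        # Assumption: each Restricted Groups entry is a 'RestrictedGroups'
        # element; local-name() sidesteps the report's XML namespaces.
        $entries = $report | Select-Xml -XPath "//*[local-name()='RestrictedGroups']"
        foreach ($entry in $entries) {
            $node = $entry.Node
            [pscustomobject]@{
                Gpo      = $link.DisplayName
                LinkedAt = $link.LinkedAt
                Enabled  = $link.Enabled
                Enforced = $link.Enforced
                # GroupName/Name is the group whose membership gets overwritten;
                # Member/Name are the only accounts it will be left containing.
                Group    = ($node.SelectNodes("*[local-name()='GroupName']/*[local-name()='Name']") |
                            ForEach-Object InnerText) -join ','
                Members  = ($node.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
                            ForEach-Object InnerText) -join ','
            }
        }
    }
}

Get-RestrictedGroupsPolicy | Format-Table -AutoSize
```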

RE: [ActiveDir] Security Groups vs. Distribution Groups

2005-07-30 Thread joe
Jorge answered this pretty well. 

Yes the name/cn can be the same if the groups are in different containers.

The sAMAccountNames need to be different if in the same domain.

The displayName should be different or you could get some serious confusion
if you mailenable both.

The Distribution Group being changed to a security group could be a standard
function done by Exchange. When someone, ANYONE, decides they want to use a
DL for securing anything in Exchange, Exchange will help you out and
convert that group to a security group. It doesn't matter if it is the
lowest person in your company, they can do it because Exchange is doing it
in the security context that Exchange has which allows it to muck with group
types. You can block this by mucking with your AD Delegation for Exchange
but if Microsoft PSS ever figured out on accident[1] that you did this, you
would be hearing the unsupported configuration talk.

   joe



[1] I don't expect they would look directly for something like this. It
would completely be, lets look at a good one and a bad one and WHOAH! This
is missing, what will it break? I don't know but it isn't the way it is
supposed to be!


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Friday, July 29, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Groups vs. Distribution Groups


We are running 2000 AD.  I have two groups named the same.  One group is a
security group and one is a distribution.  They are in different OUs.  Can
having a Management security group cause some type of issue with a
Management Distribution group in AD?   The Management distribution group
will change to a security group.  Could it be because they have the same
name?
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Security Groups vs. Distribution Groups

2005-07-29 Thread Al Mulnick
It shouldn't cause you a problem.  The reason is because they don't have the 
same name other than the displayname.  Everything else should be different.
 
Al



From: [EMAIL PROTECTED] on behalf of Christine Allen
Sent: Fri 7/29/2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Groups vs. Distribution Groups




We are running 2000 AD.  I have two groups named the same.  One group is a 
security group and one is a distribution.  They are in different OUs.  Can 
having a Management security group cause some type of issue with a Management 
Distribution group in AD?   The Management distribution group will change to a 
security group.  Could it be because they have the same name?

RE: [ActiveDir] Security Groups vs. Distribution Groups

2005-07-29 Thread Almeida Pinto, Jorge de
Each group in AD (distribution and/or security) must have a unique 
samaccountname (pre-Windows 2000 name) within the domain and must have a unique 
common name within a container/OU.
 
Your groups have the same common name and they can exist because they are in 
separate OUs. That's OK. Moving one of the groups to the same OU as the other 
is not possible because you would then violate the rule mentioned above. I'm 
also sure they have different samaccountnames although having the same common 
name; otherwise they could not exist within the same domain.
 
Changing the group type to security will only have an impact on the security token 
of its members. The impact I'm talking about is that each member will have an 
additional SID in its access token. Don't forget each distribution group has a 
SID also, although not used and inactive. As soon as you change the group type 
to security it will become active.
 
Cheers
#JORGE#



From: [EMAIL PROTECTED] on behalf of Christine Allen
Sent: Fri 7/29/2005 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Groups vs. Distribution Groups




We are running 2000 AD.  I have two groups named the same.  One group is a 
security group and one is a distribution.  They are in different OUs.  Can 
having a Management security group cause some type of issue with a Management 
Distribution group in AD?   The Management distribution group will change to a 
security group.  Could it be because they have the same name?




This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
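The naming rules Jorge and joe lay out above (sAMAccountName unique per domain, cn unique per container, displayName free to collide) and the token effect of flipping a distribution group to security, as an added PowerShell example that is not code from the thread. It assumes the RSAT ActiveDirectory module and read access to the domain; the group name 'Management' in the usage line is the one from Christine's question.

```powershell
# Added example, not the thread's own code: report AD groups that share a cn
# or displayName across containers, flag the case discussed above (a security
# and a distribution group under one name), and show what converting a
# distribution group to security does to its members' access tokens.
Import-Module ActiveDirectory

function Get-GroupNameCollisions {
    [CmdletBinding()]
    param(
        # Search base; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties displayName, mail

    # sAMAccountName is unique per domain and cn per container, so the only
    # values that can legitimately collide are cn (across OUs) and displayName.
    foreach ($key in 'Name', 'DisplayName') {
        $groups |
            Where-Object { $_.$key } |
            Group-Object -Property $key |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                $set   = $_.Group
                # More than one GroupCategory under the same name is the
                # confusing case, worse once both groups are mail-enabled.
                $mixed = ($set.GroupCategory | Sort-Object -Unique).Count -gt 1
                foreach ($g in $set) {
                    [pscustomobject]@{
                        CollidesOn        = $key
                        Value             = $_.Name
                        SamAccountName    = $g.SamAccountName
                        GroupCategory     = $g.GroupCategory
                        MailEnabled       = [bool]$g.mail
                        MixedCategory     = $mixed
                        DistinguishedName = $g.DistinguishedName
                    }
                }
            }
    }
}

function Get-ConversionImpact {
    # What changing GroupCategory to Security does: the SID the distribution
    # group already owns starts appearing in every transitive member's token.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Identity)
    $g       = Get-ADGroup -Identity $Identity
    $members = @(Get-ADGroupMember -Identity $g -Recursive)
    [pscustomobject]@{
        Group          = $g.SamAccountName
        GroupCategory  = $g.GroupCategory
        Sid            = $g.SID.Value
        MembersGainSid = $members.Count
    }
}

Get-GroupNameCollisions | Sort-Object CollidesOn, Value | Format-Table -AutoSize
# The distribution group from the question (name taken from the thread):
Get-ConversionImpact -Identity 'Management'
```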


RE: [ActiveDir] Security permissions on user object

2005-06-10 Thread joe
Oops I forgot to send this last night when I responded to the rest of the
emails...

===

You guys seem to be on the right track here. 

On the question of setting all objects configured with admincount=1 to
admincount=0: that is perfectly fine. As Robert indicated, it will get reset based
on group memberships. Anything that does get set that way is in some group
that is forcing this.

I want to correct a couple of things in the post below

Unless you have indexed objectclass (which I WHOLEHEARTEDLY recommend) you
will want to use objectcategory over objectclass. When you do users you will
want to combine objectcategory with objectclass like
(&(objectcategory=person)(objectclass=user)) or alternatively do
(samaccounttype=805306368).

Also you don't need -s subtree, that is the default for adfind.


On the admincount and inheritance. The question of whether it is safe to reset
everything and let it get corrected. The answer is maybe. If you are NOT
depending on the functionality provided by adminSDHolder, knock yourself
out, reset them all. What do I mean by this? I mean you aren't silly and
sticking admin type IDs/groups into OUs controlled by non-admins (or using
account operator accounts). This is what that whole piece of functionality
is about. If you aren't doing that, you will have no issues resetting the
ACL and clearing adminCount and letting AD clean it back up. If you are
depending on that functionality (or account operator accounts), my first
thought is stop it, but my main thought is you have to be more targeted in
what you clean up. Keep in mind that adminCount isn't the main key in this,
it is the ACL itself. If you clear all adminCount attributes but don't set
inheritance on the ACL, I do not believe you will ever see adminCount get
set again until the inheritance is cleared on those objects that are
supposed to be protected (it has been a while since I looked into that
functionality though) and the process cleans it up. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Thursday, June 09, 2005 10:26 AM
To: 'Rimmerman, Russ '; Jorge de Almeida Pinto; 'Robert Williams (RRE) ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Security permissions on user object

I think the krbtgt account will also be listed.

To get all objects (users and groups) with admincount =1 run:
adfind -s subtree -b baseDN -f
"(&(|(objectclass=group)(objectclass=user))(admincount=1))" -dsq >
GROUPSUSERS_WITH_ADMINCOUNT.TXT

For users:
adfind -s subtree -b baseDN -f "(&(objectclass=user)(admincount=1))"
-dsq > USERS_WITH_ADMINCOUNT.TXT

For groups:
adfind -s subtree -b baseDN -f "(&(objectclass=group)(admincount=1))"
-dsq > GROUPS_WITH_ADMINCOUNT.TXT

Use the command line you prefer...
Filter out accounts that MUST have the admincount property (e.g.
administrator, krbtgt, default protected groups, etc.)

Create a batch using Excel. Import the TXT file into Excel with the accounts
whose admincount property you want to change.

admod -b baseDN of object admincount::0

If the objects you changed are direct members of protected groups, the
admincount property will be reset to 1. If you use group nesting (the object
is a member of a non-protected group and that group is a member of a
protected group) the same will happen - the admincount property will be
reset to 1.

I prefer to only change those accounts that you want changed and not to
change everything and wait until the PDC FSMO resets all accounts that you
did not want to change

#JORGE#

-Original Message-
From: Rimmerman, Russ
To: Jorge de Almeida Pinto; Robert Williams (RRE) ;
ActiveDir@mail.activedir.org
Sent: 6/9/2005 12:53 PM
Subject: RE: [ActiveDir] Security permissions on user object


But is it safe to reset all admincounts back to 0?  Running the ldifde
report to see what accounts are going to change, I ended up with 126, and
noticed Administrator is in there, as well as service accounts.
How will setting admincount back to 0 affect these important accounts?



From: Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED]
Sent: Thu 6/9/2005 2:41 AM
To: 'Robert Williams (RRE) '; '[EMAIL PROTECTED] ';
Rimmerman, Russ; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Security permissions on user object



If you look at MS-KBQ817433 "Delegated permissions are not available and
inheritance is automatically disabled" you will see it provides a VB script
to reset all accounts that have adminCount = 1 back to 0 and enable the
inheritance flag. That article also tells you how to configure AD so that
you designate which default MS admin groups are protected groups and thus
managed by the adminSDHolder object.

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: Rimmerman, Russ; ActiveDir@mail.activedir.org
Sent: 6/9/2005 5:52 AM
Subject: RE: [ActiveDir] Security permissions on user object

Oh Certainly...that would work quite well.

Joe, how much
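The procedure joe and Jorge describe above (list the adminCount=1 objects, leave out the ones still protected directly or through nesting, then clear adminCount and re-enable inheritance on the rest) as an added PowerShell example; it is not the thread's own script nor the KB article's VBScript. It assumes the RSAT ActiveDirectory module, and the protected-group list is an assumption to adjust for the forest's OS level, since the thread notes the set varies by version.

```powershell
# Added example, not the thread's own script: find objects carrying
# adminCount=1 that are no longer (directly or via nesting) members of a
# protected group, and optionally clear adminCount and re-enable inheritance
# on exactly those. Assumes the RSAT ActiveDirectory module and an account
# allowed to read adminCount and, for the repair step, to write ACLs.
Import-Module ActiveDirectory

# Well-known protected groups. ASSUMPTION: the set varies by OS version and
# dSHeuristics; adjust this list for your forest before trusting the report.
$ProtectedGroupNames = @(
    'Administrators', 'Account Operators', 'Backup Operators', 'Print Operators',
    'Server Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
    'Enterprise Admins', 'Schema Admins', 'Read-only Domain Controllers'
)
# Accounts that keep adminCount=1 regardless of group membership.
$AlwaysProtected = @('Administrator', 'krbtgt')

function Get-OrphanedAdminCount {
    [CmdletBinding()]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Everything legitimately protected: the groups themselves plus every
    # transitive member, resolved server-side with LDAP_MATCHING_RULE_IN_CHAIN
    # so nested membership (the case Jorge warns about) is covered.
    $protected = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($name in $ProtectedGroupNames) {
        $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $grp) { continue }    # group absent on this OS level
        [void]$protected.Add($grp.DistinguishedName)
        Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($grp.DistinguishedName))" |
            ForEach-Object { [void]$protected.Add($_.DistinguishedName) }
    }

    # Same filter the thread runs with adfind: users and groups with adminCount=1.
    Get-ADObject -SearchBase $SearchBase -Properties adminCount, sAMAccountName `
        -LDAPFilter '(&(|(objectClass=group)(objectClass=user))(adminCount=1))' |
        Where-Object {
            -not $protected.Contains($_.DistinguishedName) -and
            $AlwaysProtected -notcontains $_.sAMAccountName
        }
}

function Repair-OrphanedAdminCount {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)]$Object)
    process {
        $path = "AD:\$($Object.DistinguishedName)"
        if ($PSCmdlet.ShouldProcess($Object.DistinguishedName,
                                    'clear adminCount and re-enable inheritance')) {
            # Re-enable inheritance first: as joe notes, the stamped ACL, not
            # the attribute, is what keeps delegated permissions from applying.
            $acl = Get-Acl -Path $path
            $acl.SetAccessRuleProtection($false, $true)   # unprotect, keep existing ACEs
            Set-Acl -Path $path -AclObject $acl
            Set-ADObject -Identity $Object.DistinguishedName -Clear adminCount
        }
    }
}

# Report first; drop -WhatIf only once the orphan list looks right. Anything
# still in a protected group gets re-stamped by the PDC emulator within the hour.
$orphans = Get-OrphanedAdminCount
$orphans | Select-Object sAMAccountName, ObjectClass, DistinguishedName | Format-Table -AutoSize
$orphans | Repair-OrphanedAdminCount -WhatIf
```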

RE: [ActiveDir] Security permissions on user object

2005-06-09 Thread Jorge de Almeida Pinto
If you look at MS-KBQ817433 "Delegated permissions are not available and
inheritance is automatically disabled" you will see it provides a VB script
to reset all accounts that have adminCount = 1 back to 0 and enable the
inheritance flag. That article also tells you how to configure AD so that
you designate which default MS admin groups are protected groups and thus
managed by the adminSDHolder object.

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: Rimmerman, Russ; ActiveDir@mail.activedir.org
Sent: 6/9/2005 5:52 AM
Subject: RE: [ActiveDir] Security permissions on user object

Oh Certainly...that would work quite well.

Joe, how much should he charge for that ;-)

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center


-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 08, 2005 10:52 PM
To: Robert Williams (RRE); ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object


Can I just use ADSIEDIT and go to individual users and set the
admincount to 0?  Will that stick?  If that works, I could write a
winbatch that will prompt for a username, and set their admincount to 0
automatically.



From: Robert Williams (RRE) [mailto:[EMAIL PROTECTED]
Sent: Wed 6/8/2005 8:34 PM
To: Rimmerman, Russ; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object



Well...I guess you can reset it for all of them and count on the
AdminSDHolder thread to reset them to 1 in about an hour or so...other
than that, the logic needed in a script to differentiate between users
who are / are not currently in one of the 'protected groups' would be
astounding.  You shouldn't have a problem trusting the fact that it will
happen to the accounts still in the protected groups since that's what
got you there in the first place :-)




Hopefully that was helpful...have a great night!




Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center






From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]

Sent: Wednesday, June 08, 2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object




OK looks like ya'll are on the right track.  I found the script in the
KB article to reset all the admincounts to 0, but that sounds scary.
Can't I selectively set admincounts to 0 on a user-by-user basis
somehow?  Or is it safe to reset all users' admincounts to 0?  I see
Administrator in there, so that vbscript in
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 scares
me.






From: [EMAIL PROTECTED] on behalf of Robert Williams
(RRE)
Sent: Wed 6/8/2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

Also keep in mind that if you were ever a member of one of these
'protected groups' that your inheritance will not be turned on again,
nor will the admincount attribute be reset to 0, so you can change
those back when you know the user isn't a member of one of the
'protected groups' (changing those values before ensuring this will
result in the values being reset...as you are well aware by this point).
AdminCount is just a 'book keeping' method to know that the ACL has been
stamped by AdminSDHolder.




I hope that helps.




Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, June 08, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object




It sounds like it's the adminSDHolder behavior that's getting you. Are
the users members of any of the other protected groups? It varies across
versions, IIRC 2003 added more groups. The articles below should help
point in the right direction.




http://support.microsoft.com/default.aspx?scid=kb;en-us;318180

http://support.microsoft.com/default.aspx?scid=kb;en-us;817433






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security permissions on user object

We migrated all our users from an NT4 domain to our AD domain.  Anyone
who was in Domain Admins on our NT4 domain got migrated into Domain
Admins on our AD domain.  We took them out of Domain Admins on our AD
domain, but their accounts are inheriting the permissions like a normal
user inherits.




Whenever someone who is NOT a domain admin tries to reset a password or
modify any

RE: [ActiveDir] Security permissions on user object

2005-06-09 Thread Rimmerman, Russ

But is it safe to reset all admincounts back to 0?  Running the ldifde report 
to see what accounts are going to change, I ended up with 126, and noticed 
Administrator is in there, as well as service accounts.  How will setting 
admincount back to 0 affect these important accounts?



From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Thu 6/9/2005 2:41 AM
To: 'Robert Williams (RRE) '; '[EMAIL PROTECTED] '; Rimmerman, Russ; 
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Security permissions on user object



If you look at MS-KBQ817433 "Delegated permissions are not available and
inheritance is automatically disabled" you will see it provides a VB script
to reset all accounts that have adminCount = 1 back to 0 and enable the
inheritance flag. That article also tells you how to configure AD so that
you designate which default MS admin groups are protected groups and thus
managed by the adminSDHolder object.

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: Rimmerman, Russ; ActiveDir@mail.activedir.org
Sent: 6/9/2005 5:52 AM
Subject: RE: [ActiveDir] Security permissions on user object

Oh Certainly...that would work quite well.

Joe, how much should he charge for that ;-)

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center


-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 08, 2005 10:52 PM
To: Robert Williams (RRE); ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object


Can I just use ADSIEDIT and go to individual users and set the
admincount to 0?  Will that stick?  If that works, I could write a
winbatch that will prompt for a username, and set their admincount to 0
automatically.



From: Robert Williams (RRE) [mailto:[EMAIL PROTECTED]
Sent: Wed 6/8/2005 8:34 PM
To: Rimmerman, Russ; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object



Well...I guess you can reset it for all of them and count on the
AdminSDHolder thread to reset them to 1 in about an hour or so...other
than that, the logic needed in a script to differentiate between users
who are / are not currently in one of the 'protected groups' would be
astounding.  You shouldn't have a problem trusting the fact that it will
happen to the accounts still in the protected groups since that's what
got you there in the first place :-)




Hopefully that was helpful...have a great night!




Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center






From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]

Sent: Wednesday, June 08, 2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object




OK looks like ya'll are on the right track.  I found the script in the
KB article to reset all the admincounts to 0, but that sounds scary.
Can't I selectively set admincounts to 0 on a user-by-user basis
somehow?  Or is it safe to reset all users' admincounts to 0?  I see
Administrator in there, so that vbscript in
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 scares
me.






From: [EMAIL PROTECTED] on behalf of Robert Williams
(RRE)
Sent: Wed 6/8/2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

Also keep in mind that if you were ever a member of one of these
'protected groups' that your inheritance will not be turned on again,
nor will the admincount attribute be reset to 0, so you can change
those back when you know the user isn't a member of one of the
'protected groups' (changing those values before ensuring this will
result in the values being reset...as you are well aware by this point).
AdminCount is just a 'book keeping' method to know that the ACL has been
stamped by AdminSDHolder.




I hope that helps.




Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, June 08, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object




It sounds like it's the adminSDHolder behavior that's getting you. Are
the users members of any of the other protected groups? It varies across
versions, IIRC 2003 added more groups. The articles below should help
point in the right direction.




http://support.microsoft.com/default.aspx?scid=kb;en-us;318180

http://support.microsoft.com/default.aspx?scid=kb;en-us;817433






From: [EMAIL PROTECTED]
[mailto

RE: [ActiveDir] Security permissions on user object

2005-06-09 Thread Rimmerman, Russ
Yes, we migrated them from our NT4 domain to AD, and in our NT4 domain, these 
users were in Domain Admins.  In AD, we removed them from Domain Admins.



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Wed 6/8/2005 10:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object



In fact, yes it will, Russ.

Looking back at the thread, I don't see any discussion about HOW these users
came to have the admincount attribute set to 1.  Do you have a root cause?

The reason that I ask is because I've dealt with this before when someone
(who I never caught) added a group to a Protected group.  This effectively
set the admincount attribute on about 200 techs, and it took a while to
clean up and straighten out.  If you don't know why it happened, you might
be reliving this pretty soon.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 9:52 PM
To: Robert Williams (RRE); ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object


Can I just use ADSIEDIT and go to individual users and set the admincount to
0?  Will that stick?  If that works, I could write a winbatch that will
prompt for a username, and set their admincount to 0 automatically.



From: Robert Williams (RRE) [mailto:[EMAIL PROTECTED]
Sent: Wed 6/8/2005 8:34 PM
To: Rimmerman, Russ; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object



Well...I guess you can reset it for all of them and count on the
AdminSDHolder thread to reset them to 1 in about an hour or so...other than
that, the logic needed in a script to differentiate between users who are /
are not currently in one of the 'protected groups' would be astounding.  You
shouldn't have a problem trusting the fact that it will happen to the
accounts still in the protected groups since that's what got you there in
the first place :-)




Hopefully that was helpful...have a great night!




Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center






From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]

Sent: Wednesday, June 08, 2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object




OK looks like ya'll are on the right track.  I found the script in the KB
article to reset all the admincounts to 0, but that sounds scary.  Can't I
selectively set admincounts to 0 on a user-by-user basis somehow?  Or is it
safe to reset all users' admincounts to 0?  I see Administrator in there,
so that vbscript in
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 scares me.






From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Sent: Wed 6/8/2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

Also keep in mind that if you were ever a member of one of these 'protected
groups' that your inheritance will not be turned on again, nor will the
admincount attribute be reset to 0, so you can change those back when you
know the user isn't a member of one of the 'protected groups' (changing
those values before ensuring this will result in the values being reset...as
you are well aware by this point).  AdminCount is just a 'book keeping'
method to know that the ACL has been stamped by AdminSDHolder.




I hope that helps.




Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, June 08, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object




It sounds like it's the adminSDHolder behavior that's getting you. Are the
users members of any of the other protected groups? It varies across
versions, IIRC 2003 added more groups. The articles below should help point
in the right direction.




http://support.microsoft.com/default.aspx?scid=kb;en-us;318180

http://support.microsoft.com/default.aspx?scid=kb;en-us;817433






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security permissions on user object

We migrated all our users from an NT4 domain to our AD domain.  Anyone who
was in Domain Admins on our NT4 domain got migrated into Domain Admins
on our AD domain.  We took them out of Domain Admins on our AD domain, but
their accounts are inheriting the permissions like a normal user inherits.




Whenever someone

RE: [ActiveDir] Security permissions on user object

2005-06-09 Thread Rimmerman, Russ

OK this is odd, I changed admincount to 0 and an hour later it was
changed back to 1.  How frustrating.  What gives?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 08, 2005 10:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

In fact, yes it will, Russ.

Looking back at the thread, I don't see any discussion about HOW these
users came to have the admincount attribute set to 1.  Do you have a
root cause?

The reason that I ask is because I've dealt with this before when
someone (who I never caught) added a group to a Protected group.  This
effectively set the admincount attribute on about 200 techs, and it took
a while to clean up and straighten out.  If you don't know why it
happened, you might be reliving this pretty soon.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 9:52 PM
To: Robert Williams (RRE); ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object


Can I just use ADSIEDIT and go to individual users and set the
admincount to 0?  Will that stick?  If that works, I could write a
winbatch that will prompt for a username, and set their admincount to 0
automatically.



From: Robert Williams (RRE) [mailto:[EMAIL PROTECTED]
Sent: Wed 6/8/2005 8:34 PM
To: Rimmerman, Russ; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object



Well...I guess you can reset it for all of them and count on the
AdminSDHolder thread to reset them to 1 in about an hour or so...other
than that, the logic needed in a script to differentiate between users
who are / are not currently in one of the 'protected groups' would be
astounding.  You shouldn't have a problem trusting the fact that it will
happen to the accounts still in the protected groups since that's what
got you there in the first place :-)




Hopefully that was helpful...have a great night!




Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center






From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]

Sent: Wednesday, June 08, 2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object




OK looks like ya'll are on the right track.  I found the script in the
KB article to reset all the admincounts to 0, but that sounds scary.
Can't I selectively set admincounts to 0 on a user-by-user basis
somehow?  Or is it safe to reset all users' admincounts to 0?  I see
Administrator in there, so that vbscript in
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 scares
me.






From: [EMAIL PROTECTED] on behalf of Robert Williams
(RRE)
Sent: Wed 6/8/2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

Also keep in mind that if you were ever a member of one of these
'protected groups' that your inheritance will not be turned on again,
nor will the admincount attribute be reset to 0, so you can change
those back when you know the user isn't a member of one of the
'protected groups' (changing those values before ensuring this will
result in the values being reset...as you are well aware by this point).
AdminCount is just a 'book keeping'
method to know that the ACL has been stamped by AdminSDHolder.




I hope that helps.




Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, June 08, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object




It sounds like it's the adminSDHolder behavior that's getting you. Are
the users members of any of the other protected groups? It varies across
versions, IIRC 2003 added more groups. The articles below should help
point in the right direction.




http://support.microsoft.com/default.aspx?scid=kb;en-us;318180

http://support.microsoft.com/default.aspx?scid=kb;en-us;817433






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security permissions on user object

We migrated all our users from an NT4 domain to our AD domain.  Anyone
who was in Domain Admins on our NT4 domain got migrated into Domain
Admins
on our AD domain.  We took them out of Domain Admins on our AD domain,
but their accounts are inheriting the permissions like a normal user
inherits.




Whenever someone who is NOT a domain admin

RE: [ActiveDir] Security permissions on user object

2005-06-09 Thread Jorge de Almeida Pinto
I think the krbtgt account will also be listed.

To get all objects (users and groups) with admincount=1 run:
adfind -s subtree -b <baseDN> -f "(&(|(objectclass=group)(objectclass=user))(admincount=1))" -dsq > GROUPSUSERS_WITH_ADMINCOUNT.TXT

For users:
adfind -s subtree -b <baseDN> -f "(&(objectclass=user)(admincount=1))" -dsq > USERS_WITH_ADMINCOUNT.TXT

For groups:
adfind -s subtree -b <baseDN> -f "(&(objectclass=group)(admincount=1))" -dsq > GROUPS_WITH_ADMINCOUNT.TXT

Use the command line you prefer...
Filter out accounts that MUST have the admincount property (e.g.
administrator, krbtgt, default protected groups, etc.)

Create a batch using Excel. Import the TXT file into Excel with the accounts
whose admincount property you want to change.

admod -b "<DN of object>" admincount::0

If the objects you changed are direct members of protected groups the
admincount property will be reset to 1. If you use group nesting (the object
is a member of a non-protected group and that group is a member of a
protected group) the same will happen - the admincount property will be
reset to 1.

I prefer to only change those accounts that you want changed and not to
change everything and wait until the PDC FSMO resets all accounts that you
did not want to change.

#JORGE#

-Original Message-
From: Rimmerman, Russ
To: Jorge de Almeida Pinto; Robert Williams (RRE) ;
ActiveDir@mail.activedir.org
Sent: 6/9/2005 12:53 PM
Subject: RE: [ActiveDir] Security permissions on user object


But is it safe to reset all admincounts back to 0?  Running the ldifde
report to see what accounts are going to change, I ended up with 126,
and noticed Administrator is in there, as well as service accounts.
How will setting admincount back to 0 affect these important accounts?



From: Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED]
Sent: Thu 6/9/2005 2:41 AM
To: 'Robert Williams (RRE) '; '[EMAIL PROTECTED] ';
Rimmerman, Russ; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Security permissions on user object



If you look at MS KB Q817433, "Delegated permissions are not available and
inheritance is automatically disabled", you will see it provides a VB script
to reset all accounts that have adminCount = 1 back to 0 and enable the
inheritance flag. That article also tells you how to configure AD so that
you designate which default MS admin groups are protected groups and thus
managed by the adminSDHolder object.

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: Rimmerman, Russ; ActiveDir@mail.activedir.org
Sent: 6/9/2005 5:52 AM
Subject: RE: [ActiveDir] Security permissions on user object

Oh Certainly...that would work quite well.

Joe, how much should he charge for that ;-)

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center



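Jorge's procedure above (find everything with admincount=1, take out the accounts that are supposed to have it, reset the rest) as one PowerShell script. This is an added example, not code from the thread and not joe's adfind/admod: it assumes the RSAT ActiveDirectory module on a domain-joined box, the Windows 2000/2003 protected-group set from KB 817433 (later versions add groups, and the set can be adjusted through dsHeuristics, so check the article for your version), and a $dryRun switch that is on by default. Nested membership is resolved server-side with LDAP_MATCHING_RULE_IN_CHAIN instead of by hand, so the script only touches objects SDProp would not re-stamp an hour later.

```powershell
# Added example, not from the thread. Finds users/groups still carrying
# adminCount=1 that are no longer (even transitively) members of any
# protected group, then clears adminCount and re-enables ACL inheritance
# on those orphans only. Needs the RSAT ActiveDirectory module and rights
# to write adminCount / nTSecurityDescriptor on the targets.
Import-Module ActiveDirectory

$dryRun  = $true          # flip to $false to actually write changes

$domain  = Get-ADDomain
$domSid  = $domain.DomainSID.Value
$rootSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

# Protected groups per KB 817433 for Windows 2000/2003 (assumed set; later
# versions add more and dsHeuristics can exclude the Operators groups).
$protectedSids = @(
    'S-1-5-32-544',    # Administrators
    'S-1-5-32-548',    # Account Operators
    'S-1-5-32-549',    # Server Operators
    'S-1-5-32-550',    # Print Operators
    'S-1-5-32-551',    # Backup Operators
    'S-1-5-32-552',    # Replicator
    "$domSid-512",     # Domain Admins
    "$domSid-516",     # Domain Controllers
    "$rootSid-518",    # Schema Admins (forest root only)
    "$rootSid-519"     # Enterprise Admins (forest root only)
)

# RFC 4515 escaping so a DN containing ( ) * \ cannot break the filter.
function ConvertTo-LdapFilterValue([string]$s) {
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Everything that is still legitimately stamped: the protected groups
# themselves, their transitive members (LDAP_MATCHING_RULE_IN_CHAIN, the DC
# walks the nesting), plus Administrator (RID 500) and krbtgt (RID 502).
$keep = @{}
foreach ($sid in $protectedSids) {
    $g = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
    if (-not $g) { continue }      # e.g. Enterprise Admins when run in a child domain
    $keep[$g.DistinguishedName] = $true
    $f = '(memberOf:1.2.840.113556.1.4.1941:={0})' -f (ConvertTo-LdapFilterValue $g.DistinguishedName)
    Get-ADObject -LDAPFilter $f | ForEach-Object { $keep[$_.DistinguishedName] = $true }
}
foreach ($rid in 500, 502) {
    $keep[(Get-ADUser -Identity "$domSid-$rid").DistinguishedName] = $true
}

# Same filter Jorge runs with adfind, minus the round-trip through Excel.
$stamped = Get-ADObject -LDAPFilter '(&(|(objectClass=user)(objectClass=group))(adminCount=1))' -Properties adminCount
$orphans = @($stamped | Where-Object { -not $keep.ContainsKey($_.DistinguishedName) })

"{0} objects have adminCount=1, {1} of them are orphans" -f @($stamped).Count, $orphans.Count

foreach ($obj in $orphans) {
    $path = "AD:\" + $obj.DistinguishedName
    # Clearing the attribute leaves the object looking like one that was never
    # stamped; the KB 817433 script writes 0 instead. SDProp treats both alike.
    Set-ADObject -Identity $obj -Clear adminCount -WhatIf:$dryRun
    # Re-enable inheritance. SetAccessRuleProtection($false, $true) keeps the
    # explicit ACEs SDProp copied from AdminSDHolder; review those separately.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl -WhatIf:$dryRun
    $obj.DistinguishedName
}
```

Run it once with $dryRun left at $true and read the orphan list before flipping it; anything on the list that you expected to stay protected means the group set above does not match your forest, and that is the thing to fix first.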
RE: [ActiveDir] Security permissions on user object

2005-06-09 Thread Rick Kingslan
What group(s) is that principal currently a member of?  I suspect it's still
a member of a protected group.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday, June 09, 2005 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object


OK this is odd, I changed admincount to 0 and an hour later it was
changed back to 1.  How frustrating.  What gives?



RE: [ActiveDir] Security permissions on user object

2005-06-08 Thread Free, Bob



It sounds like it's the adminSDHolder behavior that's 
getting you. Are the users members of any of the other protected groups? It 
varies across versions, IIRC 2003 added more groups. The articles below should 
help point in the right direction.

http://support.microsoft.com/default.aspx?scid=kb;en-us;318180
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security permissions on user object

We migrated all our users from an NT4 domain to our AD domain. Anyone who was 
in "Domain Admins" on our NT4 domain got migrated into "Domain Admins" on our AD 
domain. We took them out of Domain Admins on our AD domain, but their 
accounts are inheriting the permissions like a normal user inherits.

Whenever someone who is NOT a domain admin tries to reset a password or 
modify any properties of these migrated "Domain Admins" who are no longer Domain 
Admins, they are denied access. 

If I open up one of these users, they are not inheriting the permissions on 
their user object like every other normal user does. If I open their account 
and go to the object security the "Inherit from parent the permission entries 
that apply to child objects. Include these with entries explicitly defined 
here." box is not checked like every other user. If I check the box, others 
are temporarily able to modify that former domain admin's account, but 
eventually, the box is unchecked again and they inherit their old security on 
their user object and it's broken again.

I know that I once read that this is by design, but how the heck do I fix 
these users once and for all?

  
  
~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


RE: [ActiveDir] Security permissions on user object

2005-06-08 Thread Robert Williams (RRE)








Also keep in mind that if you were ever a
member of one of these 'protected groups' that your inheritance
will not be turned on again, nor will the admincount attribute be
reset to 0...so you can change those back when you know the user isn't
a member of one of the 'protected groups' (changing those values
before ensuring this will result in the values being reset...as you are
well aware by this point). AdminCount is just a 'book keeping'
method to know that the ACL has been stamped by AdminSDHolder.



I hope that helps.





Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center














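Robert's point that adminCount is only bookkeeping and the ACL is the real state, as an added example that is not from the thread: this PowerShell function compares an object's explicit DACL against CN=AdminSDHolder,CN=System and reports whether inheritance is blocked, which is how you tell a SDProp stamp from an ACL somebody edited by hand. It assumes the RSAT ActiveDirectory module and takes a sAMAccountName or DN; the 'someuser' in the usage line is a placeholder, not an account from the thread.

```powershell
# Added example, not from the thread. Tells "stamped by AdminSDHolder" apart
# from "hand-edited ACL" by comparing explicit ACEs, since adminCount alone
# proves nothing. Needs the RSAT ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

function Test-AdminSdHolderStamp {
    param([Parameter(Mandatory = $true)][string]$Identity)   # sAMAccountName or DN

    $domainDN = (Get-ADDomain).DistinguishedName
    $holder   = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"

    # RFC 4515 escaping so ( ) * \ in the input cannot alter the filter.
    $v   = $Identity -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $obj = Get-ADObject -LDAPFilter "(|(sAMAccountName=$v)(distinguishedName=$v))" -Properties adminCount
    if (-not $obj) { throw "No object matches '$Identity'" }
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)

    # Reduce each ACE to a comparable string. Only explicit ACEs matter:
    # SDProp copies AdminSDHolder's explicit ACEs onto the target and turns
    # inheritance off there, so inherited ACEs on either side are noise.
    $key = {
        param($ace)
        '{0}|{1}|{2}|{3}|{4}' -f $ace.IdentityReference, $ace.AccessControlType,
            $ace.ActiveDirectoryRights, $ace.ObjectType, $ace.InheritedObjectType
    }
    $holderAces = @($holder.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { & $key $_ })
    $objAces    = @($acl.Access    | Where-Object { -not $_.IsInherited } | ForEach-Object { & $key $_ })

    # Manual set difference; Compare-Object refuses an empty reference array,
    # which is exactly what a never-stamped user with inheritance on gives you.
    $missing = @($holderAces | Where-Object { $objAces    -notcontains $_ })
    $extra   = @($objAces    | Where-Object { $holderAces -notcontains $_ })

    [pscustomobject]@{
        Object              = $obj.DistinguishedName
        AdminCount          = $obj.adminCount
        InheritanceDisabled = $acl.AreAccessRulesProtected
        DaclMatchesHolder   = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        MissingFromObject   = $missing    # on AdminSDHolder, not on the object
        ExtraOnObject       = $extra      # hand-added, or left over from before SDProp
    }
}

# Usage ('someuser' is a placeholder). A stamped ex-Domain Admin shows
# InheritanceDisabled=True and DaclMatchesHolder=True; a user whose ACL was
# broken some other way shows differences in ExtraOnObject/MissingFromObject.
Test-AdminSdHolderStamp -Identity 'someuser' | Format-List
```

If DaclMatchesHolder is true but the account is in no protected group, Jorge's reset is the right fix; if it is false, SDProp is not your problem and the extra ACEs tell you who was.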
RE: [ActiveDir] Security permissions on user object

2005-06-08 Thread Rimmerman, Russ
OK looks like ya'll are on the right track.  I found the script in the KB 
article to reset all the admincounts to 0, but that sounds scary.  Can't I 
selectively set admincounts to 0 on a user-by-user basis somehow?  Or is it 
safe to reset all users' admincounts to 0?  I see Administrator in there, so 
that vbscript in http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 
scares me.




RE: [ActiveDir] Security permissions on user object

2005-06-08 Thread Robert Williams (RRE)








Well...I guess you can reset it for
all of them and count on the AdminSDHolder thread to reset them to 1 in about
an hour or so...other than that, the logic needed in a script to
differentiate between users who are / are not currently in one of the 'protected
groups' would be astounding. You shouldn't have a problem trusting
the fact that it will happen to the accounts still in the 'protected
groups' since that's what got you there in the first place :-)



Hopefully that was helpful...have a
great night!





Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center














RE: [ActiveDir] Security permissions on user object

2005-06-08 Thread Rick Kingslan
In fact, yes it will, Russ.

Looking back at the thread, I don't see any discussion about HOW these users
came to have the admincount attribute set to 1.  Do you have a root cause?

The reason that I ask is because I've dealt with this before when someone
(who I never caught) added a group to a Protected group.  This effectively
set the admincount attribute on about 200 techs, and it took a while to
clean up and straighten out.  If you don't know why it happened, you might
be reliving this pretty soon.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 9:52 PM
To: Robert Williams (RRE); ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object


Can I just use ADSIEDIT and go to individual users and set the admincount to
0?  Will that stick?  If that works, I could write a winbatch that will
prompt for a username, and set their admincount to 0 automatically.




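Rick's root-cause question, as an added example that is not from the thread: a PowerShell report of every group nested (at any depth) inside a protected group, with the nesting path and how many leaf accounts get stamped through it, which is the "someone added a group to a Protected group" case he describes. It assumes the RSAT ActiveDirectory module and the Windows 2000/2003 protected-group set from KB 817433 (adjust the SID list for your version).

```powershell
# Added example, not from the thread. Walks each protected group's direct
# members and follows any member that is itself a group, so you see the
# nesting path that quietly put a whole team under AdminSDHolder.
Import-Module ActiveDirectory

$domSid  = (Get-ADDomain).DomainSID.Value
$rootSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

# Protected groups per KB 817433 for Windows 2000/2003 (assumed set).
$protectedSids = 'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-550',
                 'S-1-5-32-551', 'S-1-5-32-552', "$domSid-512", "$domSid-516",
                 "$rootSid-518", "$rootSid-519"

function Get-NestedGroupReport {
    param(
        [Microsoft.ActiveDirectory.Management.ADGroup]$Group,
        [string[]]$Path,
        [hashtable]$Seen
    )
    # Direct members only: -Recursive would flatten away the nesting we are
    # looking for. Get-ADGroupMember cannot expand foreign security principals
    # from trusted domains; those surface as errors, not rows.
    foreach ($m in @(Get-ADGroupMember -Identity $Group -ErrorAction SilentlyContinue)) {
        if ($m.objectClass -ne 'group') { continue }
        if ($Seen.ContainsKey($m.DistinguishedName)) { continue }   # circular nesting guard
        $Seen[$m.DistinguishedName] = $true
        $here = $Path + $m.Name
        # Leaf accounts reachable through this nested group: every one of them
        # gets adminCount=1 and inheritance disabled on the next SDProp pass.
        $leaves = @(Get-ADGroupMember -Identity $m -Recursive -ErrorAction SilentlyContinue).Count
        [pscustomobject]@{
            NestingPath    = ($here -join ' -> ')
            NestedGroup    = $m.DistinguishedName
            AccountsStamped = $leaves
        }
        Get-NestedGroupReport -Group (Get-ADGroup -Identity $m.DistinguishedName) -Path $here -Seen $Seen
    }
}

$report = foreach ($sid in $protectedSids) {
    $g = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue   # absent in child domains for 518/519
    if ($g) { Get-NestedGroupReport -Group $g -Path @($g.Name) -Seen @{} }
}
$report | Sort-Object NestingPath | Format-Table -AutoSize
```

An empty report means the stamps came from direct membership (or from membership that has since been removed, which is the migration case in this thread); a row with a large AccountsStamped count is the group to pull out of the protected group before resetting anybody, or SDProp will put the stamps straight back.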
RE: [ActiveDir] Security permissions on user object

2005-06-08 Thread Robert Williams (RRE)
Oh Certainly...that would work quite well.

Joe, how much should he charge for that ;-)

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center


-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 08, 2005 10:52 PM
To: Robert Williams (RRE); ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object


Can I just use ADSIEDIT and go to individual users and set the
admincount to 0?  Will that stick?  If that works, I could write a
winbatch that will prompt for a username, and set their admincount to 0
automatically.



From: Robert Williams (RRE) [mailto:[EMAIL PROTECTED]
Sent: Wed 6/8/2005 8:34 PM
To: Rimmerman, Russ; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object



Well...I guess you can reset it for all of them and count on the
AdminSDHolder thread to reset them to 1 in about an hour or so...other
than that, the logic needed in a script to differentiate between users
who are / are not currently in one of the 'protected groups' would be
astounding.  You shouldn't have a problem trusting the fact that it will
happen to the accounts still in the protected groups since that's what
got you there in the first place :-)




Hopefully that was helpful...have a great night!




Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center






From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]

Sent: Wednesday, June 08, 2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object




OK looks like ya'll are on the right track.  I found the script in the
KB article to reset all the admincounts to 0, but that sounds scary.
Can't I selectively set admincounts to 0 on a user-by-user basis
somehow?  Or is it safe to reset all users' admincounts to 0?  I see
Administrator in there, so that vbscript in
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 scares
me.






From: [EMAIL PROTECTED] on behalf of Robert Williams
(RRE)
Sent: Wed 6/8/2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

Also keep in mind that if you were ever a member of one of these
'protected groups' that your inheritance will not be turned on again,
nor will the admincount attribute be reset to 0...so you can change
those back when you know the user isn't a member of one of the
'protected groups' (changing those values before ensuring this will
result in the values being reset...as you are well aware by this point).
AdminCount is just a 'book keeping' method to know that the ACL has been
stamped by AdminSDHolder.




I hope that helps.




Robert Williams, MCSE NT4/2K/2K3, Security+

Infrastructure Rapid Response Engineer

Northeast Region

Microsoft Corporation

Global Solutions Support Center






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, June 08, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object




It sounds like it's the adminSDHolder behavior that's getting you. Are
the users members of any of the other protected groups? It varies across
versions, IIRC 2003 added more groups. The articles below should help
point you in the right direction.




http://support.microsoft.com/default.aspx?scid=kb;en-us;318180

http://support.microsoft.com/default.aspx?scid=kb;en-us;817433






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security permissions on user object

We migrated all our users from an NT4 domain to our AD domain.  Anyone
who was in Domain Admins on our NT4 domain got migrated into Domain
Admins on our AD domain.  We took them out of Domain Admins on our AD
domain, but their accounts are inheriting the permissions like a normal
user inherits.




Whenever someone who is NOT a domain admin tries to reset a password or
modify any properties of these migrated Domain Admins who are no
longer Domain Admins, they are denied access.



If I open up one of these users, they are not inheriting the permissions
on their user object like every other normal user does.  If I open their
account and go to the object security, the "Inherit from parent the
permission entries that apply to child objects. Include these with
entries explicitly defined here." box is not checked like every other
user.  If I check the box, others are temporarily able to modify that
former domain admin's account, but eventually the box is unchecked again
and they inherit

RE: [ActiveDir] Security settings not Inheriting

2005-06-02 Thread chris . ryan




That was exactly right. Thanks for the help!

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362


   
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/





RE: [ActiveDir] Security settings not Inheriting

2005-05-27 Thread Tony Murray
Sounds like it could be the AdminSDHolder.  Have a look at the following
articles.

http://support.microsoft.com/?kbid=232199

http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, 28 May 2005 7:52 a.m.
To: activedir@mail.activedir.org
Subject: [ActiveDir] Security settings not Inheriting






All,
  I am attempting to delegate full control of one OU to a particular
group of Admins. I have run the Delegation Wizard, selected the group,
customized a task to delegate permissions to the folder, all existing
objects in the folder and the creation of new objects and then selected Full
control. I checked the security tab of the OU and the group is there with
full control. I checked some of the sub OU's and this group is given full
control over them via inheritance.

  I am running into trouble with some specific objects. These security
settings did not filter down to some groups and users. I attempt to manually
give the group full control and it allows me to add them. I check it again a
few minutes later and the group is gone. Does anybody know what would cause
this? As far as I know there are no scripts or GPO's affecting this OU that
would cause this to happen.




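The two threads above keep circling the same clean-up question: which accounts still carry adminCount=1 and a blocked ACL after leaving every protected group, and how to reset only those rather than every account as the KB 817433 script does. The following is an added example, not code from the list or from the Microsoft KB articles; it assumes the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 or later, so not the Windows 2000/2003 domains discussed here) and derives the protected set from the groups AdminSDHolder itself stamps instead of hard-coding a version-specific list.

```powershell
<#
  Added example (not from the list thread or the Microsoft KB articles):
  report accounts that still carry adminCount=1 and a non-inheriting ACL
  after leaving every AdminSDHolder-protected group, and optionally put
  them back to a normal, inheriting state. Without -Fix it only reports.
  Assumes the ActiveDirectory module (RSAT / Server 2008 R2 or later).
#>
param(
    [switch]$Fix,
    # SDProp runs on the PDC emulator, so that is the DC whose view matters.
    [string]$Server = (Get-ADDomain).PDCEmulator
)
Import-Module ActiveDirectory

# AdminSDHolder stamps the protected groups themselves with adminCount=1, so
# enumerating groups with adminCount=1 gives this domain's protected set
# without hard-coding a list that differs between 2000, 2003 and later.
$protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)' -Server $Server

# Everything that is a transitive member of any protected group is
# legitimately stamped. The OID is LDAP_MATCHING_RULE_IN_CHAIN, which
# resolves nested group membership on the server side.
$legit = @{}
foreach ($g in $protectedGroups) {
    $f = "(memberOf:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))"
    Get-ADObject -LDAPFilter $f -Server $Server |
        ForEach-Object { $legit[$_.DistinguishedName] = $true }
}

# Candidates: non-group objects stamped adminCount=1 that are no longer in
# any protected group. Administrator and krbtgt are protected by SDProp
# regardless of group membership, so they are never candidates.
$orphans = Get-ADObject -LDAPFilter '(&(adminCount=1)(!(objectClass=group)))' `
               -Properties adminCount, sAMAccountName -Server $Server |
           Where-Object {
               ($_.sAMAccountName -notin 'Administrator', 'krbtgt') -and
               (-not $legit.ContainsKey($_.DistinguishedName))
           }

$action = if ($Fix) { 'reset' } else { 'report only' }
foreach ($o in $orphans) {
    $path = "AD:\$($o.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    [pscustomobject]@{
        Object             = $o.DistinguishedName
        AdminCount         = $o.adminCount
        InheritanceBlocked = $acl.AreAccessRulesProtected
        Action             = $action
    }
    if ($Fix) {
        # The same two changes the KB script makes, but only for true orphans:
        # adminCount back to 0 and inheritance from the parent re-enabled.
        # SDProp will only restamp the object if it is still in a protected
        # group, which the membership check above has already ruled out.
        Set-ADObject -Identity $o.DistinguishedName -Replace @{ adminCount = 0 } -Server $Server
        $acl.SetAccessRuleProtection($false, $false)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it without -Fix first and keep the report: an account that is on the list but should still be privileged is a sign of a membership you did not know about, which is exactly the case Robert warns will get re-stamped within the hour.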

RE: [ActiveDir] Security

2004-06-25 Thread Peter Johnson
As much as it's a 3rd party utility you might want to take a look at
something like NetIQ's Security Manager or DRA or App Manager. Any of
these have the functionality that you are looking for. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: 10 June 2004 18:51
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admin Group has a user added to it or at
least have that operation audited. Is there any way to perform this with
GPO or something built into win2k server?

Thanks,
Aaron Visser



RE: [ActiveDir] Security

2004-06-22 Thread joe
Say you set all of the admin groups (admins, domain admins, ent admins) as
restricted groups. You set the membership to

  builtin Admin
  userA
  userB
  userC
  userD


That replicates out and works. 

Then at some point someone changes the restricted groups to be

  userA
  userB
  userC
  userD

This (on 2K SP1, which is where I encountered it) causes all sorts of fun; from
what I have seen it made replication work in a sporadic way and caused out of
resource issues.

At some later point you need to change that membership again and various
parts of replication aren't working properly because of the above and other
issues (This specifically occurred with me when I took over an AD
previously). You break into a DC, you make the changes to that restricted
group to be

  builtin Admin
  user1
  user2
  user3
  user4

That replicates out and DCs that get it set it, that change starts to
replicate out through AD Replication. Then some (or more than one which
occurred to me) DC that has good AD replication but failing FRS replication
gets the group change through AD replication, sees that it isn't right,
changes the membership back to UserA/B/C/D and that replicates back out to
the environment. 

So now you have your domain admin membership bouncing back and forth, and
sometimes you have access to do things and sometimes you don't. It is
messy; it took me several hours to get it straightened out, and in the
meanwhile it was a huge security hole because the people who were removed
from access still had access to the network, since they still supported
other things in the environment but absolutely were not supposed to have
domain access.


I have seen on multiple occasions the same thing occur with lockout settings
and password settings. That simply causes mass confusion because you tell
people the lockout policy is 15 bads and occasionally someone locks out in
less and you start to chase into it figuring something is sending multiple
requests but in fact at the moment they were logging on, the previous
lockout policy was in effect because of the bouncing policy. 



Our sysvol/dfs data is all replicated out through a single replication
model, FRS. There are ties to AD in terms of linking data but not actual
data so you wouldn't expect say a file to have different data at different
points. With the above items, your GPO and AD are telling DCs to do entirely
different things and each wins for a short period of time. In an environment
with more than 50-60 DCs in a domain, this was, a couple of years ago for
me, a time consuming issue to track down, especially since the issue was
coming from multiple DCs with close to 100 or so in the domain. In the end,
about 80% of the DCs in that domain had some form of replication issue that
had to be straightened out, and it was one domain of 11 or 12 in the
forest.


   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Monday, June 21, 2004 9:07 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Security

How does this one relate specifically to restricted groups? This applies to
a whole slew of items.. the worst offender IMO being a hub and spoke topo
with file system permissions being pushed down to sysvol or dfs link\root
which is replicated.

-steve




RE: [ActiveDir] Security

2004-06-21 Thread joe
Guido's #1 can be a nightmare. Say you have a single DC that isn't playing
well with the FRS replication topology and you go to change the restricted
group you will get this great battle going on in AD as the change is made by
GPO on one machine, it will replicate through the environment, the GPO on
another machine won't agree and will change it to something else and that
will replicate through the environment. 

Actually I think MS is rather kooky for setting anything in GPO that changes
something that replicates in normal AD replication. Do it so that it is
replicated one way or the other. This goes for restricted AD groups as well
as lockout policies and things like that.

Can't say I see how #2 could impact and don't see how restricted groups
could impact #3.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, June 11, 2004 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

sure:
1.  replication of changes and applying the GPO will cause undesirable
results at times.
2.  the AdminSDholder process of the domain controls the sensitive groups
in AD (e.g. Domain & Enterprise & Schema Admin, Account Operators, Server
Operators etc.) and periodically checks permissions on these groups and for
those accounts that need to be in this group have not been removed etc.
(could also be impacted negatively by the GPO)
3.  there are a couple of
hidden group memberships in AD that you don't know about and thus not adding
them via restricted groups could cause replication problems: e.g. each DC is
a member of the local domain administrators group using the NT
Authority\Enterprise Domain Controllers group - but you don't see this group
as a member in the group. If this member is missing, DCs can't replicate
successfully.  I don't have a complete list of hidden memberships (this one
could or could not be all), so that I wouldn't risk breaking things in AD
using this GPO on domain groups (mainly the administrative groups).

\Guido
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Freitag, 11. Juni 2004 05:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

I'm curious, do you have any more details?

-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security


don't use the Restricted Groups feature on domain groups, especially domain
admins. This has caused various issues for companies and thus they've backed
away from this approach.  However, using restricted groups on member servers
and clients works well. 

\Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Donnerstag, 10. Juni 2004 19:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

If you want to make sure that no one is added to the group you could make
the group a Restricted Group via a GPO.

If you want to know when a user is added to the group, you could use a GPO
to turn on auditing of "Account Management", but then you would have to
search the audit logs of all of the DCs in the domain to find the activity.

Or you could write a script that looked at the group membership and compared
it with a pre-determined list. Then execute the script on a schedule of your
choice.

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admin Group has a user added to it or at
least have that operation audited. Is there any way to perform this with GPO
or something built into win2k server?

Thanks,
Aaron Visser



Re: [ActiveDir] Security

2004-06-21 Thread Steve Patrick
How does this one relate specifically to restricted groups? This applies to
a whole slew of items.. the worst offender IMO being a hub and spoke topo
with file system permissions being pushed down to sysvol or dfs link\root
which is replicated.

-steve





RE: [ActiveDir] Security

2004-06-11 Thread Coleman, Hunter
Sounds like the rebuild is a good thing, given the little angels' propensity
to do things they shouldn't.

The approach I'd take is to monitor the update sequence number on the Domain
Admins, Schema Admins, and Enterprise Admins groups. If the USN changes on
any of the groups, then you know that *something* about the group changed,
and you can start looking at memberships. Wrap this up in a script that you
run frequently, and have it notify you when the USN changes.

If you search the microsoft.public.* newsgroups for "vbscript usnChanged richard
mueller" (go to http://groups.google.com/advanced_group_search) you'll find
some sample VBScript to grab the USN.

Hunter 

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 10:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Security

More Details
Win2k Servers: 1 Root Server with another one for redundancy, 1 ISA Server, 1
Server for Teacher Data, 1 Server for Student Data
Win2003 Servers: 1 for Office Staff

And the fun begins,
Well, the biggest problem I am faced with is that the users (Students) ON the
network are constantly trying to break in or crash the Servers. They are
relentless; somehow yesterday (I have no idea how) they had managed to add
accounts to the Domain Admin Group, the Schema Admins and the Enterprise
Admins. The accounts they have added have been removed, but again today I
encountered two new instances of users being added to the Domain Admin
group. I am following this as closely as I can, checking the groups every
10-15 minutes, but that becomes very tedious and a real pain in the ...so I was
wondering if I could be notified of such things happening rather than have
to find out the hard way. I did the GPO thing of Restricting Groups and I
restricted the mentioned groups, but I am pretty sure I shouldn't have done
that as now all my Admin groups are Restricted (Domain Admins, Schema Admins,
Enterprise Admins). I just want to make it a few more weeks until the end of
the School year so I can rebuild the entire network with new servers etc.
(I inherited it about a month ago).

Any help or insight or just thoughts on the whole situation is appreciated

Thanks to everyone,

Aaron Visser




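Larry's "compare the membership with a pre-determined list" script and Hunter's usnChanged trigger can be combined into one scheduled task. The following is an added example, not code from the thread: it snapshots the three admin groups from a single DC, stores the snapshot, and on the next run reports a USN change together with the exact members added or removed. It assumes the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 or later, rather than the Windows 2000 and VBScript of the thread); the state directory under ProgramData is an arbitrary choice.

```powershell
<#
  Added example (not from the list thread): Larry's "compare membership to a
  pre-determined list" script and Hunter's usnChanged trigger in one
  scheduled task. Assumes the ActiveDirectory module (RSAT / Server 2008 R2
  or later); the state directory is an assumed, arbitrary path.
#>
param(
    # usnChanged is DC-local and not replicated, so every run must read the
    # same DC or the USN comparison is meaningless. Schema and Enterprise
    # Admins live in the forest root, so use the root domain's PDC emulator
    # (this also watches the root domain's Domain Admins; repeat with -Server
    # pointing at a child domain DC to watch that domain's Domain Admins).
    [string]$Server   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator,
    [string]$StateDir = "$env:ProgramData\PrivGroupWatch"
)
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $StateDir -Force | Out-Null

$watched = 'Domain Admins', 'Schema Admins', 'Enterprise Admins'

# Pure comparison of two snapshots; no AD calls, so it can be exercised with
# hand-made hashtables. Members are compared as distinguished names.
function Compare-GroupSnapshot {
    param([hashtable]$Previous, [hashtable]$Current)
    [pscustomobject]@{
        Group      = $Current.Group
        UsnChanged = ($Previous.Usn -ne $Current.Usn)
        Added      = @($Current.Members  | Where-Object { $_ -notin $Previous.Members })
        Removed    = @($Previous.Members | Where-Object { $_ -notin $Current.Members })
    }
}

# Read the group object once, taking its member list and DC-local USN.
function Get-GroupSnapshot {
    param([string]$Name)
    $g = Get-ADGroup -Identity $Name -Properties member, usnChanged -Server $Server
    @{
        Group   = $Name
        Usn     = [int64]$g.usnChanged
        Members = @($g.member | Sort-Object)
    }
}

foreach ($name in $watched) {
    $current   = Get-GroupSnapshot -Name $name
    $stateFile = Join-Path $StateDir (($name -replace ' ', '_') + '.json')

    if (Test-Path $stateFile) {
        $saved    = Get-Content -Path $stateFile -Raw | ConvertFrom-Json
        $previous = @{ Group = $saved.Group; Usn = [int64]$saved.Usn; Members = @($saved.Members) }
        $diff     = Compare-GroupSnapshot -Previous $previous -Current $current

        if ($diff.UsnChanged) {
            # The object changed on this DC. Membership is the usual cause;
            # a USN bump with nothing added or removed means another
            # attribute was written, which is still worth a look.
            Write-Warning "$name changed on $Server (usnChanged $($previous.Usn) -> $($current.Usn))"
            $diff.Added   | ForEach-Object { Write-Warning "  added:   $_" }
            $diff.Removed | ForEach-Object { Write-Warning "  removed: $_" }
        }
    }

    # Persist this run's view for the next comparison.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $stateFile
}
```

To attribute a detected change to an account, pair this with the Account Management auditing Larry describes: the member-added events are 632 (global group, Domain Admins) and 660 (universal group, Schema and Enterprise Admins) on Windows 2000/2003, and 4728 and 4756 on Vista/2008 and later.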
RE: [ActiveDir] Security

2004-06-11 Thread Mulnick, Al
Additionally, it would be helpful to know how they did what they did and
what account they used to do it.  I can think of many ways it's possible,
but it would be good to know what avenue they are using.  You should be able
to correlate the change of USN with the Event log entry (audit) of the
change.  EventcombMT is a useful tool for this and is available at the
Microsoft web site as a security tool.


Al 


RE: [ActiveDir] Security

2004-06-11 Thread Passo, Larry
Thanks for the details, but I was hoping that Guido would provide some of the reasons
why Restricted Groups was a bad idea. Although, I would consider having all of the
Domain groups be locked out to not be a great idea.

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Security


More Details
Win2k Servers 1 Root Server with another one for redundancy, 1 ISA Server, 1
Server for Teacher Data, 1 Server for Student Data
Win2003 Servers 1 for Office Staff

And the fun begins,
Well the biggest problem I am faced with is that the users (Students) ON the
network are constantly trying to break in or crash the Servers. They are
relentless; somehow yesterday (I have no idea how) they had managed to add
accounts to the Domain Admin Group, the Schema Admins and the Enterprise
Admins. The accounts they have added have been removed but again today I
encountered two new instances of users being added to the Domain Admin
group. I am following this as closely as I can, checking the groups every
10-15 minutes, but that becomes very tedious and a real pain in the ... so I was
wondering if I could be notified of such things happening rather than have
to find out the hard way. I did the GPO thing of Restricting Groups and I
restricted the mentioned groups but I am pretty sure I shouldn't have done
that as now all my Admin groups are Restricted (Domain Admins, Schema Admins,
Enterprise Admins). I just want to make it a few more weeks until the end of
the School year so I can rebuild the entire network with new servers etc.
(I inherited it about a month ago).

Any help or insight or just thoughts on the whole situation is appreciated

Thanks to everyone,

Aaron Visser



 From: Passo, Larry [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date: Thu, 10 Jun 2004 20:37:24 -0700
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 I'm curious, do you have any more details?
 
 -Original Message-
 From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 10, 2004 2:47 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 
 don't use the Restricted Groups feature on domain groups, especially
 domain admins. This has caused various issues for companies and thus
 they've backed away from this approach.  However, using restricted
 groups on member servers and clients works well.
 
 \Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
 Sent: Donnerstag, 10. Juni 2004 19:38
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 If you want to make sure that no one is added to the group you could
 make the group a Restricted Group via a GPO.
 
 If you want to know when a user is added to the group, you could use a
 GPO to turn on auditing of Account Management but then you would have
 to search the audit logs of all of the DCs in the domain to find the
 activity.
 
 Or you could write a script that looked at the group membership and
 compared it with a pre-determined list. Then execute the script on a
 schedule of your choice.
 
 -Original Message-
 From: Aaron Visser [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 10, 2004 9:51 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Security
 
 I need to know when the Domain Admin Group has a user added to it or at
 least have that operation audited, is there anyway to perform this with
 GPO
 or something built into win2k server.
 
 Thanks,
 Aaron Visser
 


RE: [ActiveDir] Security

2004-06-11 Thread Raymond McClinnis
Why not create a group and modify the default rights to it (allow
interactive logon and the like) then set as the default group for the people
in question.  I have done this for questionable users in the past with
decent results.

Thanks,

Raymond 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, June 11, 2004 2:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

sure:
1.  replication of changes and applying the GPO will cause undesirable
results at times.
2.  the AdminSDHolder process of the domain controls the sensitive
groups in AD (e.g. Domain & Enterprise & Schema Admin, Account
Operators, Server Operators etc.) and periodically checks permissions on
these groups and that those accounts that need to be in this group have
not been removed etc. (could also be impacted negatively by the GPO)
3.  there are a couple of hidden group memberships in AD that you don't
know about and thus not adding them via restricted groups could cause
replication problems: e.g. each DC is a member of the local domain
administrators group using the NT Authority\Enterprise Domain
Controllers group - but you don't see this group as a member in the
group. If this member is missing, DCs can't replicate successfully.  I
don't have a complete list of hidden memberships (this one could or
could not be all), so that I wouldn't risk breaking things in AD using
this GPO on domain groups (mainly the administrative groups).

\Guido
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Freitag, 11. Juni 2004 05:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

I'm curious, do you have any more details?

-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security


don't use the Restricted Groups feature on domain groups, especially
domain admins. This has caused various issues for companies and thus
they've backed away from this approach.  However, using restricted
groups on member servers and clients works well. 

\Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Donnerstag, 10. Juni 2004 19:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

If you want to make sure that no one is added to the group you could
make the group a Restricted Group via a GPO.

If you want to know when a user is added to the group, you could use a
GPO to turn on auditing of Account Management but then you would have
to search the audit logs of all of the DCs in the domain to find the
activity.

Or you could write a script that looked at the group membership and
compared it with a pre-determined list. Then execute the script on a
schedule of your choice.

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admin Group has a user added to it or at
least have that operation audited, is there anyway to perform this with
GPO
or something built into win2k server.

Thanks,
Aaron Visser



RE: [ActiveDir] Security

2004-06-10 Thread Passo, Larry
If you want to make sure that no one is added to the group you could
make the group a Restricted Group via a GPO.

If you want to know when a user is added to the group, you could use a
GPO to turn on auditing of Account Management but then you would have
to search the audit logs of all of the DCs in the domain to find the
activity.

Or you could write a script that looked at the group membership and
compared it with a pre-determined list. Then execute the script on a
schedule of your choice.

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admin Group has a user added to it or at
least have that operation audited, is there anyway to perform this with
GPO
or something built into win2k server.

Thanks,
Aaron Visser



RE: [ActiveDir] Security

2004-06-10 Thread Free, Bob
We have some homegrown stuff that monitors specified groups and sends an
email nightly if anything changes. Been doing that for quite sometime.

An example of one easy approach is at

http://www.winnetmag.com/WindowsScripting/Article/ArticleID/38400/38400.html

Sure you can audit it with built in auditing, dump the logs and scrape
out the info you need.

Also have seen examples of WMI sinks to monitor in real time

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Thursday, June 10, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admin Group has a user added to it or at
least have that operation audited, is there anyway to perform this with
GPO
or something built into win2k server.

Thanks,
Aaron Visser

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
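The two approaches Larry and Bob describe (a scheduled script that compares group membership with a pre-determined list, and Account Management auditing searched across every DC), as an added Python example that is not code from the thread. The export format, domain, account names and event text are constructed for the example; event IDs 632/636/660 are the Windows 2000/2003 "member added" audit events for global, local and universal security groups.

```python
"""Added example, not code from the thread: a baseline diff for privileged
groups (the scheduled-script approach) and a scan of a merged Account
Management audit export for "member added" events (the auditing approach).
The export format, domain, accounts and event text below are constructed."""
import re
from dataclasses import dataclass

# Groups the thread is worried about; matched case-insensitively.
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Windows 2000/2003 security log "member added" event IDs:
#   632 security-enabled global group, 636 local group, 660 universal group.
MEMBER_ADDED_EVENT_IDS = {632, 636, 660}

# Event description fields we care about (tab-separated in the export).
FIELD_RE = re.compile(
    r"(Target Account Name|Member Name|Caller User Name):\s*([^\t]*)")


@dataclass(frozen=True)
class MemberAdded:
    when: str
    dc: str
    event_id: int
    group: str
    member: str
    caller: str


def diff_membership(baseline, current):
    """Return (added, removed): members present now but not in the approved
    baseline, and approved members that have gone missing. Names compare
    case-insensitively but are reported as found."""
    base = {m.casefold(): m for m in baseline}
    now = {m.casefold(): m for m in current}
    added = sorted(now[k] for k in now.keys() - base.keys())
    removed = sorted(base[k] for k in base.keys() - now.keys())
    return added, removed


def parse_export_line(line):
    """Parse one export line: time<TAB>dc<TAB>event_id<TAB>description.
    Returns None for malformed lines or events without a target group."""
    parts = line.rstrip("\r\n").split("\t", 3)
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    when, dc, event_id, description = parts
    fields = dict(FIELD_RE.findall(description))
    if "Target Account Name" not in fields:
        return None
    return MemberAdded(when, dc, int(event_id),
                       fields["Target Account Name"].strip(),
                       fields.get("Member Name", "").strip(),
                       fields.get("Caller User Name", "").strip())


def scan_audit_export(lines, watched=WATCHED_GROUPS):
    """Return "member added" events whose target group is watched. A change is
    logged only on the DC that processed it, so merge every DC's log first."""
    watched_cf = {g.casefold() for g in watched}
    return [e for e in map(parse_export_line, lines)
            if e is not None and e.event_id in MEMBER_ADDED_EVENT_IDS
            and e.group.casefold() in watched_cf]


def build_report(added, removed, hits):
    """Lines for the nightly e-mail; empty when nothing changed."""
    lines = [f"NOT IN BASELINE: {m}" for m in added]
    lines += [f"MISSING FROM GROUP: {m}" for m in removed]
    lines += [f"{h.when} {h.dc} event {h.event_id}: {h.caller} added "
              f"{h.member} to {h.group}" for h in hits]
    return lines


# Constructed sample data (SCHOOL is a fictitious domain).
SAMPLE_BASELINE = ["SCHOOL\\Administrator", "SCHOOL\\avisser"]
SAMPLE_CURRENT = ["SCHOOL\\Administrator", "SCHOOL\\avisser", "SCHOOL\\student42"]
SAMPLE_EXPORT = [
    "2004-06-10 14:02:11\tROOTDC1\t632\tSecurity Enabled Global Group Member Added:"
    "\tMember Name: CN=student42,CN=Users,DC=school,DC=local"
    "\tTarget Account Name: Domain Admins\tCaller User Name: student17",
    "2004-06-10 14:05:40\tROOTDC1\t632\tSecurity Enabled Global Group Member Added:"
    "\tMember Name: CN=jsmith,CN=Users,DC=school,DC=local"
    "\tTarget Account Name: Teachers\tCaller User Name: avisser",
    "2004-06-10 14:07:02\tROOTDC2\t660\tSecurity Enabled Universal Group Member Added:"
    "\tMember Name: CN=student42,CN=Users,DC=school,DC=local"
    "\tTarget Account Name: Schema Admins\tCaller User Name: student17",
    "2004-06-10 14:09:15\tROOTDC1\t633\tSecurity Enabled Global Group Member Removed:"
    "\tMember Name: CN=student42,CN=Users,DC=school,DC=local"
    "\tTarget Account Name: Domain Admins\tCaller User Name: avisser",
    "garbage line without tabs",  # malformed input must be skipped, not crash
]

if __name__ == "__main__":
    added, removed = diff_membership(SAMPLE_BASELINE, SAMPLE_CURRENT)
    for line in build_report(added, removed, scan_audit_export(SAMPLE_EXPORT)):
        print(line)
```

Only additions are flagged; the 633 "Member Removed" event in the sample is deliberately ignored, and a non-watched group (Teachers) produces no report line.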


RE: [ActiveDir] Security

2004-06-10 Thread Grillenmeier, Guido
don't use the Restricted Groups feature on domain groups, especially
domain admins. This has caused various issues for companies and thus
they've backed away from this approach.  However, using restricted
groups on member servers and clients works well. 

\Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Donnerstag, 10. Juni 2004 19:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

If you want to make sure that no one is added to the group you could
make the group a Restricted Group via a GPO.

If you want to know when a user is added to the group, you could use a
GPO to turn on auditing of Account Management but then you would have
to search the audit logs of all of the DCs in the domain to find the
activity.

Or you could write a script that looked at the group membership and
compared it with a pre-determined list. Then execute the script on a
schedule of your choice.

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admin Group has a user added to it or at
least have that operation audited, is there anyway to perform this with
GPO
or something built into win2k server.

Thanks,
Aaron Visser



RE: [ActiveDir] Security

2004-06-10 Thread Passo, Larry
I'm curious, do you have any more details?

-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security


don't use the Restricted Groups feature on domain groups, especially
domain admins. This has caused various issues for companies and thus
they've backed away from this approach.  However, using restricted
groups on member servers and clients works well. 

\Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Donnerstag, 10. Juni 2004 19:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

If you want to make sure that no one is added to the group you could
make the group a Restricted Group via a GPO.

If you want to know when a user is added to the group, you could use a
GPO to turn on auditing of Account Management but then you would have
to search the audit logs of all of the DCs in the domain to find the
activity.

Or you could write a script that looked at the group membership and
compared it with a pre-determined list. Then execute the script on a
schedule of your choice.

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admin Group has a user added to it or at
least have that operation audited, is there anyway to perform this with
GPO
or something built into win2k server.

Thanks,
Aaron Visser



Re: [ActiveDir] Security

2004-06-10 Thread Aaron Visser
More Details
Win2k Servers 1 Root Server with another one for redundancy, 1 ISA Server, 1
Server for Teacher Data, 1 Server for Student Data
Win2003 Servers 1 for Office Staff

And the fun begins,
Well the biggest problem I am faced with is that the users (Students) ON the
network are constantly trying to break in or crash the Servers. They are
relentless; somehow yesterday (I have no idea how) they had managed to add
accounts to the Domain Admin Group, the Schema Admins and the Enterprise
Admins. The accounts they have added have been removed but again today I
encountered two new instances of users being added to the Domain Admin
group. I am following this as closely as I can, checking the groups every
10-15 minutes, but that becomes very tedious and a real pain in the ... so I was
wondering if I could be notified of such things happening rather than have
to find out the hard way. I did the GPO thing of Restricting Groups and I
restricted the mentioned groups but I am pretty sure I shouldn't have done
that as now all my Admin groups are Restricted (Domain Admins, Schema Admins,
Enterprise Admins). I just want to make it a few more weeks until the end of
the School year so I can rebuild the entire network with new servers etc.
(I inherited it about a month ago).

Any help or insight or just thoughts on the whole situation is appreciated

Thanks to everyone,

Aaron Visser



 From: Passo, Larry [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date: Thu, 10 Jun 2004 20:37:24 -0700
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 I'm curious, do you have any more details?
 
 -Original Message-
 From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 10, 2004 2:47 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 
 don't use the Restricted Groups feature on domain groups, especially
 domain admins. This has caused various issues for companies and thus
 they've backed away from this approach.  However, using restricted
 groups on member servers and clients works well.
 
 \Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
 Sent: Donnerstag, 10. Juni 2004 19:38
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Security
 
 If you want to make sure that no one is added to the group you could
 make the group a Restricted Group via a GPO.
 
 If you want to know when a user is added to the group, you could use a
 GPO to turn on auditing of Account Management but then you would have
 to search the audit logs of all of the DCs in the domain to find the
 activity.
 
 Or you could write a script that looked at the group membership and
 compared it with a pre-determined list. Then execute the script on a
 schedule of your choice.
 
 -Original Message-
 From: Aaron Visser [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 10, 2004 9:51 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Security
 
 I need to know when the Domain Admin Group has a user added to it or at
 least have that operation audited, is there anyway to perform this with
 GPO
 or something built into win2k server.
 
 Thanks,
 Aaron Visser
 


RE: [ActiveDir] Security and AD

2004-03-24 Thread Jimmy Andersson
These articles might help:

A List of the Windows 2000 Domain Controller Default Ports:
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q289241

AD Replication over Firewalls by Steve Riley,
http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp

FYI:
Q224196 - Restricting AD Replication Traffic to a Specific Port.
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q224196

Q179442 - How to Configure a Firewall for Domains and Trusts.
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q179442

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gagnesh Kumar
Sent: Wednesday, March 24, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Security and AD

Hi,
  I want to run AD behind a firewall.Can someone please suggest what
ports should I leave open so that all the clients to my AD can access it
successfully?
Any help would be greatly appreciated.
Thanks and regards,
Gagnesh


RE: [ActiveDir] security event log audits

2004-03-17 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
I also wrote a lot of things many years ago ;-)  I'd still have a closer
look at MACS today...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of stefano tufillaro
Sent: Dienstag, 16. März 2004 20:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits

I wrote it four years ago.

A Windows NT Service on every machine sends the information (every eventlog
section) to an ODBC-connected database
(Oracle, MSSQLServer, DB2, MySQL etc.)

I also wrote the administrative client to set up, install, modify the
configuration and interrogate the database, produce reports (Crystal, Html,
PDF etc.) and also send scripts as well as programs to modify the system
from a remote location.


From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits
Date: Tue, 16 Mar 2004 19:40:02 +0100

MACS (MS Audit Collector System) will do all of that for you and likely
much more efficient than what you'd do yourself (and more secure as well) -
should be released soon (I think with 2003 SP1)

/Guido


From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Dienstag, 16. März 2004 19:18
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security event log audits



Has anyone had success putting together something home-grown to centralize
security event logs into a sql database? If so, I wanted to get some tips on
how the tables should be set up - can all events that are captured in the
security log be placed in the same table, or do different events have their
own structure and would have to go into separate tables?

Also, I'm familiar with EventCombMT and eldump - are there any other tools I
should be considering to pull the data? I'm assuming I'll need to use
something like one of those to act as the middleware between the logs and
the database.



Thanks...



Mark Creamer

Systems Engineer

Cintas Corporation

Honesty and Integrity in Everything We Do






RE: [ActiveDir] security event log audits

2004-03-17 Thread joe
I wrote a nice little fortune cookie program years ago for when your PC
starts up, however I am still planning on looking at MACS. :o) 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wednesday, March 17, 2004 2:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits

I also wrote a lot of things many years ago ;-)  I'd still have a closer
look at MACS today...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of stefano tufillaro
Sent: Dienstag, 16. März 2004 20:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits

I wrote it four years ago.

A Windows NT Service on every machine sends the information (every eventlog
section) to an ODBC-connected database (Oracle, MSSQLServer, DB2, MySQL
etc.)

I also wrote the administrative client to set up, install, modify the
configuration and interrogate the database, produce reports (Crystal, Html,
PDF etc.) and also send scripts as well as programs to modify the system
from a remote location.


From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits
Date: Tue, 16 Mar 2004 19:40:02 +0100

MACS (MS Audit Collector System) will do all of that for you and likely 
much more efficient than what you'd do yourself (and more secure as 
well) - should be released soon (I think with 2003 SP1)

/Guido


From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Dienstag, 16. März 2004 19:18
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security event log audits



Has anyone had success putting together something home-grown to 
centralize security event logs into a sql database? If so, I wanted to 
get some tips on how the tables should be set up - can all events that 
are captured in the security log be placed in the same table, or do 
different events have their own structure and would have to go into 
separate tables?



Also, I'm familiar with EventCombMT and eldump - are there any other 
tools I should be considering to pull the data? I'm assuming I'll need 
to use something like one of those to act as the middleware between the 
logs and the database.



Thanks...



Mark Creamer

Systems Engineer

Cintas Corporation

Honesty and Integrity in Everything We Do






RE: [ActiveDir] security event log audits

2004-03-16 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
MACS (MS Audit Collector System) will do all of that for
you and likely much more efficient than what you'd do yourself (and more secure
as well) - should be released soon (I think with 2003 SP1)

/Guido


From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Dienstag, 16. März 2004 19:18
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security event log audits


Has anyone had success putting together something home-grown to centralize
security event logs into a sql database? If so, I wanted to get some tips on
how the tables should be set up - can all events that are captured in the
security log be placed in the same table, or do different events have their
own structure and would have to go into separate tables?

Also, I'm familiar with EventCombMT and eldump - are there any other tools I
should be considering to pull the data? I'm assuming I'll need to use
something like one of those to act as the middleware between the logs and
the database.

Thanks...

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do



RE: [ActiveDir] security event log audits

2004-03-16 Thread Creamer, Mark
Ahhh... I forgot about that coming.
Thanks Guido!

mc

-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 1:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits



MACS (MS Audit Collector System) will do all of that for you and likely much
more efficient than what you'd do yourself (and more secure as well) - should
be released soon (I think with 2003 SP1)

/Guido


From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Dienstag, 16. März 2004 19:18
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security event log audits

Has anyone had success putting together something home-grown to centralize
security event logs into a sql database? If so, I wanted to get some tips on
how the tables should be set up - can all events that are captured in the
security log be placed in the same table, or do different events have their
own structure and would have to go into separate tables?

Also, I'm familiar with EventCombMT and eldump - are there any other tools I
should be considering to pull the data? I'm assuming I'll need to use
something like one of those to act as the middleware between the logs and
the database.

Thanks...

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do

RE: [ActiveDir] security event log audits

2004-03-16 Thread Celone, Mike



Will this work for Win2k servers also?

Mike


From: GRILLENMEIER,GUIDO (HP-Germany,ex1) 
[mailto:[EMAIL PROTECTED] Sent: Tuesday, March 16, 2004 1:40 
PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] 
security event log audits

MACS (MS Audit Collector System) will do all of that for 
you and likely much more efficient than what you'd do yourself (and more secure 
as well) - should be released soon (I think with 2003 SP1)

/Guido


From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 16 March 2004 19:18
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security event log audits


Has anyone had success putting 
together something home-grown to centralize security event logs into a sql 
database? If so, I wanted to get some tips on how the tables should be set up - 
can all events that are captured in the security log be placed in the same 
table, or do different events have their own structure and would have to go into 
separate tables?

Also, I'm familiar with EventCombMT 
and eldump - are there any other tools I should be considering to pull the data? 
I'm assuming I'll need to use something like one of those to act as the 
middleware between the logs and the database.

Thanks...

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do



RE: [ActiveDir] security event log audits

2004-03-16 Thread Lou Vega
Short answer: Yes 

More detailed info:
http://www.windowsboston.com/downloads/doc/MACS_beta_Overview.doc

Hope that helps :)

r/
Lou



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Tuesday, March 16, 2004 1:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] security event log audits

Will this work for Win2k servers also?
 
Mike


From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 1:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits
MACS (MS Audit Collector System) will do all of that for you and likely much
more efficient than what you'd do yourself (and more secure as well) -
should be released soon (I think with 2003 SP1)
 
/Guido


From: Creamer, Mark [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 16 March 2004 19:18
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security event log audits
Has anyone had success putting together something home-grown to centralize
security event logs into a sql database? If so, I wanted to get some tips on
how the tables should be set up - can all events that are captured in the
security log be placed in the same table, or do different events have their
own structure and would have to go into separate tables?
 
Also, I'm familiar with EventCombMT and eldump - are there any other tools I
should be considering to pull the data? I'm assuming I'll need to use
something like one of those to act as the middleware between the logs and
the database.
 
Thanks...
 
Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] security event log audits

2004-03-16 Thread stefano tufillaro
I wrote it four years ago.

A Windows NT service on every machine sends the information (every event log
section) to an ODBC-connected database (Oracle, MS SQL Server, DB2, MySQL, etc.).

I also wrote the administrative client to set up, install and modify the
configuration, interrogate the database, produce reports (Crystal, HTML,
PDF, etc.) and also send scripts, as well as a program, to modify the system
from a remote location.


From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits
Date: Tue, 16 Mar 2004 19:40:02 +0100

MACS (MS Audit Collector System) will do all of that for you and likely much
more efficiently than what you'd do yourself (and more secure as well) -
should be released soon (I think with 2003 SP1)

/Guido

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 16 March 2004 19:18
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security event log audits


Has anyone had success putting together something home-grown to centralize
security event logs into a sql database? If so, I wanted to get some tips on
how the tables should be set up - can all events that are captured in the
security log be placed in the same table, or do different events have their
own structure and would have to go into separate tables?

Also, I'm familiar with EventCombMT and eldump - are there any other tools I
should be considering to pull the data? I'm assuming I'll need to use
something like one of those to act as the middleware between the logs and
the database.



Thanks...

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
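
Mark's question of whether every security event can live in one table comes up with any home-grown collector. The usual answer, shown here as an added example rather than anything from the thread, MACS or Stefano's service, is two tables: one row per event for the fields every record shares (time, computer, source, event ID, type, category, user) and a child table holding the event's insertion strings by position, so 528, 529 and 644 records with different payloads use one schema. It runs against constructed dumpel-style tab-separated lines (invented data; the column order and the position of the account name in a 529 record are assumptions about the dumpel layout) and uses SQLite as a stand-in for the SQL Server the collector would target.

```python
import sqlite3
from datetime import datetime

# Constructed sample in a dumpel-style tab-separated layout (date, time, type,
# category, event ID, source, user, computer, then the insertion strings).
# The lines are invented for this example; they are not real log data.
SAMPLE_DUMP = """\
9/24/2003\t10:02:11\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tDC01\tjdoe\tCORP\t2\tUser32\tNegotiate\tWS042
9/24/2003\t10:02:15\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tDC01\tjdoe\tCORP\t2\tUser32\tNegotiate\tWS042
9/24/2003\t10:02:19\t8\t7\t644\tSecurity\tNT AUTHORITY\\SYSTEM\tDC01\tjdoe\t%{S-1-5-21-111-222-333-1105}\tWS042
9/24/2003\t10:03:40\t8\t2\t528\tSecurity\tNT AUTHORITY\\SYSTEM\tDC01\tasmith\tCORP\t2\tUser32\tNegotiate\tWS017
"""

# One row per event for the fields every record has; the variable-length
# insertion strings go to a child table keyed by position, so event types
# with different payloads share a single schema.
SCHEMA = """
CREATE TABLE events (
    id          INTEGER PRIMARY KEY,
    logged_at   TEXT    NOT NULL,
    computer    TEXT    NOT NULL,
    source      TEXT    NOT NULL,
    event_id    INTEGER NOT NULL,
    event_type  INTEGER NOT NULL,
    category    INTEGER,
    log_user    TEXT
);
CREATE TABLE event_strings (
    event_pk    INTEGER NOT NULL REFERENCES events(id),
    position    INTEGER NOT NULL,
    value       TEXT,
    PRIMARY KEY (event_pk, position)
);
CREATE INDEX ix_events_id_time ON events (event_id, logged_at);
"""


def parse_dump(text):
    """Split dumpel-style lines into the fixed fields plus a list of insertion strings."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        date, time_, etype, cat, eid, source, user, computer = cols[:8]
        records.append({
            "logged_at": datetime.strptime(f"{date} {time_}", "%m/%d/%Y %H:%M:%S").isoformat(sep=" "),
            "computer": computer,
            "source": source,
            "event_id": int(eid),
            "event_type": int(etype),
            "category": int(cat),
            "log_user": user,
            "strings": cols[8:],          # whatever the event type carries
        })
    return records


def load(conn, records):
    """Insert each record and its strings; the parent row's key ties them together."""
    cur = conn.cursor()
    for r in records:
        cur.execute(
            "INSERT INTO events (logged_at, computer, source, event_id, event_type, category, log_user) "
            "VALUES (?, ?, ?, ?, ?, ?, ?)",
            (r["logged_at"], r["computer"], r["source"], r["event_id"],
             r["event_type"], r["category"], r["log_user"]))
        pk = cur.lastrowid
        cur.executemany("INSERT INTO event_strings (event_pk, position, value) VALUES (?, ?, ?)",
                        [(pk, i, s) for i, s in enumerate(r["strings"])])
    conn.commit()


def build_db(dump_text):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    load(conn, parse_dump(dump_text))
    return conn


def failed_logons_by_account(conn):
    """Count 529 (logon failure) events per account; the account name is the
    first insertion string of a 529 record in the constructed sample."""
    rows = conn.execute("""
        SELECT s.value, COUNT(*)
        FROM events e
        JOIN event_strings s ON s.event_pk = e.id AND s.position = 0
        WHERE e.event_id = 529
        GROUP BY s.value""").fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = build_db(SAMPLE_DUMP)
    for account, n in failed_logons_by_account(db).items():
        print(f"{account}: {n} failed logons")
```

Queries that need a specific string (who locked out whom, from which workstation) join on `position`, which keeps the per-event-type knowledge in the reporting layer instead of in dozens of tables; the same split works for the Application and System logs if the collector pulls those too.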


Re: [ActiveDir] Security Concerns With Creating a Secondary DNS Zone

2003-11-17 Thread rrutherford

I would ask them their reasons and then post them here...

I can't think of any real reasons as long as your servers are sat internally
and talk on your private WAN?

Rob

From: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security Concerns With Creating a Secondary DNS Zone
Date: 17/11/2003 16:45

Hi,

Are there any security concerns or issues with creating a secondary DNS
zone and doing Zone transfer?   If you have a root Windows 2000 domain in a
different country and want to create a secondary zone for the root domain
in the US, what are the security issues associated with the configuration?
If the security department is not allowing the creation of a secondary zone
because of Security reasons, what would be those reasons?

Any input would be really appreciated.

Thanks,
Santhosh

RE: [ActiveDir] Security Concerns With Creating a Secondary DNS Zone

2003-11-17 Thread Robbie Allen
As long as this is on the intranet and you restrict the IPs that can perform
zone transfers, there should be no security problems.  That's not to say
your security team can't invent a problem :-)

Regards,
Robbie Allen
http://www.rallenhome.com/
http://www.rallenhome.com/blog/adcookbook/ 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Monday, November 17, 2003 11:49 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Security Concerns With Creating a 
 Secondary DNS Zone
 
 
 I would ask them their reasons and then post them here...
 
 I can't think of any real reasons as long as your servers are 
 sat internally and talk on your private WAN?
 
 Rob
 
 From: [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Security Concerns With Creating a Secondary DNS Zone
 Date: 17/11/2003 16:45
 
 Hi,
 
 Are there any security concerns or issues with creating a 
 secondary DNS zone and doing Zone transfer?   If you have a root Windows 
 2000 domain in a different country and want to create a secondary zone for 
 the root domain in the US, what are the security issues 
 associated with the configuration?
 If the security department is not allowing the creation of a 
 secondary zone because of Security reasons, what would be 
 those reasons?
 
 Any input would be really appreciated.
 
 Thanks,
 Santhosh
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
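
Robbie's condition, restricting which IPs may pull the zone, is easy to state and easy to get wrong on one DC out of several, so the check a security team would actually want is to ask for the transfer from a host that is not on the list and confirm it is refused. The probe below is an added example, not something from the thread: it builds a single AXFR question per RFC 1035, sends it over TCP with the two-byte length prefix, and classifies the first reply message by its RCODE. A `REFUSED` is the healthy answer; `TRANSFER-ALLOWED` means the server has started handing out every record in the zone. The server and zone names in `main` are placeholders.

```python
import socket
import struct

# Wire-format constants from RFC 1035.
QTYPE_AXFR = 252
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels ending in a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, qid=0x1234):
    """12-byte header (flags 0: plain query, no RD) followed by one AXFR question."""
    header = struct.pack(">HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)


def classify_response(msg, expected_id):
    """Read only the header of the first reply message and say what it means."""
    if len(msg) < 12:
        return "malformed"
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if qid != expected_id:
        return "id-mismatch"           # not the answer to our question
    if not flags & 0x8000:
        return "malformed"             # QR bit clear: this is not a response
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "TRANSFER-ALLOWED"      # the server started handing over the zone
    if rcode == 0:
        return "NOERROR-EMPTY"
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_axfr(server, zone, timeout=5.0, qid=0x1234):
    """Send one AXFR over TCP (length-prefixed, RFC 1035 4.2.2) and classify the first reply."""
    query = build_axfr_query(zone, qid)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack(">H", len(query)) + query)
        (length,) = struct.unpack(">H", _recv_exact(sock, 2))
        return classify_response(_recv_exact(sock, length), qid)


if __name__ == "__main__":
    import sys
    # Placeholder names: run this from a host that is NOT an authorised secondary.
    server = sys.argv[1] if len(sys.argv) > 1 else "dc01.corp.example"
    zone = sys.argv[2] if len(sys.argv) > 2 else "corp.example"
    print(f"AXFR {zone} @ {server}: {probe_axfr(server, zone)}")
```

Run it against every DNS server that is authoritative for the root zone, from the new US secondary (should succeed) and from an ordinary workstation (should be refused). On the Windows DNS console the list lives on the zone's Zone Transfers tab; a server still set to allow transfers to any server is the usual reason the probe comes back `TRANSFER-ALLOWED`.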


RE: [ActiveDir] Security Logs

2003-09-25 Thread Steve Rochford
I think I'd create a web page which uses WMI to query the logs and
displays (say) the last half hour's data or asks for a username and then
shows the data relevant to that user - a quick google gives
http://www.eggheadcafe.com/articles/20010614a.asp which looks like a
good starting point.

Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 24 September 2003 16:15
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Security Logs


This is my first posting so please be gentle.


We have an empty root then a single domain under the empty root.  We
have separate companies that have their own ou within this domain.  One
of the companies is requesting access to the Security log on the domain
controllers so that they can see why users have been locked out of their
account.  We do have auditing enabled with the following settings:
Audit account logon events - Success, Failure
Audit account management - Success, Failure
Audit directory service access - Failure
Audit logon events - Success, Failure
Audit object access - Failure
Audit policy change - Success, Failure
Audit privilege use - Failure
Audit process tracking - No auditing
Audit system events - Success, Failure


1.  To me this would seem to be a security risk to allow read access to
the security logs but I have to justify this.  Is there information
within the log file that could be extracted and used to do harm?  Does
anybody have any ammo related to this?

2.  Is there even a way to allow real time read access to the security
logs in a windows 2000 environment without giving them domain admin
access? q323076 pertains to this on windows 2003 but doesn't mention
windows 2000.

3.  If we can give them real time read access to the security log file
is there a way that we could filter out all entries except  the messages
that would pertain to user lock outs?




List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Security Logs

2003-09-25 Thread John Reijnders
Consider using some of the tools in AlTools.exe instead of giving access to
the sec.log.
(http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en)
This contains tools that assist you in managing accounts and in
troubleshooting account lockouts. 

Cheers!
John Reijnders
MCSE Windows Server 2003 

-Original Message-
From: Joe
To: [EMAIL PROTECTED]
Sent: 25-9-2003 3:36
Subject: RE: [ActiveDir] Security Logs

The only way to give out the ability to non-admins to read the security log
in Windows NT or Windows 2000 is to grant the Manage auditing and security
logs security user right. You DO NOT want to do this as it gives the user
the ability to both clear the security log as well as write security events
(i.e. overflow the log). There is supposed to be some enhanced options in
Windows 2003 but I have not had a chance to experiment with that
functionality.

The best you can do is get something that pulls events and collects them
somewhere and allows you to say who can see what. Possibly look into ManageX
or MOM or OpenView or even write your own service or script that constantly
collects events on the machine and sends them back to a collector every 10
minutes or so. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, September 24, 2003 11:15 AM
To: '[EMAIL PROTECTED]'

This is my first posting so please be gentle.


We have an empty root then a single domain under the empty root.  We have
separate companies that have their own ou within this domain.  One of the
companies is requesting access to the Security log on the domain controllers
so that they can see why users have been locked out of their account.  We do
have auditing enabled with the following settings:
Audit account logon events - Success, Failure
Audit account management - Success, Failure
Audit directory service access - Failure
Audit logon events - Success, Failure
Audit object access - Failure
Audit policy change - Success, Failure
Audit privilege use - Failure
Audit process tracking - No auditing
Audit system events - Success, Failure


1.  To me this would seem to be a security risk to allow read access to the
security logs but I have to justify this.  Is there information within the
log file that could be extracted and used to do harm?  Does anybody have any
ammo related to this?

2.  Is there even a way to allow real time read access to the security logs
in a windows 2000 environment without giving them domain admin access?
q323076 pertains to this on windows 2003 but doesn't mention windows 2000.

3.  If we can give them real time read access to the security log file is
there a way that we could filter out all entries except  the messages that
would pertain to user lock outs?




List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Security Logs

2003-09-24 Thread Darren Mar-Elia
James-
I think that the riskiest thing that someone can get out of the security
logs is information on all of the user accounts and groups within your
domain. Since there isn't a way to block this information if they have
access to the live logs, it may not be something the other companies
would look too kindly on. Once you know user accounts, a persistent
ill-intentioned person could try to guess passwords or at the least,
lockout accounts. 

There is a user right in Win2K called Manage auditing and security logs
that appears to give access to the security log without allowing the
ability to clear the log, but again, giving live access to the whole log
may not be a great idea. 

What might be a better idea is do some kind of automated, filtered dump
of the event log data that is specific to just their user accounts and
for a specific event id. You should be able to create a script using
dumpel.exe and maybe some regex scripting to do what you need. 

Darren


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, September 24, 2003 8:15 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Security Logs


This is my first posting so please be gentle.


We have an empty root then a single domain under the empty root.  We
have separate companies that have their own ou within this domain.  One
of the companies is requesting access to the Security log on the domain
controllers so that they can see why users have been locked out of their
account.  We do have auditing enabled with the following settings:
Audit account logon events - Success, Failure
Audit account management - Success, Failure
Audit directory service access - Failure
Audit logon events - Success, Failure
Audit object access - Failure
Audit policy change - Success, Failure
Audit privilege use - Failure
Audit process tracking - No auditing
Audit system events - Success, Failure


1.  To me this would seem to be a security risk to allow read access to
the security logs but I have to justify this.  Is there information
within the log file that could be extracted and used to do harm?  Does
anybody have any ammo related to this?

2.  Is there even a way to allow real time read access to the security
logs in a windows 2000 environment without giving them domain admin
access? q323076 pertains to this on windows 2003 but doesn't mention
windows 2000.

3.  If we can give them real time read access to the security log file
is there a way that we could filter out all entries except  the messages
that would pertain to user lock outs?




List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
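
Darren's alternative to handing out the live log is a filtered dump: only the lockout event, only the requesting company's accounts, built from dumpel output with some regex. The script below is an added example of that shape, not Darren's own; it works on constructed dumpel-style tab-separated lines (invented data, column order assumed), treats event 644 as "User Account Locked Out" as it is on Windows 2000/2003 domain controllers, and takes the list of accounts it may report on as a plain list, which in practice would be the sAMAccountNames found under that company's OU. Everything that is not a 644 for a listed account, including the 529 failures that would reveal every account name in the domain, never reaches the output.

```python
import re

# Constructed dumpel-style lines (tab-separated; invented, not real log data).
# On Windows 2000/2003, event 644 is "User Account Locked Out" and 529 is a
# failed logon. 529 records name accounts from every company in the domain.
SAMPLE_DUMP = """\
9/24/2003\t10:02:11\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tDC01\tbjones\tCORP\t2\tUser32\tNegotiate\tWS099
9/24/2003\t10:02:19\t8\t7\t644\tSecurity\tNT AUTHORITY\\SYSTEM\tDC01\tjdoe\t%{S-1-5-21-111-222-333-1105}\tWS042\tDC01$\tCORP
9/24/2003\t10:05:02\t8\t7\t644\tSecurity\tNT AUTHORITY\\SYSTEM\tDC01\tbjones\t%{S-1-5-21-111-222-333-1190}\tWS099\tDC01$\tCORP
"""

# Match only event 644 and pull out the fields the report is allowed to show.
# Column order follows the constructed sample above (an assumption about the
# dumpel layout); the 644 insertion strings used are target account,
# target account ID and caller machine name, in that order.
LOCKOUT = re.compile(
    r"^(?P<date>[^\t]+)\t(?P<time>[^\t]+)\t[^\t]*\t[^\t]*\t644\t"
    r"(?P<source>[^\t]*)\t(?P<user>[^\t]*)\t(?P<dc>[^\t]*)\t"
    r"(?P<target>[^\t]*)\t(?P<target_id>[^\t]*)\t(?P<caller_machine>[^\t]*)"
)


def lockout_report(dump_text, allowed_accounts):
    """Return lockout rows for the given accounts only; everything else is dropped."""
    allowed = {a.lower() for a in allowed_accounts}
    rows = []
    for line in dump_text.splitlines():
        m = LOCKOUT.match(line)
        if not m:
            continue                     # not a 644: 529s etc. never reach the tenant
        if m["target"].lower() not in allowed:
            continue                     # another company's account: withheld
        rows.append({
            "when": f"{m['date']} {m['time']}",
            "dc": m["dc"],
            "account": m["target"],
            "caller_machine": m["caller_machine"],
        })
    return rows


def format_report(rows):
    """Fixed-column text suitable for dropping on a share the tenant can read."""
    lines = [f"{'When':<20} {'DC':<8} {'Account':<16} Locked out from"]
    lines += [f"{r['when']:<20} {r['dc']:<8} {r['account']:<16} {r['caller_machine']}"
              for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    # In production this list comes from the company's OU (for example an LDAP
    # query for sAMAccountName under OU=CompanyA); here it is a constructed literal.
    company_a_accounts = ["jdoe", "asmith"]
    print(format_report(lockout_report(SAMPLE_DUMP, company_a_accounts)))
```

Scheduling this on a collector that already pulls the DC logs, rather than on the DCs, keeps the requesting company away from the raw log and away from the Manage auditing and security logs right Joe warns about; the caller machine name is usually what they need to find the stale credential that keeps locking the account.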


RE: [ActiveDir] Security Logs

2003-09-24 Thread Joe
The only way to give out the ability to non-admins to read the security log
in Windows NT or Windows 2000 is to grant the Manage auditing and security
logs security user right. You DO NOT want to do this as it gives the user
the ability to both clear the security log as well as write security events
(i.e. overflow the log). There is supposed to be some enhanced options in
Windows 2003 but I have not had a chance to experiment with that
functionality.

The best you can do is get something that pulls events and collects them
somewhere and allows you to say who can see what. Possibly look into ManageX
or MOM or OpenView or even write your own service or script that constantly
collects events on the machine and sends them back to a collector every 10
minutes or so. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 24, 2003 11:15 AM
To: '[EMAIL PROTECTED]'

This is my first posting so please be gentle.


We have an empty root then a single domain under the empty root.  We have
separate companies that have their own ou within this domain.  One of the
companies is requesting access to the Security log on the domain controllers
so that they can see why users have been locked out of their account.  We do
have auditing enabled with the following settings:
Audit account logon events - Success, Failure
Audit account management - Success, Failure
Audit directory service access - Failure
Audit logon events - Success, Failure
Audit object access - Failure
Audit policy change - Success, Failure
Audit privilege use - Failure
Audit process tracking - No auditing
Audit system events - Success, Failure


1.  To me this would seem to be a security risk to allow read access to the
security logs but I have to justify this.  Is there information within the
log file that could be extracted and used to do harm?  Does anybody have any
ammo related to this?

2.  Is there even a way to allow real time read access to the security logs
in a windows 2000 environment without giving them domain admin access?
q323076 pertains to this on windows 2003 but doesn't mention windows 2000.

3.  If we can give them real time read access to the security log file is
there a way that we could filter out all entries except  the messages that
would pertain to user lock outs?




List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



Re: [ActiveDir] security templates

2003-02-26 Thread Graham Turner
Have reviewed these templates

seem to have addressed the issue of services that have been introduced by
SP3 such as BITS ..

my only point would be the relation of these templates to those issued as
part of the security operations guidelines from Microsoft

ie.

1. version control of these templates is not consistent.

2. more importantly - seem to have some other inconsistencies - for example
in the time between issuance of the two sets of templates MS have decided
that baseline security event log should be set to max size of 180 or so
MB where before 10 MB was deemed adequate - seem to have changed their minds over
AuditLogRetentionPeriod

not major i guess in the context of an entire w2k installation but am just
reflecting on the inconsistencies from an initial comparison of the 2 sets
of templates



views would be gladly received for further discussion

GT



- Original Message -
From: Free, Bob [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 6:00 PM
Subject: RE: [ActiveDir] security templates


  very keen to leverage the templates for baselining DC
  security and configuration distributed with the MS security
  operations guide,
 
  it would seem that these would have been developed certainly
  before SP3 (w2k by the way) which seems to have introduced a
  number of additional services eg

The new Securing Windows 2000 Server solution is now available and contains
a number of new templates:

MSS Baseline.inf
MSS DCBaseline Role.inf
MSS Domain.inf
MSS FilePrint Role.inf
MSS IIS Role.inf
MSS Infrastructure Role.inf
MSS Optional File System ACLs.inf

Since the original question was about services included in SP3, I took a
quick glance and, BITS, for example is accounted for in the template
framework.

Download-
http://microsoft.com/downloads/details.aspx?FamilyId=9964CF42-E236-4D73-AEF4-7B4FDC0A25F6&displaylang=en

Guide-
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
prodtech/windows/secwin2k/default.asp



-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 3:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates


Thanks, Bob!  ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone





 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
 Sent: Tuesday, February 18, 2003 5:26 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] security templates


 Funny, I was just looking at those :-]

 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp

 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, February 18, 2003 3:22 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] security templates


 Graham,

 Though I don't have a link to them in front of me at the
 moment, as you might recall, Microsoft submitted for and
 passed the Common Criteria. Microsoft (via SAIC) published a
 configuration and an administration guide that is a bit more
 current with templates, et. al.  Look into those for your
 Security Configuration guidelines, in conjunction with the
 SecOps guides.

 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone





  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
 Graham Turner
  Sent: Tuesday, February 18, 2003 3:08 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] security templates
 
 
  very keen to leverage the templates for baselining DC
  security and configuration distributed with the MS security
  operations guide,
 
  it would seem that these would have been developed certainly
  before SP3 (w2k by the way) which seems to have introduced a
  number of additional services eg
 
  Automatic updates
  Background Intelligent transfer service
 
  would anyone have a reference on what additional services are
  added to the base w2k distribution and IDEALLY (says he being
  a bit lazy !!) updated revisions of the security templates to
  reflect a SP3 installation -
 
  if not i guess off to MMC i go !!!
 
  GT
 
 
  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: http://www.activedir.org/list_faq.htm
  List archive:
  http://www.mail-archive.com/activedir%40mail.activedir.org/
 


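
Graham's comparison of the two template sets is the kind of thing worth scripting once there are seven MSS .inf files and an older SecOps set to line up. The script below is an added example, not something from the thread or from the Microsoft guides: it parses two security templates with the standard library's INI reader (the .inf format secedit and the Security Templates snap-in use is INI-shaped) and lists every setting that differs or is present in only one of them. The two template fragments are constructed; the section and setting names are the real ones, the values are invented to mirror the 10 MB versus roughly 180 MB log size point.

```python
import configparser

# Two constructed security template fragments in the .inf layout used by
# secedit and the Security Templates snap-in. Section and setting names are the
# real ones; the values are invented to mirror the 10 MB vs ~180 MB point.
SECOPS_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents=3
AuditAccountLogon=3
AuditObjectAccess=2
[Security Log]
MaximumLogSize=10240
AuditLogRetentionPeriod=1
RetentionDays=7
RestrictGuestAccess=1
[Service General Setting]
BITS=4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"""

MSS_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents=3
AuditAccountLogon=3
AuditObjectAccess=2
AuditDSAccess=2
[Security Log]
MaximumLogSize=184320
AuditLogRetentionPeriod=0
RestrictGuestAccess=1
[Service General Setting]
BITS=3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"""

# Sections whose differences matter when lining up two baselines.
COMPARE_SECTIONS = ("System Access", "Event Audit", "Security Log", "System Log",
                    "Application Log", "Registry Values", "Service General Setting")


def load_template(text):
    """Parse .inf text into {section: {setting: value}} keeping key case and raw values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                 # keep AuditLogonEvents, not auditlogonevents
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def compare_templates(old, new, sections=COMPARE_SECTIONS):
    """List (section, setting, old_value, new_value) for every setting that differs;
    None on either side means the setting is absent from that template."""
    diffs = []
    for section in sections:
        a, b = old.get(section, {}), new.get(section, {})
        for key in sorted(set(a) | set(b)):
            if a.get(key) != b.get(key):
                diffs.append((section, key, a.get(key), b.get(key)))
    return diffs


def security_log_size_mb(template):
    """MaximumLogSize is stored in KB (event log sizes go in 64 KB steps)."""
    return int(template["Security Log"]["MaximumLogSize"]) // 1024


if __name__ == "__main__":
    secops, mss = load_template(SECOPS_TEMPLATE), load_template(MSS_TEMPLATE)
    for section, key, old, new in compare_templates(secops, mss):
        print(f"[{section}] {key}: {old!r} -> {new!r}")
    print(f"Security log: {security_log_size_mb(secops)} MB -> {security_log_size_mb(mss)} MB")
```

Real templates on disk are UTF-16 (the `[Unicode]` header says so), so read them with `open(path, encoding="utf-16")` before passing the text in. A `None` on the new side flags a setting the newer guide silently dropped, such as `RetentionDays` once retention changes to overwrite-as-needed, which is exactly the sort of drift Graham is describing.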

RE: [ActiveDir] security templates

2003-02-25 Thread Free, Bob
  very keen to leverage the templates for baselining DC
  security and configuration distributed with the MS security 
  operations guide,
  
  it would seem that these would have been developed certainly
  before SP3 (w2k by the way) which seems to have introduced a 
  number of additional services eg

The new Securing Windows 2000 Server solution is now available and contains a number 
of new templates:

MSS Baseline.inf
MSS DCBaseline Role.inf
MSS Domain.inf
MSS FilePrint Role.inf
MSS IIS Role.inf
MSS Infrastructure Role.inf
MSS Optional File System ACLs.inf

Since the original question was about services included in SP3, I took a quick glance 
and, BITS, for example is accounted for in the template framework. 

Download-
http://microsoft.com/downloads/details.aspx?FamilyId=9964CF42-E236-4D73-AEF4-7B4FDC0A25F6&displaylang=en

Guide-
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/secwin2k/default.asp



-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 3:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security templates 


Thanks, Bob!  ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone





 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
 Sent: Tuesday, February 18, 2003 5:26 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] security templates 
 
 
 Funny, I was just looking at those :-]
 
 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp
 
 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, February 18, 2003 3:22 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] security templates 
 
 
 Graham,
 
 Though I don't have a link to them in front of me at the 
 moment, as you might recall, Microsoft submitted for and 
 passed the Common Criteria. Microsoft (via SAIC) published a 
 configuration and an administration guide that is a bit more 
 current with templates, et. al.  Look into those for your 
 Security Configuration guidelines, in conjunction with the 
 SecOps guides.
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
 
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
 Graham Turner
  Sent: Tuesday, February 18, 2003 3:08 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] security templates 
  
  
  very keen to leverage the templates for baselining DC
  security and configuration distributed with the MS security 
  operations guide,
  
  it would seem that these would have been developed certainly
  before SP3 (w2k by the way) which seems to have introduced a 
  number of additional services eg
  
  Automatic updates
  Background Intelligent transfer service
  
  would anyone have a reference on what additional services are
  added to the base w2k distribution and IDEALLY (says he being 
  a bit lazy !!) updated revisions of the security templates to 
  reflect a SP3 installation -
  
  if not i guess off to MMC i go !!!
  
  GT
  
  
  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: http://www.activedir.org/list_faq.htm
  List archive:
  http://www.mail-archive.com/activedir%40mail.activedir.org/
  
 
 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] security templates

2003-02-25 Thread Graham Turner
Thanks too from me !!!

will review these tomorrow

settling down to watch 2nd half of Juve / Man utd

3-0 to Man U if you can believe that !

GT

- Original Message -
From: Free, Bob [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 6:00 PM
Subject: RE: [ActiveDir] security templates


  very keen to leverage the templates for baselining DC
  security and configuration distributed with the MS security
  operations guide,
 
  it would seem that these would have been developed certainly
  before SP3 (w2k by the way) which seems to have introduced a
  number of additional services eg

The new Securing Windows 2000 Server solution is now available and contains
a number of new templates:

MSS Baseline.inf
MSS DCBaseline Role.inf
MSS Domain.inf
MSS FilePrint Role.inf
MSS IIS Role.inf
MSS Infrastructure Role.inf
MSS Optional File System ACLs.inf

Since the original question was about services included in SP3, I took a
quick glance and, BITS, for example is accounted for in the template
framework.

Download-
http://microsoft.com/downloads/details.aspx?FamilyId=9964CF42-E236-4D73-AEF4-7B4FDC0A25F6&displaylang=en

Guide-
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
prodtech/windows/secwin2k/default.asp



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] security templates

2003-02-23 Thread Graham Turner
Dear All, have rather belatedly got to this.  Thanks for the posted replies
on this.

this looks an excellent reference.

it would seem that these are later versions of the templates made available
through the security operations guide.

could anyone point us to a URL where these are available for download

am just reviewing the high security DC templates - I see that the user
rights assignment references what i would assume to be well known SIDs

would anyone perhaps be able to point me to a reference where these are
documented ??

Thanks for your help

GT

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] security templates

2003-02-23 Thread Rick Kingslan
Graham,

If there are versions of the templates that have been made available
since those initial ones, I'm unaware of them.

As to the SIDs, as I recall, you're correct - they are well-known
principals, users and groups both.  I've seen these documented numerous
places, but I can't think of one good source off the top of my head.  I
typically use SIDToNAME, coded by another MVP, Joe Richards - and
available at his site www.joeware.net

On a whim, I did a quick check on the MS Knowledgebase and found this.
It's pretty complete and should help:
http://mvp.support.microsoft.com/default.aspx?scid=kb;en-us;243330

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



  
  
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
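Two points in this thread lend themselves to a worked example: Bob's note that services such as BITS are accounted for in the service settings of the MSS templates, and Rick's answer that the entries under user rights assignment are well-known SIDs (the ones KB 243330 documents). What follows is an added example, not code from the thread, from Microsoft, or from the MSS templates: a small Python parser for the security-template .inf format that resolves the `*S-1-5-...` principals in `[Privilege Rights]` against a table of well-known SIDs, reports the start mode of each service listed in `[Service General Setting]`, and decodes the trustees of the allow ACEs in each service's SDDL string. The embedded template is constructed for illustration and is not one of the MSS templates; the SID table and the two-letter SDDL aliases are the standard documented values, and `rights_for` is a helper added here for checking what a given principal (Guests, Everyone) has been granted.

```python
# Added example: parse a security template (.inf) and resolve the well-known
# SIDs and service settings it references. The sample template is constructed.
import re

# Well-known SIDs (subset of those documented in KB 243330).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-9": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}
# Two-letter SDDL aliases that appear as trustees in service security descriptors.
SDDL_ALIASES = {
    "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users", "BG": "BUILTIN\\Guests",
    "SO": "BUILTIN\\Server Operators", "BO": "BUILTIN\\Backup Operators",
    "AU": "NT AUTHORITY\\Authenticated Users", "SY": "NT AUTHORITY\\SYSTEM",
    "IU": "NT AUTHORITY\\INTERACTIVE", "WD": "Everyone",
}
# Service start types as stored in [Service General Setting].
START_MODES = {"2": "Automatic", "3": "Manual", "4": "Disabled"}

ACE_RE = re.compile(r"\((\w+);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
SERVICE_RE = re.compile(r'^([^,]+),(\d),"?([^"]*)"?$')

# Constructed sample template (not an MSS template).
SAMPLE_TEMPLATE = """\
; constructed sample for illustration
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-9
SeDenyNetworkLogonRight = *S-1-5-32-546
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeInteractiveLogonRight = *S-1-5-32-544,Enterprise Admins
[Service General Setting]
BITS,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
wuauserv,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
Netlogon,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
"""


def parse_sections(text):
    """Split .inf text into {section name: [non-empty, non-comment lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def resolve_principal(token):
    """A leading '*' marks a SID; anything else is an account name."""
    token = token.strip()
    if token.startswith("*"):
        sid = token[1:]
        return WELL_KNOWN_SIDS.get(sid, sid)  # unknown SIDs are kept verbatim
    return token


def privilege_rights(sections):
    """{right name: [resolved principals]} from [Privilege Rights]."""
    rights = {}
    for line in sections.get("Privilege Rights", []):
        name, _, value = line.partition("=")
        rights[name.strip()] = [resolve_principal(p)
                                for p in value.split(",") if p.strip()]
    return rights


def rights_for(rights, principal):
    """User rights a principal holds; handy for Guests/Everyone checks."""
    return sorted(name for name, who in rights.items() if principal in who)


def service_settings(sections):
    """{service: (start mode, SDDL)} from [Service General Setting]."""
    services = {}
    for line in sections.get("Service General Setting", []):
        m = SERVICE_RE.match(line)
        if m:
            name, mode, sddl = m.groups()
            services[name] = (START_MODES.get(mode, mode), sddl)
    return services


def allowed_trustees(sddl):
    """(trustee, rights) for every access-allowed ACE in a service SDDL."""
    return [(SDDL_ALIASES.get(t, WELL_KNOWN_SIDS.get(t, t)), rights)
            for ace_type, _f, rights, _og, _iog, t in ACE_RE.findall(sddl)
            if ace_type == "A"]


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_TEMPLATE)
    for right, who in privilege_rights(secs).items():
        print(f"{right}: {', '.join(who)}")
    for svc, (mode, sddl) in service_settings(secs).items():
        print(f"{svc}: {mode}; allowed: {allowed_trustees(sddl)}")
```

Point the script at one of the downloaded templates and it shows which services a template disables (the SP3 additions Graham was worried about) and which principals hold each right, without opening the MMC. Unknown SIDs are left as-is so a domain-specific SID that is not well-known stands out in the output.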

Re: [ActiveDir] security templates

2003-02-23 Thread Graham Turner
Rick, Q243330 - that's great - exactly what i was looking for.

i have to admit that the issue of security templates is a little
frustrating. i guess it is indicative of the ongoing development of w2k but
nonetheless a little time consuming to be having to mod security templates,
reload into GPOs each time a service pack introduces any number of services
that do not fulfil the requirement of minimal (secure) configuration.

for me i think i'll use the security operations guide templates as the
starting point, with tweaks to get out the SP3 nasties !!

ps how's the soccer going for you ??

GT

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] security templates

2003-02-23 Thread Thommes, Michael M.
Hi Rick,
The URL you posted is available to MVP accounts only.  However, an open
reference can be found at
http://support.microsoft.com/default.aspx?scid=kb;en-us;243330

Mike Thommes
Argonne National Laboratory 
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] security templates

2003-02-23 Thread Graham Turner
yeh, a blatant bit of one-upmanship to us mere mortals


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] security templates

2003-02-18 Thread Rick Kingslan
Graham,

Though I don't have a link to them in front of me at the moment, as you
might recall, Microsoft submitted for and passed the Common Criteria.
Microsoft (via SAIC) published a configuration and an administration
guide that is a bit more current with templates, et. al.  Look into
those for your Security Configuration guidelines, in conjunction with
the SecOps guides.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone





 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
 Sent: Tuesday, February 18, 2003 3:08 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] security templates 
 
 
 very keen to leverage the templates for baselining DC 
 security and configuration distributed with the MS security 
 operations guide,
 
 it would seem that these would have been developed certainly 
 before SP3 (w2k by the way) which seems to have introduced a 
 number of additional services eg
 
 Automatic updates
 Background Intelligent transfer service
 
 would anyone have a reference on what additional services are 
 added to the base w2k distribution and IDEALLY (says he being 
 a bit lazy !!) updated revisions of the security templates to 
 reflect a SP3 installation -
 
 if not i guess off to MMC i go !!!
 
 GT
 
 
 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] security templates

2003-02-18 Thread Free, Bob
Funny, I was just looking at those :-]

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/W2kSCGcf.asp

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] security templates

2003-02-18 Thread Rick Kingslan
Thanks, Bob!  ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone





 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
 Sent: Tuesday, February 18, 2003 5:26 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] security templates 
 
 
 Funny, I was just looking at those :-]
 
 http://www.microsoft.com/technet/treeview/default.asp?url=/tec
hnet/security/issues/W2kCCSCG/W2kSCGcf.asp
 
 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, February 18, 2003 3:22 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] security templates 
 
 
 Graham,
 
 Though I don't have a link to them in front of me at the 
 moment, as you might recall, Microsoft submitted for and 
 passed the Common Criteria. Microsoft (via SAIC) published a 
 configuration and an administration guide that is a bit more 
 current with templates, et. al.  Look into those for your 
 Security Configuration guidelines, in conjunction with the 
 SecOps guides.
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
 
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]] On Behalf Of 
 Graham Turner
  Sent: Tuesday, February 18, 2003 3:08 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] security templates 
  
  
  very keen to leverage the templates for baselining DC
  security and configuration distributed with the MS security 
  operations guide,
  
  it would seem that these would have been developed certainly
  before SP3 (w2k by the way) which seems to have introduced a 
  number of additional services, e.g.
  
  Automatic updates
  Background Intelligent transfer service
  
  would anyone have a reference on what additional services are
  added to the base w2k distribution and IDEALLY (says he being 
  a bit lazy !!) updated revisions of the security templates to 
  reflect a SP3 installation -
  
  if not I guess off to MMC I go !!!
  
  GT
  
  
  
 
 
 





RE: [ActiveDir] Security Priv over Services on a DC

2003-02-16 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)



You can do so by Group Policies, e.g. in the Default Domain Controllers Policy 
(Computer Config\Windows Settings\Security Settings\System Services). 
Beware that the GUI only lists the services that it can see on the _machine_ 
from where you edit the GPO, so you should edit this part of the GPO on a DC (or 
via TS, instead of remotely via the ADUC GUI from your desktop).

Some more tips:
* in W2K, the GUI doesn't show you the current permissions that exist on a 
service (when you choose to edit the security, it defaults to Everyone Full 
Control...), so be sure to add SYSTEM and Administrators into the mix when you 
change the services' ACLs (in Windows Server 2003, the current ACLs are shown)
* when you change the Default Domain Controllers Policy, you will obviously 
affect all DCs. This may be o.k. for what you want, but if you want to limit 
your setting to a specific DC, this won't really help. But you really don't want 
to take the DC out of that OU, as otherwise it won't get the other settings it 
requires... = the solution: create sub-OUs underneath the Domain Controllers OU 
(e.g. one for each AD site) and create dedicated GPOs for these sub-OUs to define 
the security on the services (or to grant local staff of a remote location the 
permission to gracefully shut down only their local DC)

The latter is a well known practice, yet there are different statements from MS 
rgd. the supportability of sub-OUs underneath the Domain Controllers OU. This 
is currently being discussed in Redmond and I hope to have an official answer to 
this soon, but it looks like MS will support it.

/Guido

  
  -Original Message-
  From: John F. Hann [mailto:[EMAIL PROTECTED]]
  Sent: Saturday, February 15, 2003 04:56
  To: ActiveDir List
  Subject: [ActiveDir] Security Priv over Services on a DC

  What/Where would I adjust the security to allow a group to start/stop 
  services on a DC?
  
  Obviously, I would only do this for certain services, since this group will 
  not have DA level access.
  
  John Hann
  BancorpSouth
  662.678.7179
  


RE: [ActiveDir] Security Tab on User Object - Allow inheritable Permissions

2003-02-03 Thread Gil Kirkpatrick



Hey John,

That checkbox is a representation of the inheritance flags that are associated 
with each access control entry (ACE), i.e. with each specific permission granted 
or denied in the ACL.

There are five flags in the mask that define how each ACE is inherited:

0x01 OBJECT_INHERIT_ACE indicates that the ACE should be inherited by all 
non-container child objects, and should propagate through (but not apply to) any 
container child objects
0x02 CONTAINER_INHERIT_ACE indicates that the ACE should be inherited by all 
container child objects and propagate through to subsequent child objects
0x04 NO_PROPAGATE_INHERIT_ACE causes an inherited ACE to not be propagated any 
further down the hierarchy
0x08 INHERIT_ONLY_ACE indicates that the ACE does not apply to the (container) 
object it is attached to, but will be inherited by child objects
0x10 INHERITED_ACE indicates the ACE was inherited from a parent container

You can set these values in a script using the 
IADsAccessControlEntry::put_Flags method.

-gil


-Original Message-
From: John F. Hann [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 03, 2003 2:07 PM
To: ActiveDir List
Subject: [ActiveDir] Security Tab on User Object - Allow inheritable Permissions

  On the Security Tab at the bottom is a check box: Allow inheritable 
  Permissions from parent to propagate to this object.
  
  Is this an ACL or property? I have some user objects that do not have this 
  checked and I have to delegate authority
  
  So, how can I set this with a script?
  
  John Hann
  BancorpSouth
  662.678.7179
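The five flag values Gil lists, together with the way they are carried down from a container to its children, as an added worked example. This is my own illustration for the thread, not Gil's script and not Microsoft code: the bit values are the ones in his post, the propagation rules are the documented ACE inheritance behaviour (OI copies to leaf children, CI to container children, NO_PROPAGATE strips the inheritance bits from the inherited copy, INHERITED marks the copy), and the `protected` parameter is an assumption of mine that models a child whose DACL blocks inheritance, which is the state John's checkbox toggles. It goes a little beyond the post by walking a whole chain of descendants rather than a single parent/child pair.

```python
"""Decode Windows ACE inheritance flags and simulate how an ACE propagates.

Added illustration for the ActiveDir thread above; not the list's or
Microsoft's code. Flag values are the AceFlags bits from Gil's post.
"""

OBJECT_INHERIT_ACE = 0x01        # inherited by non-container children
CONTAINER_INHERIT_ACE = 0x02     # inherited by container children
NO_PROPAGATE_INHERIT_ACE = 0x04  # inherited copy loses its OI/CI bits
INHERIT_ONLY_ACE = 0x08          # does not apply to the object holding it
INHERITED_ACE = 0x10             # marks an ACE that came from a parent

FLAG_NAMES = {
    OBJECT_INHERIT_ACE: "OBJECT_INHERIT_ACE",
    CONTAINER_INHERIT_ACE: "CONTAINER_INHERIT_ACE",
    NO_PROPAGATE_INHERIT_ACE: "NO_PROPAGATE_INHERIT_ACE",
    INHERIT_ONLY_ACE: "INHERIT_ONLY_ACE",
    INHERITED_ACE: "INHERITED_ACE",
}


def decode_flags(flags: int) -> list[str]:
    """Names of the inheritance bits set in an AceFlags value."""
    unknown = flags & ~sum(FLAG_NAMES)
    if unknown:
        raise ValueError(f"unknown AceFlags bits: 0x{unknown:02x}")
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def applies_to_holder(flags: int) -> bool:
    """True when the ACE is effective on the object it is attached to."""
    return not flags & INHERIT_ONLY_ACE


def inherit_to_child(flags: int, child_is_container: bool,
                     protected: bool = False):
    """Flags the ACE carries on a direct child, or None if not inherited.

    `protected` (assumption, not on the page) models a child whose DACL
    blocks inheritance from its parent, i.e. the checkbox cleared.
    """
    if protected:
        return None
    oi = bool(flags & OBJECT_INHERIT_ACE)
    ci = bool(flags & CONTAINER_INHERIT_ACE)
    no_prop = bool(flags & NO_PROPAGATE_INHERIT_ACE)
    if not child_is_container:
        # Leaves have no children: only OI matters, and the inherited
        # copy carries no inheritance bits of its own.
        return INHERITED_ACE if oi else None
    if ci:
        # Effective on the container; keeps OI/CI unless NO_PROPAGATE.
        new = INHERITED_ACE
        if not no_prop:
            new |= flags & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)
        return new
    if oi and not no_prop:
        # OI without CI: the container gets an inherit-only copy whose
        # only job is to pass the ACE on to the container's leaf children.
        return INHERITED_ACE | INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE
    return None


def propagate(flags: int, path: list[bool]) -> list:
    """Walk a chain of descendants (True = container, False = leaf) and
    report the flags the ACE carries at each level (None once it stops)."""
    result = []
    current = flags
    for is_container in path:
        current = None if current is None else inherit_to_child(current, is_container)
        result.append(current)
    return result


if __name__ == "__main__":
    # Constructed example: an ACE on an OU set to "this object and all
    # child objects", walked down OU -> OU -> user object.
    ace = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
    levels = ["child OU", "grandchild OU", "user object"]
    for level, f in zip(levels, propagate(ace, [True, True, False])):
        shown = decode_flags(f) if f is not None else "not inherited"
        print(f"{level:14s} -> {shown}")
```

Running it shows why an ACE set to "this object and all child objects" keeps OI|CI on every OU below it but arrives on the user object with only INHERITED_ACE set, and why an OI-only ACE shows up on intermediate OUs as an inherit-only entry that never grants anything on the OU itself. The `protected` branch is where a user object with the checkbox cleared drops out of the chain.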
  


RE: [ActiveDir] Security Templates

2002-09-25 Thread marija efnuseva

Yes that is what I was trying to do. Have I done anything wrong?
I added folder paths in a new security template called folders, and I set the 
permissions I wanted. And then I imported it in the Group policy object that takes care 
of some of my users, and computers. But it seems not to be working. My users are still 
able to browse all of C: and even delete files from folders under C: that they have no 
privileges to do according to the Template I created.

regards,
 Marija




-- Original Message --
From: Leney, Justin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 24 Sep 2002 17:17:25 -0400

You have been trying to set file system permissions via a template? 



-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security Templates



Thanks, I'll try that. Actually I have already been doing that but it seems
not to be working. 

Regards
marija



-- Original Message --
From: Leney, Justin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 24 Sep 2002 13:42:38 -0400

Marija, 

http://nsa2.www.conxion.com/win2k/index.html Lots of good info concerning
Templates and how to implement/administer them. 

Microsoft Recommends this: 

C:\... (and most everything underneath) 
Administrators - FC
System - FC
Authenticated Users - Read, Execute 

Users should not be denied access to most of the C:, as they'll need to
execute dll's and whatnot. 
--
C:\Documents and Settings\%username%\ (these will be set by the OS when the
user logs into the local computer or domain)
Administrators - FC
System - FC
%username% - FC (or Change, if you don't want them to delete their profile
directory)









-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 7:02 AM
To: ActiveDirLista
Subject: [ActiveDir] Security Templates


Hello,

Can anybody tell me where I can find more documentation on Security
Templates, especially about working with the File System on local computers.


Also, can anybody send me an example on how to deny access to all folders
on the local C: drive, and then allow only one specific folder for every
user. So drive C: and all subfolders should be inaccessible for everybody.
But, for example the user marija should be able to access only her My
Documents folder and have the rights that I assign her. She should not be
able to see, browse, list the contents, and not to mention to read, or write
to any other folder on drive C:

Thanks,

Marija



RE: [ActiveDir] Security Templates

2002-09-24 Thread Leney, Justin

Marija, 

http://nsa2.www.conxion.com/win2k/index.html Lots of good info concerning
Templates and how to implement/administer them. 

Microsoft Recommends this: 

C:\... (and most everything underneath) 
Administrators - FC
System - FC
Authenticated Users - Read, Execute 

Users should not be denied access to most of the C:, as they'll need to
execute dll's and whatnot. 

--
C:\Documents and Settings\%username%\ (these will be set by the OS when the
user logs into the local computer or domain)
Administrators - FC
System - FC
%username% - FC (or Change, if you don't want them to delete their profile
directory)









-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 7:02 AM
To: ActiveDirLista
Subject: [ActiveDir] Security Templates


Hello,

Can anybody tell me where I can find more documentation on Security
Templates, especially about working with the File System on local computers. 

Also, can anybody send me an example on how to deny access to all folders
on the local C: drive, and then allow only one specific folder for every
user. So drive C: and all subfolders should be inaccessible for everybody.
But, for example the user marija should be able to access only her My
Documents folder and have the rights that I assign her. She should not be
able to see, browse, list the contents, and not to mention to read, or write
to any other folder on drive C:

Thanks,

Marija



RE: [ActiveDir] Security Templates

2002-09-24 Thread Leney, Justin

You have been trying to set file system permissions via a template? 



-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security Templates



Thanks, I'll try that. Actually I have already been doing that but it seems
not to be working. 

Regards
marija



-- Original Message --
From: Leney, Justin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 24 Sep 2002 13:42:38 -0400

Marija, 

http://nsa2.www.conxion.com/win2k/index.html Lots of good info concerning
Templates and how to implement/administer them. 

Microsoft Recommends this: 

C:\... (and most everything underneath) 
Administrators - FC
System - FC
Authenticated Users - Read, Execute 

Users should not be denied access to most of the C:, as they'll need to
execute dll's and whatnot. 
--
C:\Documents and Settings\%username%\ (these will be set by the OS when the
user logs into the local computer or domain)
Administrators - FC
System - FC
%username% - FC (or Change, if you don't want them to delete their profile
directory)









-Original Message-
From: marija efnuseva [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 7:02 AM
To: ActiveDirLista
Subject: [ActiveDir] Security Templates


Hello,

Can anybody tell me where I can find more documentation on Security
Templates, especially about working with the File System on local computers.


Also, can anybody send me an example on how to deny access to all folders
on the local C: drive, and then allow only one specific folder for every
user. So drive C: and all subfolders should be inaccessible for everybody.
But, for example the user marija should be able to access only her My
Documents folder and have the rights that I assign her. She should not be
able to see, browse, list the contents, and not to mention to read, or write
to any other folder on drive C:

Thanks,

Marija