Thank you very much for the information!

Sincerely,
Francis 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thorbjørn Sjøvold
Sent: 11 March 2005 12:29
To: [email protected]
Subject: RE: [ActiveDir] Speaking of DAs...GP link Date

Francis,

the reason that the creation and administration of GPOs is focused, by default, 
on the PDC emulator is that this minimizes the risk that two or more admins 
edit a GPO on different DCs and then AD replication occurs and removes one of 
the changes. I guess the GP team at MS could have chosen any of the domain-wide 
FSMO roles to use for this to get the same result, or maybe created yet another 
FSMO role perhaps... Unimportant, but interesting knowledge, is that the PDC 
affinity is actually something that is part of the GP admin tools, not the 
underlying GP infrastructure.

Actually there is also another not so obvious role for the PDC emulator that 
you should be aware of and that is that it is the root server for the time sync 
within each domain. In a forest they also communicate with each other, with the 
PDC emulator of the root domain being the forest time root.

Best Regards,
Thorbjørn Sjøvold
Special Operations Software
www.specopssoft.com
thorbjorn.sjovold a t specopssoft.com

Specops Deploy,
Takes Group Policy Based Software Deployment to the next level



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, March 11, 2005 5:24 PM
To: [email protected]
Subject: RE: [ActiveDir] Speaking of DAs...GP link Date

Yes, that's the first thing I made sure of. I'll fire up my test domain shortly 
and try it on a brand-new install.

Second thing: why is it automatically focused on the PDC role? I was certain 
that the PDC role holder was only related to password changes...

Thanks,
Francis 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 11 March 2005 11:11
To: [email protected]
Subject: RE: [ActiveDir] Speaking of DAs...GP link Date

Francis-
I just tested this on Server 2003 and it worked as Mika described. Keep in mind 
that when you create a GPO, you're, by default, focused on the PDC role holder 
DC, and of course, events are held per-DC. So make sure you're looking at the 
logs on the correct DC.

Darren 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, March 11, 2005 7:51 AM
To: [email protected]
Subject: RE: [ActiveDir] Speaking of DAs...GP link Date

Hi Mika,

I just created a test GPO with the GPMC and then connected to the event viewer 
(security log) and waited for the 566 events to show up, but nothing! Are you 
sure no other steps are required?

Thanks!
Francis 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mika Seitsonen
Sent: 10 March 2005 16:54
To: [email protected]
Subject: RE: [ActiveDir] Speaking of DAs...GP link Date

In addition to Joe's and Darren's suggestions, you could just check security 
logs. By default (in WS03, I don't have a W2k environment running at the 
moment), there are two ACEs (inheritable to OUs) in the SACL for the domain 
object:

        Ace[0]
                Ace Type:  0x7 - SYSTEM_AUDIT_OBJECT_ACE_TYPE
                Ace Size:  56 bytes
                Ace Flags: 0x42
                        CONTAINER_INHERIT_ACE
                Object Ace Mask:  0x00000020
                        ACTRL_DS_WRITE_PROP
                Object Ace Flags: 0x3
                        ACE_OBJECT_TYPE_PRESENT
                        ACE_INHERITED_OBJECT_TYPE_PRESENT
                Object Ace Type:  Attr - gPLink
                Inherited object type: Class - organizationalUnit
                Object Ace Sid:   Everyone S-1-1-0
        Ace[1]
                Ace Type:  0x7 - SYSTEM_AUDIT_OBJECT_ACE_TYPE
                Ace Size:  56 bytes
                Ace Flags: 0x42
                        CONTAINER_INHERIT_ACE
                Object Ace Mask:  0x00000020
                        ACTRL_DS_WRITE_PROP
                Object Ace Flags: 0x3
                        ACE_OBJECT_TYPE_PRESENT
                        ACE_INHERITED_OBJECT_TYPE_PRESENT
                Object Ace Type:  Attr - gPOptions
                Inherited object type: Class - organizationalUnit
                Object Ace Sid:   Everyone S-1-1-0

Thus, you don't have to configure anything in order to start auditing.
Just look at the security log for event ID 566. Unfortunately, as Darren pointed 
out, GPO names aren't written to the events but rather the GUID for the GPO :( 
In addition, when a GPO is linked to a container, the only event written is one 
indicating that a change to the gPLink attribute occurred.

Below is a sample event from the security log for linking a GPO to an
OU:

2/25/2005       8:02:31 AM      Security        Success Audit
Directory Service Access        566     SANAO\OU02Admin DC01    "Object
Operation:
        Object Type:    organizationalUnit
        Object Name:    OU=OU02,DC=DC=sanao,DC=com
        Accesses:       Write Property 
        Properties:
        Write Property 
                Default property set
                        gPLink

If a GPO is created and linked to an OU (e.g. with the GPMC command "Create and 
link a GPO here..."), five events with event ID 566 are created in the security 
log; three of them with the GUID of the GPO. Go and figure... :)

My point: security log will have an answer to your question when the linking 
occurred.

Rgds
Mika
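The check Mika describes, as an added example that is not part of the thread: a PowerShell script that reads the domain object's SACL for the gPLink/gPOptions audit ACEs and then pulls the matching Security-log events from the PDC emulator, which is where GPMC edits land by default (Darren's point above; events are per-DC). It assumes the ActiveDirectory and GroupPolicy modules (RSAT) are available and that the caller can read the SACL and the DC's Security log. Event ID 566 is the Server 2003 "Object Operation" event shown above; on Server 2008 and later the equivalent is 5136, whose message includes the new attribute value, so GPO GUIDs can be extracted from it. The 566 text above carries only the attribute name, so for those events the name lookup returns nothing.

```powershell
# Added example, not code from the thread. Assumes RSAT (ActiveDirectory and
# GroupPolicy modules) and rights to read the domain SACL and the DC's Security log.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$pdc      = $domain.PDCEmulator            # GPMC edits are mastered here by default
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve the schemaIDGUIDs of the two attributes from the schema rather than hard-coding them.
$attrGuid = @{}
foreach ($name in 'gPLink', 'gPOptions') {
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    $attrGuid[$name] = [guid]$attr.schemaIDGUID
}

# 1. Read the SACL of the domain object (needs SeSecurityPrivilege) and keep the
#    audit ACEs that cover Write Property on gPLink or gPOptions.
$acl   = Get-Acl -Path "AD:\$($domain.DistinguishedName)" -Audit
$rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
$gpAudit = $rules | Where-Object {
    ($attrGuid.Values -contains $_.ObjectType) -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
}
if (-not $gpAudit) {
    Write-Warning "No audit ACE for gPLink/gPOptions on $($domain.DistinguishedName); link changes will not be logged."
}
$gpAudit | Select-Object IdentityReference, AuditFlags, InheritanceType, InheritedObjectType,
    @{ n = 'Attribute'; e = { $g = $_.ObjectType; ($attrGuid.GetEnumerator() | Where-Object { $_.Value -eq $g }).Key } } |
    Format-Table -AutoSize

# The SACL alone is not enough: the DC must also audit Directory Service Access
# (the Default Domain Controllers Policy enables Success auditing for it).
# On Server 2008 and later, check with:  auditpol /get /category:"DS Access"

# 2. Pull the audit events from the PDC emulator's Security log. Events are
#    written on the DC that mastered the change, so a change made on another DC
#    must be looked for on that DC.
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 566, 5136 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'gPLink|gPOptions' }

foreach ($e in $events) {
    # Only the GPO GUID (inside the gPLink value) is recorded, never the display name, so resolve it.
    $guids = [regex]::Matches($e.Message, '\{[0-9A-Fa-f-]{36}\}') |
        ForEach-Object { $_.Value.Trim('{}') } | Select-Object -Unique
    $names = foreach ($g in $guids) {
        try { (Get-GPO -Guid $g -Domain $domain.DNSRoot -ErrorAction Stop).DisplayName }
        catch { "$g (not found, possibly deleted)" }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        DC      = $e.MachineName
        GPOs    = ($names -join '; ')
    }
}
```

Run it from a management host in the domain; the first table tells you whether the default audit ACEs are still in place (they are inheritable, so a container with inheritance blocked will not get them), and the second lists the link-change events found on the PDC emulator with any GPO GUIDs resolved to names.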

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 9 March 2005 23:29
To: [email protected]
Subject: RE: [ActiveDir] Speaking of DAs...GP link Date

Yep. The other thing you could do is look at the metadata for the gplink 
attribute. This will tell you the last time it was updated and where the change 
was mastered, but that is about it.

  joe 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, March 09, 2005 3:53 PM
To: [email protected]
Subject: RE: [ActiveDir] Speaking of DAs...GP link Date

Not easily. The way this works is that the DN of the GPC object is stored on 
the gpLink attribute on the container object in question. So you could audit on 
that container object (OU) for changes to gpLink but then you have to figure 
out which GPO was added/removed by its DN. So it's a container-centric thing 
rather than a GPO-centric thing. 
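What joe and Darren describe, as an added example that is not part of the thread: decode the gPLink string on a container into GPO names and link flags, then read the replication metadata of gPLink and gPOptions, which gives the time, version and originating DC of the last change but says nothing about which link was added or removed. The parser is exercised on a constructed gPLink value first, so that part runs without a domain; the live part assumes the ActiveDirectory and GroupPolicy modules (RSAT) and uses the OU DN from Mika's sample event as a placeholder.

```powershell
# Added example, not code from the thread.

# gPLink is one string of entries "[LDAP://<GPC DN>;<flags>]" where flags bit 0x1 = link disabled
# and bit 0x2 = enforced. The GPO is identified only by the GUID in its GPC DN.
function ConvertFrom-GPLink {
    param([AllowEmptyString()][string]$GPLink)
    $pattern = '\[LDAP://(?<dn>[^;\]]+);(?<flags>\d+)\]'
    foreach ($m in [regex]::Matches($GPLink, $pattern)) {
        $flags = [int]$m.Groups['flags'].Value
        $guid  = if ($m.Groups['dn'].Value -match 'cn=\{(?<g>[0-9A-Fa-f-]{36})\}') { $Matches['g'] } else { $null }
        [pscustomobject]@{
            GpcDN    = $m.Groups['dn'].Value
            GpoGuid  = $guid
            Disabled = [bool]($flags -band 1)
            Enforced = [bool]($flags -band 2)
        }
    }
}

# Constructed sample: the two well-known default GPO GUIDs, one link enforced (flags 2), one normal (flags 0).
$sample = '[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=sanao,DC=com;2]' +
          '[LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=sanao,DC=com;0]'
ConvertFrom-GPLink $sample | Format-Table -AutoSize

# Live part: read the attributes and their replication metadata from one DC.
Import-Module ActiveDirectory
Import-Module GroupPolicy
$ouDN   = 'OU=OU02,DC=sanao,DC=com'        # placeholder; use your own container DN
$domain = Get-ADDomain
$dc     = $domain.PDCEmulator               # metadata is per-DC; query the DC that mastered the change

$ou = Get-ADObject -Identity $ouDN -Server $dc -Properties gPLink, gPOptions
$links = ConvertFrom-GPLink $ou.gPLink | ForEach-Object {
    $name = '(GPO not found)'
    try { $name = (Get-GPO -Guid $_.GpoGuid -Domain $domain.DNSRoot -ErrorAction Stop).DisplayName } catch { }
    $_ | Add-Member -NotePropertyName GpoName -NotePropertyValue $name -PassThru
}
$links | Format-Table GpoName, GpoGuid, Enforced, Disabled -AutoSize
"gPOptions = $($ou.gPOptions)  (1 = block inheritance)"

# Last originating write of gPLink/gPOptions: when, which version, and on which DC.
# This answers "when did the links on this container last change", not "which GPO was linked".
# Equivalent with older tooling:  repadmin /showobjmeta $dc "$ouDN"
Get-ADReplicationAttributeMetadata -Object $ouDN -Server $dc -Properties gPLink, gPOptions |
    Select-Object AttributeName, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize
```

Because gPLink is a single-valued string, the metadata version counter moves by one for every edit of the whole attribute, so comparing it with the Security-log events on the originating DC is the only way to tie a given link change to a user.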


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, March 09, 2005 12:11 PM
To: [email protected]
Subject: [ActiveDir] Speaking of DAs...GP link Date

Speaking of domain admins. Anyone know of a way to find out when a GP was 
linked to an OU? (or alternatively when the links on the GP were last updated)?
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

