What about people who have those groups as a primary group? 30 seconds is a long time, I could be a domain admin and have it not show in the DA member attribute in milliseconds. Also do you chase all nesting? If so how? What do you key your hash/map/associative array/dictionary on so you don't get stuck in a recursive nesting? Name? SamAccountName? Should be using DN if you aren't. When building the list of current unique members do you key off of name, samaccountname? Again, should be using DN if you aren't.
The restricted groups GPO should remove a user that isn't in the list within 5 minutes on a DC. But still, in computer and hacking time, that is an eternity.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Saturday, October 08, 2005 12:45 AM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Call my method crude and archaic...but I have a box that just runs scripts...all day...nothing else. One of them is to do a simple dump of the domain, enterprise, and schema admins group once every 30 seconds or something and diff it against the previous run. If there's a difference I get an email. This was a 2 minute batch file I put in place because someone was added to the DA's group and decided it would be fun to try and bring up a new domain. I decided to leave it in place cause it just worked; any change to the groups and I get an email within a few minutes. Already caught a few "mistakes". The restricted groups (which are also in place) have sat for hours and not kicked the "non-specified" user out...then again, sometimes it kicks them out right away.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 8:06 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

I am.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 10:20 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Joe, I actually thought you were referring to the somewhat "hidden" primaryGroupID issue in your previous response.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 10/7/2005 6:01 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

You have to look at what the scripts and GPOs are actually doing in the background. For instance, gpo simply looks at the LDAP membership of a group, ditto many of the WMI scripts out there that "monitor" group membership. Not all members will be listed there. Unless those items fire at a moment that the user is listed in the member list, they may not capture the info. How long does it take to get yourself into say the domain admins group and it not be listed in the member attribute for domain admins? Maybe milliseconds? How often are the monitors and GPOs firing? Auditing can help here since it will track every change if you are willing to have the overhead of the auditing, but you have to be aware if there are any limitations in your event log scraper tool.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Friday, October 07, 2005 4:40 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Care to elaborate on what you mean by defeated? Are you suggesting that gpo's can be overridden by a local user w/o admin rights?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 7:28 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Both can be defeated.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 06, 2005 2:23 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Use a "restricted group" policy, or use of one Alain Lissor's (lissware.net) scripts.

You can find info on either method by searching through the archives of this list, or you could use google ... ahem ....I meant msn search :)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Devan Pala
Sent: Thu 10/6/2005 9:59 AM
To: [email protected]
Subject: [ActiveDir] Modifying Domain Admins & Administrators Group

Hi,

We have about 7 domain administrators in a particular child domain. I just found out someone added the DBA Group to part of the Administrators group in this domain. Not necessary, not required nor is it a policy. Event logs have obviously been overwritten therefore I would like to know the simplest method to avoid this scenario from ever happening again. What are my options?

Thank you so much.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
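The thread's detection approach (periodic dump of the privileged groups, diff against the previous run) together with joe's objections (chase nesting, key on distinguishedName so a nesting loop cannot recurse forever, and do not forget accounts whose primaryGroupID is the group, which never appear in the member attribute) can be put together in one collector. The following is an added example, not code from the thread or from any of its posters; DIRECTORY is a constructed in-memory stand-in for LDAP search results, with made-up DNs and SIDs, and a real collector would fetch the same attributes (member, objectSid, primaryGroupID) over LDAP.

```python
"""Effective-membership snapshot and diff for a privileged AD group (added example)."""
from collections import deque

DOMAIN_SID = "S-1-5-21-1111-2222-3333"            # constructed domain SID
DOMAIN_ADMINS_DN = "CN=Domain Admins,CN=Users,DC=corp,DC=example"

# Constructed directory: dn -> attributes. RID 512 is Domain Admins,
# 513 is Domain Users (the default primary group for user accounts).
DIRECTORY = {
    DOMAIN_ADMINS_DN: {
        "objectClass": "group",
        "objectSid": DOMAIN_SID + "-512",
        "member": [
            "CN=alice,OU=Admins,DC=corp,DC=example",
            "CN=DBA Group,OU=Groups,DC=corp,DC=example",   # nested group
        ],
    },
    "CN=DBA Group,OU=Groups,DC=corp,DC=example": {
        "objectClass": "group",
        "objectSid": DOMAIN_SID + "-1105",
        "member": [
            "CN=bob,OU=DBAs,DC=corp,DC=example",
            DOMAIN_ADMINS_DN,                 # nesting loop back to Domain Admins
        ],
    },
    "CN=alice,OU=Admins,DC=corp,DC=example": {"objectClass": "user", "primaryGroupID": 513},
    "CN=bob,OU=DBAs,DC=corp,DC=example": {"objectClass": "user", "primaryGroupID": 513},
    # mallory's primary group is Domain Admins: she is in no member attribute at all
    "CN=mallory,OU=Staff,DC=corp,DC=example": {"objectClass": "user", "primaryGroupID": 512},
}


def rid_of(entry):
    """The RID is the last sub-authority of the objectSid."""
    return int(entry["objectSid"].rsplit("-", 1)[1])


def effective_members(directory, group_dn):
    """Return every user DN that is effectively a member of group_dn.

    Breadth-first walk over nested groups. `expanded` is keyed on DN (not on
    name or sAMAccountName), so a group that nests back into itself is
    expanded exactly once and the walk terminates.
    """
    users = set()
    expanded = set()
    queue = deque([group_dn])
    while queue:
        dn = queue.popleft()
        if dn in expanded:
            continue
        expanded.add(dn)
        entry = directory[dn]
        rid = rid_of(entry)
        # 1. Explicit members from the member attribute (users and nested groups).
        for member_dn in entry.get("member", []):
            member = directory.get(member_dn)
            if member is None:
                continue                      # dangling link, nothing to expand
            if member["objectClass"] == "group":
                queue.append(member_dn)
            else:
                users.add(member_dn)
        # 2. Accounts whose primaryGroupID equals this group's RID. These never
        #    appear in member; over LDAP this is a separate search such as
        #    (&(objectClass=user)(primaryGroupID=512)).
        for user_dn, obj in directory.items():
            if obj["objectClass"] == "user" and obj.get("primaryGroupID") == rid:
                users.add(user_dn)
    return frozenset(users)


def diff_membership(previous, current):
    """Compare two snapshots; returns (added, removed) as sorted lists of DNs."""
    return sorted(current - previous), sorted(previous - current)


if __name__ == "__main__":
    # Baseline from the "previous run": only alice was a Domain Admin.
    baseline = frozenset({"CN=alice,OU=Admins,DC=corp,DC=example"})
    added, removed = diff_membership(baseline, effective_members(DIRECTORY, DOMAIN_ADMINS_DN))
    for dn in added:
        print("ADDED  ", dn)
    for dn in removed:
        print("REMOVED", dn)
```

Run stand-alone it reports bob (reached only through the nested DBA Group) and mallory (reached only through primaryGroupID) as additions, while the DBA Group's link back to Domain Admins is visited once and ignored thereafter. Persisting the frozenset between runs and alerting on a non-empty diff gives the same email-on-change behaviour as the batch file described in the thread, but with both of the blind spots joe raised covered; the polling-interval gap itself remains, which is why the thread points at auditing for anything that must catch every change.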
