Thanks, that is pretty good.
 
Time to start writing bug tracking software. :)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Wednesday, October 12, 2005 12:52 AM
To: [email protected]
Subject: Re: [ActiveDir] Modifying Domain Admins & Administrators Group

I had liked the argument on this page, about pricing the software...
 
http://www.joelonsoftware.com/printerFriendly/articles/CamelsandRubberDuckies.html

I hope it's a good read.
 
--
Kamlesh
On 10/12/05, joe <[EMAIL PROTECTED]> wrote:
I am going to hurt myself when I fall off that pedestal you are trying to
stick me on.

If you knew the people I knew the way I knew them you would think the way I
do, I know quite a bit and have a lot of opinions but there are others with
far more knowledge and even better opinions. I just happen to have a bigger
mouth and faster typing skills and a desire to try and help. A lot of my
chattiness is to help draw others out to state their opinions and ideas and
problems. That helps those in the true positions of power to gauge what
should possibly be looked at for correction. I will often sustain a debate
just to get the other person to fully commit their ideas. Too many people
are too silent about what they think.

As for the bugs in the software: all software has bugs. It may not be
something that most people or even anyone finds, but they are there. Heck I
was just looking through some professional code today that I saw something
that I really really really disliked that could be a horrible bug if it got
hit right yet it is possible it never ever has been hit that way and
possibly never ever will. Anyway, I personally have had lots of bugs in my
programs, many of the list members here have found them and sent them to me
and I have mostly corrected them. I am generally quick to fess up to it and
try to fix though. That is another reason I like hanging out here, it makes
me accessible to the people who use my tools so they feel they can email me
and say "Dude, you really blew it on this case, check this out!".

So is that $100-$500 total cost for the tool to run on all DCs across an
entire company? Across a single forest? Across a single domain? Or on a
single DC? Keeping in mind some companies will have thousands of DCs and
tens or hundreds of forests and tens or hundreds or thousands of domains and
some will have 1 DC.

  joe



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Tuesday, October 11, 2005 10:49 AM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

joe,

You know this is not possible.  No one has your knowledge base!  I mean "no
one".  You're in a class by yourself.  You define the class, it's a little
bit like God.  "No one can touch you!"  Okay enough adulation.
Anyways, I would hope it would come in between $100 and $500 USD but who
knows how long it will take you to create and perfect it and I, for one,
know, unlike 99.999% of "all" software released, it will >not< have bugs in
it when it's released.  Something we can count on with joeware.

Do you know that I have downloaded most of your free tools but have not used
virtually any of them because I simply don't have the knowledge base?  I did
use a couple of them during my migration from Forest X to Forest Y and I
sure appreciated them then.

As always,

YMYMYM

Rocky

____________________________________________________



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, October 10, 2005 4:45 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group


Define within reason.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Monday, October 10, 2005 12:33 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

"Is a tool like that something people would be willing to pay for? "

Affirmative Mr. joe. (Within reason of course)

YMYMYM
___________________________________________________


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of joe
Sent: Sunday, October 09, 2005 11:51 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group


Ah global won't have the issue with primary group since it used the NET*
calls. However, it won't catch nesting that is disallowed in NT, those
entries will be curiously absent because the NET calls don't know anything
about it. If you are simply looking for any change on a group, fire a
notification on the changing of the metadata or the USN or the whenChanged
stamp.

What would I do? The answer is of course, it depends. :o)

It depends on what I perceive the risks are and the necessity for protecting
things. It could be very little or it could be a lot with several cross
checks. Generally, monitoring from multiple angles as well as trying to
prevent the possibility of any change is the best solution in my opinion.
Sort of like root kit detection, you won't know when looking at things one
way, you have to look from different angles and check the shadows.

If I really wanted to be sure I would have a service running on every DC
that made sure the group memberships were exactly what I wanted.
These would be services that had change notifications set up for each
monitored group so AD told me when the group changed versus me looking at it
and seeing if something changed on some x interval. But just the same, that
service would still look at some very regular very short interval just in
case the change notification dorked up and I would do it using multiple
interfaces. If I was REALLY being paranoid I would possibly have the service
shut down the box if it detected a change being originated on it in case
that one box has been somehow compromised. That service might also, for
instance, look for certain known vectors and try to clean those up if
detected as well. There are other things but the more you tell people about
what you are doing to protect a system, the more you tell them on what they
may need to do to compromise a system.

Is a tool like that something people would be willing to pay for? You set it
for how jittery you are about changes to some finite small number of
specific groups and depending on the jittery setting it does anything from
warn to correct to locking the box down dead from any more mods?




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Alex Fontana
Sent: Saturday, October 08, 2005 6:36 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group


I'm just using the (I believe) resource kit tool global.exe to return
samaccountname of users in the group.  A user who has that particular group
as primary still shows up.  At the time my biggest concern was ANY change.
There should not be any changes made to those groups at any time without my
group's knowledge.  Obviously if a group (nesting) is added I'll know about
it and whip out my ruler to smack someone with.

As far as the restricted groups are concerned; when I first added them to
the policy it worked like a charm.  After some more testing I found it was
taking longer than expected...more than 15 minutes.  After looking at the
policy I saw that I had entered "domain admins" instead of domain\domain
admins.  I changed it and it never worked.  Changed it back to just "domain
admins" and again it usually works but I recently saw a user sit in the
group for an hour or so before I removed it manually.  I was however
notified within a minute of the change.

Like I said, it's crude but it gets what I need done.  I know that I have
to deal with replication time and I could hit a DC that doesn't know about
the change immediately which could delay my notification by up to a few
minutes, but my biggest concern at this time are certain admins that can add
to the DA's group.  No need to start down that road...I walked into this and
am slowly cleaning up this mess.  Who the hell makes a file server a DC...

Now...I have to ask...how would Joe do it? ;-)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Saturday, October 08, 2005 2:31 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

What about people who have those groups as a primary group? 30 seconds is a
long time, I could be a domain admin and have it not show in the DA member
attribute in milliseconds. Also do you chase all nesting? If so how? What do
you key your hash/map/associative array/dictionary on so you don't get stuck
in a recursive nesting? Name? SamAccountName? Should be using DN if you
aren't. When building the list of current unique members do you key off of
name, samaccountname? Again, should be using DN if you aren't.

The restricted groups GPO should remove a user that isn't in the list within
5 minutes on a DC. But still, in computer and hacking time, that is an
eternity.



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Alex Fontana
Sent: Saturday, October 08, 2005 12:45 AM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Call my method crude and archaic...but I have a box that just runs
scripts...all day...nothing else.  One of them is to do a simple dump of the
domain, enterprise, and schema admins group once every 30 seconds or
something and diff it against the previous run.  If there's a difference I
get an email.  This was a 2 minute batch file I put in place because someone
was added to the DA's group and decided it would be fun to try and bring up
a new domain.  I decided to leave it in place because it just worked; any
change to the groups and I get an email within a few minutes.  Already
caught a few "mistakes".

The restricted groups (which are also in place) have sat for hours and not
kicked the "non-specified" user out...then again, sometimes it kicks them
out right away.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] ] On Behalf Of joe
Sent: Friday, October 07, 2005 8:06 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

I am.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] ] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 10:20 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Joe,

I actually thought you were referring to the somewhat "hidden"
primaryGroupID issue in your previous response.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 10/7/2005 6:01 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group



You have to look at what the scripts and GPOs are actually doing in the
background. For instance, gpo simply looks at the LDAP membership of a
group, ditto many of the WMI scripts out there that "monitor" group
membership. Not all members will be listed there. Unless those items fire at
a moment that the user is listed in the member list, they may not capture
the info. How long does it take to get yourself into say the domain admins
group and it not be listed in the member attribute for domain admins? Maybe
milliseconds? How often are the monitors and GPOs firing? Auditing can help
here since it will track every change if you are willing to have the
overhead of the auditing, but you have to be aware if there are any
limitations in your event log scraper tool.
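The gap joe describes here (users whose primaryGroupID points at a group never appear in its member attribute) and his earlier points about chasing nesting with a lookup keyed on DN, as an added Python example that is not from the thread or from any joeware tool; the directory snapshot, DNs, SIDs and the example.test domain are constructed.

```python
def dn(cn):
    """Build a DN in the constructed test domain (example.test is made up)."""
    return f"CN={cn},CN=Users,DC=example,DC=test"

# Constructed snapshot of the attributes the thread discusses; not real data.
DIRECTORY = {
    dn("Domain Admins"): {"objectClass": "group", "objectSid": "S-1-5-21-1-2-3-512",
                          "member": [dn("alice"), dn("DBA Group")]},
    dn("DBA Group"): {"objectClass": "group", "objectSid": "S-1-5-21-1-2-3-1105",
                      "member": [dn("bob"), dn("Domain Admins")]},  # circular nesting
    dn("alice"): {"objectClass": "user", "primaryGroupID": 513},
    dn("bob"): {"objectClass": "user", "primaryGroupID": 513},
    # carol never appears in any member attribute: her primary group is RID 512
    dn("carol"): {"objectClass": "user", "primaryGroupID": 512},
}

def rid(sid):
    """Relative identifier: the last component of an objectSid string."""
    return int(sid.rsplit("-", 1)[1])

def direct_members(group_dn, directory):
    """What a member-attribute-only check (GPO, simple dump script) sees."""
    return set(directory[group_dn].get("member", []))

def effective_members(group_dn, directory, seen=None):
    """All user DNs that hold group_dn: explicit members, nested groups
    expanded recursively, and users whose primaryGroupID is this group."""
    seen = set() if seen is None else seen
    if group_dn in seen:            # DN-keyed visited set: nesting loops terminate
        return set()
    seen.add(group_dn)
    group = directory[group_dn]
    users = set()
    for member_dn in group.get("member", []):
        if directory[member_dn]["objectClass"] == "group":
            users |= effective_members(member_dn, directory, seen)
        else:
            users.add(member_dn)
    group_rid = rid(group["objectSid"])
    for obj_dn, obj in directory.items():   # primary-group members are not in 'member'
        if obj["objectClass"] == "user" and obj.get("primaryGroupID") == group_rid:
            users.add(obj_dn)
    return users

def diff_membership(baseline, current):
    """Compare two snapshots of effective membership, as the periodic diff job does."""
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}
```

Running `effective_members` on the constructed snapshot reports carol, whom `direct_members` never lists; a real monitor would feed it an LDAP dump of the same attributes.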



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: Friday, October 07, 2005 4:40 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Care to elaborate on what you mean by defeated?  Are you suggesting that
gpo's can be overridden by a local user w/o admin rights?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, October 06, 2005 7:28 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Both can be defeated.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 06, 2005 2:23 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Use a "restricted group" policy, or use one of Alain Lissoir's
(lissware.net) scripts.

You can find info on either method by searching through the archives of
this list, or you could use google ... ahem .... I meant msn search :)


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Devan Pala
Sent: Thu 10/6/2005 9:59 AM
To: [email protected]
Subject: [ActiveDir] Modifying Domain Admins & Administrators Group



Hi,

We have about 7 domain administrators in a particular child domain. I just
found out someone added the DBA Group to part of the Administrators group in
this domain. Not necessary, not required nor is it a policy.
Event logs have obviously been overwritten therefore I would like to know
the simplest method to avoid this scenario from ever happening again.

What are my options?

Thank you so much.


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/





--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
