RE: [ActiveDir] AD, Logon times Custom messages
The right tool for this job might just be the StIcK(tm) ;)

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 1:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times Custom messages

The right tool for the right job. I do not think the place you are looking at is the right place for this job. May I suggest ISA server, or similar web filter programs.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Roger Seielstad
Sent: Mon 7/7/2003 8:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

The reject should be logged automatically, but I haven't checked for sure.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Mr Clark [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times Custom messages

Well, I just wanted to customize the message for my kids when they try to *sneak* on the computer during the middle of the night. :)

As another thought, is there a way to "log" when someone tries to sign on at a restricted time?

Charlie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Monday, July 07, 2003 09:43
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

Best guess is that you cannot modify the message. As is pretty much standard for that type of message in Microsoft products, it's coded into a DLL, and the only supportable way to do that would be to engage Microsoft Consulting Services to modify the DLL.

However, since I believe that's part of the LSASS process on the client, and that gets patched somewhat regularly by service packs, etc, you'd have to re-engage them for every new service pack. IMO, it's not worth it.

What are you trying to accomplish?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Mr Clark [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 9:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD, Logon times Custom messages

Greetings all. I'm new to the list and very new to AD. I have successfully set up my server for our LAN. DNS functions correctly (so far, no error messages), etc.

The question I would like to start off with first is this: Under Active Directory, you can specify Logon times for a user. What I would like to know is this: Can you customize the message that comes up when a user tries to logon during the prohibited time? I haven't seen this listed in the MSKB, and I didn't turn up anything via google.

TIA
Charlie

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD, Logon times Custom messages
And what, exactly would be StIck? How would ISA server, or a web filter program change/customize the logon message?

Thanks.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Tuesday, July 08, 2003 06:43
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

The right tool for this job might just be the StIcK(tm) ;)

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 1:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times Custom messages

The right tool for the right job. I do not think the place you are looking at is the right place for this job. May I suggest ISA server, or similar web filter programs.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] Taking DC Offline
Nice tool Joe, but you should add a time filter. In an attack scenario (be it hacker or auditors), you don't necessarily want to unlock all the locked accounts you find - instead you want to unlock the ones that were locked after a specific time (this is the approach I took - using a UI you select the users you wish to unlock). However, unlocking all is better than unlocking none.

/Guido

From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Montag, 7. Juli 2003 21:26
To: [EMAIL PROTECTED]

Check out unlock at www.joeware.net. It's free, it's fast. Will display locked accounts or unlock them. Saves you the scripting time... Plus it runs faster than any script I have seen. :o)

As for those folks doing the testing, if it isn't security running those password check tools, it is hacking. Treat the admins accordingly.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Monday, July 07, 2003 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

In a way you should be happy they asked you, before just running a password guessing tool against the domain... Of course that won't necessarily be destructive - unless you have configured Account Lockout for X nr. of logons, which I always consult my customers to do. But if your AD domain spans multiple countries/locations or simply a large population of users (which might previously have been separate NT domains) - you're suddenly very vulnerable after all...

I've seen auditors from one location run their magic tools unannounced to any admin against the AD domain spanning the United States - voila, just like an attack from a hacker, that domain was quickly ceasing to work for any user, with logins and eMail etc. failing all over the place (thankfully admin accounts were hidden in AD and thus not known to the tool used by the auditors). Wasn't hard to find the issue and yell at the folks - but try to quickly revert the status of many hundreds of locked out users...

So now we're prepared for these situations via a scripting solution - I would suggest everyone to prepare something for their own environment as well. Nothing like being caught off guard.

/Guido

From: Simpsen, Paul A. (HSC) [mailto:[EMAIL PROTECTED]]
Sent: Montag, 7. Juli 2003 03:25
To: [EMAIL PROTECTED]

The whole purpose of this is all political. It has already been decided to enable password complexity, but to help make the campus more agreeable (we are an edu!) our Security director wants to shoot them some stats. The % of PWs that they could crack, etc. Why this is good for you, you know the deal. I'm still hoping my boss will see the light and just say no! :)

Thanks for all the responses, there might be some other options.

Paul

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 04, 2003 4:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

Paul,

I'm somewhat mystified by the request. I might be completely missing the point, but unless the scan is going to be destructive, what is the value of giving the Security Director a DC that has been taken off-line? I do agree with what others have said here to this point (remove connection objects, clean up the objects from the DIT via NTDSUTIL, etc.), but the value of the work that is being done is still questionable. The DC is no longer in your environment, which from the standpoint of testing the security or the password complexity, makes it no longer a viable environment to do such.

And, if the process is going to be destructive, is this something that they will want to do on a quarterly basis (again with questionable value in the security realm)?

Also, do your Security Analysts already have Administrative context access? If not, all passwords of this type should be nulled out. Even if they do - those that are not theirs should be erased as well.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Thursday, July 03, 2003 4:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Taking DC Offline

Our Security Director has requested that we build a temporary DC for his group. They want to take it offline and audit the current password complexity and strength. This DC will never return to the domain so I will have to manually remove the replication connections in the NTDS settings for each repl partner, plus the DNS records created. I'm just wondering if I'm missing something obvious and that this might not be such a good idea. Possibility of
RE: [ActiveDir] Taking DC Offline
I know that your program is far better than any script, but an unlock script is easy to do and might give a starting point to people wanting to write scripts.

What I've done before is:

net user > users.txt

Load the users.txt file into Excel and remove the header/footer. Make the 3 columns one longer column of users. Now add a formula in (say) B1 which does

="net user " & A1 & " /active:yes"

Fill this down, copy it to notepad and save it as a .cmd file.

It's hardly elegant, but it's easy to create and might get people thinking about other things which can be done easily with a batch file :-)

Steve

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]]
Sent: 07 July 2003 20:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

Check out unlock at www.joeware.net. It's free, it's fast. Will display locked accounts or unlock them. Saves you the scripting time... Plus it runs faster than any script I have seen. :o)
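The time-filtered unlock Guido asks for in the message above, and the "one command per account" batch approach Steve describes, as an added example that is not part of either post and is not joeware's unlock tool. This is a Python script of mine that runs on a constructed list of (sAMAccountName, lockoutTime) pairs; the lockoutTime values are Windows FILETIME integers, the form in which AD stores the attribute, which is the one format assumption (on a real domain the pairs would come from an LDAP query for locked accounts). It selects only accounts locked at or after a chosen cutoff, so lockouts unrelated to the incident are left alone, and it also measures the largest burst of lockouts inside a sliding window, which is the signature of the password-guessing sweep Guido describes.

```python
"""Pick which locked-out accounts to unlock, by lockout time, and spot a sweep.

Added example; not code from the thread. The records below are constructed and
mimic the sAMAccountName and lockoutTime attributes of AD user objects.
"""
from datetime import datetime, timedelta, timezone

# AD stores lockoutTime as a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 UTC. A value of 0 means the account is not locked out.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse conversion; used here only to build the constructed sample."""
    delta = dt - _FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


# Constructed sample: a stale lockout from two days earlier, an unlocked
# account, three accounts locked within minutes of each other (the sweep),
# and one unrelated lockout hours later.
SWEEP_START = datetime(2003, 7, 7, 9, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ("alice", datetime_to_filetime(SWEEP_START - timedelta(days=2))),
    ("bob", 0),
    ("carol", datetime_to_filetime(SWEEP_START + timedelta(minutes=1))),
    ("dave", datetime_to_filetime(SWEEP_START + timedelta(minutes=2))),
    ("erin", datetime_to_filetime(SWEEP_START + timedelta(minutes=3))),
    ("frank", datetime_to_filetime(SWEEP_START + timedelta(hours=5))),
]


def select_lockouts_after(records, cutoff):
    """Return [(name, locked_at), ...] for accounts locked at or after cutoff,
    oldest first. Lockouts from before the incident are not touched, since
    they may be legitimate and unrelated."""
    hits = []
    for name, lockout_time in records:
        if lockout_time == 0:
            continue
        locked_at = filetime_to_datetime(lockout_time)
        if locked_at >= cutoff:
            hits.append((name, locked_at))
    hits.sort(key=lambda hit: hit[1])
    return hits


def largest_lockout_burst(records, window_seconds):
    """Largest number of accounts locked within any window_seconds-long period.
    Many lockouts in a few minutes is what a password-guessing run against a
    domain with account lockout enabled looks like."""
    window = timedelta(seconds=window_seconds)
    times = sorted(filetime_to_datetime(t) for _, t in records if t != 0)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def unlock_plan(records, cutoff):
    """Review list an operator checks before unlocking, one line per account."""
    return [f"unlock {name}  (locked {when:%Y-%m-%d %H:%M:%S} UTC)"
            for name, when in select_lockouts_after(records, cutoff)]


if __name__ == "__main__":
    burst = largest_lockout_burst(SAMPLE_RECORDS, 600)
    print(f"Largest burst within 10 minutes: {burst} accounts")
    for line in unlock_plan(SAMPLE_RECORDS, SWEEP_START):
        print(line)
```

The cutoff is the moment the sweep was noticed (or the time of its first lockout), so the plan lists carol, dave, erin and frank but not alice, whose lockout predates the incident; the burst figure gives the operator a quick way to tell a sweep from the normal trickle of forgotten passwords.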
RE: [ActiveDir] AD, Logon times Custom messages
The StIcK(tm) is a wonderful tool for addressing those issues which aren't quite technological in nature. It's generally applied, somewhat liberally, by a trained professional.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Mr Clark [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 7:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times Custom messages

And what, exactly would be StIck? How would ISA server, or a web filter program change/customize the logon message?

Thanks.
Re: [ActiveDir] AD, Logon times Custom messages
My father must have had a PhD in StIcK(tm).

--
Sent from my BlackBerry Wireless Handheld

----- Original Message -----
From: ActiveDir-owner
Sent: 07/08/2003 08:55 AM
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times Custom messages

The StIcK(tm) is a wonderful tool for addressing those issues which aren't quite technological in nature. It's generally applied, somewhat liberally, by a trained professional.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
RE: [ActiveDir] Identity Management using AD
We are in the process of evaluating MIIS here. AD is currently our source for authentication information; for Enterprise applications, we are using a custom database running on Critical Path to sync with other application directories and get a metaview of the information for identity management. Currently no one allows the metaview write access anywhere. I hope our testing and subsequent deployment will allow for a more standardized approach like what was described below.

To build on what Gil wrote, the reason why SQL Server was used to store identity information was probably because it was a metaview of all the relevant data needed to construct an employee, including privacy information. Active Directory doesn't need access to privacy information (SSN#, DOB, etc.), nor do many LDAP applications. The nice thing about MIIS is that it can create that metaview for you and store it in a SQL Server. So if your privacy information is only stored in the HR system and Payroll, then you can set ACLs on the info so only those systems get that info.

If you are getting into directories for both network access and Enterprise Resource and Application use, I suggest subscribing to the Burton Group papers on Enterprise directory, and constructing your architecture based on some of their principles.

Now if we could only find a group willing to figure out the Laws of directories we would be golden... Maybe Murphy is already doing them.

Todd

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

MSFT internally uses SQL Server as the authoritative store for identity information, and populates AD from that.

-----Original Message-----
From: Glenn Corbett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 03, 2003 7:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Identity Management using AD

All,

We are in the process of redefining our Internet-enabled applications with a view to a centralised customer/client database. There has been quite a bit of discussion regarding using AD as this "customer store", since AD will already be in this environment. I'm a bit hesitant to recommend "vanilla" AD for this task, however I can see a number of benefits to this approach, as the support monkeys can manage the entire environment using the same tools they use to manage the production environment (ADUC etc).

I've been reading up on the information regarding MIIS (what little there is), and can see some potential for a configuration such as this, eg:

- Use AD to store the "core" customer information (user name, password, basic details)
- Use ADAM or SQL (or whatever) for each application to store application specific extensions (so I don't end up with a blown out schema in AD with thousands of additional props for user objects)
- Use MIIS as the Authentication / Identity management front end, and use it to sync these disparate databases to ensure some semblance of "sameness" between them.
- Also use some of the MIIS features such as provisioning etc to ease the management overhead.

Applications could use AD to authenticate the customer coming in, and then use their ADAM database to house the application specific information they need. We could possibly then use MIIS to "backchannel" into the production AD system, so that corporate users can gain access to these Internet applications without requiring multiple accounts.

This is all just brainstorming at the moment, however (as usual), I need to come up with some sort of design by next week (gotta love being given lots of time *grin*). Having not actually got my hands on MIIS, this could be completely unfeasible.

Other options are a custom database for the "customer store", or some other existing product.

Has anyone been down this road before, and could share some insights / resources?

Thanks
Glenn
RE: [ActiveDir] AD DOS vulnerability
Excellent info! Keep this stuff coming. I also use the GPO to enforce group memberships as well as some registry tips. I plan to write a story on my Blog soon that talks about this information. I will send you the URL when the blog starts to take shape.

Todd

-----Original Message-----
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 7:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability

Rick-

Glad to help! One thing I've played around with on this is some low-tech methods for slowing down potential exploits of this. For example, I've used Services security in Group Policy to disable the Scheduler service on all DCs and then permissioned it so that only Enterprise Admins could start it up. I've also set up a loopback policy on all DCs that used Admin. Template settings to prevent anyone except Enterprise Admins from loading the ADSIEdit and Schema Manager MMC snap-ins on a DC. You could probably do even more with software restriction policy here. This by no means prevents the issue, and the extra crafty admin can probably find ways around it, but it slows down the most obvious routes of exploitation, which is worth something :-)

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability

Darren,

Thanks for providing the clarity. No intent to be 'stealthy' about the vulnerability, but - frankly, I couldn't think of the proper words at the moment.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Monday, July 07, 2003 1:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability

I think this refers to the issue recently identified where a member of the Domain Admins group, with access to a domain controller within a domain in the forest, could, for example, start a process within the security context of LocalSystem (e.g. using the AT scheduler), and thus gain privileged access to the schema and configuration naming contexts that they weren't granted explicitly.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 6:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DOS vulnerability

Could you expand on what the specific vulnerability is there? I've not heard that terminology before.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 04, 2003 5:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability

Joe,

Unfortunately, one of the biggest issues with AD can't be addressed with an upgrade, and that's the Security vulnerability from cross-domain admins. Looking to NetPro's monitoring tool to aid in this as a 'burglar alarm'.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Friday, July 04, 2003 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability

Also note that there is another D.O.S. capable bug that SP4 fixes if I recall correctly. It was something with referrals.

Note that there are several things that can be done to W2K AD by a bright programmer with internal access who has had a chance to sit back and think about it that can hurt AD. Some only require having an account in AD, some requiring a machine account. Won't give details here or anywhere due to social conscience and not willing to expose shit that could hurt me personally, but they are there... Move to W2K3 when you can as that may help based on some of the newer docs I have seen.

I agree with what everyone else has said on SP4... Test test test, then deploy. When you do have an issue, post back here or in the newsgroups so others can learn of the experience. Even if you call MS and they say, nope, no one is having that issue. I have found that they know of things but won't come fully forward with them until some minimum number of customers/people have complained.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, July 03, 2003 10:04 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DOS vulnerability

Thanks Everyone for the great information. We have already begun patching the systems as a result of the information from the list.

Todd Myrick

-----Original Message-----
From: Robert Moir [mailto:[EMAIL PROTECTED]]
Sent:
RE: [ActiveDir] AD, Logon times Custom messages
Well, a couple of solutions exist here:

1. You can set a generic notification at logon time:
Start -> Programs -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options -> Message Text/Title for Users Attempting to Logon
You could say something menacing like "I know what you're doing, so don't even try it..." :-)

2. Enable auditing for the success/failure of logon events:
Start -> Programs -> Administrative Tools -> Local Security Policy -> Local Policies -> Audit Policy -> Audit Logon/Account Logon Events
This will enable the generation of event entries in the security event log, events like:
- 530 (Failure Audit) Account logon time restriction violation
- 529 (Failure Audit) Unknown user name or bad password
- 537 (Failure Audit) An error occurred during logon

3. You can easily retrieve these events either by manual perusal of the event logs (a tedious job), or with freeware tools like Mark Russinovich's PSLogList (http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml), or with a bit of VBS:

strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Reading the Security log requires the SeSecurityPrivilege on the WMI connection
objWMIService.Security_.Privileges.AddAsString "SeSecurityPrivilege"
Set colLoggedEvents = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' AND EventCode='530'")
For Each objEvent in colLoggedEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
Next

If you're *really* paranoid, you can register a temporary event consumer using WMI to keep a sleeper thread active to the Security event log, and have it e-mail (or page) you in the event it encounters restricted logon activity.
If you'd like to initiate a less passive course of action, you can actually have the system shut itself down each time it encounters this (again, using WMI). There's plenty o' data on registering consumers on MSDN, or you can simply activate a script like the one below through a batch file at system startup.

   #!c:\perl\bin\perl.exe -w
   # developed on Windows XP
   use strict;
   use Win32;
   use Win32::OLE qw(in);
   use Win32::OLE::Const 'Microsoft CDO 1.21 Library';
   $Win32::OLE::Warn = 3;

   my $smtpsrvr = "mailserver.company.com";
   my $fromaddr = "[EMAIL PROTECTED]";
   my $recpaddr = "[EMAIL PROTECTED]";
   my $computer = Win32::NodeName;

   # Subscribe to new records in the Security log. Note that 552 is
   # "Logon attempt using explicit credentials" on XP; for logon-hours
   # violations filter on EventCode='530' as in the VBS above.
   my $query  = "SELECT * FROM __InstanceCreationEvent ";
   $query    .= "WHERE TargetInstance ISA 'Win32_NTLogEvent' ";
   $query    .= "AND TargetInstance.Logfile='Security' ";
   $query    .= "AND TargetInstance.EventCode='552'";

   # (security) in the moniker enables SeSecurityPrivilege so the Security log is readable.
   my $events = Win32::OLE->GetObject("WinMgmts:{impersonationLevel=impersonate,(security)}")
                    ->ExecNotificationQuery($query)
       || die Win32::OLE->LastError;

   print "Polling for new Security Events...\n";
   while (my $event = $events->NextEvent) {
       my $ti = $event->TargetInstance;   # the Win32_NTLogEvent that was just written
       print "-" x 75, "\n";
       my $evtid = $ti->{EventCode};
       print "EventCode: $evtid\n";
       print "Category: " . $ti->{Category} . "\n";
       print "CategoryString: " . $ti->{CategoryString} . "\n";
       print "ComputerName: " . $ti->{ComputerName} . "\n";
       #print "Data: " . $ti->{Data} . "\n";
       print "EventIdentifier: " . $ti->{EventIdentifier} . "\n";
       # InsertionStrings comes back from Win32::OLE as an array reference
       print "InsertionStrings: " . join(" | ", @{ $ti->{InsertionStrings} || [] }) . "\n";
       print "Logfile: " . $ti->{Logfile} . "\n";
       print "RecordNumber: " . $ti->{RecordNumber} . "\n";
       print "SourceName: " . $ti->{SourceName} . "\n";
       print "TimeGenerated: " . $ti->{TimeGenerated} . "\n";
       print "TimeWritten: " . $ti->{TimeWritten} . "\n";
       print "Type: " . $ti->{Type} . "\n";
       print "User: " . $ti->{User} . "\n";
       #print "Message: " . $ti->{Message} . "\n";
       print "-" x 75, "\n";

       # Send off an e-mail about the captured event...
       my $time = scalar(localtime());
       e_mail($smtpsrvr, $fromaddr, $recpaddr,
              "Event $evtid was generated on $computer on $time",
              $ti->{Message});
       print "Polling for new Security Events...\n";
   }

   #---
   # The body of e_mail did not survive in the archive (the script loads the
   # CDO 1.21 constants, so the original presumably sent through CDO). This
   # replacement uses Net::SMTP, which ships with Perl; it is an assumption.
   sub e_mail {
       my ($server, $from, $to, $subject, $body) = @_;
       require Net::SMTP;
       my $smtp = Net::SMTP->new($server, Timeout => 30)
           or do { warn "SMTP connection to $server failed\n"; return 0 };
       $smtp->mail($from);
       $smtp->to($to);
       $smtp->data();
       $smtp->datasend("From: $from\nTo: $to\nSubject: $subject\n\n$body\n");
       $smtp->dataend();
       $smtp->quit;
       return 1;
   }
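Added example, not part of the post above or of any tool it mentions: the same two steps (search the Security log for logon-hours rejections, then subscribe for new ones) on Windows Vista/Server 2008 and later, where the 5xx event IDs above were replaced. There a logon outside the permitted hours is a failed logon, event 4625, carrying NTSTATUS 0xC000006F (STATUS_INVALID_LOGON_HOURS) in its Status or SubStatus field; there is no separate 530. The function names, the seven-day default window and the LogonHours subscription name are this example's own. Run it elevated, on the machine where the logon was attempted (that is where Logon/Logoff events are written; for a domain account the DC records the Kerberos or NTLM failure separately).

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# On Vista/2008 and later a logon outside permitted hours is event 4625
# (failed logon) with 0xC000006F (STATUS_INVALID_LOGON_HOURS) in Status/SubStatus.

function Get-LogonHoursViolation {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),   # example default window
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The named EventData fields are easiest to read from the event XML.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # -eq is case-insensitive, so the lower-case hex in the event matches.
            if ($d['Status'] -eq '0xC000006F' -or $d['SubStatus'] -eq '0xC000006F') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                    LogonType   = $d['LogonType']          # 2 = interactive at the console
                    Workstation = $d['WorkstationName']
                    SourceIp    = $d['IpAddress']
                }
            }
        }
}

# Live equivalent of the Perl __InstanceCreationEvent consumer above: fires on
# every new 4625 and reports the logon-hours ones to the console.
# Stop it with: Unregister-Event -SourceIdentifier LogonHours
function Start-LogonHoursWatch {
    $query = "SELECT * FROM __InstanceCreationEvent " +
             "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
             "AND TargetInstance.Logfile='Security' AND TargetInstance.EventCode=4625"
    Register-CimIndicationEvent -Query $query -SourceIdentifier LogonHours -Action {
        $e = $Event.SourceEventArgs.NewEvent.TargetInstance
        # The formatted Message carries the Status/Sub Status lines, so match on it
        # rather than on insertion-string positions.
        if ($e.Message -match '0xC000006F') {
            Write-Host ('{0}: logon-hours violation on {1}' -f $e.TimeGenerated, $e.ComputerName)
            Write-Host $e.Message
        }
    }
}

# Usage (both calls are examples):
# Get-LogonHoursViolation | Format-Table -AutoSize
# Start-LogonHoursWatch
```

The subscription runs inside the PowerShell session that registered it, so for the "sleeper" the original post describes, run it from a scheduled task at startup with a highest-privilege account, the same role the batch file plays in the Perl version.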
RE: [ActiveDir] AD, Logon times Custom messages
I ordered 10 StIcK's (tm) and they work great. I name my StIcK's for the special purposes they serve. The best thing is one size fits all!

Toddler

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 8:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

The StIcK(tm) is a wonderful tool for addressing those issues which aren't quite technological in nature. It's generally applied, somewhat liberally, by a trained professional.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Mr Clark [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 7:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times Custom messages

And what, exactly, would be StIcK? How would ISA server, or a web filter program, change/customize the logon message?

Thanks.
OT Re: [ActiveDir] SP4
We run Application Center and SP4 seems to corrupt MSSQL$MSAC. To correct it is easy enough: you uninstall MSDE through the App Center install and then re-install and re-apply MSDE SP2.

[EMAIL PROTECTED] 07/07/03 03:40PM
Anyone installed SP4 yet on their DC's? If so, have you had any issues?

Don L. Murawski
Sr. Network Administrator
WorldTravel BTI
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264

--
Confidentiality Note: This message is intended for use only by the individual or entity to which it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. Thank you.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Taking DC Offline
Why not use a tool like Aelita's InTrust (http://www.aelita.com/products/InTrust.htm) to run the scans against the production environment? I would also mention BV-Control, but I am mad at BindView right now and don't want to promote their products. (Long story.) It would be less intrusive into your environment... also lets you get a pretty good tool, all in the name of better security.

I would make the argument that standing up DCs and taking them down is not a good practice for production ADs, due to the clean-up and the potential for the data to be compromised outside of the datacenter. An Active Directory domain's security is only as good as the security of the datacenter the DCs are hosted in and the physical DCs themselves. Standing up and taking down DCs in the name of better security only complicates operations. Does this security director know the EA password or the Domain Admin passwords? If he doesn't, he will using this method. Also, do you plan to run only one security scan? To make security operations more useful, scans should be run several times a year, and data collected over time. Things like when an account was last accessed, how many times an account logs in badly or gets locked out, etc. are more useful than just "is the password complex enough". Also I wouldn't run a password guessing tool against a domain if you have account lockouts enabled. Could make the helpdesk revolt.

In the name of politics I understand your dilemma, I just want to fuel your argument for not doing this all the time due to the impact on operations. Power to the AD admins...

Toddler

-----Original Message-----
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

Nice tool Joe, but you should add a time filter. In an attack scenario (be it hacker or auditors), you don't necessarily want to unlock all the locked accounts you find - instead you want to unlock the ones that were locked after a specific time (this is the approach I took - using a UI you select the users you wish to unlock). However, unlocking all is better than unlocking none.

/Guido

From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Monday, 7 July 2003 21:26
To: [EMAIL PROTECTED]

Check out unlock at www.joeware.net. It's free, it's fast. Will display locked accounts or unlock them. Saves you the scripting time... Plus it runs faster than any script I have seen. :o)

As for those folks doing the testing, if it isn't security running those password check tools, it is hacking. Treat the admins accordingly.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Monday, July 07, 2003 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

In a way you should be happy they asked you, before just running a password guessing tool against the domain... Of course that won't necessarily be destructive - unless you have configured Account Lockout for X nr. of logons, which I always advise my customers to do. But if your AD domain spans multiple countries/locations or simply a large population of users (which might previously have been separate NT domains) - you're suddenly very vulnerable after all... I've seen auditors from one location run their magic tools, unannounced to any admin, against the AD domain spanning the United States - voilà, just like an attack from a hacker, that domain quickly ceased to work for any user, with logins and e-mail etc. failing all over the place (thankfully admin accounts were hidden in AD and thus not known to the tool used by the auditors). Wasn't hard to find the issue and yell at the folks - but try to quickly revert the status of many hundreds of locked out users...

So now we're prepared for these situations via a scripting solution - I would suggest everyone prepare something for their own environment as well. Nothing like being caught off guard.

/Guido

From: Simpsen, Paul A. (HSC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, 7 July 2003 03:25
To: [EMAIL PROTECTED]

The whole purpose of this is all political. It has already been decided to enable password complexity, but to help make the campus more agreeable (we are an edu!) our Security director wants to shoot them some stats. The % of PWs that they could crack, etc... Why this is good for you, you know the deal. I'm still hoping my boss will see the light and just say no! J

Thanks for all the responses, there might be some other options.

Paul

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL
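Added example, neither joeware's unlock nor the scripting solution Guido mentions: the time-filtered unlock he asks for, as the script a domain admin would keep ready for the situation described above (a password-guessing run against a domain with account lockout enabled). It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), which did not exist when this thread was written; the function name and the -Unlock switch are this example's own. It lists only accounts whose lockoutTime is at or after the given time, so an account a user locked themselves out of the week before is left alone, and it changes nothing unless -Unlock is given.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.

function Get-RecentLockout {
    param(
        [Parameter(Mandatory)][datetime]$Since,   # when the guessing run started
        [switch]$Unlock
    )
    Import-Module ActiveDirectory

    # Lockouts are evaluated on the PDC emulator and lockoutTime replicates to it
    # urgently, so query it rather than whichever DC the client happened to pick.
    $pdc = (Get-ADDomain).PDCEmulator

    $recent = Search-ADAccount -LockedOut -UsersOnly -Server $pdc |
        Get-ADUser -Server $pdc -Properties lockoutTime, badPwdCount, badPasswordTime, adminCount |
        Where-Object {
            # lockoutTime is a FILETIME; 0 means never locked.
            $_.lockoutTime -gt 0 -and [datetime]::FromFileTime($_.lockoutTime) -ge $Since
        } |
        Select-Object SamAccountName,
            @{ n = 'LockedAt';   e = { [datetime]::FromFileTime($_.lockoutTime) } },
            @{ n = 'LastBadPwd'; e = { if ($_.badPasswordTime) { [datetime]::FromFileTime($_.badPasswordTime) } } },
            badPwdCount,
            @{ n = 'Privileged'; e = { $_.adminCount -eq 1 } }   # AdminSDHolder-protected, i.e. the admin accounts Guido mentions

    if ($Unlock) {
        # Unlock on the PDC emulator so the change is effective domain-wide at once.
        $recent | ForEach-Object { Unlock-ADAccount -Identity $_.SamAccountName -Server $pdc }
    }
    return $recent
}

# Usage (example values): review first, then unlock.
# Get-RecentLockout -Since '2003-07-07 09:00' | Format-Table -AutoSize
# Get-RecentLockout -Since '2003-07-07 09:00' -Unlock
```

Reviewing the list before unlocking is the point of the two-step usage: a Privileged entry in the output means the guessing run reached an admin account, which is worth knowing before the helpdesk queue is cleared.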
[ActiveDir] First AD Domain?
I am wondering if there is a preferred location for the first (AKA root) domain in an AD forest given these parameters. Company name is example and they have an Internet presence at example.com. They have registered example.net for their AD DNS structure. example.net will never be resolvable in the public namespace. Is there any reason why one of these options is better than the other?

1) example.net
2) ad.example.net

Thanks,

The information contained in this message is confidential and is intended for the addressee(s) only. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden. Badger Meter, Inc. will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any virus being passed on.
RE: [ActiveDir] Identity Management using AD
I've been told that MIIS is really just MMS 3.0 renamed. The description of the software would seem to indicate so. Is this true?

Mike Thommes
Argonne National Laboratory

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 9:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

We are in the process of evaluating MIIS here, and AD is currently our source for authentication information; for Enterprise applications, we are using a custom database running on Critical Path to sync with other application directories and get a metaview of the information for identity management. Currently no one allows the metaview write access anywhere. I hope our testing and subsequent deployment will allow for a more standardized approach like what was described below.

To build on what Gil wrote, the reason why SQL Server was used to store identity information was probably because it was a metaview of all the relevant data needed to construct an employee, including privacy information. Active Directory doesn't need access to privacy information (SSN#, DOB, etc.), nor do many LDAP applications. The nice thing about MIIS is that it can create that metaview for you and store it in a SQL Server. So if your privacy information is only stored in the HR system and Payroll, then you can set ACLs on the info so only those systems get that info.

If you are getting into directories for both network access and Enterprise Resource and Application use, I suggest subscribing to the Burton Group papers on Enterprise directory, and constructing your architecture based on some of their principles. Now if we could only find a group willing to figure out the Laws of directories we would be golden... Maybe Murphy is already doing them.

Todd

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

MSFT internally uses SQL Server as the authoritative store for identity information, and populates AD from that.

-----Original Message-----
From: Glenn Corbett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 03, 2003 7:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Identity Management using AD

All,

We are in the process of redefining our Internet-enabled applications with a view to a centralised customer/client database. There has been quite a bit of discussion regarding using AD as this "customer store", since AD will already be in this environment. I'm a bit hesitant to recommend "vanilla" AD for this task, however I can see a number of benefits to this approach, as the support monkeys can manage the entire environment using the same tools they use to manage the production environment (ADUC etc.).

I've been reading up on the information regarding MIIS (what little there is), and can see some potential for a configuration such as this, e.g.:
- Use AD to store the "core" customer information (user name, password, basic details)
- Use ADAM or SQL (or whatever) for each application to store application-specific extensions (so I don't end up with a blown-out schema in AD with thousands of additional props for user objects)
- Use MIIS as the Authentication / Identity management front end, and use it to sync these disparate databases to ensure some semblance of "sameness" between them.
- Also use some of the MIIS features such as provisioning etc. to ease the management overhead.

Applications could use AD to authenticate the customer coming in, and then use their ADAM database to house the application-specific information they need. We could possibly then use MIIS to "backchannel" into the production AD system, so that corporate users can gain access to these Internet applications without requiring multiple accounts.

This is all just brainstorming at the moment, however (as usual), I need to come up with some sort of design by next week (gotta love being given lots of time *grin*). Having not actually got my hands on MIIS, this could be completely unfeasible. Other options are a custom database for the "customer store", or some other existing product.

Has anyone been down this road before, and could share some insights / resources?

Thanks
Glenn
RE: [ActiveDir] First AD Domain?
Shorter is better, IMO.

Now, you *could*, although I haven't tried it, do a non-contiguous forest using a contiguous namespace. This might get a little convoluted... In other words, it should be possible to create the root domain as root.example.net. Once that's complete, you should be able to install the second domain as example.net, choosing to create a new tree in an existing forest. There is no theoretical reason this can't work, unless there are some underlying, strict hierarchical issues within AD that I haven't seen before, but I doubt it's that bad.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Cary, Mark [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 11:29 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] First AD Domain?
RE: [ActiveDir] AD, Logon times Custom messages
I still prefer the upgraded version, bIg stIck®

Diane

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 7:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

I ordered 10 StIcK's (tm) and they work great. I name my StIcK's for the special purposes they serve. The best thing is one size fits all!

Toddler
RE: [ActiveDir] Identity Management using AD
Mike,

You're basically correct, although the renaming of MMS is accompanied by a broader IM strategy incorporating other products, services, and partnerships. MSFT is going to spell it out at Catalyst this week (today I think). IM has become a strategic issue for MSFT, partly because IM provides a more sellable benefit that Active Directory can provide to customers. "Improved TCO" wasn't a strong enough reason for getting people to make the leap to AD.

-gil

-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 8:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Identity Management using AD

I've been told that MIIS is really just MMS 3.0 renamed. The description of the software would seem to indicate so. Is this true?

Mike Thommes
Argonne National Laboratory
RE: [ActiveDir] Identity Management using AD
Yes, it is a new Architecture product from Microsoft. The next question should be: does it use IIS?

Todd

-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 11:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Identity Management using AD

I've been told that MIIS is really just MMS 3.0 renamed. The description of the software would seem to indicate so. Is this true?

Mike Thommes
Argonne National Laboratory
RE: [ActiveDir] Identity Management using AD
According to the Technical Overview of Microsoft Identity Integration Server 2003 whitepaper, MIIS 2003 is the third major release of Microsoft's metadirectory product. This would mean that, yes, MIIS is indeed the next version of the MMS product.

http://www.microsoft.com/windowsserver2003/techinfo/overview/miis.mspx

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 12:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

Yes it is a new Architecture product from MMicrosoft. The next question should be does it use IIS?

Todd

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 11:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Identity Management using AD

I've been told that MIIS is really just MMS 3.0 renamed. The description of the software would seem to indicate so. Is this true?

Mike Thommes
Argonne National Laboratory

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 9:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

We are in the process of evaluating MIIS here, and AD is currently our source for authentication information. For Enterprise applications, we are using a custom database running on Critical Path to sync with other application directories, and get a metaview of the information for identity management. Currently no one allows the metaview write access anywhere. I hope our testing and subsequent deployment will allow for a more standardized approach like what was described below.

To build on what Gil wrote, the reason why SQL Server was used to store identity information was probably because it was a metaview of all the relevant data needed to construct an employee, including privacy information. Active Directory doesn't need access to privacy information (SSN#, DOB, etc), nor do many LDAP applications. The nice thing about MIIS is that it can create that metaview for you and store it in a SQL Server. So if your privacy information is only stored in the HR system and Payroll, then you can set ACLs on the info so only those systems get that info.

If you are getting into directories for both network access and Enterprise Resource and Application use, I suggest subscribing to the Burton Group papers on Enterprise directory, and constructing your architecture based on some of their principles.

Now if we could only find a group willing to figure out the Laws of directories we would be golden... Maybe Murphy is already doing them.

Todd

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

MSFT internally uses SQL Server as the authoritative store for identity information, and populates AD from that.

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 03, 2003 7:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Identity Management using AD

All,

We are in the process of redefining our Internet-enabled applications with a view to a centralised customer/client database. There has been quite a bit of discussion regarding using AD as this customer store, since AD will already be in this environment. I'm a bit hesitant to recommend vanilla AD for this task, however I can see a number of benefits to this approach, as the support monkeys can manage the entire environment using the same tools they use to manage the production environment (ADUC etc).

I've been reading up on the information regarding MIIS (what little there is), and can see some potential for a configuration such as this, eg:

- Use AD to store the core customer information (user name, password, basic details)
- Use ADAM or SQL (or whatever) for each application to store application specific extensions (so I don't end up with a blown out schema in AD with thousands of additional props for user objects)
- Use MIIS as the Authentication / Identity management front end, and use it to sync these disparate databases to ensure some semblance of sameness between them.
- Also use some of the MIIS features such as provisioning etc to ease the management overhead.

Applications could use AD to authenticate the customer coming in, and then use their ADAM database to house the application specific information they need. We could possibly then use MIIS to backchannel into the production AD system, so that corporate users can gain access to these Internet applications without requiring multiple accounts.

This is all just brainstorming at the moment, however (as usual), I need to come up with some
RE: [ActiveDir] AD, Logon times Custom messages
You've apparently never met the pimp^H^H^H^H salesman of the StIcK, have you?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 12:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

I've always used the freeware predecessor to StIcK called KicK. It's not quite as fancy, but it requires no additional hardware.

-gil

-Original Message-
From: Ayers, Diane [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 7:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times Custom messages

I still prefer the upgraded version, bIg stIck

Diane

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 7:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

I ordered 10 StIcK's (tm) and they work great. I name my StIck's for the special purposes they serve. The best thing is one size fits all!

Toddler

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 8:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

The StIcK(tm) is a wonderful tool for addressing those issues which aren't quite technological in nature. It's generally applied, somewhat liberally, by a trained professional.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Mr Clark [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 7:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times Custom messages

And what, exactly, would be StIck? How would ISA server, or a web filter program, change/customize the logon message?

Thanks.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Tuesday, July 08, 2003 06:43
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

The right tool for this job might just be the StIcK(tm) ;)

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 1:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times Custom messages

The right tool for the right job. I do not think the place you are looking at is the right place for this job. May I suggest ISA server, or similar web filter programs.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Roger Seielstad
Sent: Mon 7/7/2003 8:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times Custom messages

The reject should be logged automatically, but I haven't checked for sure

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Mr Clark [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times Custom messages

Well, I just wanted to customize the message for my kids when they try to *sneak* on the computer during the middle of the night. :)

As another thought, is there a way to "log" when someone tries to sign on at a
RE: [ActiveDir] First AD Domain?
I think both should be considered together. Example.net will be at the top (empty forest root) and ad.example.net will be the production child domain where you have all the user accounts and resources. Makes it easier when it comes time for acquisition/merger/spin-off/political and diplomatic empire building, IMO. As for one being better than the other, it's a matter of taste.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Cary, Mark
Sent: Tue 7/8/2003 8:28 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] First AD Domain?

I am wondering if there is a preferred location for the first (AKA root) domain in an AD forest given these parameters. Company name is example and they have an Internet presence at example.com. They have registered example.net for their AD DNS structure. example.net will never be resolvable in the public namespace. Is there any reason why one of these options is better than the other?

1) example.net
2) ad.example.net

Thanks,

The information contained in this message is confidential and is intended for the addressee(s) only. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden. Badger Meter, Inc. will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any virus being passed on.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] First AD Domain?
Actually, a better strategy to use for M/A/D (merger/acquisition/divestiture) activities is to use domain name(s) which are completely removed from the company's name.

One of my two unofficial titles while we were part of a larger company was "Iron Chef - Migration". I'm none too happy to never do another M/A/D activity in my career...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 1:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] First AD Domain?

I think both should be considered together. Example.net will be at the top (empty forest root) and ad.example.net will be the production child domain where you have all the user accounts and resources. Makes it easier when it comes time for acquisition/merger/spin-off/political and diplomatic empire building, IMO. As for one being "better" than the other, it's a matter of taste.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Cary, Mark
Sent: Tue 7/8/2003 8:28 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] First AD Domain?

I am wondering if there is a preferred location for the first (AKA root) domain in an AD forest given these parameters. Company name is example and they have an Internet presence at example.com. They have registered example.net for their AD DNS structure. example.net will never be resolvable in the public namespace. Is there any reason why one of these options is better than the other?

1) example.net
2) ad.example.net

Thanks,

The information contained in this message is confidential and is intended for the addressee(s) only. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden. Badger Meter, Inc. will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any virus being passed on.
RE: [ActiveDir] Identity Management using AD
My spell checker broke my joke... I meant to say Marchitecture. As in Marketing Architecture. I think the whole IIS part is just a bad thing..

Todd

-Original Message-
From: Myrick, Todd (NIH/CIT)
Sent: Tuesday, July 08, 2003 1:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

Yes it is a new Architecture product from MMicrosoft. The next question should be does it use IIS?

Todd

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 11:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Identity Management using AD

I've been told that MIIS is really just MMS 3.0 renamed. The description of the software would seem to indicate so. Is this true?

Mike Thommes
Argonne National Laboratory

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 9:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

We are in the process of evaluating MIIS here, and AD is currently our source for authentication information. For Enterprise applications, we are using a custom database running on Critical Path to sync with other application directories, and get a metaview of the information for identity management. Currently no one allows the metaview write access anywhere. I hope our testing and subsequent deployment will allow for a more standardized approach like what was described below.

To build on what Gil wrote, the reason why SQL Server was used to store identity information was probably because it was a metaview of all the relevant data needed to construct an employee, including privacy information. Active Directory doesn't need access to privacy information (SSN#, DOB, etc), nor do many LDAP applications. The nice thing about MIIS is that it can create that metaview for you and store it in a SQL Server. So if your privacy information is only stored in the HR system and Payroll, then you can set ACLs on the info so only those systems get that info.

If you are getting into directories for both network access and Enterprise Resource and Application use, I suggest subscribing to the Burton Group papers on Enterprise directory, and constructing your architecture based on some of their principles.

Now if we could only find a group willing to figure out the Laws of directories we would be golden... Maybe Murphy is already doing them.

Todd

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

MSFT internally uses SQL Server as the authoritative store for identity information, and populates AD from that.

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 03, 2003 7:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Identity Management using AD

All,

We are in the process of redefining our Internet-enabled applications with a view to a centralised customer/client database. There has been quite a bit of discussion regarding using AD as this "customer store", since AD will already be in this environment. I'm a bit hesitant to recommend "vanilla" AD for this task, however I can see a number of benefits to this approach, as the support monkeys can manage the entire environment using the same tools they use to manage the production environment (ADUC etc).

I've been reading up on the information regarding MIIS (what little there is), and can see some potential for a configuration such as this, eg:

- Use AD to store the "core" customer information (user name, password, basic details)
- Use ADAM or SQL (or whatever) for each application to store application specific extensions (so I don't end up with a blown out schema in AD with thousands of additional props for user objects)
- Use MIIS as the Authentication / Identity management front end, and use it to sync these disparate databases to ensure some semblance of "sameness" between them.
- Also use some of the MIIS features such as provisioning etc to ease the management overhead.

Applications could use AD to authenticate the customer
Re: [ActiveDir] Proxy Server
I assume that will work for whatever browser they are using, correct (doesn't have to be IE)?

On Tuesday, July 8, 2003, at 12:05 PM, [EMAIL PROTECTED] wrote:

Using GPO: User Configuration -> Windows Settings -> Connection -> Proxy Settings

You can use IEAK for similar thing, but why do more work, eh?

Enjoy.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Richard Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server

I'm running DHCP from my Windows 2000 Server for all my clients on the network and I just recently setup a proxy server on another computer. How can I apply the proxy server's information without having to walk to everyone's computer?
Re: [ActiveDir] Proxy Server
Oh wait, hmmm, that's only good for IE. Is there a way to do it regardless of their browser?

On Tuesday, July 8, 2003, at 12:05 PM, [EMAIL PROTECTED] wrote:

Using GPO: User Configuration -> Windows Settings -> Connection -> Proxy Settings

You can use IEAK for similar thing, but why do more work, eh?

Enjoy.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Richard Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server

I'm running DHCP from my Windows 2000 Server for all my clients on the network and I just recently setup a proxy server on another computer. How can I apply the proxy server's information without having to walk to everyone's computer?
RE: [ActiveDir] Proxy Server
Well, one benefit of going ahead and using IEAK is that if you use the Auto Config feature and change your settings/environment after the initial deployment of your IEAK package, then you can simply update the .INS file and the settings will be applied during the next synchronization.

For example, here is the [Proxy] section of our AutoConfig INS file:

    [Proxy]
    HTTP_Proxy_Server=
    FTP_Proxy_Server=
    Gopher_Proxy_Server=
    Secure_Proxy_Server=
    Socks_Proxy_Server=
    Use_Same_Proxy=1
    Proxy_Enable=0
    Proxy_Override=local

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 2:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Proxy Server

Using GPO: User Configuration -> Windows Settings -> Connection -> Proxy Settings

You can use IEAK for similar thing, but why do more work, eh?

Enjoy.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Richard Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server

I'm running DHCP from my Windows 2000 Server for all my clients on the network and I just recently setup a proxy server on another computer. How can I apply the proxy server's information without having to walk to everyone's computer?
RE: [ActiveDir] Proxy Server
GPO, there is a setting in the Computer Configuration section I believe

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 2:47 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server

I'm running DHCP from my Windows 2000 Server for all my clients on the network and I just recently setup a proxy server on another computer. How can I apply the proxy server's information without having to walk to everyone's computer?
RE: [ActiveDir] Proxy Server
Actually, I don't think so. The GPO path reference below appears to be missing the Internet Explorer Maintenance entry under Windows Settings. This would lead me to believe that it is a Microsoft-centric policy setting.

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 2:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server

I assume that will work for whatever browser they are using, correct (doesn't have to be IE)?

On Tuesday, July 8, 2003, at 12:05 PM, [EMAIL PROTECTED] wrote:

Using GPO: User Configuration -> Windows Settings -> Connection -> Proxy Settings

You can use IEAK for similar thing, but why do more work, eh?

Enjoy.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Richard Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server

I'm running DHCP from my Windows 2000 Server for all my clients on the network and I just recently setup a proxy server on another computer. How can I apply the proxy server's information without having to walk to everyone's computer?
RE: [ActiveDir] Proxy Server
Besides a hardware solution, both browser platforms support Proxy Auto-Configuration (PAC) files. But this is a last-ditch effort by those in the know. IE, in particular, has been known to dislike PACs.

Another alternative is to use the login script to modify the registry. Not pretty, but it works.

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 2:30 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server

Oh wait, hmmm, that's only good for IE. Is there a way to do it regardless of their browser?

On Tuesday, July 8, 2003, at 12:05 PM, [EMAIL PROTECTED] wrote:

Using GPO: User Configuration -> Windows Settings -> Connection -> Proxy Settings

You can use IEAK for similar thing, but why do more work, eh?

Enjoy.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Richard Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server

I'm running DHCP from my Windows 2000 Server for all my clients on the network and I just recently setup a proxy server on another computer. How can I apply the proxy server's information without having to walk to everyone's computer?
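The PAC file mentioned in the reply above is itself a small JavaScript program that the browser evaluates for every request. As an added example (not code from the thread or from any of its posters), here is a minimal PAC script that sends intranet names direct and everything else through a filtering proxy. The proxy address proxy.example.net:8080 and the DNS suffix .corp.example.net are constructed placeholders. Because the browser normally supplies helper functions such as isPlainHostName and isInNet, the block carries small stand-ins for them so it can be run and tested outside a browser; the stand-in isInNet only handles IPv4 literals and does no DNS lookup, unlike the real one.

```javascript
// Added example: a minimal Proxy Auto-Configuration (PAC) script.
// The proxy address and the corporate DNS suffix are constructed
// placeholders, not values from the mailing-list thread.
const PROXY_LIST = "PROXY proxy.example.net:8080"; // placeholder
const CORP_SUFFIX = ".corp.example.net";           // placeholder

// Stand-ins for helper functions a browser provides to a PAC script.
// They exist only so this file can run and be tested outside a browser.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  return h.length >= d.length && h.slice(h.length - d.length) === d;
}

// Parse a dotted-quad IPv4 literal into an integer, or return null.
function ipv4ToInt(text) {
  const parts = text.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

// The browser's isInNet() resolves hostnames via DNS; this stand-in only
// handles IPv4 literals and treats anything else as "not in the network".
function isInNet(host, network, mask) {
  const h = ipv4ToInt(host);
  const n = ipv4ToInt(network);
  const m = ipv4ToInt(mask);
  if (h === null || n === null || m === null) return false;
  return (h & m) === (n & m);
}

// The entry point every PAC file must define. The browser calls it for
// each request and honours the returned proxy string.
function FindProxyForURL(url, host) {
  // Dot-less names are intranet hosts: the PAC equivalent of the IEAK
  // setting Proxy_Override=local ("bypass proxy server for local addresses").
  if (isPlainHostName(host)) return "DIRECT";

  // Hosts under the corporate DNS suffix are reached without the proxy.
  if (dnsDomainIs(host, CORP_SUFFIX)) return "DIRECT";

  // Literal RFC 1918 addresses are internal as well.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }

  // Everything else goes through the proxy. Deliberately no "; DIRECT"
  // fallback: if the proxy is down the request fails rather than quietly
  // bypassing the web filter.
  return PROXY_LIST;
}
```

The design choice worth noting is the last return: a PAC that ends with "PROXY proxy:8080; DIRECT" fails open, so a proxy outage (or a user who can make the proxy unreachable) turns off the filter for every client; returning only the PROXY entry fails closed. The bypass rules at the top are the same idea as Proxy_Override=local in the IEAK .INS fragment quoted earlier in this thread.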
RE: [ActiveDir] Proxy Server
DHCP Scope Options?

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]]
Sent: Tue 7/8/2003 3:29 PM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: [ActiveDir] Proxy Server

Oh wait, hmmm, that's only good for IE. Is there a way to do it regardless of their browser?

On Tuesday, July 8, 2003, at 12:05 PM, [EMAIL PROTECTED] wrote:

Using GPO: User Configuration -> Windows Settings -> Connection -> Proxy Settings

You can use IEAK for similar thing, but why do more work, eh?

Enjoy.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Richard Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server

I'm running DHCP from my Windows 2000 Server for all my clients on the network and I just recently setup a proxy server on another computer. How can I apply the proxy server's information without having to walk to everyone's computer?
Re: [ActiveDir] Proxy Server
That's why everyone should use a Mac!!! Hehehe, with my Mac I can just specify it in my Network Settings for the system and that should work for all my browsers.

Anyways, since we are bringing up GPO, I have a finger to pick with that. For some reason my group policies are only getting applied on the server computers and not the workstations? Any ideas?

On Tuesday, July 8, 2003, at 12:44 PM, Duncan, Larry wrote:

Actually, I don't think so. The GPO path reference below appears to be missing the Internet Explorer Maintenance entry under Windows Settings. This would lead me to believe that it is a Microsoft-centric policy setting.

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 2:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server

I assume that will work for whatever browser they are using, correct (doesn't have to be IE)?

On Tuesday, July 8, 2003, at 12:05 PM, [EMAIL PROTECTED] wrote:

Using GPO: User Configuration -> Windows Settings -> Connection -> Proxy Settings

You can use IEAK for similar thing, but why do more work, eh?

Enjoy.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Richard Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server

I'm running DHCP from my Windows 2000 Server for all my clients on the network and I just recently setup a proxy server on another computer. How can I apply the proxy server's information without having to walk to everyone's computer?
[ActiveDir] admt 2.0 - nt4 computer migration
Am attempting the migration of a computer from an NT4 source domain to a Windows 2000 target domain. The migration environment is working fine with Windows 2000 Professional clients; have got issues with the migration of an NT4 workstation.

The extract from dispatch.log on the ADMT server is attached, from which I am hoping to get a few clues as to the access denied. Have checked the obvious issues such as sourcedom\domain admins being a member of the local Administrators group and the computer migration being run while logged on as a member of that sourcedom\domain admins group.

Thanks
GT

Attachment: sp94781.doc (MS-Word document)
RE: [ActiveDir] Proxy Server
Check under the Computer Configuration side of the GPO

-Original Message-
From: Duncan, Larry [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 3:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Proxy Server

Actually, I don't think so. The GPO path reference below appears to be missing the Internet Explorer Maintenance entry under Windows Settings. This would lead me to believe that it is a Microsoft-centric policy setting.

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 2:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server

I assume that will work for whatever browser they are using, correct (doesn't have to be IE)?

On Tuesday, July 8, 2003, at 12:05 PM, [EMAIL PROTECTED] wrote:

Using GPO: User Configuration -> Windows Settings -> Connection -> Proxy Settings

You can use IEAK for similar thing, but why do more work, eh?

Enjoy.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Richard Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server

I'm running DHCP from my Windows 2000 Server for all my clients on the network and I just recently setup a proxy server on another computer. How can I apply the proxy server's information without having to walk to everyone's computer?
RE: [ActiveDir] Proxy Server
Richard-

Where are the GPOs linked? Have you checked permissions on them to ensure that the workstation machine accounts have Read and Apply Group Policy perms? Authenticated Users will do.

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 1:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server

That's why everyone should use a Mac!!! Hehehe, with my Mac I can just specify it in my Network Settings for the system and that should work for all my browsers.

Anyways, since we are bringing up GPO, I have a finger to pick with that. For some reason my group policies are only getting applied on the server computers and not the workstations? Any ideas?

On Tuesday, July 8, 2003, at 12:44 PM, Duncan, Larry wrote:

Actually, I don't think so. The GPO path reference below appears to be missing the Internet Explorer Maintenance entry under Windows Settings. This would lead me to believe that it is a Microsoft-centric policy setting.

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 2:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server

I assume that will work for whatever browser they are using, correct (doesn't have to be IE)?

On Tuesday, July 8, 2003, at 12:05 PM, [EMAIL PROTECTED] wrote:

Using GPO: User Configuration -> Windows Settings -> Connection -> Proxy Settings

You can use IEAK for similar thing, but why do more work, eh?

Enjoy.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Richard Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server

I'm running DHCP from my Windows 2000 Server for all my clients on the network and I just recently setup a proxy server on another computer. How can I apply the proxy server's information without having to walk to everyone's computer?
RE: [ActiveDir] admt 2.0 - nt4 computer migration
While continuing my interest in this issue, I came across the following Q-article that seems dead-on: http://support.microsoft.com/default.aspx?scid=kb;en-us;316073

-----Original Message-----
From: Graham Turner [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 3:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] admt 2.0 - nt4 computer migration

Am attempting the migration of a computer from an NT4 source domain to a Windows 2000 target domain. The migration environment is working fine with Windows 2000 Professional clients; have got issues with the migration of an NT4 workstation. The extract from dispatch.log on the ADMT server is attached, from which I am hoping to get a few clues as to the access denied. Have checked the obvious issues such as sourcedom\domain admins being a member of the local administrators group and the computer migration being run while logged on as a member of that sourcedom\domain admins group.

Thanks
GT
Re: [ActiveDir] Proxy Server
How so? 072 World Wide Web Servers?

On Tuesday, July 8, 2003, at 01:04 PM, Robinson, Chuck wrote:

DHCP Scope Options?

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]]
Sent: Tue 7/8/2003 3:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server

Oh wait, hmmm, that's only good for IE. Is there a way to do it regardless of their browser?

On Tuesday, July 8, 2003, at 12:05 PM, [EMAIL PROTECTED] wrote:

Using GPO: User Configuration - Windows Settings - Connection - Proxy Settings. You can use IEAK for a similar thing, but why do more work, eh? Enjoy.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Richard Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server

I'm running DHCP from my Windows 2000 Server for all my clients on the network and I just recently set up a proxy server on another computer. How can I apply the proxy server's information without having to walk to everyone's computer?
RE: [ActiveDir] admt 2.0 - nt4 computer migration
Has the Everyone group been added to the Pre-Windows 2000 Compatible Access group in the new domain?

-----Original Message-----
From: Graham Turner [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 3:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] admt 2.0 - nt4 computer migration

Am attempting the migration of a computer from an NT4 source domain to a Windows 2000 target domain. The migration environment is working fine with Windows 2000 Professional clients; have got issues with the migration of an NT4 workstation. The extract from dispatch.log on the ADMT server is attached, from which I am hoping to get a few clues as to the access denied. Have checked the obvious issues such as sourcedom\domain admins being a member of the local administrators group and the computer migration being run while logged on as a member of that sourcedom\domain admins group.

Thanks
GT
RE: [ActiveDir] Proxy Server
Check out KB http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b252898 - I haven't used this feature, thought it could be relevant.

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]]
Sent: Tue 7/8/2003 4:49 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server

How so? 072 World Wide Web Servers?

On Tuesday, July 8, 2003, at 01:04 PM, Robinson, Chuck wrote:

DHCP Scope Options?

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]]
Sent: Tue 7/8/2003 3:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server

Oh wait, hmmm, that's only good for IE. Is there a way to do it regardless of their browser?

On Tuesday, July 8, 2003, at 12:05 PM, [EMAIL PROTECTED] wrote:

Using GPO: User Configuration - Windows Settings - Connection - Proxy Settings. You can use IEAK for a similar thing, but why do more work, eh? Enjoy.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Richard Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server

I'm running DHCP from my Windows 2000 Server for all my clients on the network and I just recently set up a proxy server on another computer. How can I apply the proxy server's information without having to walk to everyone's computer?
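Richard's question is how to set the proxy regardless of browser, and the replies above point at DHCP scope options and a KB article rather than the IE-only GPO. The browser-neutral piece in any such scheme is a proxy auto-config (PAC) script: every major browser will fetch one from a URL and call its FindProxyForURL(url, host) for each request, so the routing decision lives in one place. Below is an added example, not from the thread or from Microsoft's documentation. The proxy name proxy.corp.example.internal:8080, the internal DNS suffix and the 192.168.0.0/16 range are assumed values. Browsers supply isPlainHostName, dnsDomainIs, isInNet and shExpMatch at runtime; minimal IPv4-only stand-ins are defined here so the script also runs under Node for testing.

```javascript
// Added example: a proxy auto-config (PAC) script with stand-ins for the
// helper functions a browser's PAC runtime provides. The stand-ins handle
// dotted-quad IPv4 only; browser versions of isInNet also resolve DNS names.

function isPlainHostName(host) {
  // An unqualified name such as "intranet" has no dot in it.
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // Case-insensitive suffix test; pass the suffix with a leading dot so that
  // "evilcorp.example.internal" does not match ".corp.example.internal".
  const h = host.toLowerCase(), d = domain.toLowerCase();
  return h.length >= d.length && h.slice(h.length - d.length) === d;
}

function ipToInt(ip) {
  // Parse "a.b.c.d" into an unsigned 32-bit value; null if not a valid IPv4.
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isInNet(host, pattern, mask) {
  // True when host (an IPv4 literal) falls inside pattern/mask.
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  // >>> 0 keeps the masked values unsigned after JS's int32 bitwise ops.
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

function shExpMatch(str, shexp) {
  // Shell-style wildcard match: * matches any run, ? matches one character.
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i");
  return re.test(str);
}

// Assumed site values (not from the thread): the proxy, the internal DNS
// suffix, and the RFC 1918 range the workstations sit in.
const PROXY = "PROXY proxy.corp.example.internal:8080";
const INTERNAL_SUFFIX = ".corp.example.internal";

function FindProxyForURL(url, host) {
  // Unqualified names and anything under the internal suffix go direct.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }
  // Loopback and the local network bypass the proxy as well.
  if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // A wildcard rule for a partner domain that must always be proxied, even
  // if a later rule would have sent it direct.
  if (shExpMatch(host, "*.partner.example.com")) {
    return PROXY;
  }
  // Everything else is proxied. No "; DIRECT" fall-back is listed on
  // purpose: if the proxy is down, clients fail closed rather than bypass it.
  return PROXY;
}
```

Whatever delivers the PAC URL (DHCP option 252, a `wpad` DNS record, or a URL pushed into each browser), the client trusts whoever answers, so a rogue DHCP server or anyone able to register the `wpad` name on the network can hand out a script that routes every request through their own proxy. Pin the URL where the browser allows it, serve the script read-only over HTTPS, and keep suffix matching strict with the leading dot shown above.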
Re: [ActiveDir] Proxy Server
Workstation machine accounts? I don't think so, nor recall anything about that? As for the Authenticated Users group, yes.

On Tuesday, July 8, 2003, at 01:48 PM, Darren Mar-Elia wrote:

Richard - Where are the GPOs linked? Have you checked permissions on them to ensure that the workstation machine accounts have Read and Apply Group Policy perms? Authenticated Users will do.

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 1:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server

That's why everyone should use a Mac!!! Hehehe, with my Mac I can just specify it in my Network Settings for the system and that should work for all my browsers. Anyway, since we are bringing up GPO, I have a finger to pick with that. For some reason my group policies are only getting applied on the server computers and not the workstations? Any ideas?

On Tuesday, July 8, 2003, at 12:44 PM, Duncan, Larry wrote:

Actually, I don't think so. The GPO path reference below appears to be missing the Internet Explorer Maintenance entry under Windows Settings. This would lead me to believe that it is a Microsoft-centric policy setting.

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 2:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server

I assume that will work for whatever browser they are using, correct (doesn't have to be IE)?

On Tuesday, July 8, 2003, at 12:05 PM, [EMAIL PROTECTED] wrote:

Using GPO: User Configuration - Windows Settings - Connection - Proxy Settings. You can use IEAK for a similar thing, but why do more work, eh? Enjoy.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Richard Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server

I'm running DHCP from my Windows 2000 Server for all my clients on the network and I just recently set up a proxy server on another computer. How can I apply the proxy server's information without having to walk to everyone's computer?
Re: [ActiveDir] Identity Management using AD
Thanks Todd.

At the moment, we aren't hugely concerned about putting *some* privacy information into AD, as this instance of AD will only be for our external clients, and the attribute-level ACLs provided by AD should provide enough security to stop certain applications / users from seeing this information. That being said, we are looking into the appropriate laws / legislation / statutes regarding privacy and the storage of personal information to make sure we are covered from that aspect.

I've done the required high-level checking, and AD shouldn't have any trouble storing the amount and type of information we require (up to 6-8 million user objects, several thousand groups etc.); it's really down to the following questions:

a) Is AD an *appropriate* store for this sort of information (my answer would be yes, based on the Authentication / Authorisation provided by AD)
b) What sorts of information should be stored in AD (I'll be pointing out the often read / rarely written aspects of AD)
c) For application-specific extensions, is this appropriate to store in AD (my current thinking is NO, as I'll end up with several hundred additional user properties; better to store them elsewhere and sync)
d) In relation to c, if not in AD, then where, and how to keep these disparate databases in sync
e) What management tools / processes are required to manage a 6-8 million user AD, and what are the associated security implications (eg exposing the admin interfaces to the internet, as opposed to just internal exposure)
f) What other solutions are available that may be able to provide the Authentication / Authorisation that is required (mention has been made of Passport etc., and how would this tie in with AD - if at all)
g) What additional authentication methods can be layered on AD to provide additional levels of authentication (Certifications, SmartCards, Biometrics etc.) - I know AD can do all these, it's really how to integrate them, and the associated security / management implications.
h) What are some of the constraints on AD that could be an issue down the track (like the X users in a group problem under 2k).
i) Why me?? *grin* I'm sure Murphy was the first one out with a book :P

Glenn

----- Original Message -----
From: Myrick, Todd (NIH/CIT)
To: '[EMAIL PROTECTED]'
Sent: Wednesday, July 09, 2003 12:11 AM
Subject: RE: [ActiveDir] Identity Management using AD

We are in the process of evaluating MIIS here, and AD is currently our source for authentication information; for Enterprise applications, we are using a custom database running on Critical Path to sync with other application directories and get a metaview of the information for identity management. Currently no one allows the metaview write access anywhere. I hope our testing and subsequent deployment will allow for a more standardized approach like what was described below.

To build on what Gil wrote, the reason why SQL Server was used to store identity information was probably because it was a metaview of all the relevant data needed to construct an employee, including privacy information. Active Directory doesn't need access to privacy information (SSN#, DOB, etc.), nor do many LDAP applications. The nice thing about MIIS is that it can create that metaview for you and store it in a SQL Server. So if your privacy information is only stored in the HR system and Payroll, then you can set ACLs on the info so only those systems get that info.

If you are getting into directories for both network access and Enterprise Resource and Application use, I suggest subscribing to the Burton Group papers on Enterprise directory, and constructing your architecture based on some of their principles. Now if we could only find a group willing to figure out the Laws of directories we would be golden... Maybe Murphy is already doing them.

Todd

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

MSFT internally uses SQL Server as the authoritative store for identity information, and populates AD from that.

-----Original Message-----
From: Glenn Corbett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 03, 2003 7:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Identity Management using AD

All, We are in the process of redefining our Internet-enabled applications with a view to a centralised customer/client database. There has been quite a bit of discussion regarding using AD as this "customer store", since AD will already be in this environment. I'm a bit hesitant to recommend "vanilla" AD for this task, however I can see a number of
RE: [ActiveDir] Identity Management using AD
Glenn,

Interesting questions, and I'd like to take a shot at lending an opinion on some of these points. Firstly, privacy seems to have become a true art form in the States. From Gramm-Leach-Bliley to HIPAA, we're regulated to the n-th degree. I'm not sure if it's good or bad - but it's something to be aware of. Then, to the other extreme - the Higher Educational system where the 1st Amendment meets rational thought and security. ;-)

a) I agree 100%. I think AD is a very well designed store for this type of storage - given that triple-A is available out of the box (authorization, authentication, auditing)
b) True - fairly static - not changing much. Just enough to keep the Identity portion in place.
c) Nope - see d
d) ADAM - Active Directory Application Mode. Synching available, greater level with MMS (MIIS??), multiple instances, and truly designed for the application depository
e) Joe is going to be the man to answer this - he's been doing the massive number management function - though I don't think to this number. ;-)
f) Passport (and to some degree, rightly so) has been beat up pretty badly. However, in your environment, Passport may be more viable than how it is being leveraged by MS
g) Heh - layering these things is possible, though it can get hairy to manage. Mapping of certs to names / objects, expansion of schema for new function to handle biometrics, and the smart card option is all pretty good - but smart card is going to leverage certs to some degree at some level. Not knowing what price level / sensitivity of data / regulations you are dealing with makes it a bit hard for me to suggest anything, but any layering is obviously going to raise the price because of the complexity / added hardware / software and added processor for keyed type solutions
h) Can't say that I've run into any or know of anyone that has (well - not completely true. I know Gary Olsen with HP, and he ran into the KCC issue mentioned in a moment) - obviously, they are there. Microsoft claims to have tested to billions of objects - and I have no reason to not believe this to be true. The KCC topology issue of Windows 2000 (KCC cannot work if (1 + #Domains) x sites^2 > 100,000) does indicate that there are issues here and there. They get fixed, but usually are big fixes. In the case of the KCC issue, it's fixed in Server 2003, but only once you get to 2003 Forest Functional mode. That's a big move.
i) Because it's there. Oh, wait! That's for mountains. Never mind.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Glenn Corbett
Sent: Tuesday, July 08, 2003 6:36 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Identity Management using AD

Thanks Todd.

At the moment, we aren't hugely concerned about putting *some* privacy information into AD, as this instance of AD will only be for our external clients, and the attribute-level ACLs provided by AD should provide enough security to stop certain applications / users from seeing this information. That being said, we are looking into the appropriate laws / legislation / statutes regarding privacy and the storage of personal information to make sure we are covered from that aspect.

I've done the required high-level checking, and AD shouldn't have any trouble storing the amount and type of information we require (up to 6-8 million user objects, several thousand groups etc.); it's really down to the following questions:

a) Is AD an *appropriate* store for this sort of information (my answer would be yes, based on the Authentication / Authorisation provided by AD)
b) What sorts of information should be stored in AD (I'll be pointing out the often read / rarely written aspects of AD)
c) For application-specific extensions, is this appropriate to store in AD (my current thinking is NO, as I'll end up with several hundred additional user properties; better to store them elsewhere and sync)
d) In relation to c, if not in AD, then where, and how to keep these disparate databases in sync
e) What management tools / processes are required to manage a 6-8 million user AD, and what are the associated security implications (eg exposing the admin interfaces to the internet, as opposed to just internal exposure)
f) What other solutions are available that may be able to provide the Authentication / Authorisation that is required (mention has been made of Passport etc., and how would this tie in with AD - if at all)
g) What additional authentication methods can be layered on AD to provide additional levels of authentication (Certifications, SmartCards, Biometrics etc.) - I know AD can do all these, it's really how to integrate them, and the associated security / management implications.
h) What are some of the constraints on AD that could be an issue down the track (like the X