Re: [ActiveDir] Built in Security groups
From what you're saying here, it doesn't sound like you need to basically... well... completely f*ck up your environment, you just need to remove the nesting of the Administrators group from the other groups. Auditors saying that you need to delete a built-in group really need to get a clue, just to be honest. If you have to give it to them, then that shouldn't be an issue. Don't view an auditor's request as a "You must do this" statement, because it isn't. They are basing their recommendations off an incomplete understanding of the Windows environment; fill in the missing information and there is a really good chance that they'll go "Oh".

It really sounds like what you need is appropriate auditing to make sure that you have your sensitive group memberships monitored for membership changes.

On 12/26/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Nope, we haven't delegated the rights to anyone else. We are a single forest farm that hasn't done a schema update with the current staff, so I doubt they even know what the groups are for. They saw that Administrator was a member of those groups, didn't know what they were for, and said to disable them. This is the problem with SOX and similar setups: the auditors and people making decisions based on their findings are often not the people best equipped to make the decisions from a technical standpoint. Regardless, I found the list of built-in accounts and groups and a reference from an outside authority (article in ITPro) stating that the built-in groups can not be deleted, so I think I have enough ammo to push back =)

Thanks,
Andrew Fidel

joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
12/23/2006 01:49 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Built in Security groups

Yep, the reference is Error Code 0x55B (1371) in winerror.h:

ERROR_SPECIAL_ACCOUNT # Cannot perform this operation on built-in accounts.

An alternate reference is isCriticalSystemObject: TRUE

Send back up to the above that they should be setting overall generic security policies and the technical people should be figuring out how to interpret them. Telling you to delete certain groups is deeper into the details than they likely should be based on this requirement. Course my response probably would have been a chuckle or two and "Yeah, I'll get right on that" ;o)

The basic concept is silly. Correct me if I am wrong, but I am guessing you have delegated the same rights to other groups so they feel that leaving the original groups is a security issue? Obviously this is silly on the surface and actually at any level. Any group that has the same rights represents the same security risk. I wouldn't even bother taking the schema admins group and delegating those rights to some other group I made; I don't see the point and I could visualize tools that will actually break if you did that because they may look at the token or directory to verify someone is a member of that group directly to continue on.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
--

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 22, 2006 11:14 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Built in Security groups

Does anyone have a reference (preferably from MS) showing that you should not remove the Built-in Security groups such as Schema Admins, Enterprise Admins, etc.? It has come down from above that we should be removing these groups, and while I know better I need some ammunition to back me up.

Thanks,
Andrew Fidel
Re: [ActiveDir] Built in Security groups
Technically, he could remove those group objects from having the ability to manage whatever items. Any user members of these groups could simply 'take it back', but that requires a decent amount of knowledge.

My recommendation: Restrict those group memberships by GPO on the DC GPO. This will end up with the user list being very small and the chance that someone hacks both the group membership and goes to check and/or edit the GPO in the time that it would take before the GPO refreshes on a DC (and that change gets replicated out) to be relatively small. It's not vanishingly small, but small enough to where it's a manageable risk, as opposed to a non-manageable one.

The groups are there for very good reasons and some of the capabilities can't be moved to another group without some serious work (if at all). Basically, there has to be some form of 'emergency' fixing and lacking some of these groups, you'd lose that capability, which might not seem important until you need to have it, then you're in a world of hurt.

On 12/22/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

Not putting any users in the groups has basically the same effect as removing them from an operational perspective. If you don't have a user in the group, nobody has the rights to change things that only these groups have rights to. That's probably what your mgmt wants to achieve. You'd then populate the groups on an as-needed basis to perform specific tasks.

The reason why you don't want to remove them (which you could technically) is pretty easy: these groups are there for a purpose, i.e. they have been granted specific rights in AD to perform special tasks. This includes schema mgmt and administration of the config NC. If you don't like the groups, you'd have to ACL AD to allow another group to perform the tasks – doesn't really make any sense ...

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, 22 December 2006 17:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built in Security groups

Does anyone have a reference (preferably from MS) showing that you should not remove the Built-in Security groups such as Schema Admins, Enterprise Admins, etc.? It has come down from above that we should be removing these groups, and while I know better I need some ammunition to back me up.

Thanks,
Andrew Fidel
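Both threads above come down to two checks: which groups AD itself flags as critical (isCriticalSystemObject, the reference joe gives), whether the built-in Administrator account or the Administrators group is nested in them, and whether membership changes to them are being audited. The following script is an added example written for this page; it is not code from the list or from any of the posters. It assumes the ActiveDirectory PowerShell module (RSAT, which is newer than the 2006 discussion) and a domain controller on which "Audit Security Group Management" is enabled so that the 4728/4729, 4732/4733 and 4756/4757 group-membership events are written to the Security log.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# and that group-management auditing is enabled on the DC it runs on.
Import-Module ActiveDirectory

function Get-CriticalGroupReport {
    # Groups AD refuses to delete (isCriticalSystemObject=TRUE), with the
    # nesting the thread argues about: is BUILTIN\Administrators or the
    # built-in Administrator account (RID 500) a direct member?
    $domain      = Get-ADDomain
    $adminsDN    = (Get-ADGroup -Identity 'S-1-5-32-544').DistinguishedName
    $adminUserDN = (Get-ADUser  -Identity "$($domain.DomainSID.Value)-500").DistinguishedName

    Get-ADGroup -LDAPFilter '(isCriticalSystemObject=TRUE)' -Properties member |
        ForEach-Object {
            $members = @($_.member)
            [pscustomobject]@{
                Group                = $_.SamAccountName
                DirectMembers        = $members.Count          # 0 = "populate as needed" state
                AdministratorsNested = $members -contains $adminsDN
                AdministratorUser    = $members -contains $adminUserDN
            }
        }
}

function Get-CriticalGroupMembershipChanges {
    # Add/remove events for the same groups from the local Security log.
    # The event is logged only on the DC where the change was made, so run
    # this on every DC or against a collector.
    param([int]$Days = 7)
    $critical = (Get-ADGroup -LDAPFilter '(isCriticalSystemObject=TRUE)').SamAccountName
    $ids = 4728, 4729, 4732, 4733, 4756, 4757   # global / local / universal, add + remove

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields instead of relying on property positions
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($critical -contains $data['TargetUserName']) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    EventId   = $_.Id
                    Group     = $data['TargetUserName']
                    Member    = $data['MemberName']
                    ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                }
            }
        }
}

Get-CriticalGroupReport | Format-Table -AutoSize
Get-CriticalGroupMembershipChanges -Days 30 | Format-Table -AutoSize
```

The first report is what to hand an auditor: the critical groups, how many direct members each has (an empty Schema Admins or Enterprise Admins is exactly the "populate as needed" state Guido describes) and whether the default nesting is still in place. The second is the monitoring Matt asks for; if it returns nothing for a group you know was changed, check that the audit subcategory is actually enabled on that DC.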
Re: [ActiveDir] Bulk of client going to PDC
I'm curious whether there is some consistency in the clients and whether they're the latest version of the OS, what kind of DNS you have, WINS, etc. Also, you might want to look at your DHCP and see where the DNS server is that the clients are bouncing against, but that doesn't seem to be the issue, since it's not consistent (that's the thing that seems to be strangest, that the issue seems to hop from site to site). Probably the best place to start is to track back to when the issue started and see if there were some changes that occurred around that time, whether it be part of the physical network or something on the clients/servers.

On 12/2/06, joe [EMAIL PROTECTED] wrote:

I would recommend doing a trace of one of the problem clients logging on and watch the whole referral process, etc. Actually I would probably just turn on a sniffer and let it watch everything from one of those machines from boot up for some time so you catch refreshes and everything else. At least then you should be able to nail down whether the clients are being referred to something incorrectly or they are off making their own incorrect decisions.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
--

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Saturday, December 02, 2006 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bulk of client going to PDC

Yes, checked the correct subnets are attached to correct sites. All clients are connected via Ethernet 100/Full Duplex. It's like a mass exodus of a swarm of computers, going to PDCe, and in turn choking the WAN links. It happened like once a day.. and every day it would be a random site. Have asked different site people to install netmon on some PCs and keep it running.. on Monday.. hoping that one of those sites.. and in them.. one of those PCs misbehaves. Anything else I should look at?

--
Kamlesh

On 12/2/06, Al Mulnick [EMAIL PROTECTED] wrote:

Site definitions - are your site definitions up to date? How are your clients connected - are they ethernet, 802.11x, tokenring, ??

On 12/2/06, Kamlesh Parmar [EMAIL PROTECTED] wrote:

Am sorry, I didn't follow what you are asking.. could you be more specific.

On 12/2/06, Al Mulnick [EMAIL PROTECTED] wrote:

How are your clients connected? Site definitions?

On 12/1/06, Kamlesh Parmar [EMAIL PROTECTED] wrote:

Appreciate the efforts taken. AFAIK, this would be more of a DFS issue than authentication, as clients are pulling policies and files from PDCe. When I look into details of DFS link targets for sysvol or netlogon, PDCe is listed as distance 9th in the list of servers which clients should contact in case their primary link target failed. And this happens so randomly, from clients, that I am not able to set up a network trace also.

--
Kamlesh

On 12/1/06, Thomas Michael Heß [EMAIL PROTECTED] wrote:

Hi Kamlesh,

first of all, I would enable the logging of the Netlogon Service. I've found an article in the WindowsITPro:

"The Netlogon service is one of the key Local Security Authority (LSA) processes that run on every Windows domain controller. When you troubleshoot authentication problems, analyzing the Netlogon service log files can be useful. How do I turn Netlogon service logging on and off, and how do I analyze the content of the Netlogon log files?"

To turn on Netlogon service logging, type the following Nltest command at the command line:

nltest /dbflag:2080

Enabling Netlogon service logging requires that you restart the Netlogon service. To do so, use the Net Stop Netlogon and Net Start Netlogon commands. To disable Netlogon service logging, type:

nltest /dbflag:0

Then, restart the Netlogon service again. The Netlogon service stores log data in a special log file called netlogon.log, in the %Windir%\debug folder. Two utilities are useful in querying the Netlogon log files: Nlparse.exe and Findstr.exe.

Nlparse.exe is a GUI tool that comes with Microsoft Account Lockout tools. You can download Account Lockout tools for free from the Microsoft Web site as part of the Account Lockout and Management Tools ALTools.exe file at http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en. Figure 1 (http://www.winnetmag.com/Files/42850/Figure_01.gif) shows the Nlparse GUI, which contains the most common Netlogon error codes and their meaning. Nlparse stores the output of its queries in two files in the %Windir%\debug folder: netlogon.log-out.csv and netlogon.log-summaryout.txt.

. . .

HtH
Thomas
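Once Netlogon logging is on, the entries worth pulling out of netlogon.log for this symptom are the NO_CLIENT_SITE lines, which record clients whose IP address does not fall inside any subnet defined in AD Sites and Services; such clients are not directed to a DC in their own site and can end up on whatever DC answers, including the PDC emulator. The script below is an added example for this page (not code from the thread, from Nlparse or from the article quoted): it parses those lines and summarises them by /24 so a whole missing subnet shows up as one row. The sample lines are constructed to match the "NO_CLIENT_SITE: <host> <ip>" form the log uses; on a DC, call it with -Path pointing at %windir%\debug\netlogon.log instead.

```powershell
# Added example, not from the thread. Parses NO_CLIENT_SITE entries out of a
# netlogon.log and groups them by /24 so a subnet missing from Sites and
# Services stands out.
function Get-NoClientSiteReport {
    param(
        [string]$Path = "$env:windir\debug\netlogon.log",
        [string[]]$Lines = (Get-Content -Path $Path)     # pass -Lines to parse text directly
    )
    $pattern = 'NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>\d{1,3}(\.\d{1,3}){3})'
    $hits = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Host = $Matches.host; IP = $Matches.ip }
        }
    }
    # One row per /24: how many distinct clients, how many lookups, and one example host
    $hits | Group-Object { ($_.IP -split '\.')[0..2] -join '.' } |
        ForEach-Object {
            [pscustomobject]@{
                Subnet24 = "$($_.Name).0/24"
                Clients  = @($_.Group.Host | Sort-Object -Unique).Count
                Lookups  = $_.Count
                Example  = $_.Group[0].Host
            }
        } | Sort-Object Lookups -Descending
}

# Constructed sample lines (not real log data); one unrelated SamLogon line is
# included to show that only NO_CLIENT_SITE entries are picked up.
$sample = @(
    '12/01 09:12:03 [MISC] [4660] CONTOSO: NO_CLIENT_SITE: WKS-1042 10.44.7.21',
    '12/01 09:12:05 [MISC] [4660] CONTOSO: NO_CLIENT_SITE: WKS-1043 10.44.7.22',
    '12/01 09:13:40 [MISC] [4660] CONTOSO: NO_CLIENT_SITE: WKS-1042 10.44.7.21',
    '12/01 09:14:01 [MISC] [4660] CONTOSO: NO_CLIENT_SITE: LAP-0077 10.91.3.5',
    '12/01 09:14:02 [LOGON] [4660] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-0001 Returns 0x0'
)
Get-NoClientSiteReport -Lines $sample | Format-Table -AutoSize
```

For the sample this yields two rows, 10.44.7.0/24 (2 clients, 3 lookups) and 10.91.3.0/24 (1 client, 1 lookup). Because Kamlesh reports that the problem site changes from day to day, run the report against each DC's log rather than just the PDC emulator's: a client that is correctly site-mapped on one day and not on another usually points at a DHCP scope handing out addresses from a range nobody added to Sites and Services.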
Re: [ActiveDir] Script to delete unwanted profiles from desktop
If you use roaming profiles it would be easier, as you can simply delete all profiles on bootup/shutdown and it would still keep the 'owner' profile, though if the computer is a laptop you wouldn't want that, obviously.

On 12/3/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:

Check out delprof.exe. It's either in the reskit or part of support tools or part of the OS, depending upon which version of the OS you have. You would have to run it in a GPO-based computer startup script so that it runs when no users are logged on.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mohan Rajput
Sent: Sunday, December 03, 2006 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to delete unwanted profiles from desktop

Hi guys,

I need a script which deletes unwanted profiles from the desktops, and I need to run that script through Domain Policy for computers.

--
Thanks & Regards
Mohan Kumar
Mob:- (+91)981-195-7926
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
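Darren's point that the cleanup has to run as a computer startup script, when nobody is logged on, is the part people get wrong; the other is deleting only the profile folder and leaving the ProfileList registry entry behind. The script below is an added example for this page, not delprof.exe and not code from the thread. It uses the Win32_UserProfile WMI class, which exists on Vista/2008 and later (XP-era machines need delprof.exe as Darren says), and deletes through the provider so the registry entry and the folder go together. Run it from a GPO computer startup script; test with -WhatIf first.

```powershell
# Added example, not from the thread. Computer startup script: remove local
# profiles that have not been used for -MaxAgeDays days. Requires
# Win32_UserProfile (Vista/2008+). Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$MaxAgeDays = 30,
    [string[]]$KeepSid = @()     # SIDs to preserve regardless of age, e.g. a shared lab account
)

$cutoff   = (Get-Date).AddDays(-$MaxAgeDays)
$profiles = Get-CimInstance -ClassName Win32_UserProfile | Where-Object {
    -not $_.Special -and                     # skip LocalService/NetworkService/system profiles
    -not $_.Loaded  -and                     # skip anyone currently logged on (startup: normally none)
    ($_.SID -notin $KeepSid) -and
    $_.LastUseTime -and ($_.LastUseTime -lt $cutoff)
}

foreach ($p in $profiles) {
    $target = "$($p.LocalPath) (SID $($p.SID), last used $($p.LastUseTime))"
    if ($PSCmdlet.ShouldProcess($target, 'Delete profile')) {
        # Deleting the WMI instance removes both the ProfileList registry entry and
        # the folder; Remove-Item on the folder alone leaves an orphaned entry.
        Remove-CimInstance -InputObject $p
        Write-Output "Removed stale profile $target"
    }
}
```

Roaming-profile machines can use a much smaller MaxAgeDays since the data lives on the server, which is the point the first reply makes; for laptops, where the local copy may be the only one, keep the threshold long or add the owner's SID to -KeepSid.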
Re: [ActiveDir] OT: Possessed PCs
There are some wireless mice/keyboards that can potentially support hundreds of non-interfering devices - if they want to have wireless, make them use what has been 'approved' or nothing at all :)

On 12/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Happens with my father and watches as well. The man cannot wear a watch without it dying within weeks. But that's another story. If you can isolate the symptoms to time of day or even the remote chance it's a bad ballast (fluorescent lighting used to cause occasional problems with old CRTs), etc. At least you can start to whittle things down a bit. But in this case it sounds like RF overlap. Perhaps there is one mouse that is emitting too strong a signal. I was a bit thrown this morning though when I thought I read that this was happening with corded devices as well.

Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
Fax: (312) 762-9275
Re: [ActiveDir] Granting rights to 'Manage GPOs'
You might want to set the account to have non-interactive rights, since I'm assuming that it runs a service that actually handles all the changes - then grant it membership within the Domain Admins group - that would fix the issue once and for all, unless you've changed Domain Admins to not have the ability to edit GPOs, though it's automatically granted every time a new GPO is created, regardless of what permissions were before.

On 11/25/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:

Neil-

Assuming the setgpocreationpermissions script didn't fail in some way, I think the next step would be to check the perms on the various objects that should get this right. Namely, the service account you're granting access to should have the Create GroupPolicyContainer right over the cn=policies,cn=system container in AD and, similarly on the SYSVOL Policies folder, it should have Change rights over that container.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide (http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glance&n=283155), the definitive resource for Group Policy information.
Group Policy Management solutions at SDM Software: http://www.sdmsoftware.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 24, 2006 6:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Granting rights to 'Manage GPOs'

I am attempting to assign rights to a service account [sys-zzz], used by a Group Policy Management tool (3rd party) so that the service account has the necessary rights to 'manage' all GPOs in the domain. Aside from app specific rights, I have assigned the following rights using GPMC scripts [scripts shown below]:

1. Create/edit GPO links at the root of the domain and all child containers:
   cscript %programfiles%\gpmc\scripts\SetSOMPermissions.wsf xxx.yyy xxx\sys-zzz /Permission:linkgpos /Inherit /Domain:xxx.yyy

2. Create new GPOs in the domain:
   cscript %programfiles%\gpmc\scripts\SetGPOCreationPermissions.wsf xxx\sys-zzz /Domain:xxx.yyy

3. Edit, delete and mod security rights to all existing GPOs in the domain:
   cscript %programfiles%\gpmc\scripts\GrantPermissionOnAllGPOs.wsf xxx\sys-zzz /Permission:fulledit /Domain:xxx.yyy

To cut a long story short, step 2 does not appear to grant the required 'create' right [GP mgmt tool complains of an access denied issue]. However, if I manually (using GPMC) add the service account to the list of objects permitted to create GPOs in the domain [instead of using the script in step 2], then the GP Management app functions fine.

Has anyone encountered a similar issue? Are there newer versions of the GPMC scripts? [I have GPMC with SP1]

Just to add to the strangeness of this issue, if I execute the same scripts above but against a different domain (same service account) the 3rd party app functions fine in that other domain :/

Any comments?

Thanks,
neil
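Darren names the two places to look: a Create-Child right for the groupPolicyContainer class on CN=Policies,CN=System in the domain partition, and Change (Modify) on the SYSVOL Policies folder. The check below is an added example for this page, not one of the GPMC scripts and not code from the thread. It assumes the ActiveDirectory PowerShell module (RSAT, newer than the 2006 GPMC scripts), that the account is given in the DOMAIN\name form the ACLs report it in, and that the caller can read both ACLs in the target domain. CONTOSO is a constructed placeholder; sys-zzz is the account name from Neil's post. The groupPolicyContainer class GUID is read from the schema rather than hardcoded.

```powershell
# Added example, not from the thread. Checks the two permissions a GPO-creating
# service account needs, per domain, so the "works in one domain, not the
# other" symptom can be pinned on the ACE that is missing.
Import-Module ActiveDirectory

function Test-GpoManagementPermission {
    param(
        [Parameter(Mandatory)][string]$Account,   # 'DOMAIN\name', as the ACL reports it
        [Parameter(Mandatory)][string]$Domain     # DNS name of the domain to check
    )
    $dom      = Get-ADDomain -Identity $Domain
    $server   = $dom.PDCEmulator
    $schemaNC = (Get-ADRootDSE -Server $server).schemaNamingContext

    # schemaIDGUID of the groupPolicyContainer class, resolved from the schema
    $gpcClass = Get-ADObject -Identity "CN=Group-Policy-Container,$schemaNC" -Server $server -Properties schemaIDGUID
    $gpcGuid  = [guid]$gpcClass.schemaIDGUID

    # Check 1: Allow Create-Child for groupPolicyContainer (or for all child classes)
    # on CN=Policies,CN=System. Only ACEs naming the account directly are examined.
    $policiesDN  = "CN=Policies,CN=System,$($dom.DistinguishedName)"
    $policies    = [adsi]"LDAP://$server/$policiesDN"
    $createChild = $policies.ObjectSecurity.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0) -and
        ($_.ObjectType -eq $gpcGuid -or $_.ObjectType -eq [guid]::Empty)
    }

    # Check 2: Allow Modify (Darren's "Change") on the SYSVOL Policies folder
    $sysvol = "\\$($dom.DNSRoot)\SYSVOL\$($dom.DNSRoot)\Policies"
    $modify = (Get-Acl -Path $sysvol).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Modify) -eq [System.Security.AccessControl.FileSystemRights]::Modify)
    }

    [pscustomobject]@{
        Account                = $Account
        Domain                 = $dom.DNSRoot
        CreateGpcInAD          = [bool]$createChild
        ModifyOnSysvolPolicies = [bool]$modify
    }
}

# CONTOSO / contoso.com are constructed placeholders for the xxx.yyy domain in the post
Test-GpoManagementPermission -Account 'CONTOSO\sys-zzz' -Domain 'contoso.com'
```

Run it once against the domain where the tool works and once against the one where it fails; the row that differs is the ACE step 2 did not write. Because only direct ACEs are inspected, an account that gets the right through a group (Group Policy Creator Owners, for instance) will show False here even though it works, which is itself useful to know when documenting where the right actually comes from.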
Re: [ActiveDir] Security-enable all your distribution lists?
I don't usually think of these as security-enabled distribution lists, but as mail-enabled security groups that users can manage in the same manner as they do distribution lists. When you think of them that way, it's not quite so painfully stupid.

Don't get me wrong, turning all your DLs into security-enabled DLs and then sticking resources in them isn't exactly what I'd call brilliant, as Al alluded to - just because you're turning some of your DLs into security groups doesn't mean that you should do it with all of them. Hell, I'd argue that you shouldn't do it with any of them - that you should do it the other way around, mail-enable a small portion of your security groups and have the users pick which ones while reminding them that they are still *Security* groups and they need to manage their memberships with the same diligence they did before (yeah, yeah, I know - they didn't really take that good of care of them before). If you make sure that the DLs that stay DLs have something in the name that designates them as a DL, it will make it easier.

That being said, data on a share is no less sensitive than data in an e-mail. Companies lose secrets in e-mails, get sued because of what has been said in an e-mail. The fact that the majority of us sit here going "NO!! NOT MY SECURITY GROUPS!!! DON'T LET THEM HAVE SECURITY GROUPS" tells me that, regardless of the fact that 99% of all leaks occur through e-mail, we still don't 'get it' that e-mail is where most of this information sneaks between the cracks and it's not the 'grunts' that have the patent-holding information, it's the higher-up muckity mucks that are leaking data (SEC sensitive information most of the time).

But to summarize - I'd recommend that you don't change the role of your DLs, but change the role of your security groups to fulfill this new need. Then you're not granting access to data based upon pre-existing groups that don't have access to data, you're simply allowing groups that already have access to data to fulfill an additional task. Mail exclusive DLs serve a number of purposes, one of them being to keep the higher-up muckity mucks out of the data that there is a *very* good chance that they don't understand anyway, but still allow them to be 'in the loop' on information that they do understand (well, kinda anyway).

On 10/27/06, Al Mulnick [EMAIL PROTECTED] wrote:

Assume. Hmm.. That's been over done so I'll pass this time :)

Harvey, I just replied to a similar thread on this with my thoughts. I won't bore you with repetition. But I'm curious what makes you want to assume anything when it comes to security issues like this? I think it's way too unpredictable to assume that users will understand that concept. That's me though. I'm not your user.

On 10/27/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:

Thanks for the doc, Jorge; I'd missed that in my searches. And my initial reaction was not only "no", but "hell no!" to the request. But when I examine it logically it's harder to reject out of hand. A little while ago, we did change the default for new DL group requests to be security enabled. And it seems to me that one would implicitly assume that if one were setting access to a resource like sharepoint, they would use the same thought process as when they're sending mail: "Do I want everyone in this group to get this mail | have this access?"

- Harvey

On 10/21/06, Al Mulnick [EMAIL PROTECTED] wrote:

My first reaction is, NOOO don't do that. That's silly. I absolutely abhor the concept of convenience to this level when it comes to access to secured resources. Saying that, DG's are often created by default as a security group. I'd actually be surprised, and I would applaud the person that made that choice in your organization.

From my perspective, the worst thing ever done by Microsoft was to allow DG's to be security groups. Made it easier to transition PF's sure, but the layer8 contingent doesn't understand the subtle differences between a distribution list and a security-enabled-distribution-group. This loosely translates into people that want to include somebody on their regular mail lists, but don't want them to necessarily have access to the same data shares. They do NOT understand the difference in most cases. I don't know sharepoint well enough to say, but I would be completely floored if they did not have a way to revert behavior. I also would be totally surprised if your information security people were OK with this concept for the reasons I mentioned above. TokenBloat is not the only concern you have here, Harvey.

On 10/20/06, Harvey Kamangwitz [EMAIL PROTECTED] wrote:

Hi all,

I'm interested in your opinion here, and perhaps a heads-up on requirements that may be coming your way. We have a request from the sharepoint team to security-enable all of our 18,000 distribution lists. Our concern, naturally, is token size. What will this do to Joe User's access token? The issue is tied in to Sharepoint.
Re: [ActiveDir] Security-enable all your distribution lists?
I can understand your arguments, but the larger the organization, the more likelihood that the groups are controlled by users (in one way or another) anyway. When you've got 100k groups, you have someone listed as a group owner or someone authorized to approve new members of the group and the only people who even know what the group is for are either members of that group or in the direct management chain - definitely not the IT people who 'manage' the groups. Even with smaller organizations, are the IT people the ones who should be saying who needs to have access to the CFO's information or should it be the CFO? Just to be honest, there are a lot of areas within a company that the IT people aren't qualified enough to even hazard a guess as to who should and shouldn't have access to.

I think that the biggest difference between security-enabling distribution lists and enabling mail on security lists is the way that users think of them. The same people are managing them and if they're going to screw up their security in a DL, they're probably going to screw it up by rubber-stamp approvals too. The Security groups that you enable mail on aren't going to be big mail usage lists and the distribution lists aren't going to be used 90% of the time for security.

Personally, I'd rather keep mail/security hybrids to the RBS groups and avoid it for the ABS (access/task-based security) groups. If someone wants to enable his/her ABS group for mail though, I'm not one to say what they can/can't do with their group/data. This way, your RBS groups have a built-in e-mail group to communicate with, but the mail/security overlap isn't so extreme that your company's security is a nightmarish web of DL/security groups.

One important thing though, your privileged groups that grant special access to servers should always be managed by the IT persons, never let them turn into a mail-enabled security group.

On 11/7/06, Al Mulnick [EMAIL PROTECTED] wrote:

You do make a strong argument, but I'm not sold. The part I can't get past is that the users have the control over adding a sec-prin to be able to pull the data. Vs. pushing the protected data via email. The subtlety is important in my opinion. The only issue I have with the convenience of adding users to sec-enabled-dg's is the lack of controls to prevent the mis-use (either intentional or unintentional). Outside of that, I'm all for the concept. :)
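Whichever way an organisation decides the DL-versus-security-group question in the two threads above, the one hard rule both Matt and Al agree on is that privileged groups must never become user-managed, mail-enabled groups. The script below is an added example for this page, not code from the list or any poster: it lists every group that is both security-enabled and mail-enabled and flags those that are privileged. It assumes the ActiveDirectory PowerShell module (RSAT). "Privileged" here means adminCount=1, which is what AdminSDHolder stamps on protected groups and their members; groups privileged only by a share or server ACL are not caught by this test and need a separate inventory.

```powershell
# Added example, not from the thread. Finds security groups that are also
# mail-enabled and flags the ones under AdminSDHolder protection.
Import-Module ActiveDirectory

function Get-MailEnabledSecurityGroup {
    # groupType bit 0x80000000 (2147483648) = security-enabled; the LDAP
    # matching rule 1.2.840.113556.1.4.803 is a bitwise AND. A populated
    # 'mail' attribute is what makes the group mail-enabled.
    $filter = '(&(groupType:1.2.840.113556.1.4.803:=2147483648)(mail=*))'
    Get-ADGroup -LDAPFilter $filter -Properties mail, adminCount, member, managedBy, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.SamAccountName
                Scope       = $_.GroupScope
                Mail        = $_.mail
                Members     = @($_.member).Count
                Privileged  = ($_.adminCount -eq 1)     # AdminSDHolder-protected
                ManagedBy   = $_.managedBy              # who can edit membership from Outlook/ADUC
                LastChanged = $_.whenChanged
            }
        }
}

$report = @(Get-MailEnabledSecurityGroup)
$flagged = @($report | Where-Object Privileged)
"$($report.Count) security groups are mail-enabled; $($flagged.Count) of them are privileged."
$flagged | Format-Table Name, Mail, Members, ManagedBy, LastChanged -AutoSize
```

The ManagedBy column is the interesting one for Al's concern: if it names a user rather than an IT-owned group, that person can add members through the normal distribution-list tooling, and for a flagged row that is a membership change to a privileged group happening outside the admin process. Running this on a schedule and diffing the output gives the "controls to prevent the mis-use" that he says are missing.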
Re: [ActiveDir] OT: Exchange Question
Can't remember offhand if you can do this on a per-site basis or not, but you might be able to stick them in a site and have that site set to a max of 1MB e-mail, then the only way that they'll receive any e-mail is if they delete everything.

On 11/7/06, Navroz Shariff [EMAIL PROTECTED] wrote:

Apologies if this has already been answered; cleaning out my mailbox ;-)

Larry, you can use the ADUC and Exchange tools where you will find the 'Exchange General' tab. From there, you can fine tune the account for delivery restrictions.

-Shariff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Larry Wahlers
Sent: Wednesday, November 01, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Question

And, you can even turn the mailbox into a honeypot of sorts, by logging into it via Outlook and creating a rule that deletes all email sent to it!

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Comeau
Sent: Wednesday, November 01, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Question

You can also make their incoming email addresses something obnoxious.

Steve Comeau
IT Manager
Rutgers Athletics
83 Rockefeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daash, Amr
Sent: Wednesday, November 01, 2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Question

Well, there are a lot of things that could be done:

1- You can modify the user delivery restriction tab.
2- You can create a security group, add the user names to this group, then open the ESM, navigate to your default SMTP virtual server, Access tab, then Authentication, and add the group you created.

The job now is done.

Amr EL Daash
System Administrator, ITS Egypt
KPMG Egypt, Hazem Hassan
Pyramid Heights Office Park
Km22 Cairo-Alex Desert Road, Giza, Egypt
Tel +20 (2)536 22 00 / 11
Fax +20 (2)536 23 01 / 05
Mobile +20 (10) 1925369
Email: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Wednesday, November 01, 2006 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange Question

I have a client who would like certain users to no longer receive e-mail, while still being able to access their mailboxes. Is there a way to do this other than exporting their mailbox to PST and mailbox-disabling the users?

Thank you in advance,

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
Re: [ActiveDir] problem in changing the default password setting
Password policies only work from the domain level and are ignored at all other OU levels. If you want this to be in effect, add that setting into the domain-level GPO; if you don't want it set for everyone in the organization, accept that you're going to have to do it manually (or with a script) on the user objects within the appropriate OU.

On 11/6/06, Sri [EMAIL PROTECTED] wrote:
Hi List,
I am using AD on a Win2k3 server. I have a requirement to disable the option "User must change password at next login" while adding a user to AD from the AD Users & Computers console, and to enable the "Password never expires" checkbox. While adding a user to a container, "User must change password at next login" is checked by default. To disable this option, the command-line option -pwdneverexpires yes is working from the AD machine's cmd prompt. To do the same from the AD U&C console, I created a group policy and set the max and min password ages in Account Settings -- Password Policies. But still the option "User must change password at next login" is checked, and "Password never expires" is not checked. Please help me with this.
Thanks in advance.
Sri
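The per-user work the reply describes (flipping the two checkboxes on each account in an OU, since the GPO cannot do it below the domain level) comes down to two attributes on the user object: pwdLastSet is 0 while "User must change password at next logon" is ticked, and "Password never expires" is the DONT_EXPIRE_PASSWD bit (0x10000) in userAccountControl. The block below is an added example, not part of the thread or of any Microsoft tool: it computes the LDAP modifications for a constructed set of user records and, for a defender's review, lists which accounts already carry the non-expiring flag. The flag values and attribute semantics are the documented Active Directory ones; the user records, OU names and function names are constructed for the example, and nothing here contacts a directory.

```python
"""Plan per-user password-flag changes that a domain password policy does not make.

Added example, not from the mailing-list thread. It models the attributes behind
the two checkboxes in the question:
  * "User must change password at next logon"  <-> pwdLastSet == 0
  * "Password never expires"                    <-> userAccountControl & 0x10000
The user records, OU names and function names are constructed for this example;
nothing here talks to a directory.
"""

# userAccountControl bit flags (documented values from the Windows SDK / MS-ADTS)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWD = 0x10000
PASSWORD_EXPIRED = 0x800000  # set by the system, not by the checkbox

# pwdLastSet sentinel values
MUST_CHANGE_AT_NEXT_LOGON = 0  # what ADUC writes when the box is ticked
SET_TO_NOW = -1                # writing -1 stamps the current time (clears the box)

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return {name for bit, name in FLAG_NAMES.items() if value & bit}


def plan_changes(user):
    """LDAP modifications for one user record, or {} if nothing needs changing.

    Only the two attributes the question is about are touched; other bits in
    userAccountControl (e.g. ACCOUNTDISABLE) are preserved as-is.
    """
    mods = {}
    uac = user["userAccountControl"]
    if not uac & DONT_EXPIRE_PASSWD:
        mods["userAccountControl"] = uac | DONT_EXPIRE_PASSWD
    if user["pwdLastSet"] == MUST_CHANGE_AT_NEXT_LOGON:
        mods["pwdLastSet"] = SET_TO_NOW
    return mods


def in_ou(dn, ou_dn):
    """True if dn sits directly or indirectly under ou_dn (case-insensitive)."""
    return dn.lower().endswith("," + ou_dn.lower())


def plan_ou(users, ou_dn):
    """Map each user DN under ou_dn to its planned modifications."""
    return {u["dn"]: plan_changes(u) for u in users if in_ou(u["dn"], ou_dn)}


def non_expiring_accounts(users):
    """Defender's check: DNs whose passwords already never expire."""
    return sorted(u["dn"] for u in users if u["userAccountControl"] & DONT_EXPIRE_PASSWD)


# Constructed sample: three users, two of them in the target OU.
SAMPLE_USERS = [
    {"dn": "CN=alice,OU=Service Accounts,DC=example,DC=com",
     "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": MUST_CHANGE_AT_NEXT_LOGON},
    {"dn": "CN=bob,OU=Service Accounts,DC=example,DC=com",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, "pwdLastSet": 128000000000000000},
    {"dn": "CN=carol,OU=Staff,DC=example,DC=com",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE, "pwdLastSet": MUST_CHANGE_AT_NEXT_LOGON},
]

if __name__ == "__main__":
    for dn, mods in plan_ou(SAMPLE_USERS, "OU=Service Accounts,DC=example,DC=com").items():
        print(dn, "->", mods or "no change")
    print("never-expiring:", non_expiring_accounts(SAMPLE_USERS))
```

The plan is computed separately from the write so that it can be reviewed before anything is applied; the non_expiring_accounts listing is the same bit an auditor would ask about, since every account it returns is exempt from the domain's maximum password age.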
Re: [ActiveDir] Blocking IE7
You could be correct; it's been about 7 or 8 years since I worked with government institutions. I know that for K12 they were able to filter, but he's at a university, and I didn't notice until later that it's (probably) a private institution that probably doesn't get money from the federal government. I know that when I worked for a library, though, they were not able to filter at all (I asked what software they used and they said that they couldn't filter because they received government funds). I assume that it's the same at a university, where everyone is expected to be an adult. Again though, he appears to be at a private institution, where those rules wouldn't apply.

On 10/19/06, Brian Desmond [EMAIL PROTECTED] wrote:
You might want to check on that again. To even qualify for E-Rate funds as a K12 you need to be doing web content filtering.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Thursday, October 19, 2006 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Blocking IE7

I believe that disabling the Automatic Updates service via GPO will block them from installing it; not 100% sure though. Since you're in an educational environment, things can be a little dicey there. You can't restrict the internet (government funds thing), and I don't know offhand whether the IE7 installs through Windows Update are running as Local System or as the user that is logged in. If it's running as the user account, you can simply deny them the right to install software, but if it's running as the local System, things are a little more ugly.

On 10/19/06, Lucas, Bryan [EMAIL PROTECTED] wrote:
I see how to block IE7 from deploying through WSUS, but what I don't see is a way to block a user from manually installing it. (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en) Our users are 90% XP SP2 and managed through GP. What about building a restricted software GPO that has a hash of iesetup7.exe (if that even exists)? I want to restrict them from getting it through microsoftupdate.com as well.

Bryan Lucas
Server Administrator
Texas Christian University
Re: [ActiveDir] I'm sharing the Best Kept Secret I know.
See, after being married, I have found a few things are consistent:
1) You are always wrong.
2) If you think you might say something the wrong way, then it's DEFINITELY going to go badly - VERY badly.
3) Always assume that she didn't mean it in the horrible way she phrased it.
4) She will always assume that you meant it in a much worse way than how you phrased it.
5) You will hear about your mistakes for years, so try not to make any of them.
6) You're mean, she's just upset.
7) Those aren't rhetorical questions, she really does want an answer.
8) Logic is your way of saying that she's stupid.
9) Pointing out inconsistencies between actions and statements is just changing the subject.
10) No matter how much empirical evidence backs you up, see rule #1.

On 10/17/06, Daniel Gilbert [EMAIL PROTECTED] wrote:
Something tells me you should be ducking and running

Original Message
Subject: [ActiveDir] I'm sharing the Best Kept Secret I know.
From: Fleming, Dave (DotComm) [EMAIL PROTECTED]
Date: Tue, October 17, 2006 6:29 am
To:

Top Ten Things Men Understand About Women
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Dave Fleming
Network Administrator
Douglas-Omaha Technology Commission
408 So. 18th St.
Omaha NE 68102
[EMAIL PROTECTED]
(402) 444-6290
Re: [ActiveDir] The remote computer has ended the connection.
I read this and all I can think is that something happened to your Terminal Server mode on this server. Sometimes settings get changed when you install a security patch; you might want to verify your TS settings and make sure that it's in application mode (non-app mode means that only admins can connect). Also, go into Terminal Services Configuration and make sure that RDP isn't restricted to the local Administrators group. Is there anything else special about this server? Is it a DC? Does it have Exchange or something else installed on it?

On 10/17/06, Technical Support [EMAIL PROTECTED] wrote:
Hi,
I am trying to access one of my servers using Remote Connection. I am using mstsc but it's not connecting me to the server. Error: "The remote computer has ended the connection." However, if I am using mstsc /v:IP Address /console it lets me connect to it. The problem is that in this mode I can use only an admin ID when connected like this. I want my engineers (who don't have administrator privileges) to access this. It's not possible in this mode. This all happened when I rebooted my server. Please suggest what can be done to normalize things.
Thanks!!!
Ravi
Re: [ActiveDir] Separating Database and logs on separate disks
Yeah, just to be honest, as long as you have 3+ DCs, there isn't much reason not to do it though. Even if you lose one, you just rebuild it and repromote it - never restore, btw - that can make all kinds of messy issues about replication show up that nobody wants to deal with.

On 10/16/06, Brian Desmond [EMAIL PROTECTED] wrote:
No, not that I can think of. If one RAID group fails and corrupts the data you're still screwed, so it's not going to save you there.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of AD
Sent: Monday, October 16, 2006 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Separating Database and logs on separate disks

Is there any other reason other than performance to have the Active Directory log files and database on separate disks? Opinions are welcome.
Thanks
Yves
[ActiveDir] Account becomes disabled by DCs when it logs in.
This is a non-interactive account, but when the service that uses the account goes to log in to the PDC emulators, the account gets deleted. This is only happening to 1 account; we have deleted and recreated the account, and have created a new account with the same name (and rights) after renaming the old account, and no matter what we do, the account (call it disableduser for simplicity's sake) gets disabled every time it tries to do what it does. Oh yeah, the account was running for well over a year without a problem.

The PDC emulators are Win2k running in a 2003 mixed mode environment (our backup and auditing tools don't support our 64-bit 2003 DCs yet; waiting on those to be updated before moving the roles over to a 2003 DC) and the GPOs on the Domain Controllers OU haven't changed in quite some time (or at the domain level). The account hasn't expired, and every time the account logs in (non-interactively), the DC service account (servername$) disables the account with a 642 event and *not* a 629 event.

I've banged my head against this for a day or so and figured I'd fire off something here before calling MS. This is a service-type account and changing the name would take a lot of time adjusting the environment to reflect the new name. Is there some MS patch that might be biting us in the rear that may have been applied in the last 2-3 weeks? I'm just kinda baffled on this; never seen a DC disable an account for apparently no reason.
Re: [ActiveDir] RealVNC removal
I'd go with just disabling the service and setting it so that only Domain Admins and System can even manage and/or see the service. This is a 10-minute solution, whereas the others could take quite a bit of time to research how to do correctly.
Re: [ActiveDir] ip problem
There's any number of 'easy' problems that you could be running into.
1) Your router isn't set as the default gateway.
2) Your router's routing table is messed up.
3) You've got your network all messed up (example: you're trying to route to/from a 83.161.118.x/24 subnet to your 83.161.118.XXX/28 address).

If your problem is #1, then you need to set your router as the default gateway and it *should* fix your problem.
If your problem is #2, then you need to fix the routing table to have your local subnet routed to the internal port and everything else routed to the external port (and whatever the IP address of what it's connected to).
If your problem is #3, then you need to fix your 2 subnets. It sounds like you've got a Class A overall (or are part of a Class A); you need to make sure that whatever you're connected to on the other side has its routing tables and subnet correct or it won't be able to connect to you. If you're talking from a 83.161.118.XXX/28 network to a 83.161.118.XXX/24 network, then what you're running into is that the /24 side won't route to you because they think your addresses are on the LAN (no need to route anything on a LAN). I'm not a router guru though; there might be ways to set this up on your router so that it will route, though I'm not thinking that's the case, as I don't think that a client tries to go to the default gateway unless something isn't on the local subnet.

As others alluded, it could also be a proxy/firewall issue. If your firewall and/or proxy are set to block ping/tracert, then you won't see it. If you don't have the ACLs set right, you won't get in or out (possibly). If you're going from a trusted network to a trusted network, then you need to make sure you've got everything set up appropriately. If you're not, it may be that you need to set up a DMZ (where your proxy/firewall usually go, and maybe a web/e-mail server) and then set up certain protocols to pass to other addresses.

If all of these addresses are config'd on your side (you own the 83.x.x.x A class), then I'd bet that it's either #2 or #3. If you got your /28 subnet from an ISP, then I'd bet the problem is at your firewall/router (#1 or bad/missing ACLs on your proxy/firewall).

On 10/8/06, Quatro Info [EMAIL PROTECTED] wrote:
There is a router: Funkwerk bintec R1200. All properly configured through an external company. What do you mean with layer 3 domains?
Gr. J

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Monday, 9 October 2006 5:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ip problem

Well, you need a router to cross subnets ... routers connect layer 3 domains. I'm not sure if you're expecting this to be classfully routed or something ... the Internet hasn't worked that way for a very long time.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Quatro Info
Sent: Sunday, October 08, 2006 11:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ip problem

Hi all,
I have a weird issue, which seems to be a mask problem. I have a routed subnet in the 83.161.118.XXX range, with a subnet mask of 255.255.255.240 (16 IP addresses). The problem is that I can't connect to this 83 range from the outside from a same 83 address like 83.98.244.148. Furthermore, I can't connect from this same 83 address to an external 83 address. So both ways are locked. Tried changing all subnets in every which way but no result. You folks got a clue? All input is appreciated.
Thx
Jorre
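The #3 case above (a /28 carved out of a block that a neighbour still treats as a flat /24) is easy to reproduce on paper: each host's IP stack decides from its own mask whether the peer is on-link (ARP for it) or off-link (hand it to the gateway), and the two decisions do not have to agree. The block below is an added example, not part of the thread: it evaluates both directions for a pair of hosts and classifies the result using the standard library only. The host and gateway addresses are constructed placeholders inside the 83.161.118.0/24 block mentioned in the thread (the page gives the host part only as XXX); 83.98.244.148 is the external address the poster quotes.

```python
"""Why a /28 and a /24 in the same block stop talking to each other.

Added example, not from the thread. The host and gateway addresses are
constructed placeholders inside the 83.161.118.0/24 block the poster mentions
(the real host part is "XXX" on the page); 83.98.244.148 is the external
address he quotes. Only the Python standard library is used.
"""
import ipaddress


def on_link(local_iface, remote_ip):
    """Does a host configured as local_iface (e.g. '83.161.118.20/28')
    consider remote_ip to be on its own LAN?"""
    iface = ipaddress.ip_interface(local_iface)
    return ipaddress.ip_address(remote_ip) in iface.network


def next_hop(local_iface, remote_ip, gateway):
    """Forwarding decision the host's IP stack makes: 'direct' means it will
    ARP for remote_ip on the LAN; otherwise it hands the packet to gateway."""
    return "direct" if on_link(local_iface, remote_ip) else gateway


def check_pair(iface_a, gw_a, iface_b, gw_b):
    """Evaluate both directions between two hosts and classify the result."""
    ip_a = str(ipaddress.ip_interface(iface_a).ip)
    ip_b = str(ipaddress.ip_interface(iface_b).ip)
    a_to_b = next_hop(iface_a, ip_b, gw_a)
    b_to_a = next_hop(iface_b, ip_a, gw_b)
    if a_to_b == "direct" and b_to_a == "direct":
        verdict = "same LAN: no router involved"
    elif a_to_b == "direct" or b_to_a == "direct":
        # One side ARPs for an address that is really behind a router and
        # never gets a reply: the mask mismatch, #3 in the thread.
        verdict = "mask mismatch: one side treats the other as on-link"
    else:
        # Both sides hand off to a gateway; if traffic still fails, look at
        # routing tables and firewall/proxy ACLs (#1/#2 in the thread).
        verdict = "both sides route via their gateway: check routing tables and ACLs"
    return a_to_b, b_to_a, verdict


def overlapping_masks(net_a, net_b):
    """True if one network is carved out of the other, which is the only
    configuration in which a mask mismatch between the two can occur."""
    a = ipaddress.ip_network(net_a, strict=False)
    b = ipaddress.ip_network(net_b, strict=False)
    return a.subnet_of(b) or b.subnet_of(a)


if __name__ == "__main__":
    # Constructed: our /28 host versus a neighbour that still believes the block is a flat /24.
    print(check_pair("83.161.118.20/28", "83.161.118.17", "83.161.118.200/24", "83.161.118.1"))
    # The external 83.98.244.148 host from the thread: no mask issue, so look elsewhere.
    print(check_pair("83.161.118.20/28", "83.161.118.17", "83.98.244.148/24", "83.98.244.1"))
    print(overlapping_masks("83.161.118.16/28", "83.161.118.0/24"))
```

The second call is the point the follow-up makes: for the 83.98.244.148 case both stacks correctly hand the packet to a gateway, so a mask cannot be the cause and the routing tables and firewall ACLs on the path are where to look.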
Re: [ActiveDir] ip problem
Oh yeah, if you're getting your IP addresses from an ISP, it could very well be #2. That's where I'd start either way: make sure that the routing tables are set up correctly on your router. Your ISP (or someone who knows what they're doing on the other side) should be able to verify that they can ping the backside address on your router (usually a 10.x.x.x address) from their router (and vice-versa). If they can, and a tracert to one of the addresses on the other side of the 83.161.118.XXX Class C stops at your router, then odds on are that your routing table is messed up or that theirs is.

On 10/8/06, Matt Hargraves [EMAIL PROTECTED] wrote:
[...]
Re: [ActiveDir] OT: wikis
I wonder if you realize that what you posted was incorrect:
1 (-1+1) (-1+1) ...
turns into:
1*0*0*0
So in the end 0 = 0 :)

On 10/6/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Very good, although dividing by zero (last step) is not permitted and (as per the below) causes an issue if permitted.
How about this:
(1-1) + (1-1) + (1-1) + ... = 0
Re-write left hand side by moving brackets one place to the right:
1 (-1+1) (-1+1) ...
Or simplified:
1 + 0 + 0 + ... = 1
So 1 = 0 !
neil
PS Glad to see I managed to get the list talking about stuff other than IT/Windows/AD/Exch/Jet/ESE...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: 05 October 2006 23:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

From: http://www.jimloy.com/algebra/two.htm
a = x                 [true for some a's and x's]
a+a = a+x             [add a to both sides]
2a = a+x              [a+a = 2a]
2a-2x = a+x-2x        [subtract 2x from both sides]
2(a-x) = a+x-2x       [2a-2x = 2(a-x)]
2(a-x) = a-x          [x-2x = -x]
2 = 1                 [divide both sides by a-x]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, October 05, 2006 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

Careful, I recall a math professor in my differential equations class, or maybe it was higher, throwing a proof up on the board showing that 1 + 1 != 2, and it wasn't a numerical base trick. I didn't follow through it, I just closed my eyes and shook my head and thought forward to my communications class as the sights were easier on the eyes... I still wonder why I went into a field with such a high ratio of men to women... :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Thursday, October 05, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

999,998 + 2 = 1,000,000, not 100,000. ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Nims
Sent: Thursday, October 05, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: wikis

It's funny how we quote wikis as definitive sources of information, when they can be edited by anyone and everyone :) Who vets the edits and how much does that person know about the subject matter??

Anyone can edit, which is why they are generally correct. When 100,000 people view a record, and 2 people want to change it to be incorrect, 999,998 will want to correct it. I wouldn't use a wiki as a great historical or technical source. But for encyclopedia entries, which give a good summation of a subject, they are great.
Re: [ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now
Security a goal? It's more of a journey where the destination is "we didn't get hacked this week (month/year)".

BTW, I wasn't saying that it's the worst idea ever to put e-mail on a DC (if it's a GC it will save you the journey for authentication), but in an organization where you have 2+ sites (and probably more than 500 users), I would tend to recommend putting Exchange on a separate server. I know that SBS isn't the *worst* tool ever (well... if you used it back in 1997 - which I did - it was); in fact, I've set up my sister/brother-in-law's network with an SBS box. Of course, they don't have 500+ users, they have 4. It's a matter of scale I guess.

On 10/6/06, Al Mulnick [EMAIL PROTECTED] wrote:
Hmm... I'm becoming more and more convinced that security on any platform is more of a goal than a destination anyway :)

Putting other apps on a server that is designed to be a security server is not best practice on any platform, SBS or not. SBS exists because it makes more economic sense than mom's 75 person company buying one server per person to run Microsoft software. It's still a Frankenstein in my opinion. I have a slanted view of course, but I also know some of what goes on to make those apps magically work on the same machine. Security is not my concern in that arena. Availability also comes to mind as something that's at risk if you mix applications with your authentication services. Sadly, I saw this just the other day when a DC that's also a file/print server *sigh* crashed due to lack of disk space. Somebody got those pictures down before I got to it, darn it. I bet they were some good ones ;)

Steve, I suggested the other tools because you need an accurate and up to date picture of what's going on. Sites and Services is not going to give you what you need in this case. Use ADUC and use the other tools I mentioned. Oh, and don't worry about those on *this* list when it comes to sending your company's private information: we're mostly honest. Those that troll the groups with googMSNSearch on the other hand might be less trustworthy. If you feel you'd like a second set of eyes, I'm happy to help. You can send to me directly and I'll respond directly as well. If you don't trust me, please give Microsoft support a call, else find somebody who's more familiar with AD and your situation that can give you that second set of eyes. You're not screwed yet based on the information you've presented. That could change though.
Al

On 10/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
Granted, external FTP isn't one that SBSers recommend either, and we're freaking out going "WHAT ARE YOU THINKING?" as well. As we say down here, we don't get hacked... we get stupid.

Tim Vander Kooi wrote:
It's not speed or resources that scare most of us when it comes to sharing DC space with other apps, it's security. With SBS Microsoft has (at least in theory) covered most of those security bases for the admin. The last time I allowed another admin to install FTP on a server he inadvertently put no security on it whatsoever and the company I was with at the time ended up serving up 200 GB of German p0rn. He had lots of fun explaining why our new server had crashed due to lack of disk space.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Egan (Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor SuperMicros, so they aren't even sweatin' hard. I'm watching them, they're golden. (Thanks, Susan - we think alike.) (Ahem... don't look now, but we already have 8 IBM e-Business servers (quad Xeon) and are getting more. Don' neeed no steeenkin' SBS's! ;P ) (Let me just unequivocally state right here that SAP is a 10,000lb gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Yeah, next there'll be SBS servers being installed there. (For some of us, having our DCs do other things doesn't freak us out as much as it does you big serverland guys.)

Matt Hargraves wrote:
I know you probably haven't been there very long, but what in the heck are they thinking, making DCs mail servers and FTP servers. Might as well load them up with web services next. BTW, you probably shouldn't be posting your infrastructure in a message list.

On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
Al, will do. I tucked FTPSERVER under a desk and forgot about it. Experience has taught
Re: [ActiveDir] Assign User rights overs computers with AD
Just to cover some things:GPOs can make adjustments to computer *or* user object policies. The only way to override these settings is to use the 'loopback processing' option (this can be ugly and I prefer to avoid it). If you have computer settings set on a GPO on an OU, it will only apply to computer objects within that OU, user settings only apply to users within that OU (again, excepting loopback processing within that GPO). This is one of the big reasons why people usually only put computer *or* user objects within a particular OU. It allows you to disable the portion of the GPO that isn't going to get applied to the objects within the OU (disable user settings on GPOs for computer OUs - unless you're using loopback processing and disable computer settings for GPOs on user OUs). There's really no reason to have a computer downloading user settings when it's not necessary and vice-versa. This way, you end up with managing your computer settings separately from your user settings. Common computer settings: Disabling security-related settings, adjusting auditing (event logs, etc) ACLing directories. Common user settings: Setting environmental variables (default home page, home directory, application settings like Office settings, etc...). Usually the only time you want to put user settings on a computer OU (and enable loopback processing) is for kiosk type computers and then you probably want to make sure that you do something to make sure that it doesn't apply for Administrators. It's usually easier to put these settings on an OU for accounts that will be used for that type of workstation though, so you don't have to worry about loopback. As many other people stated though, trying to restrict administrators on workstations will as often as not end up with a series of headaches because of applications that require the user to be a local administrator on the computer. 
Whether this is because of poor programming on the part of the application developers or something else, it doesn't matter. Unless you know that your users won't need to be local admins, you may want to handle this in a very controlled and well tested manner, possibly testing all of your applications with a non-admin account before pushing this setting out to the users. On 9/29/06, Dave Wade [EMAIL PROTECTED] wrote: I know its over a week since I sent this, but on thinking its probably worth expanding on this. The OU structure is in place to provide two functions:- 1) Delegation of management and administration. 2) Application of Group Policy Now because the OU structure is the ONLY way unless you use some added value tool to provide delegated admin, that needs to be the Primary driver when designing the OU Structure. Soif youwant different people managing Computer and Users, and like me.you like to keep the user and computer policies separate, it makes sense to have Computers and Users in separate OU trees. Because you can't apply a GPO to the Users and Computers containers it also makes sense not to use these OU.s. On the other hand if you have a very devolved management structure, and you are happy with devolved management of the users and computers, then it might make sense to have an OU tree where the top levels represent management units and you store both computers and users in these trees. Personally I don't like this approach, but for some organization structures itmay bebetter... Dave. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave WadeSent: 23 September 2006 20:50To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Assign User rights overs computers with AD I usually move them out as you can't apply GPO at the computers level... From: [EMAIL PROTECTED] on behalf of Alberto OviedoSent: Fri 22/09/2006 22:40To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Assign User rights overs computers with AD Hey Dave. 
Do you mean separate trees under root Computers? Or create different OUs for computers?

On 9/22/06, Al Mulnick [EMAIL PROTECTED] wrote:
Separate trees? That seems a little excessive. Or are we just mixing terms?

On 9/21/06, Dave Wade [EMAIL PROTECTED] wrote:
I prefer to keep them in separate trees. In fact we are just doing that at present...

From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Thu 21/09/2006 17:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

Thanks for your help, really useful. Is it a good practice to move computer objects to the OU where the user of the computer resides?

On 9/20/06, Dave Wade [EMAIL PROTECTED] wrote:
Alberto, even though we made our users Power Users we found that we needed to make a number of tweaks to cater for poorly written applications. I think we now have about a dozen settings for various ill-behaved applications. The majority of these are to
Re: [ActiveDir] User account deletion
From Microsoft's website:

Event ID: 630
Type: Success Audit
Description: User Account Deleted:
  Target Account Name: %1
  Target Domain: %2
  Target Account ID: %3
  Caller User Name: %4
  Caller Domain: %5
  Caller Logon ID: %6
  Privileges: %7

Check the security logs on your DCs for 630 events.

On 10/6/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
by, you really cannot find it anymore when querying AD ;-)
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Pohlschneider
Sent: Friday, October 06, 2006 14:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User account deletion

Is there a way to tell if a user account has been deleted?
Thanks, Chris

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
Re: [ActiveDir] User account deletion
Just an FYI, this event will only be on the DC that the user was connected to when they deleted the account, it won't show up on all DCs, so this could be a relatively daunting task, depending on your environment (or impossible, if your event logs roll over frequently and you don't save them off to another server or have software that saves them).

On 10/6/06, Matt Hargraves [EMAIL PROTECTED] wrote:
From Microsoft's website:

Event ID: 630
Type: Success Audit
Description: User Account Deleted:
  Target Account Name: %1
  Target Domain: %2
  Target Account ID: %3
  Caller User Name: %4
  Caller Domain: %5
  Caller Logon ID: %6
  Privileges: %7

Check the security logs on your DCs for 630 events.

On 10/6/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
by, you really cannot find it anymore when querying AD ;-)
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Pohlschneider
Sent: Friday, October 06, 2006 14:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User account deletion

Is there a way to tell if a user account has been deleted?
Thanks, Chris
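As an added example (not from the original thread) of the point made above, the following PowerShell walks every DC in the domain and pulls account-deletion audits from each Security log, since the event only lands on the DC that processed the deletion. It assumes the ActiveDirectory RSAT module, read access to each DC's Security log, and that account-management auditing was enabled at the time. Event 4726 ("A user account was deleted") is the Windows Server 2008-and-later successor of event 630; the 630 insertion-string order comes from the definition quoted above, while the 4726 order used here is an assumption on my part.

```powershell
# Added example, not from the original thread: search the Security log of
# every DC for user-account-deletion audits (630 on 2000/2003, 4726 on 2008+).
# Assumes: ActiveDirectory module (RSAT), read access to each DC's Security
# log, and "Audit account management" enabled when the deletion happened.

param(
    [string]$TargetName = '*',   # sAMAccountName to look for; '*' for any
    [int]$Days = 30              # how far back to search
)

Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-$Days)
$deletionIds = 630, 4726

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Get-EventLog also works against Windows 2003 DCs; Get-WinEvent
        # needs a 2008-or-later target.
        $events = Get-EventLog -ComputerName $dc.HostName -LogName Security `
                               -After $since -ErrorAction Stop |
                  Where-Object { $deletionIds -contains $_.EventID }
    } catch {
        Write-Warning "Could not read the Security log on $($dc.HostName): $_"
        continue
    }

    foreach ($e in $events) {
        $s = $e.ReplacementStrings
        if ($e.EventID -eq 630) {
            # Order from the 630 definition: %1 target name, %2 target domain,
            # %3 target SID, %4 caller name, %5 caller domain, %6 caller logon
            # ID, %7 privileges (ReplacementStrings is zero-based).
            $target = $s[0]; $caller = "$($s[4])\$($s[3])"
        } else {
            # Assumed 4726 layout: TargetUserName, TargetDomainName, TargetSid,
            # SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId.
            $target = $s[0]; $caller = "$($s[5])\$($s[4])"
        }
        if ($target -like $TargetName) {
            [pscustomobject]@{
                When    = $e.TimeGenerated
                DC      = $dc.HostName
                EventID = $e.EventID
                Deleted = $target
                By      = $caller
            }
        }
    }
}

$report | Sort-Object When | Format-Table -AutoSize
```

Reading a large Security log remotely with Get-EventLog is slow; on 2008-and-later DCs, Get-WinEvent with a FilterHashtable (LogName, Id, StartTime) does the filtering server-side and is the better choice. Either way, the search only finds what has not already rolled out of the log, which is the argument for forwarding DC Security logs to a central store.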
Re: [ActiveDir] Assign User rights overs computers with AD
Yeah, I guess it's one of those "If you don't need it, get rid of it" things for me. Not going to use it? Just disable it and get rid of the excuse for some half-informed admin from going in and putting settings on there (we all know who they are and probably were him at some point in time, I'm sure I was ;) ).

On 10/6/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:
Minor nit below. Otherwise, spot on observations.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Friday, October 06, 2006 7:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD

Just to cover some things: GPOs can make adjustments to computer *or* user object policies. The only way to override these settings is to use the 'loopback processing' option (this can be ugly and I prefer to avoid it). If you have computer settings set on a GPO on an OU, it will only apply to computer objects within that OU, user settings only apply to users within that OU (again, excepting loopback processing within that GPO). This is one of the big reasons why people usually only put computer *or* user objects within a particular OU. It allows you to disable the portion of the GPO that isn't going to get applied to the objects within the OU (disable user settings on GPOs for computer OUs - unless you're using loopback processing - and disable computer settings for GPOs on user OUs). There's really no reason to have a computer downloading user settings when it's not necessary and vice-versa.

This won't happen regardless. A computer account would never download user settings, even if the user side of a GPO is enabled. Disabling a GPO side is somewhat meaningless because if the side has no policy in it (i.e. its version is 0) then it won't be processed anyway. The only time this is useful is if you have settings on a side and you, for whatever reason, don't want them to be processed.
It's kind of a way of blocking settings that would otherwise be applied by disabling them.

This way, you end up with managing your computer settings separately from your user settings.

Common computer settings: disabling security-related settings, adjusting auditing (event logs, etc.), ACLing directories.
Common user settings: setting environmental variables (default home page, home directory, application settings like Office settings, etc.).

Usually the only time you want to put user settings on a computer OU (and enable loopback processing) is for kiosk type computers, and then you probably want to make sure that you do something to make sure that it doesn't apply for Administrators. It's usually easier to put these settings on an OU for accounts that will be used for that type of workstation though, so you don't have to worry about loopback. As many other people stated though, trying to restrict administrators on workstations will as often as not end up with a series of headaches because of applications that require the user to be a local administrator on the computer. Whether this is because of poor programming on the part of the application developers or something else, it doesn't matter. Unless you know that your users won't need to be local admins, you may want to handle this in a very controlled and well tested manner, possibly testing all of your applications with a non-admin account before pushing this setting out to the users.

On 9/29/06, Dave Wade [EMAIL PROTECTED] wrote:
I know it's over a week since I sent this, but on thinking it's probably worth expanding on this. The OU structure is in place to provide two functions:
1) Delegation of management and administration.
2) Application of Group Policy
Now because the OU structure is the ONLY way (unless you use some added value tool) to provide delegated admin, that needs to be the primary driver when designing the OU structure.
So if you want different people managing Computers and Users, and, like me, you like to keep the user and computer policies separate, it makes sense to have Computers and Users in separate OU trees. Because you can't apply a GPO to the Users and Computers containers it also makes sense not to use these containers. On the other hand, if you have a very devolved management structure, and you are happy with devolved management of the users and computers, then it might make sense to have an OU tree where the top levels represent management units and you store both computers and users in these trees. Personally I don't like this approach, but for some organization structures it may be better...
Dave.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Wade
Sent: 23 September 2006 20:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Assign User rights overs computers with AD

I usually move them out as you can't apply GPO at the Computers level...
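As an added example (not from the original thread), the following PowerShell reports, for every GPO in the domain, whether each side is enabled, whether that side actually holds settings (an AD version of 0 means the side is empty and is skipped at processing time regardless of the enabled flag, which is Darren's point above), and whether loopback processing is configured. It assumes the GroupPolicy RSAT module and read access to all GPOs; the loopback registry key and value name are the standard ones (UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System, 1 = Merge, 2 = Replace).

```powershell
# Added example, not from the original thread: inventory GPO sides, their
# versions and loopback mode so that "disabled but empty" and "enabled but
# never applied" sides can be spotted. Assumes the GroupPolicy module (RSAT).

Import-Module GroupPolicy

# Loopback is a computer-side registry policy; 1 = Merge, 2 = Replace.
$loopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

$rows = foreach ($gpo in Get-GPO -All) {
    $loopback = 'none'
    try {
        $v = Get-GPRegistryValue -Guid $gpo.Id -Key $loopbackKey `
                                 -ValueName 'UserPolicyMode' -ErrorAction Stop
        $loopback = switch ($v.Value) {
            1       { 'Merge' }
            2       { 'Replace' }
            default { "mode $($v.Value)" }
        }
    } catch {
        # No UserPolicyMode value in this GPO: loopback is not configured.
    }

    [pscustomobject]@{
        Name            = $gpo.DisplayName
        ComputerEnabled = $gpo.Computer.Enabled
        ComputerVersion = $gpo.Computer.DSVersion   # 0 = side is empty
        UserEnabled     = $gpo.User.Enabled
        UserVersion     = $gpo.User.DSVersion       # 0 = side is empty
        Loopback        = $loopback
    }
}

$rows | Sort-Object Name | Format-Table -AutoSize

# Sides that are enabled and non-empty on a GPO with loopback on: the
# kiosk/terminal-server pattern from the thread. Check where these are linked
# (Get-GPOReport -ReportType Xml shows the links) before assuming they are
# meant to apply to computer OUs.
$rows | Where-Object { $_.UserEnabled -and $_.UserVersion -gt 0 -and $_.Loopback -ne 'none' }

# Sides that are enabled but empty: disabling them changes nothing at
# processing time, so treat the flag as housekeeping, not as a control.
$rows | Where-Object { ($_.UserEnabled -and $_.UserVersion -eq 0) -or
                       ($_.ComputerEnabled -and $_.ComputerVersion -eq 0) }
```

The version columns are the AD-side (DS) versions; if SYSVOL and AD versions disagree the GPO is mid-replication or broken, which is a separate check (compare $gpo.User.SysvolVersion and $gpo.Computer.SysvolVersion).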
Re: [ActiveDir] Folder Redirection Issue
If you're using a transform file to deploy, you should be able to define the default file location, either as a variable (%homedrive%) or alternatively, you can install the GPO extensions for MS Office and set the item via GPO and stop worrying, as long as you test it a little bit before deploying it out to everyone.

On 10/4/06, Kennedy, Jim [EMAIL PROTECTED] wrote:
"Office was deployed to the workstations via group policy using an AIP and MST transform." Bet you will find something in that MST that is pointing to the wrong location. Blow out an Outlook profile on one as a test.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Wednesday, October 04, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Folder Redirection Issue

I am having a weird problem with folder redirection. I have set the My Documents redirection to the subfolder of the root drive option and set the path to the homefolders directory (\\servername\homefolders$). This is supposed to redirect users' My Documents to \\servername\homefolders$\%username%\my documents and it does. The users log onto their PCs and open their My Documents folder fine, and looking at the properties of their My Documents folder confirms that the redirection is working properly. The problem is that in certain applications, namely Outlook 2003 (all latest patches and SPs applied), when a user goes to save an attachment, for example, and clicks on My Documents in the save dialog, they receive the error "cannot access \\servername\homefolders$", which makes sense since the users do not have access to the homefolders$ share, just to their subfolder. So Outlook, for some reason, is not drilling down into the user's My Documents in the home folder, but instead is trying to access the root of the homefolders$ share. In other Office apps, My Documents works fine. There are also no event log entries that reference this issue.
I am stuck here as I am unable to find any KB articles that discuss this. Does anyone have any suggestions? I have not yet reinstalled Outlook because all other Office apps work fine. Office was deployed to the workstations via group policy using an AIP and MST transform. Any help would be greatly appreciated. Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888 If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
Re: [ActiveDir] Folder Redirection Issue
Sorry, didn't read thoroughly first (oops). Yeah, it sounds like a perms issue. I usually set the root of my user shares directory to have Read/Traverse perms for users in case of an emergency and/or troubleshooting. It's an administrative share anyway; I can understand the paranoia of also setting it to basically be unbrowsable, but it sounds like you're going half a step too far (at least for the purposes of the applications in your environment).

On 10/5/06, Matt Hargraves [EMAIL PROTECTED] wrote:
If you're using a transform file to deploy, you should be able to define the default file location, either as a variable (%homedrive%) or alternatively, you can install the GPO extensions for MS Office and set the item via GPO and stop worrying, as long as you test it a little bit before deploying it out to everyone.

On 10/4/06, Kennedy, Jim [EMAIL PROTECTED] wrote:
"Office was deployed to the workstations via group policy using an AIP and MST transform." Bet you will find something in that MST that is pointing to the wrong location. Blow out an Outlook profile on one as a test.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Wednesday, October 04, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Folder Redirection Issue

I am having a weird problem with folder redirection. I have set the My Documents redirection to the subfolder of the root drive option and set the path to the homefolders directory (\\servername\homefolders$). This is supposed to redirect users' My Documents to \\servername\homefolders$\%username%\my documents and it does. The users log onto their PCs and open their My Documents folder fine, and looking at the properties of their My Documents folder confirms that the redirection is working properly. The problem is that in certain applications, namely Outlook 2003 (all latest patches and SPs applied), when a user goes to save an attachment, for example, and clicks on My Documents in the save dialog, they receive the error "cannot access \\servername\homefolders$", which makes sense since the users do not have access to the homefolders$ share, just to their subfolder. So Outlook, for some reason, is not drilling down into the user's My Documents in the home folder, but instead is trying to access the root of the homefolders$ share. In other Office apps, My Documents works fine. There are also no event log entries that reference this issue. I am stuck here as I am unable to find any KB articles that discuss this. Does anyone have any suggestions? I have not yet reinstalled Outlook because all other Office apps work fine. Office was deployed to the workstations via group policy using an AIP and MST transform. Any help would be greatly appreciated.

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
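As an added example (not from the original thread) of the permission layout Matt describes, the following PowerShell builds a home-folder root that users can list and traverse (enough for a save dialog that starts at the share root) without being able to open each other's folders, and then creates one per-user folder with Modify rights for that user. It assumes an elevated session on the file server, that the share-level permission already grants users at least Change, and that the user is passed as DOMAIN\user; the paths are placeholders.

```powershell
# Added example, not from the original thread: home-folder root with
# list/traverse for Authenticated Users on the root only, plus a per-user
# subfolder with Modify for its owner. Assumes an elevated session.

function New-HomeFolderRoot {
    param([Parameter(Mandatory)][string]$Root)

    New-Item -ItemType Directory -Path $Root -Force | Out-Null
    $acl = Get-Acl -Path $Root
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs

    $full   = [System.Security.AccessControl.FileSystemRights]::FullControl
    $allInh = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noProp = [System.Security.AccessControl.PropagationFlags]::None
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow

    # Administrators and SYSTEM get Full Control that flows down to every
    # user folder, so backups and troubleshooting keep working.
    foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $admin, $full, $allInh, $noProp, $allow)))
    }

    # Authenticated Users: list + traverse on this folder only (no
    # inheritance), i.e. the "Read/Traverse on the root" from the thread
    # without exposing the per-user subfolders underneath.
    $listTraverse = [System.Security.AccessControl.FileSystemRights]'ListDirectory, Traverse, ReadAttributes'
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\Authenticated Users', $listTraverse,
        [System.Security.AccessControl.InheritanceFlags]::None, $noProp, $allow)))

    Set-Acl -Path $Root -AclObject $acl
}

function New-HomeFolder {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$User    # DOMAIN\sAMAccountName
    )
    $path = Join-Path $Root ($User.Split('\')[-1])
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Inheritance stays on: Administrators/SYSTEM come from the root, the
    # root's Authenticated Users ACE does not (it was "this folder only").
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $User, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Usage (placeholders):
# New-HomeFolderRoot -Root 'D:\homefolders'
# New-HomeFolder     -Root 'D:\homefolders' -User 'CORP\jdoe'
```

Modify rather than Full Control on the user folder keeps users from changing permissions on their own folder, which matches the "minus changing permissions" posture used elsewhere in this archive; verify the result with icacls D:\homefolders /t before pointing folder redirection at it.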
Re: [ActiveDir] OT: wikis
What's funny is that actual encyclopedias have almost the same level of accuracy as Wikipedia on any particular subject. Part of that is the fact that they're always 1-3+ years out of date when they are published and the other part is that many 'facts' are actually just theories and there are commonly conflicting theories, or theories that have been around for 10+ years are assumed correct because the research that proved it wrong hadn't been made widely available to those who were part of the writing of the encyclopedia (or they don't trust the new evidence). Either way, you should try and find multiple sources of information for any subject that you're not familiar with.

On 10/5/06, Ramon Linan [EMAIL PROTECTED] wrote:
Right, and remember there is not absolute truth!! :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Nims
Sent: Thursday, October 05, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: wikis

It's funny how we quote wikis as definitive sources of information, when they can be edited by anyone and everyone :) Who vets the edits and how much does that person know about the subject matter??

Anyone can edit, which is why they are generally correct. When 100,000 people view a record, and 2 people want to change it to be incorrect, 999,998 will want to correct it. I wouldn't use a wiki as a great historical or technical source. But for encyclopedia entries, which give a good summation of a subject, they are great.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] OT: wikis
I thought it was 9A:D

On 10/5/06, Laura A. Robinson [EMAIL PROTECTED] wrote:
999,998 + 2 = 1,000,000, not 100,000. ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Nims
Sent: Thursday, October 05, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: wikis

It's funny how we quote wikis as definitive sources of information, when they can be edited by anyone and everyone :) Who vets the edits and how much does that person know about the subject matter??

Anyone can edit, which is why they are generally correct. When 100,000 people view a record, and 2 people want to change it to be incorrect, 999,998 will want to correct it. I wouldn't use a wiki as a great historical or technical source. But for encyclopedia entries, which give a good summation of a subject, they are great.
Re: [ActiveDir] Who keeps creating this folder files?
Turn on security auditing.

On 10/5/06, J B [EMAIL PROTECTED] wrote:
Argh! On one of our file servers, there is a public directory that allows any authenticated user to do anything within it (minus changing permissions). MP3 files and folders appear there every so often and are removed soon thereafter. Is there some way for me to tell who has created these folders and MP3 files? Every time I check, no one is currently accessing the files - which would be an easy way for me to know...
Re: [ActiveDir] Who keeps creating this folder files?
Magic 8 ball?

Security event logs are great things; learning how to search them for the right data can be invaluable and increase the security at your company drastically. It will mean that instead of saying "Who did this?", you will know who did it. Instead of going "When did that happen?", you'll know when it happened. Unfortunately, you end up having to almost export your event logs to another location to make them searchable on active systems. The only bad part is that, once you get the data, you find yourself sitting there going "Oh, that script did it..." or worse - "I did it?!" or something similar. 95% of the time, something where you're going "Oh yeah, I'm gonna get them this time", you realize that there isn't anyone to get. After a little while you'll stop expecting to 'get them' this time and go "OK, what do I need to fix this time" and kinda dread the idea of it being someone doing something wrong and hope it's just something that you can fix in 10 minutes, because if someone did something wrong, then you have to spend 2-4 hours in meetings discussing why they did it, how they did it, how to avoid it happening again, etc.

On 10/5/06, J B [EMAIL PROTECTED] wrote:
I was hoping that there was some way to see who created it rather than wait until it happened again, or wait until someone accessed it... I'll have to settle for the auditing though. Thanks!

- Original Message -
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Thursday, October 05, 2006 11:14 AM
Subject: RE: [ActiveDir] Who keeps creating this folder files?!

Set some auditing on the folder that this is happening in and watch the security log for the relevant audits…
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of J B
Sent: Thursday, October 05, 2006 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who keeps creating this folder files?!

Argh!
On one of our file servers, there is a public directory that allows any authenticated user to do anything within it (minus changing permissions). MP3 files and folders appear there every so often and are removed soon thereafter. Is there some way for me to tell who has created these folders and MP3 files? Every time I check, no one is currently accessing the files - which would be an easy way for me to know...
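As an added example (not from the original thread) of "set some auditing on the folder and watch the security log", the following PowerShell first puts a success audit rule for file and folder creation on the public folder (a SACL entry, which does not change who can write there), then reads back who created what from the Security log. It assumes Windows Server 2008 or later (event 4663; on Windows 2003 the object-access events were 560/567), an elevated session on the file server, and that the "File System" object-access subcategory is enabled with auditpol; the folder path is a placeholder.

```powershell
# Added example, not from the original thread: audit file/folder creation in
# a folder and report the creators from event 4663. Assumes Server 2008+,
# an elevated session, and object-access auditing enabled, e.g.:
#   auditpol /set /subcategory:"File System" /success:enable

function Enable-CreateAudit {
    param([Parameter(Mandatory)][string]$Path)

    $rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]::Success

    # Audit every authenticated user; this is a SACL entry, so the DACL
    # (who may write) is untouched.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
                'NT AUTHORITY\Authenticated Users', $rights, $inherit, $prop, $flags)

    $acl = Get-Acl -Path $Path -Audit     # -Audit is required to read/modify the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl   # needs SeSecurityPrivilege (run elevated)
}

function Get-CreateEvents {
    param([Parameter(Mandatory)][string]$Path, [int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Pull EventData fields by name from the event XML rather than by position.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 0x2 = WriteData/AddFile, 0x4 = AppendData/AddSubdirectory: the
        # access bits that correspond to creating a file or a folder.
        $mask = [int]$data['AccessMask']        # "0x2" style hex strings convert directly
        if ($data['ObjectName'] -like "$Path*" -and ($mask -band 0x6)) {
            [pscustomobject]@{
                When    = $e.TimeCreated
                User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Object  = $data['ObjectName']
                Process = $data['ProcessName']
            }
        }
    }
}

# Usage (placeholder path):
# Enable-CreateAudit -Path 'D:\Shares\Public'
# Get-CreateEvents   -Path 'D:\Shares\Public' -Hours 48 | Format-Table -AutoSize
```

Files dropped over SMB show the server-side process (System) in ProcessName; the useful field is the subject account, which is why the example resolves SubjectUserName rather than relying on the handle owner. Expect noise from anything else that writes there, which is Matt's "Oh, that script did it" case.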
Re: [ActiveDir] OT: Volume licensing activation
I can completely understand Microsoft's point, don't get me wrong.I guess it just kinda gets my goat that they're so tired of people using VLE keys as the new favorite of license violators that they're going to put the onus on the business owners to pay for a new server just to manage Microsoft's licenses. Also, Vista is one thing, but Longhorn? Do they really have that many server instances running with VLE keys that it justifies a company having to pay for 1-10 licensing servers (remember, not everyone is 100% in a single global region) to keep not only my workstations up and running, but the servers too? I just kinda feel like if they're going to go this far, they should provide me with a license appliance to handle every x number of stations. Enough people are paying for software assurance where it seems like it would be a good business move to keep people happy, a little good with the bad I guess. The scary part that I'm wondering about is what they're going to do with the retail/OEM versions of the software. There are enough people out there who will buy a computer but not have an internet connection (yes, I know it's not a *huge* number, the internet is half the reason a lot of people get computers), what are they going to have to do, call MS every 180 days to 'reactivate' their computer? Talk about a pain. My father would just end up giving his computer away if it came to that. Granted, he's 60 and doesn't know a tenth what most people under the age of 30 know about computers, but those are the people who need everything more convenient and less of a hassle. 
On 10/4/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
Microsoft's Software Protection Platform: Protecting Software and Customers from Counterfeiters: The company announces innovative technology in Windows Vista and Windows Server "Longhorn" to reduce the risk of piracy and software tampering while improving software licensing: http://www.microsoft.com/presspass/features/2006/oct06/10-04SoftwareProtection.mspx

Windows Genuine Advantage: New technology to protect Windows Vista and other products: http://blogs.msdn.com/wga/archive/2006/10/04/New-technology-to-protect-Windows-Vista-and-other-products.aspx

Whitepaper: http://download.microsoft.com/download/c/2/9/c2935f83-1a10-4e4a-a137-c1db829637f5/10-03-06SoftwareProtectionWP.doc

As long as it works and works well, and when it's updated it gets disclosed so that tinfoil folks won't be shutting off auto updates, because that's what's happening now.

Brian Desmond wrote:
I read through the docs on this VL activation and it's not as bad as it sounds. They're really just trying to protect the keys.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, October 03, 2006 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Volume licensing activation

Yeah... MS is going to get really high levels of adoption on this product... Gotta wonder what in the heck they're thinking sometimes.

On 10/2/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
http://blogs.zdnet.com/microsoft/?p=26
Mary Jo Foley reports that the next version of Vista will have Volume licensing activation.

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] OT: Volume licensing activation
Yeah... MS is going to get really high levels of adoption on this product... Gotta wonder what in the heck they're thinking sometimes.

On 10/2/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
http://blogs.zdnet.com/microsoft/?p=26
Mary Jo Foley reports that the next version of Vista will have Volume licensing activation.
Re: [ActiveDir] Move all OU and USERS from one forest to another forest
I'm not sure, if I was going to test for an Exchange environment, that I wouldn't want to make sure that, at the very least, I still had the extensions in place for Exchange in the schema.

On 10/3/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
Have a look at:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/105.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/107.aspx
jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramon Linan
Sent: Tuesday, October 03, 2006 16:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Move all OU and USERS from one forest to another forest

Hi,
I am trying to build a testing environment. I have the production forest and the testing forest, not connected at all. Is there an easy way of creating all the same OUs and users from one forest in the other? Each forest only has one domain; also, I am only interested in moving some of the attributes, i.e. there is no MS Exchange in the testing environment so I don't care about Exchange attributes. I was going to build a script that will read from production LDAP and create objects in the other one, but if there is already something that does that, like a tool or script, I would prefer to use it to save time. Can I use ADAM for this?
Rezuma
Re: [ActiveDir] OT: Volume licensing activation
When you've got 100k workstations in your environment and it takes 2-3 minutes to run through the activation and then however much time to manage the server... 100k*2.5 ends up equalling about 2 years' worth of wages for a single employee (call it $120k total). I don't mind them trying to protect keys, but it's not the companies with 1k+ workstations, it's the companies with 50 workstations and 'computer geniuses' (don't you dread it when you hear that phrase - you know something's *really* screwed up) who are using invalid or stolen keys. I know that 120k might be 'beans' to a large company, but reality is that you just increased the deployment cost for a new tool. If I can run XP for an extra 2 years and use the version after Vista, then I just saved my company $120k... I just paid my salary for the next year probably. This is how management personnel think - that's why we call them 'bean counters', because that 120k means something to them. They know that not using legit versions is not a valid solution, but they also know that saving $120k means something after you do it 10 times (and just saved the company 0.1% off their costs - every little bit counts for accountants).

On 10/3/06, Brian Desmond [EMAIL PROTECTED] wrote:
I read through the docs on this VL activation and it's not as bad as it sounds. They're really just trying to protect the keys.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, October 03, 2006 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Volume licensing activation

Yeah... MS is going to get really high levels of adoption on this product... Gotta wonder what in the heck they're thinking sometimes.

On 10/2/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
http://blogs.zdnet.com/microsoft/?p=26
Mary Jo Foley reports that the next version of Vista will have Volume licensing activation.
Re: [ActiveDir] SID History.
OK, I think that I pretty much had it figured out, just wanted to get some level of validation. Thanks for all the help.

On 9/26/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Matt, I went through a similar 'thought experiment' a few years ago. Whilst I didn't actually test my conclusions, I arrived at the decision that the original domain could actually be completely removed and the SID history data would still be valid and usable to access resources, i.e. there is no need to 'talk' to the DCs in the resource domain(s). Does that help?
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: 25 September 2006 20:55
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SID History.

Yeah, read that document before. It doesn't say whether it's going to go scanning domains for SID History memberships, so I have to assume that unless I have a group that points to a user's SID History SID within that AD environment (or in that authentication chain), then it's not going to add in more SIDs to the user's token. Example: I have a group that points to a user's SID history as a ForeignSecurityPrincipal, then it will add in that object. In other words, if user addomain\user1234 is accessing a file that is on server fileserver.addomain.com and only ACLs to groups that are within the local domain that are AD native and those groups only have memberships for the local domain, then is his token going to include his memberships from NTResourcedomain42 and NTResourcedomain78 or just his memberships which reside within addomain.com?
On 9/25/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
to read on how the access token is built see: http://download.microsoft.com/download/8/f/3/8f36dfe4-47d0-4775-ad5a-5614384921aa/AccessTokenLimitation.doc
authentication across domains depends if NTLM is used (external trusts) or kerberos is used (forest trusts and intra-forest transitive trusts)
sIDHistory just adds SIDs to the access token, after that the process is the same
jorge

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Mon 2006-09-25 19:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SID History.

Unfortunately that's not even close to what I was having issues with, Joe. I'm more concerned with how tokens are created and whether they will by default query the old resource domains that haven't been migrated into the AD environment.

Theoretical situation: I am a member of 50 groups in my user domain, I'm accessing something in my user domain. We have 150 trusted resource domains where I have 6 group memberships in each through SID history. Is the GC/DC going to query all trusted domains for my memberships through SID history? (resource domains are all NT4 domains) I'm assuming that it's not going to, because of how the authentication path works (resource server - user domain DC - user domain GC - resource server DC, resource server), but everything I've seen never really talks about SID History much.

On 9/24/06, joe [EMAIL PROTECTED] wrote:
I would recommend poking through the MSDN security docs. It sounds like there is a break in understanding of how the SIDs are used in combination with the DACLs. Start here: http://msdn.microsoft.com/library/default.asp?url="" but poke around that whole area.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Thursday, September 21, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID History.

Conceptual situation:
User domain
Resource domain(s)
I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token? Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
Re: [ActiveDir] DNS entry won't delete
Any chance you can edit the setting so that it points to something not in your network? (ex. you have a 10.x.x.x network, so you reset it to be a 192.168.x.x IP)

On 9/26/06, Clingaman, Bruce [EMAIL PROTECTED] wrote:
My two DCs are Windows 2003 servers, DNS integrated, Primary. The resilient entries are from Mac OS X clients and one OS X server. The domain name of the entries are from a domain that was renamed.

Bruce Clingaman
Information Technology Department
Pensacola Christian College
850.478.8496 ext. 2198
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, September 26, 2006 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS entry won't delete

Bruce, try the command that Andrew posted and see what results you get.

Other things to check: Are the domains integrated? Primary? How are the reverse and forward zones configured?

I'm surprised to hear the record is not in WINS. I assume then that it's not a Windows server then? What type of server is it? What is the OS?

Al

On 9/26/06, Clingaman, Bruce [EMAIL PROTECTED] wrote:
I got an object not found error. The following script should enumerate all the zones on both my DCs:
=
    ' Enumerate the DNS zone containers stored in the DomainDNSZones partition on each DC
    WScript.Echo Now & vbCrLf
    DCs = Array("dc1", "dc2")
    For i = 0 To UBound(DCs)
        strDN = "CN=MicrosoftDNS,DC=DomainDNSZones,DC=mydomain,DC=int"
        Set objColl = GetObject("LDAP://" & DCs(i) & "/" & strDN)
        WScript.Echo "Entries in " & DCs(i)
        WScript.Echo String(30, "-")
        EnumColl objColl
        WScript.Echo
    Next

    Sub EnumColl(objColl)
        For Each objEntry In objColl
            WScript.Echo objEntry.Name
        Next
    End Sub
==
It does not display all the zones, one of which has the entries in question.

Bruce Clingaman
Information Technology Department
Pensacola Christian College
850.478.8496 ext. 2198
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Cace
Sent: Tuesday, September 26, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS entry won't delete

You can run the following command to see where an update is originating. Then, if you have auditing enabled for that operation, you can check the originating DC to see who made the change.

    repadmin /showobjmeta yourdc "dc=recordname,dc=yourzone.com,cn=MicrosoftDNS,dc=DomainDNSZones,dc=yourdomain,dc=com"

Replace yourdc, etc. with appropriate values for your domain. For a reverse lookup zone, recordname will be the last octet of the IP address and dc=yourzone.com will be something like dc=2.1.10.in-addr.arpa, where 2.1.10 is the reverse notation of the first three octets of your IP address. Be sure that you have the partition where the zone is stored correct, whether it's DomainDNSZones, ForestDNSZones, or the domain partition. The dnsRecord attribute is the one that you are interested in.

-Andrew

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clingaman, Bruce
Sent: Tuesday, September 26, 2006 8:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS entry won't delete

I have three DNS entries in my Reverse lookup zone that were for static addresses that won't go away. The problem is one of them shares the address and hostname (different domain name, domain was renamed) assigned to another server. When I delete it, it immediately reappears. I am unable to determine what is putting these entries back in. They were for OS X machines, one is a client, the other was a server. The client has been changed to DHCP. The server was reinstalled and given a different IP address. I have a single level domain with two DCs, one is a WINS server, AD/DNS integrated.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
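A small helper, added here and not from Andrew's post, that builds the dnsNode DN and the repadmin command he describes for a PTR record in a /24 reverse zone, so the partition and octet reversal are not done by hand. The DN layout follows the thread's own CN=MicrosoftDNS,DC=DomainDNSZones,DC=mydomain,DC=int; the CN=System form for zones kept in the domain partition is assumed, and the DC name and IP address are constructed samples.

```python
import ipaddress

# Container holding the dnsNode objects, relative to the domain DN.  The first two
# follow the DNs used in this thread; the domain-partition form is the older
# CN=System layout and is an assumption of this example.
PARTITION_CONTAINERS = {
    "DomainDNSZones": "CN=MicrosoftDNS,DC=DomainDNSZones,{domain}",
    "ForestDNSZones": "CN=MicrosoftDNS,DC=ForestDNSZones,{domain}",
    "domain": "CN=MicrosoftDNS,CN=System,{domain}",
}


def reverse_record_parts(ip: str) -> tuple[str, str]:
    """Split an IPv4 address into (record name, /24 reverse zone).

    10.1.2.37 -> ('37', '2.1.10.in-addr.arpa'): the last octet names the record,
    the first three octets reversed name the zone.
    """
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return octets[3], ".".join(reversed(octets[:3])) + ".in-addr.arpa"


def dns_node_dn(record: str, zone: str, domain_dn: str, partition: str = "DomainDNSZones") -> str:
    """DN of the dnsNode object whose dnsRecord attribute holds the record."""
    if partition not in PARTITION_CONTAINERS:
        raise ValueError(f"unknown partition {partition!r}; expected one of {sorted(PARTITION_CONTAINERS)}")
    container = PARTITION_CONTAINERS[partition].format(domain=domain_dn)
    return f"DC={record},DC={zone},{container}"


def showobjmeta_for_ptr(dc: str, ip: str, domain_dn: str, partition: str = "DomainDNSZones") -> str:
    """The repadmin command line that shows replication metadata for a PTR record's dnsNode.

    In the output, the dnsRecord attribute's originating DSA is the DC whose audit log
    to read next.
    """
    record, zone = reverse_record_parts(ip)
    return f'repadmin /showobjmeta {dc} "{dns_node_dn(record, zone, domain_dn, partition)}"'


if __name__ == "__main__":
    # Constructed sample: the PTR record for 10.1.2.37 in the mydomain.int domain from this thread.
    print(showobjmeta_for_ptr("dc1", "10.1.2.37", "DC=mydomain,DC=int"))
```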
Re: [ActiveDir] SID History.
Unfortunately that's not even close to what I was having issues with Joe. I'm more concerned with how tokens are created and whether they will by default query the old resource domains that haven't been migrated into the AD environment.

Theoretical situation: I am a member of 50 groups in my user domain, I'm accessing something in my user domain. We have 150 trusted resource domains where I have 6 group memberships in each through SID history. Is the GC/DC going to query all trusted domains for my memberships through SID history? (Resource domains are all NT4 domains.) I'm assuming that it's not going to, because of how the authentication path works (resource server - user domain DC - user domain GC - resource server DC, resource server), but everything I've seen never really talks about SID History much.

On 9/24/06, joe [EMAIL PROTECTED] wrote:
I would recommend poking through the MSDN security docs. It sounds like there is a break in understanding of how the SIDs are used in combination with the DACLs. Start here: http://msdn.microsoft.com/library/default.asp?url="" but poke around that whole area.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Thursday, September 21, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID History.

Conceptual situation:
User domain
Resource domain(s)
I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?

Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
Re: [ActiveDir] SID History.
Yeah, read that document before. It doesn't say whether it's going to go scanning domains for SID History memberships, so I have to assume that unless I have a group that points to a user's SID History SID within that AD environment (or in that authentication chain), then it's not going to add in more SIDs to the user's token. Example: I have a group that points to a user's SID history as a ForeignSecurityPrincipal, then it will add in that object. In other words, if user addomain\user1234 is accessing a file that is on server fileserver.addomain.com and only ACLs to groups that are within the local domain that are AD native and those groups only have memberships for the local domain, then is his token going to include his memberships from NTResourcedomain42 and NTResourcedomain78 or just his memberships which reside within addomain.com?

On 9/25/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
To read on how the access token is built see: http://download.microsoft.com/download/8/f/3/8f36dfe4-47d0-4775-ad5a-5614384921aa/AccessTokenLimitation.doc
Authentication across domains depends on whether NTLM is used (external trusts) or Kerberos is used (forest trusts and intra-forest transitive trusts). sIDHistory just adds SIDs to the access token; after that the process is the same.

jorge

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Mon 2006-09-25 19:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SID History.

Unfortunately that's not even close to what I was having issues with Joe. I'm more concerned with how tokens are created and whether they will by default query the old resource domains that haven't been migrated into the AD environment.

Theoretical situation: I am a member of 50 groups in my user domain, I'm accessing something in my user domain. We have 150 trusted resource domains where I have 6 group memberships in each through SID history. Is the GC/DC going to query all trusted domains for my memberships through SID history? (Resource domains are all NT4 domains.) I'm assuming that it's not going to, because of how the authentication path works (resource server - user domain DC - user domain GC - resource server DC, resource server), but everything I've seen never really talks about SID History much.

On 9/24/06, joe [EMAIL PROTECTED] wrote:
I would recommend poking through the MSDN security docs. It sounds like there is a break in understanding of how the SIDs are used in combination with the DACLs. Start here: http://msdn.microsoft.com/library/default.asp?url="" but poke around that whole area.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Thursday, September 21, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID History.

Conceptual situation:
User domain
Resource domain(s)
I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?

Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
[ActiveDir] SID History.
Conceptual situation:
User domain
Resource domain(s)
I bring all users into a single AD environment, bringing over SID History information. Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?

Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
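The token assembly this thread asks about, as a simplified model added here (not code from the thread, from Microsoft, or from the document jorge links): only the account domain and the resource domain on the authentication path contribute SIDs, so an ACL naming an sIDHistory SID still matches after the NT4 domain is gone, while a membership that existed only in that domain never appears unless a group on the path lists one of the token's SIDs. All SIDs and group names are constructed, and the model leaves out universal-group lookups at the GC and the file server's own local groups.

```python
from dataclasses import dataclass, field


@dataclass
class Principal:
    """A user or group: its current SID plus any SIDs carried in sIDHistory."""
    sid: str
    sid_history: list[str] = field(default_factory=list)


@dataclass
class Domain:
    """What one domain's DCs know.  A decommissioned NT4 domain is simply absent."""
    name: str
    users: dict[str, Principal]               # user SID -> principal
    global_groups: dict[str, Principal]       # group SID -> principal (migrated groups keep sIDHistory)
    global_membership: dict[str, set[str]]    # user SID -> SIDs of its global/universal groups
    domain_local_groups: dict[str, set[str]]  # group SID -> member SIDs (foreign SIDs allowed)


def build_token(user_sid: str, account_domain: Domain, resource_domain: Domain) -> set[str]:
    """Assemble the SIDs a resource in resource_domain sees for a user of account_domain.

    Only the two domains on the authentication path contribute; nothing here goes
    asking other trusted domains what they might know about the user.
    """
    user = account_domain.users[user_sid]
    token = {user.sid, *user.sid_history}
    # The account domain's DC adds global/universal groups and each group's own sIDHistory.
    for gsid in account_domain.global_membership.get(user_sid, ()):
        group = account_domain.global_groups[gsid]
        token.add(group.sid)
        token.update(group.sid_history)
    # The resource domain's DC adds its domain local groups whose member list hits any SID
    # already in the token; an old SID listed as a foreign security principal counts.
    for gsid, members in resource_domain.domain_local_groups.items():
        if token & members:
            token.add(gsid)
    return token


def access_check(token: set[str], dacl: list[tuple[str, str]]) -> bool:
    """dacl is an ordered list of (ace_type, sid); the first ACE whose SID is in the token decides."""
    for ace_type, sid in dacl:
        if sid in token:
            return ace_type == "allow"
    return False


# --- constructed sample SIDs (not real ones) ---
ADDOMAIN = "S-1-5-21-111-222-333"        # addomain.com, the migrated AD domain
NT42 = "S-1-5-21-900-900-900"            # NTResourcedomain42, an NT4 domain being decommissioned
USER_NEW = f"{ADDOMAIN}-1104"            # addomain\user1234
USER_OLD = f"{NT42}-1204"                # user1234's old SID, now in sIDHistory
GRP_MIGRATED_NEW = f"{ADDOMAIN}-1301"    # an NT42 global group after migration
GRP_MIGRATED_OLD = f"{NT42}-2001"        # that group's old SID, kept in its sIDHistory
GRP_LEFT_BEHIND = f"{NT42}-2002"         # an NT42 group the user belonged to but never migrated
DL_FILEADMINS = f"{ADDOMAIN}-1401"       # addomain domain local group listing USER_OLD as a member


def sample_addomain() -> Domain:
    return Domain(
        name="addomain.com",
        users={USER_NEW: Principal(USER_NEW, [USER_OLD])},
        global_groups={GRP_MIGRATED_NEW: Principal(GRP_MIGRATED_NEW, [GRP_MIGRATED_OLD])},
        global_membership={USER_NEW: {GRP_MIGRATED_NEW}},
        domain_local_groups={DL_FILEADMINS: {USER_OLD}},
    )


def demo() -> dict:
    """user1234 opens a file on fileserver.addomain.com: account and resource domain are the same."""
    addomain = sample_addomain()
    token = build_token(USER_NEW, addomain, addomain)
    return {
        "token": token,
        # ACL still names the migrated group's NT42 SID: matched through the group's sIDHistory.
        "acl_old_group_sid": access_check(token, [("allow", GRP_MIGRATED_OLD)]),
        # ACL names the user's NT42 SID directly: matched although NT42 is never contacted.
        "acl_old_user_sid": access_check(token, [("allow", USER_OLD)]),
        # Membership that exists only in NT42 is invisible: nothing on the path carries it.
        "acl_left_behind_group": access_check(token, [("allow", GRP_LEFT_BEHIND)]),
        # A domain local group listing the old SID as a foreign security principal is added.
        "domain_local_via_old_sid": DL_FILEADMINS in token,
        # An explicit deny on the old SID wins over a later allow, as with any other SID.
        "deny_on_old_sid": access_check(token, [("deny", USER_OLD), ("allow", GRP_MIGRATED_NEW)]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```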
Re: [ActiveDir] Elevating privileges from DA to EA
I agree with the people who are saying "Either trust all of them or none of them." Realistically, unless you have a large environment (BTW, some people argue that all but maybe 10 Fortune 100 companies are 'medium' sized and the other 99.% of organizations are 'small'), there should only be a handful of people (3-7?) and some service accounts that require that level of rights.

Domain/Enterprise Admins are a tricky bunch and no matter what you do to us, we can take back whatever rights you took away from us very easily, then lock you and everyone else in the world out, destroy the on-site backups and demolish the environment to where it's going to take a major effort to get back to operational status. This would all take significantly less time than it would take for someone to figure out who is doing what.

I like Joe's recommendation of taking everyone that you don't need out of the admins groups and simply granting them various levels of rights with their account. Possibly give everyone a user and admin account (user1234567 and user1234567a), heaven knows it would make troubleshooting a lot easier.

That being said, someone asking for their own regional forest? Fine, as long as the person saying that it's necessary is willing to come up with the budget for the additional servers and additional personnel to support that forest and that they understand that they will have 0 admin level rights on anything in the 'main' forest, it wouldn't bother me, just one less thing that I have to worry about managing. Oh yeah, and they have to pay for yearly audits to validate that they are meeting the corporate standards for security at all levels. Then again, most of those items aren't usually my concern. Thank God I'm not in management :D

On 9/15/06, Paul Williams [EMAIL PROTECTED] wrote:
Neil,

Try a re-read of the first couple of chapters of the first part of the deployment guide book designing and deploying directory and security services. Obviously it doesn't spell out how to do this -it doesn't even allude to how this is done- but does emphasise when and when not to go with the regional domain model.

I'm not disputing what anyone is saying here -I agree. I just happen to think the regional model can be a good one, and that if done properly works. Even from a security stand point.

The main thing with the regional design is that there's a central group of service admins, or a true delegated model. If you have multiple groups of service admins it can still work, but the issue that has been raised is very real and you probably need to implement processes and monitor against it (if you're forced into such a design by the needs of the business or obtuse upper management ;-). Although it does seem to be possible to implement disparate groups of service admins if you follow the delegation whitepaper (you'll need to improvise, but most of the info. is pertinent), which should put you in a much stronger position from a security stand point. If you can achieve a very small number of people who are actually members of the builtin\Administrators group, and the rest only have delegated permissions and privileges (and preferably very few privileges on the DCs, i.e. no logon locally) you can achieve what you want. Joe's been there and done it...

--Paul

----- Original Message -----
From: Almeida Pinto, Jorge de
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 8:48 AM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

What is being said is very very true. Either you trust ALL Domain Admins (no matter the domain those are in) or you do not trust ANY! Every Domain Admin or ANY person with physical access to a DC has the possibility to turn the complete forest into crap! Because if that was NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! The Forest is the security boundary, whereas EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be trusted!

I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above

When you know HOW, it is as easy as taking candy from a baby

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since
Re: [ActiveDir] Specifying builtin accounts in GPO settings.
I think we discovered the problem... things were just locked down a *tad* too much.

On 9/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:
Look at your default recipient policy. What's set there? Just curious.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Matt Hargraves
Sent: Wed 9/13/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers, the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:
On W2000 running OWA on a DC this was an issue … only case I know of. What are the issues you're having?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:
No it wouldn't. Why are you giving an IWAM account access to a remote machine?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the Log on locally right for an OU if I can do it with a more simple command. I'll try just about anything :)

Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:
And if you think about it they couldn't – if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.

Matt-
I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.

I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID; if I simply do a browse for the account on one machine, will it resolve to SID and apply the setting for all accounts, or is there another way to do this (like specifying Builtin\Administrator would work for the builtin Administrator account) no matter what the name happens to be on a local machine?
Re: [ActiveDir] Isolating a DC
Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients. I've actually never heard of anyone doing this and would consider it a very bad idea unless you have significant redundancy in your 'normal' environment.

BTW, from a Microsoft presentation a little over a year ago, they have 4 Exchange server sites, only 1 of them (Redmond) isolates their DCs from authentication and reserves it for Exchange, the other 3 use their Exchange (a *very* DC/GC intensive app) servers for authentication also.

Site is only a logical separation. IPSec might as well be a physical barrier. Unless there is a serious reason why you would rather have none of your clients be able to authenticate instead of authenticating against these DCs (as I said, in case of an emergency), then you should probably avoid putting an IP filter on these boxes. If you isolate via site, then the only way that clients are going to authenticate against them is if all DCs are down in their site, which since you're a single physical site org, means that all of the authentication DCs are down, which is probably a more serious problem than "OMG, a (gasp) *user* authenticated against my application DC."

On 9/13/06, Lucas, Bryan [EMAIL PROTECTED] wrote:
Thanks to all for the responses. This (isolating via ipsec) is probably the right direction for me. We're a single site, single domain at a single physical location, but the idea of building another site isn't appealing from a keep it simple perspective. Are there any technical reasons why a separate site would be better than isolation through IPSec? Will I cause clients/apps, who initially don't know they are denied, delays when they try to access the ipsec isolated DC?

Bryan Lucas
Server Administrator
Texas Christian University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:
I highly recommend that you read http://www.windowsitpro.com/articles/print.cfm?articleid=37935 Then, as a fall-back option, look for the isolation using IPSec whitepapers on Microsoft site. I can't find them now, but I know that they exist. They show you how to restrict communication with a specific server or network using IPSec.

I think what you're referring to is the excellent Server and Domain Isolation using IPSec content, at: http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however, there's other content online that'll explain this a little more concisely, such as this presentation from the Virginia Tech Windows Users Group: http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22

And also Using IPSec to Lock Down a Server from technet: http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Hope that helps!

- James.
--
James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org
Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)
sites: https://www.bsrf.org.uk ~ http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3
Re: [ActiveDir] Isolating a DC
Yeah, I didn't mean to sound so negative, it just seems like isolating by site (which is a logical, not physical barrier) is a more holistic solution which provides the isolation required, while allowing the DCs to continue to potentially (in an emergency situation) perform the duties of user authentication without having to change anything. The IPSec solution just seems like serious overkill that's unnecessary.

On 9/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:
I thought his original request was to make sure that no other client talks to the isolated server except those permitted.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Matt Hargraves
Sent: Wed 9/13/2006 7:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients. I've actually never heard of anyone doing this and would consider it a very bad idea unless you have significant redundancy in your 'normal' environment.

BTW, from a Microsoft presentation a little over a year ago, they have 4 Exchange server sites, only 1 of them (Redmond) isolates their DCs from authentication and reserves it for Exchange, the other 3 use their Exchange (a *very* DC/GC intensive app) servers for authentication also.

Site is only a logical separation. IPSec might as well be a physical barrier. Unless there is a serious reason why you would rather have none of your clients be able to authenticate instead of authenticating against these DCs (as I said, in case of an emergency), then you should probably avoid putting an IP filter on these boxes. If you isolate via site, then the only way that clients are going to authenticate against them is if all DCs are down in their site, which since you're a single physical site org, means that all of the authentication DCs are down, which is probably a more serious problem than "OMG, a (gasp) *user* authenticated against my application DC."

On 9/13/06, Lucas, Bryan [EMAIL PROTECTED] wrote:
Thanks to all for the responses. This (isolating via ipsec) is probably the right direction for me. We're a single site, single domain at a single physical location, but the idea of building another site isn't appealing from a keep it simple perspective. Are there any technical reasons why a separate site would be better than isolation through IPSec? Will I cause clients/apps, who initially don't know they are denied, delays when they try to access the ipsec isolated DC?

Bryan Lucas
Server Administrator
Texas Christian University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:
I highly recommend that you read http://www.windowsitpro.com/articles/print.cfm?articleid=37935 Then, as a fall-back option, look for the isolation using IPSec whitepapers on Microsoft site. I can't find them now, but I know that they exist. They show you how to restrict communication with a specific server or network using IPSec.

I think what you're referring to is the excellent Server and Domain Isolation using IPSec content, at: http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however, there's other content online that'll explain this a little more concisely, such as this presentation from the Virginia Tech Windows Users Group: http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22

And also Using IPSec to Lock Down a Server from technet: http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Hope that helps!

- James.
--
James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org/
Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)
sites: https://www.bsrf.org.uk/ ~ http://www.security-forums.com/
ca: https://www.cacert.org/index.php?id=3
Re: [ActiveDir] DNS Entries --Laptop Users--
I'm not s huge DNS geek, so I'm not sure whether you can do this, but can't you just set the DHCP to have a short expiration (1 hour?) and it will unregister the 'old' entry for a machine? There would be a small amount of vulnerability, but it would go away after the client's reservation expires. On 9/13/06, Ravi Dogra [EMAIL PROTECTED] wrote: No, Laptop Users are getting IP Addresses from my VPN Box and whenthey are on site its DHCP.On machines Register in DNS option Is checked, hence machines areattempting to register its own records in DNS. Although i have made my LAN DHCP to register only its Clients in DNS.Credentials used are abviously my Administrator Account.But Al,The Issue we had is laptop users are using LAN DHCP as well as usingVPN Connection from home. Both are getting registered in My DNS with different IP. Which is obvious.But the thing is SOPHOS gave us this as one of the reasons for mylaptop machines not showing in Sophos Enterprise Console because ituses DNS to build existing machines list. Now everything is working fine and this reason was totally not applicable.but still there are other machines which are only in our network usingonly my LAN DHCP and are not showing up in EC.Sophos Support team is working on this. Thanks and RegardsRavi DograOn 9/13/06, Al Mulnick [EMAIL PROTECTED] wrote: I swear this is the last question and then I'll make a suggestion. :) Is the DHCP server that the remote clients are getting their ip addr's from the same as the one that you are using for lan connected clients? You are obviously allowing the user's machine to update it's own records, but is that consistent or is the DHCP server on the lan registering the records for you possibly under a different set of credentials or in a different zone? On 9/11/06, Ravi Dogra [EMAIL PROTECTED] wrote: yes its correct. No we have mobile users.. 
On 9/11/06, Al Mulnick [EMAIL PROTECTED] wrote: Besides the obvious of telling Sophos to adjust their management to deal with this, here's what I understand of your problem to date. VPN clients that are also trusted network clients (i.e. mobile users that traverse both trusted and non-trusted networks can end up with seemingly duplicate entries for the same device but different ip addresses. This confuses some antivirus management applications and presumably some management applications such as SMS or similar class of app, that rely on reverse name resolution. Is that correct? Do you have workers that are remote-based only? Al On 9/8/06, Ravi Dogra [EMAIL PROTECTED] wrote:According to Sophos Support if one host has 2 DNS Entries, SophosEnterprise Manager might not be able to detect this Host and auto update will also dont work. As you know jolly;- We are in process of migration from Trend toSophos as our Antivirus Solution. Working on a solution will update soon. ThanksRavi Dogra On 9/8/06, Jaspreet Singh [EMAIL PROTECTED] wrote: Ravi, As Rob said, If your VPN box is forwarding requests to your internal network the your DNS will automatically update the records according to the new IP which in your case is x.x.5.x. Can you explain exactly what is the problem that you are facing due to this? Regards, Jaspreet Singh Jolly On 9/7/06, Al Mulnick [EMAIL PROTECTED] wrote:1. I Didnt understand what exactly u r asking? 2. Yes DHCP Is configured properly. That's not what I asked.I asked if it's updating the records for the device or is it letting the devices update their own? Al On 9/6/06, Ravi Dogra [EMAIL PROTECTED] wrote:1. I Didnt understand what exactly u r asking? 2. Yes DHCP Is configured properly. 3. Yes it is running on DC 4. No, not running any other credential. 5. VPN Machine is entirely a different BOX on other site. 6. It doesnt register in my DNS. (Will extract other information from Site B Admin) update you very soon... 
Thanks
RD
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
--
Regards,
Jaspreet Singh Jolly
--
Ravi Dogra 9899647200
Re: [ActiveDir] Specifying builtin accounts in GPO settings.
Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)
Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:
And if you think about it they couldn't – if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.
Matt- I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.
Darren
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.
I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID. If I simply do a browse for the account on one machine, will it resolve to the SID and apply the setting for all accounts, or is there another way to do this (like specifying Builtin\Administrator would work for the builtin Administrator account) no matter what the name happens to be on a local machine?
Re: [ActiveDir] Specifying builtin accounts in GPO settings.
We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:
No it wouldn't. Why are you giving an IWAM account access to a remote machine?
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.
Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)
Thanks,
Matt
Re: [ActiveDir] Specifying builtin accounts in GPO settings.
Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers; the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:
On W2000 running OWA on a DC this was an issue … only case I know of. What are the issues you're having?
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.
We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.
[ActiveDir] Specifying builtin accounts in GPO settings.
I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID. If I simply do a browse for the account on one machine, will it resolve to the SID and apply the setting for all accounts, or is there another way to do this (like specifying Builtin\Administrator would work for the builtin Administrator account) no matter what the name happens to be on a local machine?
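As an added example (not code from the thread), a small Python SID parser and classifier that covers the point Darren and Brian make: a security template stores a user-rights principal as *SID, so naming an account by SID only works when that SID is identical on every machine in scope. The class, function names and the S-1-5-21 domain SID below are my own constructed values; psgetsid output is what `from_string` expects.

```python
"""Classify Windows SIDs as fixed-everywhere (BUILTIN), reserved within their
issuing domain/machine (RID < 1000), or allocated per machine/domain.

Added example, not code from the thread. The sample domain SID is made up.
"""
import struct
from dataclasses import dataclass

# RIDs below 1000 are reserved for well-known principals; a few are listed.
WELL_KNOWN_DOMAIN_RIDS = {500: "Administrator", 501: "Guest",
                          512: "Domain Admins", 518: "Schema Admins",
                          519: "Enterprise Admins"}
BUILTIN_ALIASES = {544: "Administrators", 545: "Users", 551: "Backup Operators"}

# Constructed values: the binary form of S-1-5-32-544 as it sits in a token or
# ACL, and a made-up domain (or machine) SID prefix for the examples below.
BUILTIN_ADMINS_BINARY = (bytes([1, 2]) + (5).to_bytes(6, "big")
                         + struct.pack("<2I", 32, 544))
SAMPLE_DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def from_string(cls, text):
        """Parse the SDDL form 'S-1-5-...' (what psgetsid prints)."""
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError("not an SDDL SID: %r" % text)
        return cls(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

    @classmethod
    def from_bytes(cls, raw):
        """Parse the binary form: revision(1), count(1), authority(6, big-endian),
        then `count` 32-bit little-endian subauthorities."""
        revision, count = raw[0], raw[1]
        authority = int.from_bytes(raw[2:8], "big")
        subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
        return cls(revision, authority, subs)

    def __str__(self):
        return "S-%d-%d" % (self.revision, self.authority) + "".join(
            "-%d" % s for s in self.subauthorities)

    @property
    def rid(self):
        return self.subauthorities[-1] if self.subauthorities else None


def classify(sid):
    """Return (category, name).
    'builtin'   : S-1-5-32-*, identical on every Windows machine.
    'well-known': domain/machine SID + reserved RID < 1000 (e.g. Administrator);
                  fixed within the issuing authority, but a *local* Administrator
                  still differs per machine because the S-1-5-21 prefix does.
    'allocated' : RID >= 1000, handed out by each SAM or domain RID pool, so an
                  IWAM_Server1 account never matches IWAM_Server2 by SID."""
    subs = sid.subauthorities
    if sid.authority != 5 or not subs:
        return ("other", None)
    if subs[0] == 32 and len(subs) == 2:
        return ("builtin", BUILTIN_ALIASES.get(sid.rid))
    if subs[0] == 21 and len(subs) == 5:
        if sid.rid < 1000:
            return ("well-known", WELL_KNOWN_DOMAIN_RIDS.get(sid.rid))
        return ("allocated", None)
    return ("other", None)


def portable_in_policy(sid):
    """True only when a *SID entry names the same principal on every machine
    a GPO can land on, i.e. for the BUILTIN domain."""
    return classify(sid)[0] == "builtin"


if __name__ == "__main__":
    for text in ("S-1-5-32-544", SAMPLE_DOMAIN + "-500", SAMPLE_DOMAIN + "-1105"):
        sid = Sid.from_string(text)
        print(text, classify(sid), "portable" if portable_in_policy(sid) else "not portable")
    print(Sid.from_bytes(BUILTIN_ADMINS_BINARY))
```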
Re: [ActiveDir] Isolating a DC
Your best bet is to place it in a separate site within AD Sites and Services, I believe. This is the method that MS recommends for segregating DCs that are used for Exchange servers.

On 9/12/06, Lucas, Bryan [EMAIL PROTECTED] wrote:
I'd like to isolate a DC from regular user authentication. I only want certain applications/processes using it. Obviously it will need to replicate with the other DCs. I don't have an interface on the firewall to use, so I would probably have to do something software-based on the DC itself. Any recommendations on what to read, how to isolate it and what ports are required?
Bryan Lucas
Server Administrator
Texas Christian University
Re: [ActiveDir] Locking Down Wireless
I think this is one of those "Why in the heck" things. Like "Why in the heck would you give someone a laptop with wireless if you don't want them connecting anywhere other than work?" and "Why in the heck are you giving them a laptop in the first place?" There are some ways to do this, none of them are pretty.
1) Specify DNS server and WINS settings. This is only a little ugly and after a few tries, they'll give up on connecting to anything other than the local network.
2) Disable DHCP and specify everything manually. In a smallish environment this isn't too much of a problem; the larger the environment, the more of a nightmare this becomes. This is really ugly though because now they can't connect to anything that isn't local to their local site.
The most obvious solution is to stop giving people laptops. If you don't want them doing things outside of your network, give them desktop computers and you won't have to worry about spending twice as much on hardware and then spending twice as much managing the items also. Lock down the desktop with a lockdown device and forget about this problem.
Alternatively, I think you could ACL the directory (or executable) where the application runs from and only allow SYSTEM to run it (this might break it though, so you'd want to do some testing first obviously). I haven't messed with the wireless connection wizard much and you might end up with people installing the wireless connection wizard for their particular wireless card, which would completely defeat the purpose of whatever you're doing anyway, unless they're not local admins. Also, if they are using PC wireless cards, they can simply change PC card ports and they'll get a new device that they can probably configure however they want.

On 9/12/06, Dave Wade [EMAIL PROTECTED] wrote:
Folks, have I missed something in the new XP SP2 wireless configuration stuff? As far as I can see you can't prevent users connecting to non-preferred networks, even with policy lockdown. Even if you hide the networks page on the adaptor, when the user is in a location where there is no network, the connection wizard still pops up. Anyone any solution to this?
Dave Wade
Stockport MBC
Re: [ActiveDir] OT: Management Solutions
Yeah, I was thinking a combination of RIS, GPO-deployed applications and LANDesk. I've been on projects where we utilized a combination of those methods to manage and deploy software. Worked great, and unlike wonderful solutions like SMS, we could put in scripts as part of the application installation that would check to see if the app (patch, service pack, whatever) was installed first. The nice thing about this is that it would allow you to patch up a computer and then put it on the network if you wanted, or just stick the box on the network and let the GPO do the work for you. LANDesk does have some weaknesses though, mostly due to information overload.

On 9/12/06, Tim Vander Kooi [EMAIL PROTECTED] wrote:
Have you looked at the beta for System Center Essentials from Microsoft? I think it would do a lot of what you are looking at, and for far less money than Altiris. Altiris makes a great product, but it is very much on the high end price-wise. Another product I would recommend looking at would be LANDesk; last time I checked they were quite a bit cheaper than Altiris.
Tim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan J. Gendron
Sent: Tuesday, September 12, 2006 7:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions
Thanks for the suggestions. I'll go look around further. We're only around a 100+ user shop and while a full-featured solution would be nice, I'm very concerned it would be overkill and not money well spent. I want to be a "good steward" of the church's money.
Alan
Alan J. Gendron
Senior Network Specialist
Lutheran Church Extension Fund
Sunset Corporate Center
10733 Sunset Office Drive
St. Louis, MO 63127-1219
314.885.6596

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Monday, September 11, 2006 10:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions
Never used/heard of Kace. Looks like a kind of limited use appliance?
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick Paul
Sent: Monday, September 11, 2006 10:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions
Have you tried HelpStar – works great. Inventory - use Kace box running FreeBSD.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Monday, September 11, 2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions
I use WSUS for patching in some decent size places. My strategy has been to combine a variety of free products into a single system – I've gotten good at it and I've also written glue when I need to. My overall feeling is that I get more flexibility just gluing things together than with a single baked product.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Rutherford
Sent: Monday, September 11, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions
I agree with Brian that Ghost does tend to be the front runner for imaging (IMHO). I've tested and used many but Ghost is a mature project which does what it says on the tin. You'll be surprised how forgiving it is and how much you can do with varying software and hardware with a little work. In terms of helpdesk… well, it's a minefield and a road I have travelled many times. I have actually found that most of the time it's actually easier to get a dev guy to come in and build a system which actually meets your requirements. I have found this to be cheaper (most of the time) in the larger organisations, as every organisation has different SLAs, contracts, processes, methods, etc. I just recommend going onto sourceforge.net and typing 'helpdesk' initially. This should get you going and you may find something that suits your needs or something you can amend to fit. Yes, you can go for the bigger boys, i.e. Hornbill, but you'll pay for it… have a sniff around and see what fits your requirements. In terms of patch deployment… I do like Patchlink. It will give you patch deployment across most applications with good reporting. You also get software and hardware inventory included in the price.
Cheers,
Rob
Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: 11 September 2006 20:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions
I have a lot of experience using Ghost for all of that but helpdesk. Helpdesk I have worked with Peregrine (will empty your
Re: [ActiveDir] W. in hell [List owner]
In case nobody figured it out, this was a mistake. Brandon hasn't been receiving anything from the activedir list. Apparently he's been banned or something. (In case you didn't figure the rest out, I know him and asked if he was the same OP Brandon, which he confirmed.) He accidentally added the activedir list to a DL. I can understand blocking someone from sending until something like this is resolved, but he hasn't been receiving anything from the list either. Apparently this is a zero tolerance zone. Oddly enough, that's not in the FAQ, maybe it should be added.
Matt

On 9/3/06, Tony Murray [EMAIL PROTECTED] wrote:
Hey Brandon
Amusing though it is, the list is not really the place for this.
Tony (list owner)

-- Original Message --
From: Brandon Pierce [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Sat, 2 Sep 2006 23:13:41 -0600
George Bush has a heart attack and dies. He goes to hell, where the Devil is waiting for him.
"I'm not sure what to do," says the Devil. "You're on my list, but I have no room for you. As you definitely have to stay here, I'm going to have to let someone else go. I've got three folks here who weren't quite as bad as you. I'll let you decide who leaves."
George thought that sounded pretty good, so he agreed.
The Devil opened the first room. In it were Richard Nixon and a large pool of hot water. He kept diving in and climbing out, over and over. Such was his fate in hell.
"No!" said George. "I don't think so, I'm not a good swimmer and don't think I could stay in hot water all day."
The Devil led him to the next room. In it was Tony Blair with a sledgehammer and a room full of rocks. All he did was swing the hammer, time after time.
"No! I've got this problem with my shoulder. I would be in constant agony if all I could do was break rocks all day," commented George.
The Devil opened the third door. In it, George saw Bill Clinton lying on the floor with his arms staked over his head, and his legs staked in a spread-eagle pose. Bent over him was Monica Lewinsky, doing what she does best.
George Bush looked at this in disbelief for a while, and finally said "Yeah, I can handle this."
The Devil smiled and said, "OK, Monica, you're free to go!"
Re: [ActiveDir] [OT]The last departmental picnic [list owner]
Yeah, I just let him know he messed up on this one. Can't argue with banning him after 2 messups. :(

On 9/5/06, Tony Murray [EMAIL PROTECTED] wrote:
Not sure what's going on so I have temporarily suspended his subscription.
Tony
List owner and humourless [EMAIL PROTECTED]
Re: [ActiveDir] Exclude from GPO
Yeah, it's called creating a GPO that has that setting disabled (not "not defined", disabled). You could always look at it as having to create a whole new GPO because they want to define whatever that object is on everything else. If they didn't want to define that, you'd be golden and wouldn't have to do it. In other words: remove the setting from everything, or you get to create a GPO to disable that setting.

On 8/23/06, Harding, Devon [EMAIL PROTECTED] wrote:
Is it possible to exclude a group of computers from ONE setting from a particular GPO, but apply everything else in that GPO? I'd have to create a whole new GPO just for one setting.
-Devon
Re: [ActiveDir] Restoring RID
I always recommend transferring FSMO roles from a box before upgrading it, then moving them back after the upgrade is completed successfully. If you've got enough DCs to justify splitting FSMO roles, you've got enough to move it to another box for a week to upgrade the box.

On 8/13/06, Chong Ai Chung [EMAIL PROTECTED] wrote:
When the RID flexible single-master operations DC is restored, it may use old RID pool values, and it can cause the restored RID flexible single-master operations DC to begin issuing duplicate SIDs. The best way is:
- to use another DC to seize the RID master role.
- Rebuild the OS on the crashed DC and promote it back as a Domain Controller.
- transfer the RID master role back to the rebuilt DC.
Regards,
Ai Chung

On 8/14/06, Lucia Washaya [EMAIL PROTECTED] wrote:
Colleagues,
We have a server which crashed during upgrade (2000 to 2003). Now we want to restore it. Problem is this server is the RID holder and the documentation on TechNet says "Restoring the RID Master can result in Active Directory data corruption, so it is not recommended." So what is the best way to restore this server?
Thank you in advance for your assistance
Regards,
Lucia Washaya
CITS UNIOSIL
Tel.: 022-295-526 xtn. 5497
Int'l Tel.: Via Italy + (39) 083123-5497
Via USA +1(212) 963-9588 (after audio response dial 174-5497)
==The cobra will bite whether you call it Cobra or Dear Mr. Cobra.==
Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
I'm not sure what else he's running on his DC. He might be running complex intrusion detection software, DNS, WINS, etc. I have to assume that he's got 4GB worth of RAM and plenty of 'crap' (ok, maybe not crap, but you know what I'm saying) running on the DC that I'm sure plenty of us would love to see running on a different box. The 1.25GB comment wasn't regarding any limitations to 32-bit Windows. It was more involving "I seriously doubt that your DIT is going to double in size unless you're populating as few as possible fields and have like 3 groups per user" than anything. You made a comment about him having a large environment with 100k+ users to have a 650MB DIT and I just kinda went "Huh?" because we're running a 3+GB DIT with just over half that number. Every environment is completely different and there are a lot of different things that impact the DIT outside of user count. Groups, GPOs, OUs, computer objects etc. User count might be a reasonable gauge, but I don't think that ~6k DIT per user object is a reasonable assumption unless it's a newer environment with a nice spanking new RBS model.

On 8/1/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:
Richard doesn't seem to be too keen on giving us further details – too bad. But not sure why you – Matt - are talking about "breaking 1.25 GB" with respect to the 32-bit capabilities. By default 32-bit Win2003 DCs can cache a DIT up to approx. 1.5GB, which grows to 2.6-2.7GB using the /3GB switch (provided sufficient physical memory). But irrespective of these limitations, I'd argue you should move to Win2003 64bit DCs anyways if you can, for example if you are doing a hardware refresh at the same time. It is cheaper (meaning you can support more memory for less licensing costs) and it will give you much more room to grow for the future. 64bit drivers for x64 server hardware are no longer an issue and even other important add-ons and management tools such as AV and Backup etc. are catching up quickly. So try not to use the 32bit WinOS versions for AD DCs, even if they still handle the load today – you'll do yourself a favor by moving to 64bit DCs as soon as you can. Time to learn all those little quirks and challenges around handling this OS. This way you'll be best prepared for when you really need to use 64bit Windows for other applications.
/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
I guess the gist of what everyone is saying can be summed up with the following: What does the current environment look like? How extensive is your Exchange deployment going to be? Without some of that information, it's only going to be a vague guess that anyone can give. I seriously doubt you need to worry about breaking 1.25 GB, which is still well within the capability of a 32-bit server to handle.

On 7/29/06, joe [EMAIL PROTECTED] wrote:
To further add to this, it depends considerably on how populated you want your GAL to be. Some people just let the mandatory Exchange attributes get populated, others want the GAL to be the one stop shop for info on employees, so everything goes into the GAL, which means everything goes into AD.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 28, 2006 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
Assuming this is after defrag, 650MB without Exchange is quite a large AD – guess you'd be close to 100k users in your forest, if you've used the standard attributes of the objects in AD (and haven't added stuff like thumbnail pictures to your users…). After adding the Exchange schema mods, the DIT shouldn't grow substantially, since AD doesn't use any space for unused attributes – and the Exchange attributes for your objects won't be filled magically until you mail-enable them. But once they are filled, it will impact your AD (e.g. E2k3 adds 130 attributes to the Public Information property set used by user class objects). It is very tough to make a guess at the actual size you'd have with a fully deployed Exchange, but if you do mail-enable the majority of your users (i.e. give them Exchange mailboxes) and add DLs etc., and assuming my guess of 100k users is in the right ballpark, your AD DIT would easily grow to 3-5 GB.
/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of RM
Sent: Thursday, July 27, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
NTDS.DIT is currently 650megs. Once Exchange has been fully dep
Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
Just to be honest, it sounds like I made a bad assumption... that AD holds as much information (or more) natively as it does for Exchange. From what Joe is saying, it sounds like Exchange is a huge AD bloat monster. Not that it's a problem for many environments, just the larger ones.I'd be interested to hear about that environment that Joe was talking about where a DIT went from 900MB to 6GB (and was that defragged?). I mean... holding 5x the native infromation of AD in *just* the Exchange extensions? Wow... I'd swear if someone wouldn't send me naughty boy messages. On 8/1/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote: Not disagreeing with you Matt – we're all just in a guess mode without RM providing more information. I love those posts to lists where the original poster never get's back the questions being posted to his questions… Anyways – I just made the point that his DIT size is not small for a company not running Exchange. The number of users given was just an example – more likely 100k vs. 5k users… And naturally most "corporate" environments then have a similar amount of computer accounts and a strongly varying number of groups (totally depends on group model being used). And even if his AD already included Exchange we couldn't easily tell how large his environment is, simply because there are so many dependencies. That's why I gave those numbers using assumptions – certainly nothing to take as a fixed value. Heck, we don't even know his DC version (Win2003 single instance storage of ACE has a huge impact on DIT size) or if he has disabled Distributed Link Tracking (DLT), which adds a ton of garbage to every DC. Provided you have sufficient file servers in your AD and are happily moving data around between the servers (or between volumes), DLT alone can eat up many hundred meg of your AD DIT. Did he defrag or not? Etc. 
/Guido From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matt Hargraves Sent: Tuesday, August 01, 2006 10:46 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become? I'm not sure what else he's running on his DC. He might be running complex intrusion detection software, DNS, WINS, etc I have to assume that he's got 4GB worth of RAM and plenty of 'crap' (ok, maybe not crap, but you know what I'm saying) running on the DC that I'm sure plenty of us would love to see running on a different box. The 1.25GB comment wasn't regarding any limitations to 32-bit Windows. It was more involving I seriously doubt that your DIT is going to double in size unless you're populating as few as possible fields and have like 3 groups per user than anything. You made a comment about him having a large environment with 100k+ users to have a 650MB DIT and I just kinda went Huh? because we're running a 3+GB DIT with just over half that number. Every environment is completely different and there are a lot of different things that impact the DIT outside of user count. Groups, GPOs, OUs, computer objects etc user count might be a reasonable guage, but I don't think that ~6k DIT per user object is a reasonable assumption unless it's a newer environment with a nice spanking new RBS model. On 8/1/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote: Richard doesn't seem to be too keen on giving us further details – too bad. But not sure why you – Matt - are talking about breaking 1.25 GB with respects to the 32-bit capabilities. By default 32-bit Win2003 DCs can cache a DIT up to approx. 1.5GB, which grows to 2.6-2.7GB using the /3GB switch (provided sufficient physical memory). But irrespective of these limitations, I'd argue you should move to Win2003 64bit DC anyways if you can. For example if you are doing a hardware refresh at the same time. 
It is cheaper (meaning you can support more memory for less licensing costs) and it will give you much more room to grow for the future. 64bit drivers for x64 server hardware are no longer an issue and even other important add-ons and management tools such as AV and Backup etc. are catching up quickly. So try not to use the 32bit WinOS versions for AD DCs, even if they still handle the load today – you'll do yourself a favor by moving to 64bit DCs as soon as you can. Time to learn all those little quirks and challenges around handling this OS. This way you'll be best prepared for when you really need to use 64bit Windows for other applications.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

I guess the gist of what everyone is saying can be summed up with the following: What does the current environment look like? How extensive is your Exchange deployment going to be? Without some of that i
[ActiveDir] Need some user/group tools...
This might be something that I can do with a combination of scripts, though I'm not sure where I'd get them from.

1) I need to be able to export a list of users (the userID is fine) with their group memberships. (AD objects)
2) I need to be able to export a list of groups with their list of members and memberships. (AD objects)
3) I need to be able to export a list of groups with their list of members and memberships. (NT objects)

Once I get all of that information, I need to 'connect the dots' between domains to determine overall group membership (across domains), including nesting. If the tool doesn't exist to do this last part I'm sure I can find someone to do the gruntwork of putting together a _vbscript_ to do the grunt work of it in Access or something like that. Preferably all of this would go into CSV files so that it can go into Access or maybe pull it all into SQL.

Thanks for any help that can be provided.
Re: [ActiveDir] 80/20 ..... Was: Read-Only Domain Controller and Server Core
Well, the problem of the postit note is that the people doing it are a bit more circumspect than they used to be. They don't post it with Password: ilikebananas and they don't necessarily put it on their monitor (though it hasn't been that long since I saw that and I always at the very least scold them and always make sure they take it down and throw it away themselves... taking ownership of disposing of eliminating their security risk). They stick it under their keyboards, in the top drawer of their desk... basically taking it out of sight so that we won't catch them. Unfortunately the people who are trying to breach your security are at least smart enough to check the top drawer, under the keyboard, under the monitor, under the paperweight, etc...

I for one, would love to see AD related security taken a lot more seriously. Restricting the Domain Admins group members, applying more granular security throughout the environment so that if I need to create computer objects in the User workstations OU, then I can create them there and only there. If I can only change the user's homedrive location, then that's all I get the rights to do. It's only a lot of work when you first implement it and after it's done, then your overhead is mostly done and the minor cost of maintaining it is relatively low. Unfortunately it's difficult to get the momentum going to implement this level of security.

As for security models, whether RBS or ABS... problems abound. RBS is easy to audit, but grants rights that aren't necessarily required. ABS bloats quickly and ends up with someone having membership in many groups that haven't been needed for the past 18 months (or longer) because the group administrator added the user for a one-time reason and never removed them and on the last 18 once per month (or quarter or whatever) security audits, they verified that the user still needs those group memberships, out of sync with reality. Which is better?

I think both can be ugly on their face when taken alone. Using a combination of the two is hopefully better (when people aren't getting added into both), but with the volume of data in many environments, it gets more and more difficult to control that data with any reasonable level of confidence, no matter what you do with your security model.

On 8/1/06, joe [EMAIL PROTECTED] wrote:

Interesting thoughts there... My only tongue in cheek response right off (though this will bubble in my head for some time) is that most predators are brighter than many people doing admin work and we still need them to be able to find the systems... ;o)

Raise your hand if in the last year you saw a postit with a password on it? Keep your hand up if you did anything about it like ripping it up and talking to the person? If your hand went down, was it yours by any chance? How many people now see a security problem and shake their head and say, wow that isn't good but there isn't anything I can do about it and then continue on your day. That is the kind of stuff that really needs to stop.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 01, 2006 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 80/20 . Was: Read-Only Domain Controller and Server Core

On a totally serious note to Joe's tongue in cheek posting. Go to a zoo(1).. and you'll hear stories of how each animal has natural 'protection' from their predators. Each animal has evolved to ensure they have some level of camouflage in the way of color/features etc so that when their predator targets them they attempt to blend into the background. Some plants and animals depend on other plants and animals to survive. There's a unique falcon that will only nest in leftover Weaver bird nests.. they don't build their own.. but by moving into a Weaver bird area, they act as bouncers at the door and keep out the predators that prey on the Weaver birds.

Given that here's what nature does to protect itself, what (if anything) has the computing industry done to camouflage to reduce risk? (call me wacko) but it seems to me that we do a lot of footballish type of security models.. offensive moves and defensive moves. (Isn't RODC a defensive move?) Do we and can we add lessons from nature into future networks?

(1) Lessons learned from camping in a zoo... yes.. this high maintenance female stayed in a tent in a zoo... if you are going to be without power and electricity camping in a zoo at the San Diego Zoo's Wild Animal Park's Roar and Snore is the way to do it.

Matt Hargraves wrote:

Joe's blog doesn't seem to say anything about what DSI actually *is*. I'm not seeing it as a security model beyond my impression of it being Don't tell anyone what your security infrastructure looks like or something like that.

On 8/1/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* [EMAIL
Re: [ActiveDir] Need some user/group tools...
That's not even fair I own that book already. I was hoping to avoid doing the scripting part... but that being said, how much of that will work in NT domains to get groups and their members/memberships?

On 8/1/06, Michael B. Smith [EMAIL PROTECTED] wrote:

You can certainly get all the piece parts from here: http://rallenhome.com/books/adcookbook/code.html And you can use joe's wonderful adfind (or dsquery if you were to insist) to do much of the gruntwork. I show you some examples here: http://blogs.brnets.com/michael/archive/2004/06/24/168.aspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, August 01, 2006 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need some user/group tools...

This might be something that I can do with a combination of scripts, though I'm not sure where I'd get them from.

1) I need to be able to export a list of users (the userID is fine) with their group memberships. (AD objects)
2) I need to be able to export a list of groups with their list of members and memberships. (AD objects)
3) I need to be able to export a list of groups with their list of members and memberships. (NT objects)

Once I get all of that information, I need to 'connect the dots' between domains to determine overall group membership (across domains), including nesting. If the tool doesn't exist to do this last part I'm sure I can find someone to do the gruntwork of putting together a _vbscript_ to do the grunt work of it in Access or something like that. Preferably all of this would go into CSV files so that it can go into Access or maybe pull it all into SQL.

Thanks for any help that can be provided.
Re: [ActiveDir] Revoke domain administrator's right to create GPO?
By revoking Domain Admins I mean revoking their membership...

On 7/31/06, Matt Hargraves [EMAIL PROTECTED] wrote:

I'd think of revoking Domain Admins and grant them their rights via an RBS group in AD. Changing the rights of the builtin admin groups isn't something that you should necessarily do, primarily because so many applications out there require special privileges and fail out because the application doesn't check to see if the user has the required rights, but instead checks to see if they're a member of the Domain Admins group. Domain and Enterprise Admins are a very powerful group of people. If you don't trust them to be able to do what they can do (or better yet, not do what they don't know how to do), then they shouldn't have those rights. I know that it's a constant battle to try and keep our membership in these groups down. Seriously... RBS is your friend. Rip those people out of the Domain Admins group. You can grant them the ability to do whatever they need to on users, computers or even OUs via AD security. Do it there and keep people out of the Domain Admins group if you can.

On 7/31/06, Andy Wang [EMAIL PROTECTED] wrote:

Hi, I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible? Thanks in advance.

Andy
Re: [ActiveDir] Revoke domain administrator's right to create GPO?
I'd think of revoking Domain Admins and grant them their rights via an RBS group in AD. Changing the rights of the builtin admin groups isn't something that you should necessarily do, primarily because so many applications out there require special privileges and fail out because the application doesn't check to see if the user has the required rights, but instead checks to see if they're a member of the Domain Admins group. Domain and Enterprise Admins are a very powerful group of people. If you don't trust them to be able to do what they can do (or better yet, not do what they don't know how to do), then they shouldn't have those rights. I know that it's a constant battle to try and keep our membership in these groups down. Seriously... RBS is your friend. Rip those people out of the Domain Admins group. You can grant them the ability to do whatever they need to on users, computers or even OUs via AD security. Do it there and keep people out of the Domain Admins group if you can.

On 7/31/06, Andy Wang [EMAIL PROTECTED] wrote:

Hi, I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible? Thanks in advance.

Andy
Re: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?
I guess the gist of what everyone is saying can be summed up with the following: What does the current environment look like? How extensive is your Exchange deployment going to be? Without some of that information, it's only going to be a vague guess that anyone can give. I seriously doubt you need to worry about breaking 1.25 GB, which is still well within the capability of a 32-bit server to handle.

On 7/29/06, joe [EMAIL PROTECTED] wrote:

To further add to this, it depends considerably on how populated you want your GAL to be. Some people just let the mandatory Exchange attributes get populated, others want the GAL to be the one stop shop for info on employees so everything goes into the GAL which means everything goes into AD.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 28, 2006 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

Assuming this is after defrag, 650MB without Exchange is quite a large AD – guess you'd be close to 100k users in your forest, if you've used the "standard" attributes of the objects in AD (and haven't added stuff like thumbnail pictures to your users…). After adding the Exchange schema mods, the DIT shouldn't grow substantially, since AD doesn't use any space for unused attributes – and the Exchange attributes for your object won't be filled magically, until you mail-enable them. But once they are filled, it will impact your AD (e.g. E2k3 adds 130 attributes to the Public Information property set used by user class objects). It is very tough to make a guess at the actual size you'd have with a fully deployed Exchange, but if you do mail-enable the majority of your users (i.e. give them Exchange mailboxes) and add DLs etc. and assuming my guess with 100k users is in the right ballpark your AD DIT would easily grow to 3-5 GB.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of RM
Sent: Thursday, July 27, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange rollout - How much larger does NTDS.DIT become?

NTDS.DIT is currently 650megs. Once Exchange has been fully deployed, any guesses as to how much larger it will become? Just looking for a ballpark figure...

thx, RM
Re: [ActiveDir] schema extensions for Vista wireless networking GP support
I thought all that stuff was part of the Server 2003 R2 schema extensions and would work in XP also.

On 7/28/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:

In case anyone is interested, here's a doc that describes the AD schema extensions that will be required to support the new wireless networking Group Policy stuff in Vista: http://www.microsoft.com/technet/itsolutions/network/wifi/vista_ad_ext.mspx

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.
Re: [ActiveDir] OT: HP disk array expansion
I'm not understanding why the OP doesn't just stick the new drives in, create the new RAID set from those, create the drives and restore from tape to the new RAID drives. As long as he does it on a Sunday, it shouldn't really take more than an hour to get the old drives out and the new ones in (and the RAID built), then he just needs to worry about restoring from tape to the new location.

On 7/27/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Maybe I misunderstand the post but why rebuild in this scenario? All the OP needs / wants to do is to add disks and to expand the existing arrays. He requires no or minimal downtime too. This can be achieved as the OP described. FWIW: I have performed this (not in the last 5 years) on many occasions and whilst the process can take some time to complete, it is relatively trivial to accomplish and AFAIK can be performed with zero downtime.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ed Buford
Sent: 27 July 2006 00:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

I would use the ghost method, I've done this numerous times with servers and never ran into a problem. All in all it really is a fast solution. And since you're doing it over the wire you can speed the process up by using gigabit components.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Harris
Sent: Wednesday, July 26, 2006 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

This sounds like the safest way to do it, but you will have some downtime. I've done it (on a Dell box) the way you described: swapping one disk at a time, and there is downtime that way, too (in addition to the severe performance hit of the array having to rebuild several times).

From: Blair, James [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 26, 2006 3:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: HP disk array expansion

James,

Have been in a similar situation on numerous occasions with HP ML350 G3/G4's. In our case we installed a firewire card and a Lacie drive or utilised the native USB to portable HD and Acronis True Image. We imaged the disks and then pulled them out and put the new ones in and imaged it back, works nicely… This solution even worked for an Exchange server and if it all fails you can simply put the old disks back in and be back where you started…

James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Carter
Sent: Thursday, 27 July 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: HP disk array expansion

Hi,

I have an HP ML370 Proliant Server. It currently has 4 x 36GB in a RAID 5 set. I want to upgrade the disk capacity of this server. I have bought 4 x 300gb disks as replacements. At present I have 4 x 36GB disks in the server. I was told I could replace one disk in the RAID with a 300GB, let the raid rebuild and do the next disk. Repeat until all of the disks are 300GB and then I can look in the ACU and create a second logical drive that sees all that new space. Can this be done? Anyone know how long it would take to rebuild? Currently there is 90gb used in the current volume. My other alternative is to buy a Tape Drive, backup, break array, create new array and then restore but this department don't want any downtime. Anyway shed some light as to which is the best method to take?

thanks James
Re: [ActiveDir] Domain Local Groups vs Global Groups
Having gone through this quite a bit recently, I'll see if I can give you some help on this. Every security group on a user's token adds about 45 bytes to the token and sometime around 80 security groups, you can expect a token to break 4k and bump up to 8k. This will have the most impact to Exchange until you bump up to Exchange 2007 and 64-bit OS. When debating between server local and domain groups (whether domain global or domain local), you have to decide between ease of management (domain groups) and ease on tokens (server local groups).

Ideally, you will have an RBS model in place where a user is a member of a half dozen or so role-based groups which will grant access to shares instead of an Access Based Security (ABS) model. ABS creates a group (or groups) for each resource that needs access defined and then places all users and/or groups within that group. That's great in a user domain/resource domain architecture. If you don't have that though, you are just using a lot of redundant groups. I would recommend securing your shares and/or resources with role-based groups first, then if additional persons need access to a share or resource, then grant them access through the ABS group at the domain level. Having to connect to 25 different file shares to manage share security is insane and nesting each group into 2-12 other groups ends up with a security model that quickly becomes very convoluted and difficult to map out. The one thing that an ABS model does do is make auditing access easier. But if you're making your day to day management of that model significantly more time consuming (by going with server local groups), then it's probably just easier to start defining items by RBS groups instead anyway.

Not to mention that auditing server local groups is almost as much of a pain, if not more of one, as getting a tool that will go out and show you the share-level (or even file/directory level) ACLs (www.winzero.ca has one). I know that MS recommends local server groups as an alternative when users end up with large amounts of security groups, but I feel that managing those objects is unwieldy enough (particularly in larger environments with a large number of file servers) to where you'd almost need to add a small team just to manage the shares. I'd rather double my number of Exchange servers and have everyone at 8k tokens than add 4 employees at $x per hour just to manage server local groups.

That's my take on it... I'm sure you'll end up with another 20 other opinions from 20 other people though.

On 7/26/06, Wyatt, David [EMAIL PROTECTED] wrote:

I'd be interested to hear people's strategy for permissioning windows based file servers when the server is in a Windows 2003 domain. I have read the best practices about putting users into global groups then put the global groups into local groups then permission the resource with the local group. But:

1. Is it better practice to put the domain local group into a local group on the file server and then use this local group to permission the share/folder? Is this excessive? I have read something about performance or avoiding limits by using the server local group when the access token is created.
2. What shortcomings would there be in putting users into global groups then simply permissioning the global group onto the resource.

We only have a single forest/domain. I am also aware of Universal groups but let's put these to one side for the moment.. ;-)

Thanks
David
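The two threads above ask for the same thing from different angles: flattening nested, cross-domain group membership from CSV exports (the user/group tools request) and knowing how many effective groups each user ends up with so the token stays under the 4k/8k line (the Domain Local vs Global discussion). This is an added example, not code from the list or from any tool mentioned in it; it works over a constructed CSV export with DOMAIN\name principals, uses the 45 bytes per group figure from the post, and assumes a fixed token overhead of 500 bytes (chosen only so that "around 80 groups" crosses 4k as the post says). It handles the edge case that matters in practice: groups nested in a cycle.

```python
"""Flatten nested group membership from a CSV export and estimate token growth."""
import csv
import io
from collections import defaultdict, deque

# Constructed sample export (not real directory data): one row per direct
# membership edge.  CORP and RES stand in for two domains in the same forest.
SAMPLE_EXPORT = """group,member
CORP\\FileServer-Admins,CORP\\Helpdesk
CORP\\Helpdesk,CORP\\jsmith
CORP\\Helpdesk,CORP\\Tier1
CORP\\Tier1,CORP\\agarcia
RES\\Share-Finance-RW,CORP\\Helpdesk
RES\\Share-Finance-RW,RES\\Finance-Users
RES\\Finance-Users,CORP\\agarcia
RES\\Loop-A,RES\\Loop-B
RES\\Loop-B,RES\\Loop-A
RES\\Loop-B,CORP\\jsmith
"""

BYTES_PER_GROUP = 45        # per-group token cost stated in the post
TOKEN_OVERHEAD_BYTES = 500  # assumed fixed overhead so ~80 groups crosses 4k


def load_edges(csv_text):
    """Return (member -> groups it is directly in, set of all group names)."""
    direct = defaultdict(set)
    groups = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        group, member = row["group"].strip(), row["member"].strip()
        groups.add(group)
        direct[member].add(group)
    return direct, groups


def effective_groups(direct, principal):
    """All groups a principal is in through any nesting depth, across domains.

    The seen-set is what stops Loop-A <-> Loop-B from recursing forever.
    """
    seen, queue = set(), deque(direct.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(direct.get(group, ()))
    return seen


def flatten_group(direct, groups, group):
    """Every user that ends up in `group` (the 'who can reach this share' view)."""
    children = defaultdict(set)
    for member, parents in direct.items():
        for parent in parents:
            children[parent].add(member)
    users, seen, queue = set(), set(), deque([group])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for member in children.get(current, ()):
            if member in groups:
                queue.append(member)   # nested group: keep expanding
            else:
                users.add(member)      # leaf principal
    return users


def token_estimate(group_count):
    """Rough token size in bytes and which of the post's 4k/8k buckets it lands in."""
    size = TOKEN_OVERHEAD_BYTES + BYTES_PER_GROUP * group_count
    bucket = "4k" if size <= 4096 else "8k" if size <= 8192 else "over 8k"
    return size, bucket


def user_report(csv_text):
    """user -> (sorted effective groups, estimated token bytes, bucket)."""
    direct, groups = load_edges(csv_text)
    report = {}
    for principal in direct:
        if principal in groups:
            continue                   # only leaf principals get a token
        effective = effective_groups(direct, principal)
        size, bucket = token_estimate(len(effective))
        report[principal] = (sorted(effective), size, bucket)
    return report


if __name__ == "__main__":
    for user, (grps, size, bucket) in sorted(user_report(SAMPLE_EXPORT).items()):
        print(f"{user}: {len(grps)} effective groups, ~{size} bytes ({bucket})")
        for g in grps:
            print(f"    {g}")
    direct, groups = load_edges(SAMPLE_EXPORT)
    print("RES\\Share-Finance-RW resolves to:",
          sorted(flatten_group(direct, groups, "RES\\Share-Finance-RW")))
```

Feeding it a real export only requires producing the same two-column CSV from whatever tool lists direct members per group in each domain.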
Re: [ActiveDir] Domain Local Groups vs Global Groups
Somehow I avoided answering your question the first time...

Going global role-based group and local task-based group is pretty standard in larger environments. You create the global group to hold users and the local group to hold users. The purpose for this is so that you can nest multiple role-based groups into your task-based group and quickly modify the task-based group and have it apply across the share/resource. The only problem with this model is being careful how you quantify when a new task-based group is needed. Be careful not to create a new task-based group (and similarly named role-based group for that task-based group) for everything under the sun or you'll find your users quickly becoming members through nesting of 100+ groups and finding your Exchange servers running out of paged pool memory space. There are plenty of articles on Microsoft's site about Exchange and paged pool memory, you can also look at the Exchange Team Blog site (msexchangeteam.com I think).

On 7/26/06, Wyatt, David [EMAIL PROTECTED] wrote:

I'd be interested to hear people's strategy for permissioning windows based file servers when the server is in a Windows 2003 domain. I have read the best practices about putting users into global groups then put the global groups into local groups then permission the resource with the local group. But:

1. Is it better practice to put the domain local group into a local group on the file server and then use this local group to permission the share/folder? Is this excessive? I have read something about performance or avoiding limits by using the server local group when the access token is created.
2. What shortcomings would there be in putting users into global groups then simply permissioning the global group onto the resource.

We only have a single forest/domain. I am also aware of Universal groups but let's put these to one side for the moment.. ;-)

Thanks
David
Re: [ActiveDir] Question on restricted group policy.
From my experience, Restricted Groups settings simply state what the computer (or domain controller if you stick the setting in your DCs' GPO) will make sure the group memberships are going to be when it checks the GPO. If you set the Administrators group to be Domain Admins; groupa; groupb then when the computer applies the GPO settings, it will check to make sure that the local Administrators group (or domain group for a DC) contains Domain Admins; groupa; groupb; builtin\Administrator.

Just so you know, like with any GPO setting, anyone who has the right to change that group can still change it, but when the GPO applies, the group memberships will be verified again, removing whatever was added, or adding whatever was removed. This may be 2 minutes later or 2 hours later. This is the same if you set a service to disabled: an administrator can still change it to enabled, but when the GPO goes back through, it will re-disable the service (though if the user also started the service it will remain started until the computer is restarted or someone manually stops it).

If you remove the GPO setting, then it simply won't check the group memberships for those groups any more. Or at least that's my interpretation. Kind of like when you move a computer out of an OU where there is a GPO applied to it and into an OU without any GPOs applied to it; it won't change the current settings, though you can now manually change them and they won't be reverted. I guess I think of a GPO being a "Go make sure that everything is like this and if it isn't, make it like this" kind of thing and that's the way I always see it actually get applied. If the GPO isn't there, then nothing gets altered to a previous state, but it won't continue reverting settings to what the prior GPO settings stated that they would be.

On 7/26/06, Derek Harris [EMAIL PROTECTED] wrote:

Yes -- I've done that, and that's how it worked for me.

From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 26, 2006 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on restricted group policy.

This somewhat depends upon which side of Restricted Groups you're using (i.e. Members of this Group or This group is a member of). If it's the former, and you clear out the users in the list but leave the local Administrators group under control, then it will clear out the members of that local Admin group on the target machines (but will leave the local Administrator account in (always)). If the latter, and you clear out the members of the group, I think what you will find is that those users/groups are simply left in the group that you made them members of. If you simply delete or unlink the GPO, then the groups should be left the way they were before you deleted/unlinked it (i.e. the group membership changes do not get unapplied in the case of restricted group policy).

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Strongosky
Sent: Wednesday, July 26, 2006 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on restricted group policy.

Hey,

Created a restricted group policy for my domain that adds some groups to the local administrators group of the workstations. My question is now management wants me to delete it. If I understand the way this works is that if I delete it then it will delete the groups that were associated with this policy thus leaving nobody in the local admin group. Am I correct...

v/r john
Re: [ActiveDir] Domain Local Groups vs Global Groups
environment either. 10,000 empty groups aren't going to significantly affect your environment and if you have 64-bit DCs, 100,000 (or 1,000,000) empty security groups won't significantly impact your environment, so don't hesitate to have them in place so that if you need them, you can use them instead of running around in circles when you *do* find you need them. Do a little work now and save yourself some work later do both, but consider the role-based groups to be the preferred path. On 7/26/06, Dan Holme [EMAIL PROTECTED] wrote: That's what I get for reading my inbox "up"… David: do read my treatise in my earlier email. But Matt Hargraves response did raise the one technical issue I only alluded to: token size. He's right to raise a 'flag' about Exchange. Depending on the complexity of your role-based design and whether you use Exchange (2003 or 2000; 2007 seems to be exempt from this issue) and your Exchange architecture, you do have to watch for the number of total groups a user belongs to. A large number of group memberships will reduce the effective 'maximum users per exchange server' level somewhat… but whether that 'somewhat' would be salient depends on several factors. To "tie together" what Matt discussed and what I proposed, my discussion lays out a design that integrates both RBS and ABS. You definitely want role-based management. Whether you also go to the level I outlined of managing ACLs depends on your environment: more resources; more complex security; and more 'spread out' resources and you'll be better served by the design I described. In a simpler environment (e.g. "we have a departmental share with each department having a subfolder" on the extreme side), you don't necessarily need the ABS layer. 
Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wyatt, David
Sent: Wednesday, July 26, 2006 8:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Local Groups vs Global Groups

I'd be interested to hear people's strategy for permissioning Windows-based file servers when the server is in a Windows 2003 domain. I have read the best practices about putting users into global groups, then putting the global groups into local groups, then permissioning the resource with the local group. But:

1. Is it better practice to put the domain local group into a local group on the file server and then use this local group to permission the share/folder? Is this excessive? I have read something about performance or avoiding limits by using the server local group when the access token is created.

2. What shortcomings would there be in putting users into global groups then simply permissioning the global group onto the resource? We only have a single forest/domain.

I am also aware of Universal groups but let's put these to one side for the moment... ;-)

Thanks
David
Re: [ActiveDir] Test Environments
It sounds like you have a good test environment. The only problem is that people may be scheduling their testing a little too tightly. They need to understand that this is a *TEST* environment. That means it's in a constant state of relative flux and that at any point in time, it could possibly go down for an hour or even possibly a day or two. It will largely be available, but it's not production and they shouldn't be expecting to receive the level of support and uptime that they receive in the production environment. If they expect that, they need to find a way to test outside your test environment.

If their schedules are slipping because of the availability of the test environment, then they're not putting enough extra time into their plans and need to start consulting you before deciding when to test and how much time it's going to take. It may sound like I'm being harsh on them, but it sounds like they are really expecting too much from a test environment and that's because there isn't enough consulting occurring.

It really sounds like you need to possibly make a Testing calendar so that everyone (or maybe even just you) has a list of applications that are being tested in the environment, and when schema updates and other items which can affect multiple ongoing tests occur, the relevant persons can be notified so that if they need to reschedule their testing or adjust their testing schedule, they can.

On 7/25/06, WATSON, BEN [EMAIL PROTECTED] wrote:

I was hoping to get some input from some of you to better understand how you handle the design of test environments for application testing. For example, I built a so-called "Offnet" which is a duplicate of our production domain. We have a couple domain controllers restored from tape backup, we have Exchange running, and various other production services using the same domain name and hostnames providing for a very production-like test environment.

As time progressed, other production servers duplicated themselves into this test environment and we now have quite a number of people doing the majority of their testing in this environment. Unfortunately, as more and more people have begun to use this environment for testing, we have found that people are beginning to step on each other's toes. For instance, I used this test environment to walk through the domain upgrade to 2003 and when there was some downtime other people were unable to do their own testing.

So I was curious, how do you handle providing a working test environment for people that need it? At this point, we are trying to determine a better way for people to do their testing away from production.

Thanks,
~Ben
Re: [ActiveDir] Enumerating Group type and Mebership...
You either have a small environment or someone wants a document that will be completely outdated 12 minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and show their members and continue to follow the '+' if there is nesting. That would be an awesome feature in the ADUC. Maybe I should submit that feature request to Quest and Microsoft.

On 7/25/06, Mike Hogenauer [EMAIL PROTECTED] wrote:

I need all Security Groups and Distribution groups – and their members

Thanks Laura!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Mebership...

What is everything [you] need, specifically?

Thanks,
Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Mebership...

All,

I'm trying to enumerate all groups in my AD environment. I need to get group name, group type and group members for each group… I've tried some sample VBScripts from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx

Then I tried (below) but it still doesn't seem to pull back everything I need. Any help would be great! In a perfect world :) I need a list of all security groups and distribution groups and their members.

Thanks,
Mike

Enumerate Security Groups and Member in Domain:

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,member -r "(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640)))" -j c:\tmp

Enumerate Distribution Groups and Member in Domain:

csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,member -r "(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2)))" -j c:\tmp
Re: [ActiveDir] Enumerating Group type and Mebership...
Getting a list of groups is easy... getting it all enumerated will be a bit more complex, though not terribly so.

The ADUC allows you to create queries and list all security groups. You can then export this list to a file. Once you have the file, you need to import that list into Excel (pretty easy), then run a VBScript against it with LDAP or ADSI scripting in it (or something like that) to enumerate group members. If they want nested members also, then you've got a much more complex issue, but I would just state that it's not practical and let him work with the current list.

Hopefully the resulting gargantuan file will be enough to make anyone choke and stop making ridiculous requests that they don't understand the futility of. Enumerating 10k groups simply so that you can toss the list out later that week because it's just going to get more and more out of date is worse than silly, it's a waste of company effort (and money). Make it too easy for him to generate that report and soon he'll be wanting to see what items they have access to in the environment, so you'll end up enumerating out all files and shares and rights assignments on computers.

On 7/25/06, Mike Hogenauer [EMAIL PROTECTED] wrote:

We're medium size – and yes someone does want a current outdated list :) Just trying to make it happen….
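The two csvde filters above select groups by groupType value, and the '+' drill-down Matt wishes for is just a transitive walk over the member attribute. This added example (not code from the list posts) decodes the groupType bits behind those magic numbers, expands nested membership from a constructed csvde-style export, and estimates the resulting token size with the rule of thumb from Microsoft KB 327825, the issue Dan Holme raises in the Domain Local vs Global thread; the sample DNs and group names are invented.

```python
"""Decode AD groupType values and expand nested group membership.

Added example, not code from the list.  Runs over a constructed
csvde-style export (DN,groupType,member) so it works offline.  groupType
bits are the documented AD flags; the token-size rule of thumb
(1200 + 40*d + 8*s bytes) is from Microsoft KB 327825.
"""
import csv
import io

# groupType flag bits.  The negative numbers in the csvde filters are these
# flags with SECURITY_ENABLED set, printed as signed 32-bit integers, e.g.
# -2147483646 == 0x80000002 (security-enabled global group).
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000

# Constructed sample export; csvde joins multi-valued attributes with ';'.
# HelpDesk and Tier1 contain each other to show that nesting loops are handled.
SAMPLE_EXPORT = """DN,groupType,member
"CN=FileAdmins,OU=Groups,DC=example,DC=test",-2147483644,"CN=HelpDesk,OU=Groups,DC=example,DC=test;CN=alice,OU=Users,DC=example,DC=test"
"CN=HelpDesk,OU=Groups,DC=example,DC=test",-2147483646,"CN=bob,OU=Users,DC=example,DC=test;CN=Tier1,OU=Groups,DC=example,DC=test"
"CN=Tier1,OU=Groups,DC=example,DC=test",-2147483646,"CN=carol,OU=Users,DC=example,DC=test;CN=HelpDesk,OU=Groups,DC=example,DC=test"
"CN=AllStaff,OU=Groups,DC=example,DC=test",8,"CN=alice,OU=Users,DC=example,DC=test;CN=bob,OU=Users,DC=example,DC=test"
"""


def decode_group_type(value):
    """Return (is_security, scope) for a signed or unsigned groupType."""
    flags = int(value) & 0xFFFFFFFF          # normalise the signed form
    is_security = bool(flags & SECURITY_ENABLED)
    scope = "unknown"
    for bit, name in ((GLOBAL, "global"), (DOMAIN_LOCAL, "domainlocal"),
                      (UNIVERSAL, "universal")):
        if flags & bit:
            scope = name
    return is_security, scope


def load_groups(text):
    """Parse the export into {dn: {"security", "scope", "members"}}."""
    groups = {}
    for row in csv.DictReader(io.StringIO(text)):
        is_sec, scope = decode_group_type(row["groupType"])
        groups[row["DN"]] = {
            "security": is_sec,
            "scope": scope,
            "members": [m for m in row["member"].split(";") if m],
        }
    return groups


def security_groups(groups):
    """DNs the first csvde filter on the list would return."""
    return sorted(dn for dn, g in groups.items() if g["security"])


def expand_members(groups, dn, seen=None):
    """Transitive non-group members of dn (the '+' drill-down), loop-safe."""
    seen = set() if seen is None else seen
    if dn in seen:
        return set()
    seen.add(dn)
    users = set()
    for member in groups[dn]["members"]:
        if member in groups:
            users |= expand_members(groups, member, seen)
        else:
            users.add(member)
    return users


def groups_of(groups, principal_dn):
    """Every group the principal ends up in, directly or through nesting."""
    result = {dn for dn, g in groups.items() if principal_dn in g["members"]}
    frontier = list(result)
    while frontier:
        child = frontier.pop()
        for parent, g in groups.items():
            if child in g["members"] and parent not in result:
                result.add(parent)
                frontier.append(parent)
    return result


def estimate_token_size(groups, principal_dn):
    """KB 327825: 1200 + 40*d + 8*s.  d = domain local security groups (plus
    universal groups from other domains, none in this single-domain sample),
    s = global and same-domain universal ones.  Distribution groups add nothing."""
    d = s = 0
    for dn in groups_of(groups, principal_dn):
        g = groups[dn]
        if not g["security"]:
            continue
        if g["scope"] == "domainlocal":
            d += 1
        else:
            s += 1
    return 1200 + 40 * d + 8 * s


if __name__ == "__main__":
    groups = load_groups(SAMPLE_EXPORT)
    for dn in security_groups(groups):
        print(dn, "->", sorted(expand_members(groups, dn)))
    print("bob token estimate:",
          estimate_token_size(groups, "CN=bob,OU=Users,DC=example,DC=test"))
```

Pointing load_groups at a real csvde export gives the nested-member report the thread says is impractical to build by hand; the token estimate shows why deep nesting matters for the Exchange issue Dan mentions.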
Re: [ActiveDir] Domain Trusts.
Basically we're looking at creating a resource domain because the objects that need to go in that domain really do need to get out of our current user environment. But if you can't move items into a forest without having an automatic 2-way transitive trust, then we might need to just go with a separate forest. We're looking at other options internally and it's possible that we may not need security isolation for these other domains. Time will tell.

You've all been very helpful, thank you. Hopefully MS will state in their documentation at some point in time that these trusts can't be altered so that other people don't have to go "I know it's automatically created when I create the object, but what can I do with the trust any more" :)

On 7/22/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

You might want to describe to us what your actual goal is for creating a non-fully trusted domain in your AD forest. Maybe you can reach a similar goal by using the fairly powerful capabilities in AD to delegate administration of objects within a domain. You can also use these features to hide specific parts of AD from the rest of the organization and thus create semi-isolated units within a single AD domain. Note that there is no way to fully isolate any objects within a domain or forest from domain or enterprise admins - if you do need full administrative isolation, you have to create multiple forests.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, July 22, 2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Trusts.

1 - yep
2 - yep

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sat 2006-07-22 00:35
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

So basically there's no way to have a domain in a forest that doesn't fully trust every other domain in the forest? The only way to have a non 2-way trust is to make a separate forest?
Re: [ActiveDir] Raid 1 tangent -- Vendor Domain
Just as an FYI: I've seen 64-bit DCs run and I have one thing that I can recommend to everyone: go 64-bit as soon as possible. There are hundreds of benefits on the server side when going 64-bit, whether it's Exchange (yay for 2007) or your DCs; the performance level is just staggering compared to a 32-bit OS. All your former large application limitations just kinda disappear, unless it's an application-based limitation. No 3GB limitation on the application memory size, no paged pool memory limitation for connections (this hits Exchange first). It's like you're crippling your hardware by staying 32-bit nowadays if you don't have to.

On 7/22/06, joe [EMAIL PROTECTED] wrote:

That's a command line guy for you... :o)

The thing is that I type in a very odd way too, my whole right hand, just one or two fingers from my left hand. People tend to get a bit confused when they see me type.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Gent
Sent: Saturday, July 22, 2006 7:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

joe,
you must type really, really fast

----- Original Message -----
From: Albert Duro [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 7:06 PM
Subject: Re: [ActiveDir] Raid 1 tangent -- Vendor Domain

no debate from me. I was just asking. Thank you for the lesson.

----- Original Message -----
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 9:48 AM
Subject: RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

Mirrors don't scale. Microsoft's deployment doc mostly just talks about using mirrors (small nod to RAID 10/0+1) so everyone thinks that they should build their Corporate DCs on mirrors, usually 3 - OS, Logs, and DIT. Very few people if anyone would build a corporate Exchange Server on mirrors... Why not? The DB is the same under both of them...

What is critical to Exchange? IOPS, and that means spindles. If something is really beating on AD and the entire DIT can't be cached, IOPS are critical to AD as well. The main difference is that AD is mostly random read and Exchange is heavy writing and reading. The exception to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of data into AD in a month, at which point he did something that few people see: pushed the IOPS on the log drive through the roof.

In a smaller environment (very low thousands), or for a low use DC (small WAN site), or a DC with a DIT fully cached, a RAID-1 drive for DIT will probably be sufficient; you will note that the only numbers mentioned in the deployment guide are about 5000[2]... That usually means a small DIT and it is extremely likely that a K3 DC will cache the entire DIT. Plus the usage is probably such that the IO capability of two spindles will likely be ok. Let me state though that even in a small user environment, if there was an intensive directory based app or a buttload of data that pushes the DIT into GBs instead of MBs, I would still be watching my disk queueing pretty closely as well as the Read and Write Ops.

AD admins who aren't running directory intensive apps (read as Exchange 2000+) usually don't see any issues, but then again most aren't looking very closely at the counters because they haven't had a reason to, and even if they had some short lived issues they probably wouldn't go look at the counters. At least that has been my experience in dealing with companies. I will admit that prior to implementing Exchange, when I did AD Ops with a rather large company, I didn't once look at the disk counters, didn't care, everything ran perfectly well and about the only measure of perf was replication latency and "does ADUC start fast enough", and it always was fine there unless there were network related issues or a DC was having hardware failure.

Enter Exchange... Or some other app that pounds your DCs with millions of queries a day, and tiny little bits of latency that you didn't previously feel start having an impact. You won't feel 70-80ms of latency in anything you are doing with normal AD tools or NOS ops, not at all. You will feel that with Exchange (and other heavy directory use apps), often with painful results unless it isn't consistent and the directory can unwind itself again and hence allow Exchange to then unwind itself.

Now let me point out, I don't deal with tiny companies for work; small to me is less than 40-50k. The smallest I tend to deal with is about 30k. I usually get called to walk in to Exchange issues where Exchange is underperforming or outright hanging, sometimes for hours at a time. There can be all sorts of issues causing this such as

o poor disk subsystem design for Exchange (someone say got fancy with a SAN layout and really didn't know what they were doing seems to be popular here)
o hardware/drivers on the
Re: [ActiveDir] Raid 1 tangent -- Vendor Domain
That being said, wait on 64-bit for the client side until you know, unequivocally, that all of the software that your clients need is supported and stable on a 64-bit OS. The performance boost isn't that big of a deal, just to be honest.
Re: [ActiveDir] Raid 1 tangent -- Vendor Domain
It's not that big of a deal for client software (last message).
Re: [ActiveDir] Domain Trusts.
Go to google, type in "Token limitation" and click on the first item...

On 7/23/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

"because the objects that need to go in that domain really do need to get out of our current user environment."

Matt, this doesn't yet sound to me like administrative isolation. Really depends on what you mean with "user environment". If these objects should not be administered by the same admins, then it's likely a case for isolation. If the objects should not be accessible for the normal users (incl. the servers or other resources that the objects represent), then it's a case for ACLing and configuring your AD and GPOs.

/Guido
Re: [ActiveDir] OT: Interview Techniques
Is he a manager or a technical lead? There's a world of difference between the two.

Technical leads have many of the responsibilities of a manager (handing out tasks, interfacing with upper management, discipline, etc...) but also have to be able to 'get their hands dirty'; in other words, they basically have to be very strong technically. If you're interviewing for a manager who isn't going to be doing anything technical, then just make sure that A) you don't grant him schema/enterprise admin rights, so that he can't screw everything up on you, and B) he knows enough to where you're not holding his hand in *every* discussion that goes down the technical path.

If he's a technical lead... he should know how to deal with people and know nearly as much as you do, if not more. If he's going to be digging into AD and having to work on fixing problems when they appear, then you need to make sure that he's not going to screw things up because he's trying to remember what they taught him in that 2-week class 8 months ago.

On 7/23/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

All

I am currently in the process of interviewing job candidates who, if successful, will become my boss ;-)

Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the pleasure of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory".

Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did. Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs.

The feedback we received from the candidates afterwards said the interview style was... aggressive.

So, my question to you guys is, if you are interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha
{Newbie AD Guru wannabe ;0) }
Re: [ActiveDir] Domain Trusts.
I was just curious if I could avoid the 2-way transitive trust. Current resources in domains for those resources are being moved into AD. Many have 1-way trusts and we'd like to keep that status if possible. I was hoping I could do it in the same forest, but since that's not possible we just have to make sure that the situation is evaluated by more parties and there is consensus on what we're going forward with. I guess I shouldn't have said 'moved out of...' as 'avoided being brought into...' though some of the resources are already in the user environment and mattering on the way that we go, will possibly need to be moved out eventually, for consistency's sake.

On 7/23/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

Matt, I'm quite aware of the token limitations in AD (and the lovely attack vectors around this feature) - however, creating a separate domain for this reason would fall under administrative isolation, which is not how you've phrased your previous reply. So I'm a little bit puzzled as to what your real goal is.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Sunday, July 23, 2006 7:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

Go to google, type in "Token limitation" and click on the first item...

On 7/23/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

"because the objects that need to go in that domain really do need to get out of our current user environment."

Matt, this doesn't yet sound to me like administrative isolation. Really depends on what you mean with "user environment". If these objects should not be administered by the same admins, then it's likely a case for isolation. If the objects should not be accessible for the normal users (incl. the servers or other resources that the objects represent), then it's a case for ACLing and configuring your AD and GPOs.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Sunday, July 23, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

Basically we're looking at creating a resource domain because the objects that need to go in that domain really do need to get out of our current user environment. But if you can't move items into a forest without having an automatic 2-way transitive trust, then we might need to just go with a separate forest. We're looking at other options internally and it's possible that we may not need security isolation for these other domains. Time will tell. You've all been very helpful, thank you. Hopefully MS will state in their documentation at some point in time that these trusts can't be altered so that other people don't have to go "I know it's automatically created when I create the object, but what can I do with the trust any more" :)

On 7/22/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

You might want to describe to us what your actual goal is for creating a non-fully trusted domain in your AD forest. Maybe you can reach a similar goal by using the fairly powerful capabilities in AD to delegate administration of objects within a domain. You can also use these features to hide specific parts of AD from the rest of the organization and thus create semi-isolated units within a single AD domain. Note that there is no way to fully isolate any objects within a domain or forest from domain or enterprise admins - if you do need full administrative isolation, you have to create multiple forests.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, July 22, 2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Trusts.

1-yep
2-yep

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sat 2006-07-22 00:35
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

So basically there's no way to have a domain in a forest that doesn't fully trust every other domain in the forest? The only way to have a non 2-way trust is to make a separate forest?
Re: [ActiveDir] back up strategies
What is your plan? Do you want speed in restoration or backup? Do you have a 24-hour facility or is it an 8-hour facility? Do you have a tape changer or a single tape unit (changing tapes daily)?

If you have an 8-hour facility and the server is close to you, then weekend fulls and differentials are fine. If you have a 24-hour facility, then weekend full and incrementals might be the way to go. If you want to be able to have quick full system restores, then daily full backups are the best, but if you have a 24-hour facility then it's not practical and you're better off going with differentials throughout the week (2-tape restore).

I generally recommend more tapes, though. Something more like 20 daily tapes and 5 weekly tapes so that you can always go back at least a month. You don't always realize that something needs to be restored immediately and being able to go back 3-4 weeks without going to the previous month's 'master' backup tape is always nice. Tapes don't cost *that* much and if going back 3 weeks can save an engineer 30 hours of work on a CAD drawing, then it's a good plan. But if you can only go back 1 and a half or 4 weeks back... you just lost 30 hours worth of work at around $75-100 per hour, that's between $2250 and 3k saved by one restoration.

On 7/23/06, Quatro Info [EMAIL PROTECTED] wrote:

Hi all,

I am interested in your stories about back up strategies / procedures with all advantages and disadvantages involved. For example:

Set up
- Weekends: full backups, 2 tapes
- Working days: incremental, 5 tapes
- Monthly full backups... 12 tapes... 1 each month.

Which strategy is most efficient and reliable?
When do you use full, copy, differential, incremental or daily? (Considering windows backup utility)
Which software do you use?
How often do you test a restore? (a few files)
How often do you perform a full restore?
If exchange or sql server is involved (for example with veritas remote agents), how often do you perform a restore on exchange databases / sql server databases?
Do you keep an exact copy of the backup hardware involved on an external location in case of fire/theft?

All info is very appreciated.
Thanks!
Jorre
Re: [ActiveDir] OT: Interview Techniques
So basically it sounds like you need a technically savvy person who has very good understanding of AD, but is going to come back to you with any concerns about a design direction that you've come up with instead of going through and revamping it completely...

'basic user' or 'admins'... ROFLMAO

Schema updates are uncommon enough to where nobody really needs that level of access on a day-to-day basis.

My description of a technical lead was because I've run into companies where they expect their manager for the IT department to basically be the 3rd/4th level of support for problems. They expect the manager to do the 'heavy lifting' on the technical side of things and basically be a technical lead *and* a manager. I tend to agree that running into someone who can do both is like finding a roc's tooth. They're out there, just few and far between.

On 7/23/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

LOL. Yeah. Never a good idea to have customised "BIG AL" number plates. ;-)

On 7/23/06, joe [EMAIL PROTECTED] wrote:

Yeah Al interviewed me once and I didn't get the job because I started crying. I found his car in the parking lot and punched holes in the tires. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Sunday, July 23, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques

LOL. If it's for a technical position, then I have no qualms of trying to make the interviewed candidate cry. May as well see what they do with pressure. I can usually tell in the first few minutes how a person thinks and how well they know the subject matter. But I like to see how they react and how they deal with questions. Are they going to fold? Are they going to buckle? Are they going to lie and BS an answer? The last is the worst thing they can ever do. I demand honesty in the work I do. If you BS me, you'll be done before you go a step further. If you tell the truth and let me know that you don't know, I'll at the very least have respect for you because I know that nobody can know it all, and I know that the interviewer is going to ask a question that sticks in their mind as something that stumped them for a while. Either consciously or sub-consciously.

I like to ask leading questions and I like to pick at the things on the resume to verify that what they wrote is what they are capable of doing. Since this is a tech lead position, I expect a broad and deep set of knowledge and I expect that the characteristics of the person are such that they can easily refer to the SME (subject-matter expert) for particular subsystems without getting uptight about not knowing the answer themselves. It really could suck if you brought somebody in who was too uptight and insecure to let you do your job. They should be trying to help you advance vs. holding you back and causing hate and discontent.

My $0.04 worth anyway.

Al

On 7/23/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

All,

I am currently in the process of interviewing job candidates who if successful will become my boss ;-) Basically the manager who will be his boss has asked me to do the technical side of the interview and check if the candidates are OK. I've had the pleasure of interviewing 2 so far and they were pretty weak technically. I am not sure if I have been spoilt by the creme-de-la-creme here but I did check them a little thoroughly, especially with the candidate who was bold enough to mention under key skills "very strong knowledge of Windows 2000/2003 Active Directory".

Now I am definitely no expert, but if someone is bold enough to claim that, he better not buckle up under pressure and reply that the questions I am asking are only worthy knowledge to those working at Microsoft. And this is the reply I got when I asked him what the FSMO roles did.

Actually, I got a little miffed as the guys had the audacity to demand pretty much twice the pay I am getting and were paper MCSEs. The feedback we received from the candidates afterwards said the interview style was... aggressive.

So, my question to you guys is, if you are interviewing someone for a Windows tech-lead position (with focus on AD), how technical would you want him to be? This is a guy who would be steering the design of an infrastructure to support tens of thousands of users.

Cheers
Mudha
{Newbie AD Guru wannabe ;0) }
Re: [ActiveDir] Domain Trusts.
Thanks, that's exactly what I was looking for. Oddly enough, it's somewhere on MS's site, though my 5-8 queries never came up with it (the wonderful joys of searching on microsoft.com). Now I can give them 2 options: separate forest with a 1-way trust or a subdomain (since there really isn't a difference between a separate tree and a subdomain).

On 7/24/06, Steve Linehan [EMAIL PROTECTED] wrote:

I believe that the documentation that you are looking for that describes these transitive trusts and the inability to alter them is contained here:

From: http://technet2.microsoft.com/WindowsServer/en/library/f5c70774-25cd-4481-8b7a-3d65c86e69b11033.mspx

Automatic Trusts

By default, two-way transitive trusts are automatically created when a new domain is added to a domain tree or forest root domain by using the Active Directory Installation Wizard. The two default trust types are parent-child trusts and tree-root trusts.

Parent-child trust

A parent-child trust relationship is established whenever a new domain is created in a tree. The Active Directory installation process automatically creates a trust relationship between the new domain and the domain that immediately precedes it in the namespace hierarchy (for example, corp.tailspintoys.com is created as the child of tailspintoys.com). The parent-child trust relationship has the following characteristics:
* It can exist only between two domains in the same tree and namespace.
* The parent domain is always trusted by the child domain.
* It must be transitive and two-way. The bidirectional nature of transitive trust relationships allows the global directory information in Active Directory to replicate throughout the hierarchy.

Tree-root trust

A tree-root trust is established when you add a new domain tree to a forest. The Active Directory installation process automatically creates a trust relationship between the domain you are creating (the new tree root) and the forest root domain. A tree-root trust relationship has the following restrictions:
* It can be established only between the roots of two trees in the same forest.
* It must be transitive and two-way.

Thanks,
-Steve

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sun 7/23/2006 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

Basically we're looking at creating a resource domain because the objects that need to go in that domain really do need to get out of our current user environment. But if you can't move items into a forest without having an automatic 2-way transitive trust, then we might need to just go with a separate forest. We're looking at other options internally and it's possible that we may not need security isolation for these other domains. Time will tell. You've all been very helpful, thank you. Hopefully MS will state in their documentation at some point in time that these trusts can't be altered so that other people don't have to go "I know it's automatically created when I create the object, but what can I do with the trust any more" :)

On 7/22/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

You might want to describe to us what your actual goal is for creating a non-fully trusted domain in your AD forest. Maybe you can reach a similar goal by using the fairly powerful capabilities in AD to delegate administration of objects within a domain. You can also use these features to hide specific parts of AD from the rest of the organization and thus create semi-isolated units within a single AD domain. Note that there is no way to fully isolate any objects within a domain or forest from domain or enterprise admins - if you do need full administrative isolation, you have to create multiple forests.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, July 22, 2006 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Trusts.

1-yep
2-yep

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sat 2006-07-22 00:35
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.

So basically there's no way to have a domain in a forest that doesn't fully trust every other domain in the forest? The only way to have a non 2-way trust is to make a separate forest?
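The distinction the quoted TechNet text draws (intra-forest parent-child and tree-root trusts are always two-way and transitive; only trusts to other forests or external domains can be one-way or non-transitive) can be checked on a live domain. The PowerShell below is an added example for this page, not code posted by anyone in the thread. It uses the RSAT ActiveDirectory module's Get-ADTrust (Windows Server 2008 R2 or later, so not something the 2006 posters would have had) to list the current domain's trusts and mark which ones an administrator could actually restrict; the IntraForest flag is what separates the automatic, fixed trusts from the adjustable ones.

```powershell
# Added example (not from the thread). Summarise the trusts of the current domain and mark
# which ones have adjustable direction/transitivity. Parent-child and tree-root trusts
# (IntraForest = $true) are always two-way and transitive and cannot be changed; only
# external and forest trusts can be made one-way or non-transitive.
# Assumption: RSAT ActiveDirectory module available (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Get-TrustSummary {
    Get-ADTrust -Filter * | ForEach-Object {
        $intraForest = [bool]$_.IntraForest
        [pscustomobject]@{
            Partner      = $_.Target
            Direction    = [string]$_.Direction        # Inbound, Outbound or BiDirectional
            IntraForest  = $intraForest
            # The module spells this property "DisallowTransivity"; $true means non-transitive.
            Transitive   = -not [bool]$_.DisallowTransivity
            SidFiltering = [bool]$_.SIDFilteringQuarantined
            # Direction/transitivity can only be changed on trusts that leave the forest.
            Adjustable   = -not $intraForest
        }
    }
}

# The subset whose direction could actually be restricted to one-way: everything outside the forest.
function Get-AdjustableTrusts {
    Get-TrustSummary | Where-Object { $_.Adjustable }
}

Get-TrustSummary | Sort-Object IntraForest, Partner | Format-Table -AutoSize
```

Run it from a member of the domain whose trusts you want to review; every row with IntraForest set to True will show BiDirectional and Transitive regardless of what you would like it to be, which is exactly the situation Matt ran into, while the rows returned by Get-AdjustableTrusts are the ones where a one-way or non-transitive configuration is available.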
[ActiveDir] Domain Trusts.
I've done some looking around on Microsoft's site, but can't find the information that I need. What can be done with/to the automatic trusts that are created when a new tree is created in a forest and/or a new subdomain is created? I understand that 2-way transitive trusts are created, but can I break that or alter it in any way and if so, what way can those trusts be changed?

One other quick question, as long as I'm asking: what is the impact to a parent domain's DIT database when you create a subdomain, if any?
Re: [ActiveDir] Domain Trusts.
So basically there's no way to have a domain in a forest that doesn't fully trust every other domain in the forest? The only way to have a non 2-way trust is to make a separate forest?
Re: [ActiveDir] Virtual DCs
I'd say that it should depend on the size of your environment. I've seen the difference in performance between a 64-bit DC and a 32-bit DC in a large environment and unless a VM can run with enough RAM to load your entire DIT database in RAM, then a VM would be a poor idea, IMO.

In other words: Small environments, go virtual with 2-4GB of RAM and you should be fine. Larger environments where the DIT database is getting over 2GB in size, you will probably be better off going with physical machines and considering 64-bit DCs if your DIT is breaking 3GB of size.

The only recommendation that I'd put out there is to make sure that the physical boxes you're running your VMs on have more than enough bandwidth to do the job. In other words: Test a whole lot before you go forward with a plan to do it and make sure that you've got redundancy in place because you now have 2 more points of failure on a single DC: the OS that it's sitting on and the VMware application.

On 7/19/06, Al Mulnick [EMAIL PROTECTED] wrote:

The voice of reason? WTF? ;-)

Identifying return on effort is a great way to start any project. I highly recommend (and get beaten soundly for) it.

Brett, one additional thought on the Forest-On-A-Box idea: for remote sites that need a single server from a performance perspective, but need multiple forest NCs represented, this presents an opportunity to deploy more Microsoft DCs without additional hardware constraints. Since some of your brethren are advocating multiple forest deployments where once multiple domains existed, and because of WAN traffic limitations, virtualization offers a great way to make this happen without 4 extra physicals in the geo. This scenario requires an all-or-nothing approach to the DC - it either works or doesn't and that's all they really care about. Backups of that particular set of DCs wasn't likely going to happen anyway, and they very likely would not have anyone local that they'd trust to restore the machine either and may not even want those people to have local server access. Offering a way to add in F/P plus the other forests and it's a compelling branch office forest-on-a-box with F/P solution.

Oh, the other product(s) you asked about is likely VMware Server http://www.vmware.com/products/ - Note that the virtualization software is also listed as a freely available option, although I have not personally seen what that entails at this point. They tend to make quality stuff though.

-ajm

On 7/19/06, Alex Alborzfard [EMAIL PROTECTED] wrote:

As others have suggested, virtualizing your DCs is obviously a viable option. However, before doing so, I think you (or your management) first need to identify what you are trying to get out of it. Companies implement virtualization mainly for hardware consolidation reasons. There are other valid reasons such as saving time $$ in server provisioning/administration, redundancy, and disaster recovery.

Speaking from experience with my clients, the decision to go virtual or not should be based on two factors: the physical requirement for the server and number of users or amount of activity on the server. The rule of thumb is to virtualize a server if it is currently under-utilized from CPU/Memory standpoint. So except for heavily used Exchange, SQL, or Citrix servers, almost all servers can be good candidates to be virtual. Almost all AD DCs fall within this category.

If your management is considering building a solid virtualization environment, I would recommend going with VMware (ESX) solution, especially if you have SAN. It may not be free and there is a bigger learning curve involved, but you get the best bang for your buck especially in an enterprise environment because of its many advanced features and complementing technologies such as Virtual Center, VMotion, P2V, etc. To me it's like the difference between using Terminal Server and Citrix. If however this is a one-time, ad-hoc effort, you can go with either VMware or MS server solutions. In either case, if your box is beefed up (has at least 2GB of RAM), with VMware Server you can get away with putting all DCs as VMs on one box. If you have SAN and ESX, you can even boot all your VMs from it and resolve your redundancy concerns. With MS, I would probably split them across 2 boxes.

Just my 2 cents!

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brad Smith
Sent: Wednesday, July 19, 2006 6:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual DCs

I would definitely back the use of VMs on this one, although I would definitely keep one or two physical DCs present. I have personally done the rounds with MS on this, and we ended up with 5 physical DCs, and 38 virtual ones. There were two reasons we retained physical DCs:

1) At the time (a couple of months ago), different staff in MS interpreted their own support policy differently, and they couldn't (and still haven't) resolved it. To ensure we had a supported
Re: [ActiveDir] Virtual DCs
Actually... thinking more about it, I think I'd rather go VMware for something else on a physical DC. In other words: load up a low utilization server on a VM inside a DC. This reduces your vulnerability, IMO.

On 7/19/06, Matt Hargraves [EMAIL PROTECTED] wrote:

I'd say that it should depend on the size of your environment. I've seen the difference in performance between a 64-bit DC and a 32-bit DC in a large environment and unless a VM can run with enough RAM to load your entire DIT database in RAM, then a VM would be a poor idea, IMO.

In other words: Small environments, go virtual with 2-4GB of RAM and you should be fine. Larger environments where the DIT database is getting over 2GB in size, you will probably be better off going with physical machines and considering 64-bit DCs if your DIT is breaking 3GB of size.

The only recommendation that I'd put out there is to make sure that the physical boxes you're running your VMs on have more than enough bandwidth to do the job. In other words: Test a whole lot before you go forward with a plan to do it and make sure that you've got redundancy in place because you now have 2 more points of failure on a single DC: the OS that it's sitting on and the VMware application.

On 7/19/06, Al Mulnick [EMAIL PROTECTED] wrote:

The voice of reason? WTF? ;-)

Identifying return on effort is a great way to start any project. I highly recommend (and get beaten soundly for) it.

Brett, one additional thought on the Forest-On-A-Box idea: for remote sites that need a single server from a performance perspective, but need multiple forest NCs represented, this presents an opportunity to deploy more Microsoft DCs without additional hardware constraints. Since some of your brethren are advocating multiple forest deployments where once multiple domains existed, and because of WAN traffic limitations, virtualization offers a great way to make this happen without 4 extra physicals in the geo.
Re: [ActiveDir] Home directories issue
For some odd reason Google didn't show me your original message (it hides 'quoted' material for some messages). I didn't see that portion of your message (that it was intermittent) and was trying to think of what all things would cause this.

There are a few questions that I have:
1) Are they always connecting from the same computer?
2) Are you using DHCP or static mapping?
3) AD Integrated DNS?

I'll look around and see what I run into. I haven't run into this personally (intermittent mapping of home drives) and just to be honest, I use a \\servername\driveletter$\directory mapping for my home drive (mostly so that I can always reach a particular drive location when on a network without having to share it out) and even I don't see it with this somewhat non-standard homedrive location type.

On 7/16/06, Arnold Arce [EMAIL PROTECTED] wrote:

Taking everything you said, why would this problem be intermittent and not every single time the user logs in?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Sunday, July 16, 2006 6:03 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Home directories issue

Well, when you're mapping to \\server\share\directory, if the user has permission issues at the directory level (their actual home share location), I believe that it will simply map to the share and not go into the directory. Make sure that you have granted all users Full Control at the share level. You don't need to grant them anything more than Read at the NTFS level (since I believe the System account creates their home directory), but to have full control (which is required for the home drive location), you have to be *able* to have full control and you can only have full control on a share if *both* the share-level permissions and the directory-level permissions state that.

Example: The \\server01\users share is located on the E drive in the directory users. You can have the perms on that directory be Administrators: Full, System: Full, Everyone: Read, the System will create the user directories (E:\users\joebloe\) and grant the required permissions for that directory (full control for joebloe). However, if the share perms state Change or Read Only, then the user can only have that level *or lower* of effective permissions on the files. So even if joebloe has Full Control on his directory, if the share says Everyone: Change, then his effective permissions on everything in that share (including his directory) won't ever be more than Change.

You could actually have E:\users shared out as \\server01\users and \\server01\home and if you have Everyone as Change on the users share and Full Control on the home share, even though it's the exact same location on the system and the NTFS permissions haven't changed, the people who are mapped to \\server01\home will work, while the people who are mapped to \\server01\users won't work. Change everyone's mapping to \\server01\home (or change \\server01\users to have Everyone: Full) and they will all work.

Some of this is speculation and while I seem to remember running into this in someone's network before, that was something like 6 years ago and haven't run into it since. I could be mistaken.

On 7/16/06, Arnold Arce [EMAIL PROTECTED] wrote:

Has any headway been made with this problem? I can't find any solutions out there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Conrad, Daniel C Mr. Nortel PEC Solutions
Sent: Tuesday, December 13, 2005 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home directories issue

It's all AD on 2k3 with XP Pro clients, connecting to a real share (both by IP and NetBIOS to ensure name resolution isn't an issue). No DFS.

On behalf of Jerry
Dan
Nortel PEC Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Holme
Sent: Tuesday, December 13, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home directories issue

%USERNAME% won't help, as it is translated on the fly to the user's name the moment you use it, so it ends up joe.user anyway. Are your users having the problem using W2K or later, I assume? (if not, there's your answer) And you ARE using a real share, not a DFS root share, right?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Arnold Arce
Sent: Monday, December 12, 2005 9:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home directories issue

I have experienced this same problem. Usually logging off and logging on fixes it. I need to find a better answer. I'll try the %USERNAME% variable like someone else suggested.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Condra, Jerry W Mr HP
Sent: Monday, December 12, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Home directories issue

Hoping someone has seen
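The share-versus-NTFS interaction Matt describes (effective access through a share is the lower of the share permission and the NTFS permission) can be verified on the file server instead of guessed at. The PowerShell below is an added example written for this page, not code from anyone in the thread. It reads the share ACL with Get-SmbShareAccess and the NTFS ACL with Get-Acl, collapses both onto the three share levels (Read, Change, Full) and reports the effective level. Assumptions: Windows Server 2012 or later (SmbShare module; the 2003/XP environment in the thread predates it), the account is given with its domain prefix (CORP\joebloe, E:\users\joebloe and the share names users/home are placeholders taken from Matt's scenario), and only ACEs granted directly to that account or to Everyone are considered, so group membership is not expanded and the result illustrates the rule rather than a complete effective-access calculation.

```powershell
# Added example (not from the thread). Compare share-level and NTFS-level rights for one
# account and report the effective level: access through a share can never exceed the
# share permission, so the lower of the two wins.
# Assumptions: Windows Server 2012+/Windows 8+ for Get-SmbShareAccess; account given as
# DOMAIN\user; only ACEs for that account or for Everyone are considered (no group expansion).

# Order the three share levels so the minimum can be taken.
$script:Rank = @{ 'None' = 0; 'Read' = 1; 'Change' = 2; 'Full' = 3 }

function Get-ShareLevel {
    param([string]$ShareName, [string]$Account)
    $aces = Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -in @($Account, 'Everyone') }
    # An explicit Deny on the share wins over any Allow.
    if ($aces | Where-Object { $_.AccessControlType -eq 'Deny' }) { return 'None' }
    $best = 'None'
    foreach ($a in $aces) {
        $level = [string]$a.AccessRight            # Full, Change, Read (Custom is ignored)
        if ($script:Rank.ContainsKey($level) -and $script:Rank[$level] -gt $script:Rank[$best]) {
            $best = $level
        }
    }
    return $best
}

function Get-NtfsLevel {
    param([string]$Path, [string]$Account)
    $rights = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -notin @($Account, 'Everyone')) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return 'None' }
        $rights = $rights -bor [int]$ace.FileSystemRights
    }
    # Collapse the NTFS mask onto the share vocabulary: Modify ~ Change, ReadAndExecute ~ Read.
    $full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $read   = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    if (($rights -band $full)   -eq $full)   { return 'Full' }
    if (($rights -band $modify) -eq $modify) { return 'Change' }
    if (($rights -band $read)   -eq $read)   { return 'Read' }
    return 'None'
}

function Get-EffectiveShareLevel {
    param([string]$ShareName, [string]$Path, [string]$Account)
    $share = Get-ShareLevel -ShareName $ShareName -Account $Account
    $ntfs  = Get-NtfsLevel  -Path $Path -Account $Account
    # The more restrictive of the two layers is what the user actually gets over SMB.
    $effective = if ($script:Rank[$share] -lt $script:Rank[$ntfs]) { $share } else { $ntfs }
    [pscustomobject]@{
        Share = $ShareName; Path = $Path; Account = $Account
        ShareLevel = $share; NtfsLevel = $ntfs; Effective = $effective
    }
}

# Placeholder names from the scenario in the thread: the same directory published under two
# shares, one with Everyone: Change and one with Everyone: Full.
Get-EffectiveShareLevel -ShareName 'users' -Path 'E:\users\joebloe' -Account 'CORP\joebloe'
Get-EffectiveShareLevel -ShareName 'home'  -Path 'E:\users\joebloe' -Account 'CORP\joebloe'
```

With Everyone: Change on the users share and Everyone: Full on the home share, and joebloe holding Full Control on E:\users\joebloe, the first call reports Effective = Change and the second Effective = Full, which is the difference Matt describes between the two mappings. A Deny ACE at either layer drops the result to None, which is worth checking before assuming a home-drive mapping failure is a share-level problem.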
Re: [ActiveDir] OT: Command line for exchange
She's talking about Exchange 2007. Go look at the MS Exchange blog site and you'll see some references (http://msexchangeteam.com/default.aspx). The nice thing about it is that most everything that I saw that they were doing with a command line you could do with the GUI. The only difference is that you can script something in a command line, while building scripting for a GUI is a lot more of a pain and a lot less reliable.

Here's a good reference link: http://www.microsoft.com/technet/scriptcenter/scripts/message/exch2007/default.mspx?mfr=true

I think that has a list of most all of the commands that you can do in the Exchange command line. Again though, while you *can* do a lot of the stuff in Exchange 2007 with scripts, I believe that you can do more (everything) in the GUI. A lot more. From one of the demos on the Exchange team blog site, I believe that if you do something in the GUI, it will create a command in the CLI window and you can evaluate what it is and how it works. Looks really interesting to me and I'm about as far as you can get from a 'script kiddie'.

On 7/15/06, Brian Desmond [EMAIL PROTECTED] wrote:

Command line for Exchange... yuck? There isn't one to speak of now, although Monad had some fundamental issues last I saw/heard as far as the utility of the commands in large environments.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, July 15, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Command line for exchange

Download details: Introduction to the Exchange Management Shell:
http://www.microsoft.com/downloads/details.aspx?familyid=1dc0f61b-d30f-44a2-882e-12ddd4ee09d2&displaylang=en

Command line for Exchange... yuck

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Clean install VS Upgrade of Windows 2003
There are a few times where upgrading is easier than installing fresh and doesn't have that big of an impact... but most times I prefer to simply install fresh. There are only a few examples of where I think that upgrading is better or easier overall:

1) Workstations -- I'd rather upgrade a Win2k Pro (or even WinXP Home) box than reinstall the OS *and* all the software and worry about user settings/data.

2) When a piece of software requires an in-place upgrade instead of allowing a multi-homed approach. Not a large number of these, but enough to where most people should check their software to see if it will support being migrated to another box (the fresh install) while live.

Other than those 2 (there are a few others like the example given by Jorge), there aren't many reasons to not install fresh and sometimes upgrading ends up with other problems appearing that weren't there before.

On 7/16/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

Personally I hate OS upgrades and try hard to avoid them and prefer to choose a fresh clean install... Although supported, when upgrading an OS old stuff from the previous OS is kept and besides that you might run into issues because of incompatibilities with software, drivers, etc. A clean install in combination with the migration of the stuff hosted on the old server to the new server gives you a phased approach. Upgrading directly impacts the server and if the upgrade fails you might end up with a troubled server.

IMHO: avoid OS upgrades when possible and only use it when really necessary (like for example NT4 PDC -> W2K3 DC, which is mandatory)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Sun 2006-07-16 20:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Clean install VS Upgrade of Windows 2003

Hey all,

Does anyone have any comments/articles, etc on the benefits or concerns of a clean install of Windows 2003 Server VS an Upgrade? My opinion is that doing a clean install keeps system root clean. It also pristinely adopts the security best practices of 2003 Server. Disk performance will improve as well. Does anyone have anything they can add to this? I have migrated a great portion of my network in a clean install path, and now it is coming into question why did I not choose the upgrade path.

Any comments would be greatly appreciated,
Thanks,
Nate

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
Re: [ActiveDir] Home directories issue
Well, when you're mapping to \\server\share\directory, if the user has permission issues at the directory level (their actual home share location), I believe that it will simply map to the share and not go into the directory. Make sure that you have granted all users Full Control at the share level. You don't need to grant them anything more than Read at the NTFS level (since I believe the System account creates their home directory), but to have full control (which is required for the home drive location), you have to be *able* to have full control and you can only have full control on a share if *both* the Share-level permissions and the directory level permissions state that.

Example: The \\server01\users share is located on the E drive in the directory users. You can have the perms on that directory to be Administrators: Full, System: Full, Everyone: Read, the System will create the user directories (E:\users\joebloe\) and grant the required permissions for that directory (full control for joebloe). However, if the share perms state Change or Read Only, then the user can only have that level *or lower* of effective permissions on the files. So even if joebloe has Full Control on his directory, if the share says Everyone: Change, then his effective permissions on everything in that share (including his directory) won't ever be more than Change.

You could actually have E:\users shared out as \\server01\users and \\server01\home and if you have everyone as Change on the users share and Full Control on the home share, even though it's the exact same location on the system and the NTFS permissions haven't changed, the people who are mapped to \\server01\home will work, while the people who are mapped to \\server01\users won't work. Change everyone's mapping to \\server01\home (or change \\server01\users to have Everyone: Full) and they will all work.

Some of this is speculation and while I seem to remember running into this in someone's network before, that was something like 6 years ago and haven't run into it since. I could be mistaken.

On 7/16/06, Arnold Arce [EMAIL PROTECTED] wrote:

Has any headway been made with this problem? I can't find any solutions out there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Conrad, Daniel C Mr. Nortel PEC Solutions
Sent: Tuesday, December 13, 2005 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home directories issue

It's all AD on 2k3 with XP Pro clients, connecting to a real share (both by IP and NetBIOS to ensure name resolution isn't an issue). No DFS.

On behalf of Jerry
Dan
Nortel PEC Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Holme
Sent: Tuesday, December 13, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home directories issue

%USERNAME% won't help, as it is translated "on the fly" to the user's name the moment you use it, so it ends up joe.user anyway. Are your users having the problem using W2K or later, I assume? (if not, there's your answer) And you ARE using a "real" share, not a DFS root share, right?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Arnold Arce
Sent: Monday, December 12, 2005 9:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Home directories issue

I have experienced this same problem. Usually logging off and logging on fixes it. I need to find a better answer. I'll try the %USERNAME% variable like someone else suggested.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Condra, Jerry W Mr HP
Sent: Monday, December 12, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Home directories issue

Hoping someone has seen this problem before. Users are mapping home folders using AD profile tab which maps X: to \\servername\home\joe.user. Occasionally, upon logon, users will map to \\servername\home and not all the way to their own home directory. I've seen several blogs and the same problem posted elsewhere but no cause or solution.

Thanks
Jerry
Re: [ActiveDir] Object Auditing
I am simply pointing out his options. If you noticed, my first recommendation was to ACL his AD structure so that only a very small number of people could perform that type of task. I'm definitely not going to say that tools should be the savior for people who make mistakes, but they're darned nice and can save a lot of time and/or money when they can be appropriately utilized.

On 7/15/06, joe [EMAIL PROTECTED] wrote:

Again, this is after the fact and requires you to bring things back so there is going to be a period where someone somewhere isn't doing the job they are being paid to do and depending on the person and the company the consequences could be dire. Much better to disallow the mistake in the first place.

Would it surprise you to know that I ran a Fortune 5 forest (and prior to that an NT4 multimaster environment) with just under 400 DCs globally and some 250,000 users and who knows how many hundreds of thousands of machines and 100k+ groups with three domain admins across the entire thing all located within 10 feet of each other and not once, not a single time, not ever, did we have to restore a single object in that time. We had no fancy expensive auditing tools, we had no fancy expensive recovery tools, we had no fancy expensive management tools, we had no fancy expensive monitoring tools yet it was without a single exception the best running AD I have seen to date and at this point I have seen quite a few ADs both through work (I am a consultant now) and the untold number of emails I have received from folks concerning my tools or just asking questions.

This is all about the quality of the people you let put a gun to the head of your Active Directory environment. I would much rather listen to people bitch and moan that they can't do their jobs than clean up after them when they screw something up. In the end, it is much less work and much easier to keep SLAs.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Saturday, July 15, 2006 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Object Auditing

There are tools out there by Quest software (www.quest.com) that will allow both auditing (InTrust for AD) and recovery of altered or deleted items (Recovery Manager for AD). RMAD is really nice in that you can restore a deleted userID or group and get back all of the properties, including things such as the original SID. I believe that ITAD also has a monitoring tool that you can run that will let you know if something is changed, though I don't have experience with that aspect of the tool, only the auditing aspect.

On 7/15/06, joe [EMAIL PROTECTED] wrote:

I have to say I agree quite strongly with this. Auditing is nice and all but it only points at who made mistakes, it doesn't help prevent them (what if the fine admin had deleted the OU instead of moving, auditing sure would have helped there...). If you have an entirely ad hoc fly by the seat of your pants structure you can't do much about it other than try to figure out what you really need and implement something that isn't ad hoc fly by the seat of your pants. But if you have a fixed structure, lock down who can do things. 3-5 DAs tops even for VERY large orgs. 3 actual engineers I found to be quite sufficient and honestly for a majority of the work they didn't even need to be DAs.

The best most stable deployments I have seen for AD used fixed OU structures and simply added a new copy of the fixed structure for each new site or group or whatever the administrative breakup was done by. This can be scripted and then setting up a new OU structure for a new group/site is a simple script that takes seconds to run and people with high level rights aren't mucking around directly in AD with a GUI that can help them make easy point and click mistakes.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Thursday, July 13, 2006 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Object Auditing

Well, you could always ACL your AD better and make it where only a small number (2 or 3 accounts) of users can make AD organizational changes. Moving, creating and deleting OUs isn't necessary that often to where it's really all that necessary of a right for most admins. I think that in our environment (with a very large number of OUs), I have only had maybe 1 or 2 occasions to ever move an OU, if that. That being said... mistakes happen and these things are going to occur. Hopefully very, very infrequently. There are tools out there to monitor AD for changes like this, I guess the question is whether it's worth the
Re: [ActiveDir] Loopback Processing Problem
I usually don't like loopback. It's just kinda messy in most situations. But for reference to Darren's question, you might want to look at: http://support.microsoft.com/?id=231287

On 7/13/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:

Pat-

Have you tried using GPMC's GP Results wizard to ensure that the loopback policy is actually applying to the computers? Also, are you using merge or replace loopback?

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Piper, Pat
Sent: Thursday, July 13, 2006 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Loopback Processing Problem

I am hoping someone can help us out with a loopback processing issue we are having. We are trying to add our lab computers to our Active Directory and are going to have our students login using their child domain credentials. All the computers are added as objects to the child domain that the students belong to. We want to manage group policy by applying it to the computers and not to the users, this enables us to do things like locking down the background image for all computers regardless of the logged on user. No matter what we try our policies are not being applied and we can't get we want user policies to apply to computer objects. When local security policies are applied they work, when user policies are applied they work, which means that the computer is communicating with the domain properly. We've read through the following article from Microsoft but are not having any luck finding good troubleshooting steps for this. Does anyone know of any "gotchas" for loopback processing or of a good troubleshooting guide?

Loopback processing of Group Policy
http://support.microsoft.com/?id=231287

Pat - Desktop Server Services
Keene State College
Keene, NH 03435-2615
603 358-2172

Beware the lollipop of mediocrity; lick it once and you'll suck forever. - Brian Wilson.
Re: [ActiveDir] Object Auditing
Well, you could always ACL your AD better and make it where only a small number (2 or 3 accounts) of users can make AD organizational changes. Moving, creating and deleting OUs isn't necessary that often to where it's really all that necessary of a right for most admins. I think that in our environment (with a very large number of OUs), I have only had maybe 1 or 2 occasions to ever move an OU, if that. That being said... mistakes happen and these things are going to occur. Hopefully very, very infrequently. There are tools out there to monitor AD for changes like this, I guess the question is whether it's worth the money or not. It's possible that you might want to get them just so you can start monitoring and auditing your environment (which many organizations don't do).

On 7/13/06, Myrick, Todd (NIH/CC/DCRI) [E] [EMAIL PROTECTED] wrote:

Your best bet to learn how to audit changes is to stand up a virtual AD, turn on Directory auditing, and make the changes you would like to track to see what event ID and messages are generated. Then you can use Microsoft's Eventcombmt tool to search your DCs for the information. We use the Quest Intrust product here for Monitoring and Auditing... At the parent level they used Netpro for AD monitoring and Intrust for auditing, I think they want to switch to using the NETPRO product for auditing though. Both companies offer very good solutions. It is pretty hard to make a bad decision here. There are some advantages with regards to cross platform support with Intrust, but that has nothing to do with AD. The shop I am in now uses several platforms, so that is what drove our decision.

Todd

From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 13, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Object Auditing

I'd have to check out myself if an OU move is possible to audit with the built-in auditing events - I'm pretty sure though it is possible with AD specific auditing software such as NetPro's ChangeAuditor AD and Quest's Intrust for AD.

You may also want to disable drag & drop in your forest, simply by configuring the following (works for Win2003 SP1 - a pre-SP1 fix should be available as well):

o use ADSIEDIT, LDP or equivalent tool
o locate flags attribute of DisplaySpecifiers container in config. NC
o set bit 0 to 1
o drag and drop now disabled

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Thursday, 13 July 2006 20:25
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Object Auditing

Is it possible to audit the creation/deletion and more importantly, the movement of OUs? One of our admins dragged and dropped an entire OU into another OU that had a desktop lockdown GPO linked to it, thereby locking down the PCs of a bunch of important people, and making them very upset. I have Account Management and Object Access auditing on, but I don't see anything on any of our DCs that show anything about the OU or any of its objects moving. Is there something else I need to enable to audit these types of events? Is it even possible?

Thanks,
Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573

ITS ENTERPRISE SERVICES EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
Re: [ActiveDir] Kerberos MaxTokenSize and too many groups issues
Good news is, if you look around on the Exchange team blog site, you'll find articles about Exchange 2007 on 64-bit Windows (it's not going to support a 32-bit OS) and basically the paged pool memory issue goes away completely (lots more room for that stuff when we're talking about 64-bit addressing). Only problem with that is that you have to make sure that your spam filtering and antivirus software will support it. Once you have your antivirus and spam support for Exchange 2007, I honestly can't think of a good reason to stick with Exchange 2000 or 2003 any more.

On 7/12/06, Freddy HARTONO [EMAIL PROTECTED] wrote:

Thanks guys, really helpful, didn't know how bad things can be with those huge groups... like paged pool memory issues.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
Re: [ActiveDir] Multihomed Domain Controllers
I've never seen a problem with doing this stuff before and there are actually some backup solution providers that recommend using a parallel network for backup data to transmit across. That being said, I think the most important thing for you to make sure that you're *not* doing is testing it out on your FSMO roles holder. Do it with a non-GC domain controller first, then move up to a GC and after all of your DCs are working on the parallel network for backups, I'd probably move FSMO roles over to one of them that is working and move the last GC over (then move back the FSMO roles, if you have some old software that's hardcoded to the 'PDC').

On 7/12/06, Kevin Brunson [EMAIL PROTECTED] wrote:

The one gotcha I have seen (only once though), was that somehow multihoming a 2000 DC corrupted a couple of registry keys. I think KB 888048 appeared a few days after the 8 hour phone call with MS. Basically the DC no longer had a DNS name. Needless to say that caused problems. But as long as you know which registry keys to change if it goes bad, you should be fine. I have seen a multitude of multihomed domain controllers since with no issues.

Kevin Brunson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Green
Sent: Wednesday, July 12, 2006 5:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc? Any other gotchas?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098

I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows

Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way. Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error.

Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.
Re: [ActiveDir] Multihomed Domain Controllers
Not so sure I agree with that. Thin clients work just fine, require less maintenance and can be replaced in 5 minutes, vs. the 3 hour argument that you'll get if you try replacing someone's desktop because they saved 19 items that have nothing to do with their job on the local hard drive. Then again, desktops are about as expensive nowadays as thin clients, so the justification for thin clients isn't what it used to be.
Re: [ActiveDir] Planning for the future
I guess it really comes down to one thing: What does your employer want? If they want to be able to sell off the asset quickly and smoothly, a trusted peer forest is the way to go. If they want to save money now, then just build some OUs and go that direction. Make sure that they know the differences though: Moving 10-30 computers into a new domain isn't just a 2 minute move, unless you really don't care about the user's former profiles. 'Give them their e-mail' might sound really nice if you don't care about them either. Severing the users from their domain severs them from other things that are behind the scenes, their SID and the Exchange infrastructure (if you are using Exchange).

Going with an OU to handle the computers and users is easy now, but it's not pretty or simple. Going with a separate peer domain/forest allows you to sever them very smoothly (break trust) and the users actually continue to work exactly as they did before, except that they can't access any resources on your existing domain.

I'll be honest... a lot of people are more concerned with saving money than they are in making sure that an asset has the capability to be completely independent of the parent organization. My recommendation is based upon what several companies that I've worked for do when they start up divisions that might be spun off later or even with assets which they acquire.

On 7/12/06, Al Mulnick [EMAIL PROTECTED] wrote:

I agree with Jorge but I think it pertinent to add that you would likely want to gain some perspective: You are asking about a configuration for something that might happen in the distant future or not too distant future. You're trying to future proof your design/deployment centered around 30 sec prins, possibly 60 if they bring computing hardware with them. Using an OU, you can satisfy today's needs, and you can adjust to whatever their future demands become. If they decide in the future to go with linux as their standard, then you'll not have wasted a moment's time or a penny of hardware to satisfy what might have been. If they decide to go with Active Directory, what exactly do you want them to take with them? If you give them their own forest, you *could* just cut the ties and no worries. But the administrative headache that goes with that is formidable. It must be dealt with and it will always be different and require special handling, additional resources, and a different skill set than an OU would require. Separate forests offer few benefits from what I can see of this situation, but weigh that carefully. If they decide to split company and go their own way to a new AD forest, you can use migration utilities to give them the sec prins (if they want them; it would be easier to just create new ones IMHO) and give them their mail data and be done. 30 users is too small a number in my opinion to want to worry about separate forests etc.

On 7/12/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

an OU with the objects needed for those people (users, groups, computers) would be enough. Imagine a domain with at least 2 DCs for just 30 people with no special requirements while other domain(s) exist

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Larry Wahlers
Sent: Wed 2006-07-12 19:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Planning for the future

Esteemed colleagues,

We have a radio station that is currently part of our denomination that we want to finally put on our network. They are located about 20 miles from our headquarters. However, there has been talk for many, many years about selling off this radio station, but that hasn't come to pass yet. My question is, if we put them in their own domain in our existing forest, would that make it easier to get them into their own forest if they should some day no longer be a part of us? If not, what's the best way to plan for a possible future in which these 30 people might no longer be working for us? Many thanks in advance.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
Re: [OT]Re: [ActiveDir] Multihomed Domain Controllers
Fortunately, unless you know who has the data that you want to steal, the chances of any actual confidential data being stolen to the thieves' benefit is pretty slim. Even if you do find data that a competitor would want, most companies today are pretty hesitant about taking confidential information. Didn't you hear about Pepsi turning in that guy who was going to sell them confidential information from Coca Cola? The information that people are really worried about is controlled by the people who are usually more paranoid than we are: the accountants ;)

On 7/12/06, Al Mulnick [EMAIL PROTECTED] wrote:

Confidential data? Can you, in three minutes or less, recite your company's confidential data policies if you were asked? Can you explain them to the users in your company (fair enough, I know you're a tech company; I've heard of you)? Or are your company classified docs going home on usb sticks and cd's or dvd's or in email and web uploads?

I wonder though, desktop machines guarded by the cleaning crew are better? What about smart phones? Those keep you up late at night as well? :)

We're easily years away from widespread use and adoption of things like bit-locker. With cross-platform usage, not sure the value outside of the sphere of windows desktops that have been upgraded (that's a what? 5 year cycle at many companies?) either but leave that for another time.

My preference is to embrace the new technology and find ways to mitigate the risks. Laptops are here to stay and although they go missing, that to me is not enough of a reason to not want to use them. I've seen instances of desktops that grow legs and go missing as well. Some might argue that VPN usage to non-company assets (those not owned AND managed by the company) are enough to give you the heebie jeebies. I don't see bit-locker solving those issues. Know something different?

On 7/12/06, Kurt Falde [EMAIL PROTECTED] wrote:

Great so we can have even more people taking confidential data home with them and getting their laptops stolen from their cars :) Until we get Vista BitLocker and laptops that utilize it across the board I would be extremely paranoid about laptops all over.

Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, July 12, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [OT]Re: [ActiveDir] Multihomed Domain Controllers

I know we're drifting off-topic, but I read this and started thinking: laptops. Why bother with desktops?

On 7/12/06, Matt Hargraves [EMAIL PROTECTED] wrote:

Not so sure I agree with that. Thin clients work just fine, require less maintenance and can be replaced in 5 minutes, vs. the 3 hour argument that you'll get if you try replacing someone's desktop because they saved 19 items that have nothing to do with their job on the local hard drive. Then again, desktops are about as expensive nowadays as thin clients, so the justification for thin clients isn't what it used to be.
Re: [ActiveDir] Kerberos MaxTokenSize and too many groups issues
Not sure where you're at with the number of groups per user. I like to think of the initial setting for token size as a way of saying "You really need to get your security model under control or fix this user's group memberships." At 12k, you shouldn't really be pushing the limit until you're around 250 groups for a user. Bumping up to a larger token size is fine to fix your short-term issue, but ends up with users being members of potentially excessive (and possibly unnecessary) groups. It's one of those squeaky wheel things, where if it don't squeak, nobody's going to think about it. I'd recommend that in most situations you shouldn't modify the setting, simply so that your group memberships don't get out of hand, but if you find it's necessary, you should modify it in small increments (16k, then 20k); every 4k should allow you to fit in another 80 groups or so.

Another good reason to limit the amount that you let your tokens grow is that Exchange on a 32-bit OS will use several tokens per user and there is only around 150MB (give or take) available in Paged Pool memory for tokens. Once you break that limit, you end up with your servers crashing. If you are running 12k tokens, you're cutting your maximum user count per Exchange server to a third of what you could fit on the server at 4k tokens (not counting other issues that would limit the Exchange server). Toss in other applications that leverage Exchange (instant messaging, some voicemail systems, BlackBerry type services, etc...) and your users are using 6-10 tokens and they're 12k per user... potentially cutting your user count on an Exchange server down to 1500-2000 per server before things start getting ugly. Keep your token sizes (and security group memberships) under control and you should be able to keep the Exchange user count per server up closer to 4k+.

Also, there is an absolute number of SIDs that a user token can handle before the user ID will break (which isn't pretty), regardless of whether they're security groups or distribution list groups. Read the following:

(token SID limitation)
http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en
(Exchange issues with token size and paged pool memory)
http://support.microsoft.com/kb/912376
(good article about Exchange related token information)
http://msexchangeteam.com/archive/2005/12/07/415733.aspx

Matt

On 7/11/06, Paul Williams [EMAIL PROTECTED] wrote:
You might also want to review this interesting white paper:
-- http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en
(that took me ages to find so please read it ;-)
--Paul

- Original Message -
From: Kurt Falde
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 11, 2006 2:24 AM
Subject: RE: [ActiveDir] Kerberos MaxTokenSize and too many groups issues

Tokensz
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en
Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Monday, July 10, 2006 9:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos MaxTokenSize and too many groups issues

Hi all,
Have a badly designed application which is tapping on AD memberships for its grouping rights and user memberships to define their roles and permissions, and today found out that one of the users is unable to access the application, but standard logon access to the Exchange mailbox etc. is working fine. Digging further I'm seeing quite a few errors on the event log (details below) - then did a registry key of MaxTokenSize as below and everything seems to work fine. Also prior to this, running gpresult on the machine doesn't give any result at all.

Question - I was under the assumption that this applies to Win 2000 only, not XP or 2003, but apparently this does? Also if I remember correctly there's a command or tool to calculate the token size of a user; anybody has that tool again pls?

MaxTokenSize regkey
http://support.microsoft.com/?id=263693

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 7/7/2006
Time: 5:07:09 AM
User: NT AUTHORITY\SYSTEM
Computer: XX
Description: Windows cannot determine the user or computer name. Return value (14).

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
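The thread above argues for capacity-planning group memberships against MaxTokenSize rather than just raising the registry value. The following is an added example, not code posted by anyone in the thread and not a Microsoft tool. It uses the token-size estimation formula published in Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s, where d counts domain-local groups plus universal groups outside the user's account domain and s counts global groups plus universal groups inside it), compares the estimate with a MaxTokenSize, and applies Matt's rough 150MB paged-pool budget for Exchange on 32-bit. The group counts are constructed sample data; the 150MB figure and the 6 tokens per user come from Matt's message and are only an approximation.

```python
"""Estimate Kerberos access-token size per user and flag who is near MaxTokenSize.

Added example for the MaxTokenSize discussion. The formula is the estimate
from Microsoft KB 327825; all user/group numbers below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# KB 327825 estimate: TokenSize = 1200 + 40*d + 8*s
TOKEN_OVERHEAD_BYTES = 1200
BYTES_PER_DOMAIN_LOCAL = 40   # domain-local groups + universal groups outside the account domain
BYTES_PER_GLOBAL = 8          # global groups + universal groups inside the account domain

DEFAULT_MAX_TOKEN_SIZE = 12000       # the "12k" default referred to in the thread
EXCHANGE_PAGED_POOL_BYTES = 150 * 1024 * 1024  # ~150MB on 32-bit, per Matt's message (approximation)


@dataclass
class UserGroups:
    """Constructed per-user membership counts (what a script would collect from AD)."""
    name: str
    domain_local: int   # d in the KB formula
    global_groups: int  # s in the KB formula


def estimate_token_size(domain_local: int, global_groups: int) -> int:
    """Estimated token size in bytes for the given membership counts."""
    return TOKEN_OVERHEAD_BYTES + BYTES_PER_DOMAIN_LOCAL * domain_local + BYTES_PER_GLOBAL * global_groups


def max_domain_local_groups(max_token_size: int) -> int:
    """Worst-case (all domain-local) group count that still fits in max_token_size."""
    return (max_token_size - TOKEN_OVERHEAD_BYTES) // BYTES_PER_DOMAIN_LOCAL


def check_user(user: UserGroups, max_token_size: int = DEFAULT_MAX_TOKEN_SIZE, warn_at: float = 0.8) -> Dict:
    """Return the estimate plus over-limit / warning flags for one user."""
    size = estimate_token_size(user.domain_local, user.global_groups)
    return {
        "user": user.name,
        "estimated_bytes": size,
        "max_token_size": max_token_size,
        "over_limit": size > max_token_size,
        "warning": size > max_token_size * warn_at,  # close enough to deserve a cleanup
    }


def users_over_limit(users: List[UserGroups], max_token_size: int = DEFAULT_MAX_TOKEN_SIZE) -> List[str]:
    """Names of users whose estimated token exceeds max_token_size."""
    return [r["user"] for r in (check_user(u, max_token_size) for u in users) if r["over_limit"]]


def exchange_users_per_server(token_bytes: int, tokens_per_user: int,
                              paged_pool_bytes: int = EXCHANGE_PAGED_POOL_BYTES) -> int:
    """Rough ceiling on Exchange users per 32-bit server from the paged-pool token budget."""
    return paged_pool_bytes // (token_bytes * tokens_per_user)


# Constructed sample: one user has clearly let group memberships get out of hand.
SAMPLE_USERS = [
    UserGroups("alice", domain_local=300, global_groups=50),   # bloated: 13600 bytes
    UserGroups("bob", domain_local=40, global_groups=30),      # healthy: 3040 bytes
    UserGroups("carol", domain_local=220, global_groups=40),   # under 12k but near it
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(check_user(u))
    print("worst-case groups at 12k:", max_domain_local_groups(12000))
    print("over limit:", users_over_limit(SAMPLE_USERS))
    print("users/server at 12k tokens x6:", exchange_users_per_server(12000, 6))
    print("users/server at 4k tokens x6:", exchange_users_per_server(4000, 6))
```

At the 12k default the worst-case fit is 270 domain-local groups, which lines up with the "around 250 groups" rule of thumb above, and each additional 4k buys roughly 100 more in this formula (Matt's 80 is a more conservative figure). The Exchange numbers show why raising MaxTokenSize is not free: 12k tokens at six per user leave room for roughly 2,100 users in the paged-pool budget versus roughly 6,500 at 4k.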