Re: [ActiveDir] Macs, LDAP Source
Douglas:

I have ~100 10.3.3/5 boxes/users authenticating against AD. Their home dirs are hosted on a w2k3 server and mount upon login. The authentication method is kerberos. Nothing needs to be configured on the client side other than the AD plug-in.

See: http://www.macdevcenter.com/pub/a/mac/2003/12/09/active_directory.html

specifically:

Best Of Class Single Sign-On support: Because of its automatic kerberos configuration (on joining the domain, a Kerberos configuration file is generated for the domain in question) users that have signed into a domain do not have to re-authenticate in order to mount shares from other member servers in the domain.

confusion: http://www.afp548.com/articles/system/adplugin.html makes it seem like you need to do something else (specifically step #5) to get this to work but this doesn't seem to apply (at least in my environ.).

hth,
john

Douglas M. Long wrote:

Yes, I agree, 10.3 is much easier, although in a 2k3 environment you will have problems mounting home drives on a 2k3 server because the mac samba client only uses plain text passwords (whereas 2k3 disallows this by default). You can either allow it, which I wouldn't suggest, or mount your home drives on a machine other than 2k3. There is some speculation that 10.3.6 has some improvements in the way samba authenticates, but it has not been confirmed yet. 10.3.6 is supposed to be out sometime within the next 30 days, if I remember correctly. If you do figure out how to mount home drives on a 2k3 file server with kerberos please let us know.

From: [EMAIL PROTECTED] on behalf of Depp, Dennis M.
Sent: Fri 10/15/2004 7:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Macs, LDAP Source

Brian,

You might want to look at upgrading to 10.3. Apple has improved on the AD info for 10.3. I've played with it a bit, but not enough to know if the fault tolerance is there or not.

Denny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, October 14, 2004 10:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Macs, LDAP Source

My asst managed to get OS X 10.2.SomeInt to authenticate to the AD here. I typed in my username and password and it was just as fast as logging in from an nt class box. Aside from the various implementation issues on the mac side, I have this dilemma:

The Macs are not actually AD aware - they just need an LDAP source. I could buy this cool program called ADmitMac which creates domain accounts for the Macs and emulates an NT box as far as user mgmt goes on the Mac. Cool, but, the quote was nearly as much as I paid for the OS X licenses.

So, anyway, the mac needs an explicit dns hostname for ldap. I could give it one DC, but, if that DC goes down, all my macs are F'ed. So, what I did is set up a round-robin with all the DCs in the site the macs are located in.

I'm not totally satisfied with this workaround. It just seems sort of half-ass to me. It requires a certain degree of management, and if one of the DCs is down, a portion of the macs will need to be rebooted until they receive a referral from the DNS server in an order which includes a working DC first.

Whilst I am not totally happy 100% with this solution, I don't have a better idea - anybody? I remember hearing about NLB for LDAP, which I think might do the trick, I've never used MS NLB - does it apply to this situation?

Thanks.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
John Singler
Systems Administrator
School of Veterinary Medicine, University of Pennsylvania
3800 Spruce Street
Philadelphia, PA 19104-6044
ph: 215.573.6525
fx: 215.573.8777
RE: [ActiveDir] Macs, LDAP Source
Yes, I agree, 10.3 is much easier, although in a 2k3 environment you will have problems mounting home drives on a 2k3 server because the mac samba client only uses plain text passwords (whereas 2k3 disallows this by default). You can either allow it, which I wouldn't suggest, or mount your home drives on a machine other than 2k3. There is some speculation that 10.3.6 has some improvements in the way samba authenticates, but it has not been confirmed yet. 10.3.6 is supposed to be out sometime within the next 30 days, if I remember correctly. If you do figure out how to mount home drives on a 2k3 file server with kerberos please let us know.
RE: [ActiveDir] Macs, LDAP Source
Brian,

You might want to look at upgrading to 10.3. Apple has improved on the AD info for 10.3. I've played with it a bit, but not enough to know if the fault tolerance is there or not.

Denny
RE: [ActiveDir] Macs, LDAP Source
Just use the DNS name of your domain as the LDAP server. If you are using Microsoft DNS servers, they will sort the response so that DCs in the same subnet as the mac will be first in response.
RE: [ActiveDir] Macs, LDAP Source
So aside from 10.3 any other ideas? OS X seats are more expensive than what I pay for a Windows seat w/ MSO2003, Exchange CAL, etc.

Thanks.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
RE: [ActiveDir] Macs, LDAP Source
10.3 added a new AD-aware client side user auth protocol. I'm not expert, but I have set it up. The fact that I set it up in about 5 mins is a sign that it isn't hard to use.

http://www.apple.com/macosx/features/security/

I'd give it a try. 10.3.3 I think is the latest.

~Eric
RE: [ActiveDir] MACS
Thanks Guys.

-Original Message-
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: 02 June 2004 17:23
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

I just checked with the PM to see if it aligns with my understanding. At this point no decision has been made. It's still TBD.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, May 28, 2004 11:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

It was announced at TechEd (although it's second-hand information from one of our PMs; I wasn't at that session.)

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, May 28, 2004 11:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

Where did you hear that? Last I heard in the beta group it was to be included in the next 2K/2003 SP's but I am not as well connected as you are :-]

Maybe ~eric can answer G

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, May 28, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

And, as I understand it, it is not going to be a free download or Resource Kit component any more. MSFT is going to charge for it.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, May 28, 2004 11:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

Anyone know where MS are with MACS now?

MACS is now called The Microsoft Windows Audit Collection Services (ACS). Release Candidate 1 became available to beta testers at the end of April.

ACS Release Candidate changes include:
1) Simplified and updated database schema
2) Updated communications protocol
3) Complete support for SSL/TLS authentication
4) Improved performance scalability
5) Improved setup experience
6) Improved security (on Windows XP and Windows Server 2003, ACS runs as NetworkService)
7) Improved manageability
8) Database included
9) Many quality stability improvements

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Friday, May 28, 2004 6:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MACS

Anyone know where MS are with MACS now?
RE: [ActiveDir] MACS
I just checked with the PM to see if it aligns with my understanding. At this point no decision has been made. It's still TBD.
RE: [ActiveDir] MACS
That was the impression I got too, when looking through the ACS slides (wasn't at the session either): here's what it says on some slides

* ACS will ship with MOM management pack
* ACS is a Windows platform technology - not a complete solution
* ACS is specifically focused on security event collection in high-security environments
* MOM 2005 management pack provides a front-end to ACS
* ACS provides open interfaces for 3rd party extension [MOM not a requirement]

and

* Release - TBD (probably pretty soon)
* Licensing - TBD

=> so I'm currently not sure if you basically buy the MOM mgmt pack to get ACS, or vice-versa. But they still seem to be working on the licensing, which would suggest it's not for free. But at least you don't NEED MOM for it.

/Guido
RE: [ActiveDir] MACS
Anyone know where MS are with MACS now?

MACS is now called The Microsoft Windows Audit Collection Services (ACS). Release Candidate 1 became available to beta testers at the end of April.

ACS Release Candidate changes include:
1) Simplified and updated database schema
2) Updated communications protocol
3) Complete support for SSL/TLS authentication
4) Improved performance scalability
5) Improved setup experience
6) Improved security (on Windows XP and Windows Server 2003, ACS runs as NetworkService)
7) Improved manageability
8) Database included
9) Many quality stability improvements
RE: [ActiveDir] MACS
And, as I understand it, it is not going to be a free download or Resource Kit component any more. MSFT is going to charge for it.

-gil
RE: [ActiveDir] MACS
Where did you hear that? Last I heard in the beta group it was to be included in the next 2K/2003 SP's but I am not as well connected as you are :-]

Maybe ~eric can answer G
RE: [ActiveDir] MACS
is there a beta/preview of it for lab testing?

Yes there is a Preview Release Beta Program, I got in on it in June 02. My TAM had me fill out a nomination form. I don't know if they are still accepting new participants or not.

From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 12:46 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MACS

Sounds like MACS does some things certain unnamed products do at a much higher fee. It'd be nice to do some testing and evaluation of it to be ready to go live when the SP1 comes out - is there a beta/preview of it for lab testing? SP1 is not due for some time yet, right?

Rich

From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 2:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 Security Log Rights

possible, but not without leaving tracks, as MACS will

1. Detect gaps in the data transmitted from the agent to the collector (which is usually a different machine) and alerts the auditor
2. Signs and encrypts communication between the agent and the collector to ensure that information that is received has not been tampered with
3. Disallows local editing of agent configuration as by default the configuration of the agent can only be modified by the collector

/Guido

From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, 8 January 2004 03:01
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 Security Log Rights

But in the meanwhile, if you grant access to the security logs the person with the access can also clear the security log or write security log entries.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, January 07, 2004 5:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 Security Log Rights

That's where something like MACS comes in (MS Audit Collector Service) - should be available shortly after SP1 for 2003 (but will also collect security logs from 2000 machines). Your auditor will then be able to access all collected security event logs from a central database (makes analysis much easier as well). And you don't need to grant them any special rights either.

/Guido

From: Burkes, Jeremy [contractor] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 7 January 2004 18:14
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2000 Security Log Rights

Okay everyone, probably a stupid question but here it goes. We have a user who has some rights to domain controllers but not full administrative rights. We want this user to be able to view only the security log. Is there a way to provide just view only rights to the security log? I am assuming this is not possible since it would be in the same section where you find managing auditing and security log in group policy under computer configuration\windows settings\security settings\local policies\user right assignments. But I just wanted to check to see if you guys knew anything different. TIA.

Jeremy

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
RE: [ActiveDir] MACS
MACS is in Beta and AFAIK Microsoft is still accepting Beta customers.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, January 08, 2004 1:46 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MACS

Sounds like MACS does some things certain unnamed products do at a much higher fee. It'd be nice to do some testing and evaluation of it to be ready to go live when the SP1 comes out - is there a beta/preview of it for lab testing? SP1 is not due for some time yet, right?

Rich

From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 2:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 Security Log Rights

possible, but not without leaving tracks, as MACS will

1. Detect gaps in the data transmitted from the agent to the collector (which is usually a different machine) and alerts the auditor
2. Signs and encrypts communication between the agent and the collector to ensure that information that is received has not been tampered with
3. Disallows local editing of agent configuration as by default the configuration of the agent can only be modified by the collector

/Guido

From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, 8 January 2004 03:01
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 Security Log Rights

But in the meanwhile, if you grant access to the security logs the person with the access can also clear the security log or write security log entries.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, January 07, 2004 5:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 Security Log Rights

That's where something like MACS comes in (MS Audit Collector Service) - should be available shortly after SP1 for 2003 (but will also collect security logs from 2000 machines). Your auditor will then be able to access all collected security event logs from a central database (makes analysis much easier as well). And you don't need to grant them any special rights either.

/Guido

From: Burkes, Jeremy [contractor] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 7 January 2004 18:14
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2000 Security Log Rights

Okay everyone, probably a stupid question but here it goes. We have a user who has some rights to domain controllers but not full administrative rights. We want this user to be able to view only the security log. Is there a way to provide just view only rights to the security log? I am assuming this is not possible since it would be in the same section where you find managing auditing and security log in group policy under computer configuration\windows settings\security settings\local policies\user right assignments. But I just wanted to check to see if you guys knew anything different. TIA.

Jeremy
RE: [ActiveDir] MACS
At this time they are not accepting any more applications. You can always try to appeal through your TAM though :)

/Siddharth

On Thu, 8 Jan 2004, Free, Bob wrote:

is there a beta/preview of it for lab testing?

Yes there is a Preview Release Beta Program, I got in on it in June 02. My TAM had me fill out a nomination form. I don't know if they are still accepting new participants or not.

From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 12:46 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MACS

Sounds like MACS does some things certain unnamed products do at a much higher fee. It'd be nice to do some testing and evaluation of it to be ready to go live when the SP1 comes out - is there a beta/preview of it for lab testing? SP1 is not due for some time yet, right?

Rich

From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 2:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 Security Log Rights

possible, but not without leaving tracks, as MACS will

1. Detect gaps in the data transmitted from the agent to the collector (which is usually a different machine) and alerts the auditor
2. Signs and encrypts communication between the agent and the collector to ensure that information that is received has not been tampered with
3. Disallows local editing of agent configuration as by default the configuration of the agent can only be modified by the collector

/Guido

From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, 8 January 2004 03:01
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 Security Log Rights

But in the meanwhile, if you grant access to the security logs the person with the access can also clear the security log or write security log entries.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, January 07, 2004 5:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 Security Log Rights

That's where something like MACS comes in (MS Audit Collector Service) - should be available shortly after SP1 for 2003 (but will also collect security logs from 2000 machines). Your auditor will then be able to access all collected security event logs from a central database (makes analysis much easier as well). And you don't need to grant them any special rights either.

/Guido

From: Burkes, Jeremy [contractor] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 7 January 2004 18:14
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2000 Security Log Rights

Okay everyone, probably a stupid question but here it goes. We have a user who has some rights to domain controllers but not full administrative rights. We want this user to be able to view only the security log. Is there a way to provide just view only rights to the security log? I am assuming this is not possible since it would be in the same section where you find managing auditing and security log in group policy under computer configuration\windows settings\security settings\local policies\user right assignments. But I just wanted to check to see if you guys knew anything different. TIA.

Jeremy
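Added example, not part of the thread and not MACS code: a minimal agent/collector sketch of the first two properties listed for MACS above (gap detection and tamper-evident transport). The thread does not describe MACS's wire format, so a per-agent sequence counter and HMAC-SHA256 over a shared key stand in for it here; encryption is left out, and sign_record, collect, demo and AGENT_KEY are hypothetical names.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): a real deployment provisions a per-agent secret.
AGENT_KEY = b"constructed-demo-key"

def sign_record(seq, event, key=AGENT_KEY):
    """Agent side: bind a sequence number to the event and tag both with HMAC-SHA256."""
    body = json.dumps({"seq": seq, "event": event}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def collect(records, key=AGENT_KEY, expected_seq=1):
    """Collector side: verify each tag, then require contiguous sequence numbers.

    Returns (accepted_events, alerts); the alerts are what the auditor would see.
    """
    accepted, alerts = [], []
    for rec in records:
        want = hmac.new(key, rec["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, rec["tag"]):
            alerts.append(("tampered", expected_seq))
            continue  # unauthenticated data is dropped; its seq field is not trusted
        msg = json.loads(rec["body"])
        if msg["seq"] < expected_seq:
            alerts.append(("replayed", msg["seq"]))
            continue
        if msg["seq"] > expected_seq:
            # Records expected_seq .. seq-1 never arrived intact.
            alerts.append(("gap", expected_seq, msg["seq"] - 1))
        accepted.append(msg["event"])
        expected_seq = msg["seq"] + 1
    return accepted, alerts

# Constructed sample stream: five events from one agent.
stream = [sign_record(i, f"event {i}") for i in range(1, 6)]

def demo():
    """Drop record 3 in transit and alter record 1 after it was signed."""
    damaged = [dict(r) for r in stream]
    del damaged[2]
    damaged[0]["body"] = damaged[0]["body"].replace("event 1", "event X")
    return collect(damaged)

if __name__ == "__main__":
    print(collect(stream))
    print(demo())
```

Because the altered record is rejected before its sequence number is read, it also surfaces as a gap, so local deletion or editing between agent and collector leaves a visible trace either way.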