[ActiveDir] Sorta OT: Looking for a reference to System, FRS, DNS, NTDS, and Application Event ID's.

2006-05-24 Thread Myrick, Todd (NIH/CC/DNA) [E]
Hey all, I am looking for a good reference for Event IDs for the event logs listed above. I seem to be able to find quite a number for Security Logs these days and some bits and pieces here and there about the FRS and NTDS. I am familiar with EventID.net and other sites for

RE: [ActiveDir] view only rights on ADI DNS Zone

2006-05-24 Thread Myrick, Todd (NIH/CC/DNA) [E]
I was able to get a nice list of sources from EventcombMT. So that will get me started, but if anyone has a good source with event IDs that would be cool. Todd From: Al Mulnick [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 24, 2006 9:27 AM To: ActiveDir@mail.activedir.org

RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Myrick, Todd (NIH/CC/DNA) [E]
You all knew I had to weigh in on this subject. First some reading on the subject is found here. I think this is what the initial request for information was for. You might also want to reference the article on lucents site she points out for what happens when you remove EA from a child

[ActiveDir] Domain Local Group vs Global Security Group for Delegated Permissions in AD

2006-04-19 Thread Myrick, Todd (NIH/CC/DNA) [E]
Quick Question, I was teaching a class the other day when the question came up about what group scope should you use for delegated permissions of an OU. I was teaching an earlier class where I explained how to use Domain Local Groups on Files Shares and Printers to centralize management of these

RE: [ActiveDir] Domain Local Group vs Global Security Group for Delegated Permissions in AD

2006-04-19 Thread Myrick, Todd (NIH/CC/DNA) [E]
directly, but the ACLs start getting messy very quickly. Better to at least aggregate all of those into a single group to keep the ACLs clean. Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E] Sent: Wednesday, April 19, 2006 11

[ActiveDir] Windows 2003 Server R2 Schema extensions Question

2006-04-17 Thread Myrick, Todd (NIH/CC/DNA) [E]
Title: RE: [ActiveDir] User Accounts What are the features of Windows 2003 Server R2 that require the new AD schema extensions in order to be used in a mixed 2000, 2003, 2003 R2 environment. Specifically I am concerned about the clustering, and new enterprise printing functions and

RE: [ActiveDir] Communication across a trust...with firewalls

2006-03-15 Thread Myrick, Todd (NIH/CC/DNA) [E]
]On Behalf Of Myrick, Todd (NIH/CC/DNA) [E] Sent: Tuesday, March 14, 2006 2:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Communication across a trust...with firewalls You might also want to investigate if you are using TCP or UDP packets with your authentication request. By default

RE: [ActiveDir] Communication across a trust...with firewalls

2006-03-14 Thread Myrick, Todd (NIH/CC/DNA) [E]
You might also want to investigate if you are using TCP or UDP packets with your authentication request. By default Kerberos uses UDP, so a lot of firewalls will fragment the packets and cause authentication issues. Todd Myrick From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] OT: Netlogon Service

2006-03-10 Thread Myrick, Todd (NIH/CC/DNA) [E]
Run a portqry on ports 1024 and 1025 from the host to your DC's and from the server to the workstation to see if you get blocked responses. I have seen it where Firewall and router jockeys like to block these ports because they are known ports that viruses use. The problem is the MS RPC

[ActiveDir] Technet Magazine Active Directory Component Jigsaw

2006-03-08 Thread Myrick, Todd (NIH/CC/DNA) [E]
http://www.microsoft.com/technet/technetmag/ Someone in my office just gave me a copy of this free magazine, and it came with the really neat insert called the Active Directory Component Jigsaw. It is a wall hanging that outlines all the AD process graphically. I will try to scan it

RE: [ActiveDir] Technet Magazine Active Directory Component Jigsaw

2006-03-08 Thread Myrick, Todd (NIH/CC/DNA) [E]
Active Directory Component Jigsaw Subscriptions are free -to those in the U.S. only :( From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E] Sent: 08 March 2006 16:00 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Technet Magazine Active

RE: [ActiveDir] Automatically generated replication links

2006-03-08 Thread Myrick, Todd (NIH/CC/DNA) [E]
You might try establishing a Preferred Bridgehead server at the hub and spoke sites (Probably 2 is good), that should allow you to control who is chosen for replication COs. Also you might also consider DNS record weights if you would like to lower the priority of the DCs running DDNS for

[ActiveDir] Vista GPO article

2006-03-08 Thread Myrick, Todd (NIH/CC/DNA) [E]
http://www.windowsdevcenter.com/pub/a/windows/2006/03/07/group-policy-in-windows-vista.html Pretty good article, Todd Myrick List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive:

RE: [ActiveDir] Technet Magazine Active Directory Component Jigsaw

2006-03-08 Thread Myrick, Todd (NIH/CC/DNA) [E]
and have already made a scan into JPG format of it. Contact me off list if you are interested. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E] Sent: Wednesday, March 08, 2006 11:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Technet

RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
To add my 2 cents. Add Anti-virus and Anti-Spyware detection. Configure and backup your event logs. At remote sites, I would recommend collecting the event logs on a faster rotation. Add monitoring, You want to monitor account lockout events and have notification

RE: [ActiveDir] AD Lag Sites

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
(NIH/CC/DNA) [E] [EMAIL PROTECTED] wrote: Agreed. Not a big fan of the Lag-Site, I think it potentially has the ability to create more problems. At least MS added some limited functionality in 2003, now if they would just finish the job in Vista this topic might go to rest. (Are you

RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
) And if you do a/v ensure that the needed folders and files are excluded (see prior posts in this forum about the KB articles regarding how to set up a/v on a domain controller and Exchange servers) Myrick, Todd (NIH/CC/DNA) [E] wrote: To add my 2 cents. 1. Add Anti-virus and Anti-Spyware detection

RE: [ActiveDir] AD - What to monitor?

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
Things I like to know about. Administration Events OU creations/deletions/mods Critical Security Group Modifications GPO Creation/deletion/mods and Linking Domain Administrator Logins and from where Password changes on critical accounts Domain Activities Got one word for you Replication!

RE: [ActiveDir] AD Lag Sites

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Myrick, Todd (NIH/CC/DNA) [E] Sent: Mon 3/6/2006 10:36 AM To: ActiveDir

RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
That is interesting Who established the forest? Cause if it was them, they have issues. If it was you all, then just do a AD Clean-up operation and remove the domain and domain controllers from your directory. Also be prepared to hear from them soon... :) Todd Myrick

RE: [ActiveDir] There must be an easier way...

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
Brian, I never did this, but I guess I should try it if one domain tree established the forest, another domain tree is added, but then the initial tree is removed won't that cause problems for the other domain tree, even if they clean up the forest and seize the FSMO roles. The

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Myrick, Todd (NIH/CC/DNA) [E]
Agreed. Not a big fan of the Lag-Site, I think it potentially has the ability to create more problems. At least MS added some limited functionality in 2003, now if they would just finish the job in Vista this topic might go to rest. (Are you there Stewart?) I do see value in Creative

RE: [ActiveDir] OT: Gauging AD experience

2006-01-24 Thread Myrick, Todd (NIH/CC/DNA) [E]
could see propagation time becoming longer and longer. So, when I see Brian mention rate-limit commands for cisco, I chuckle. :*) (Brian nothing wrong with rate-limit, just a cross-reference in my mind) -- Kamlesh On 1/21/06, Myrick, Todd (NIH/CC/DNA) [E

RE: [ActiveDir] OT: Gauging AD experience

2006-01-24 Thread Myrick, Todd (NIH/CC/DNA) [E]
But at least you're not bitter... -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E] Sent: Friday, January 20, 2006 12:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Gauging AD experience In my experience, when good

RE: [ActiveDir] OT: speaking of AD books...

2006-01-24 Thread Myrick, Todd (NIH/CC/DNA) [E]
Got one word for you... Interns There are so many people trying to get into this field, you should be able to hire a couple for a nominal fee to gain experience. Granted you could create twice as much work, but the payoffs could be extra time off, and being able to do things you rather do than

RE: [ActiveDir] OT: Gauging AD experience

2006-01-20 Thread Myrick, Todd (NIH/CC/DNA) [E]
In my experience, when good directories go bad, it is usually due to three things. Firewalls Firewalls Did I list firewalls? Runner ups would be ADC for Exchange, Clowns posing as Administrators, Clowns posing as DNS experts, Clowns posing as Security experts, and no disaster

RE: [ActiveDir] Biggest AD Gripes

2005-08-04 Thread Myrick, Todd (NIH/CC/DNA)
I am not a big fan of having to use the registry editor to set fixed RPC ports. It would be nice if during the DCPROMO process you could set the ports within the GUI or Script. Recently I have been using GPO's to make the settings changes. A nicer tool for deleting orphan/linger objects would

[ActiveDir] Domain DFS Roots hosted on DC

2005-08-03 Thread Myrick, Todd (NIH/CC/DNA)
Hey all, Have a quick question about Domain DFS roots. If you have about 3000 users, do you recommend hosting the DFS root on DCs or having dedicated boxes to host the Domain DFS roots? Since the root is mainly just doing referrals, my thought is that as long as you have

RE: [ActiveDir] Domain DFS Roots hosted on DC

2005-08-03 Thread Myrick, Todd (NIH/CC/DNA)
] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: 03 August 2005 12:23 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Domain DFS Roots hosted on DC Hey all, Have a quick question about Domain DFS roots. If you have about 3000 users, do you recommend hosting the DFS root on DC's

RE: [ActiveDir] Multiple Domain Trees in a Single Forest

2005-08-01 Thread Myrick, Todd (NIH/CC/DNA)
Agreed, It would help if the technology was a little less open ended and required some fail safes to be bypassed in order to establish a design that is not optimal or has potential for long term consequences. If MS would put warnings within the wizards and require checkboxes to be

RE: [ActiveDir] Password Policy and Child Domain

2005-08-01 Thread Myrick, Todd (NIH/CC/DNA)
Domain password policies are only set at the domain level. You can't set them at the forest or site level. You can over-ride the domain policy for password policy on Workstations and Member Servers in the Domain, but you will have to house them in an OU. Todd From: Piper,

RE: [ActiveDir] Chris Ryan is out of the office.

2005-08-01 Thread Myrick, Todd (NIH/CC/DNA)
This is good to know, I will update my calendar.. :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, August 01, 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Chris Ryan is out of the office. I will be out of the office

RE: [ActiveDir] Password Policy and Child Domain

2005-08-01 Thread Myrick, Todd (NIH/CC/DNA)
or simply reboot your DC to make sure these changes are made. Then create one user account and set a password of 6 characters. That would be worked. Cheers, Yann De: [EMAIL PROTECTED] de la part de Myrick, Todd (NIH/CC/DNA) Date: lun. 01/08/2005 16:15 À: ActiveDir

RE: [ActiveDir] Multiple Domain Trees in a Single Forest

2005-07-31 Thread Myrick, Todd (NIH/CC/DNA)
Speaking from Experience. I agree with Guido and Joe The AD Architecture at my organization does use the place holder domain, and also has multiple trees. The justification back in 2000 was that several of the organizations wanted the Enterprise roles separated and hidden as best as possible

RE: [ActiveDir] OT: new job

2005-07-26 Thread Myrick, Todd (NIH/CC/DNA)
Title: RE: [ActiveDir] OT: new job One thing we do is a Public Folder system. Each Server gets a PF, and an email address assigned to the server. I create a subfolder for alerts. The idea is when I make changes to the server, I will send an email to the team and cc the server PF in the

RE: [ActiveDir] OT: new job

2005-07-26 Thread Myrick, Todd (NIH/CC/DNA)
. -Original Message- From: Myrick, Todd (NIH/CC/DNA) [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 26, 2005 7:51 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: new job One thing we do is a Public Folder system. Each Server gets a PF, and an email address assigned to the server

RE: [ActiveDir] OT: new job

2005-07-25 Thread Myrick, Todd (NIH/CC/DNA)
Since I work for the Government, I am all about not taking risk with my employment :) Since you are going to be entering into a sticky situation, I would ask myself the following questions. Why does the company want to cut their ties with outsourcer? Are they unhappy with the SLA? Is it costing

RE: [ActiveDir] OT: Virtual Server mailing lists?

2005-07-22 Thread Myrick, Todd (NIH/CC/DNA)
I would just go to their website and join the VMTN. You can setup threads to notify you if you want. They also have an NNTP server, but I think their portal is much better. You can also create one of your own using MSN, Yahoo, or Google groups. Toddler From: [EMAIL PROTECTED]

OT: [ActiveDir] Active Directory/Windows Architecture Enterprise Architects

2005-07-21 Thread Myrick, Todd (NIH/CC/DNA)
Well if stuff like this keeps happening, http://www.msnbc.msn.com/id/8655541/ They are probably going to need more IT people to keep an eye out on all those crazies. I hope they catch the clowns that keep doing this. Toddler From: Tony Murray [mailto:[EMAIL PROTECTED]

[ActiveDir] DFS Client for Mac and UNIX

2005-07-14 Thread Myrick, Todd (NIH/CC/DNA)
Hey All, Been a while... Got a problem. I am being tasked to work on an automated provisioning system for network resources. Obviously AD will be the security provider HUB. I would also like to be able to use DFS as the HUB for access to shared network data. The problem is that we have a large

RE: [ActiveDir] DFS Client for Mac and UNIX

2005-07-14 Thread Myrick, Todd (NIH/CC/DNA)
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: 14 July 2005 11:51 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DFS Client for Mac and UNIX Hey All, Been a while... Got a problem. I am being tasked to work on an automated provisioning system

RE: [ActiveDir] DFS Client for Mac and UNIX

2005-07-14 Thread Myrick, Todd (NIH/CC/DNA)
a note to see if they can be helpful here. Possibly this one for Mac users (if the above doesn't help) http://www.thursby.com/products/dave.html My $0.04 anyway. Al From: [EMAIL PROTECTED] on behalf of Myrick, Todd (NIH/CC/DNA) Sent: Thu 7/14/2005

RE: [ActiveDir] _msdcs question

2005-06-02 Thread Myrick, Todd (NIH/CC/DNA)
Okay time to weigh in here. You don't need WINS to establish the trust in my experience. You do need connectivity though, if your trust is going through a firewall you might encounter UDP fragmentation, port blocking, etc ... so you will want to force the use of TCP protocol on your DC's for

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-23 Thread Myrick, Todd (NIH/CC/DNA)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: Friday, May 20, 2005 11:59 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD DR - replication lag siteWhy? I disagree that Lag sites

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-21 Thread Myrick, Todd (NIH/CC/DNA)
- regardless of those that have supported you in the past. Hopefully then - we can put this behind us. Me, I'll keep doing what has been successful for me for two years, thank you. -rtk _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: Friday, May

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-21 Thread Myrick, Todd (NIH/CC/DNA)
Instead of Lag Site, we do have a site and domain dedicated to Root operations. I think of this as the Quarterback strategy. Don't let it get sacked. We have two DC's dedicated to Root AD functions in their own namespace. The Enterprise functions are Schema extension, forest Security

RE: [ActiveDir] AD DR - replication lag site----Why not?

2005-05-20 Thread Myrick, Todd (NIH/CC/DNA)
Of Myrick, Todd (NIH/CC/DNA) Sent: Thursday, May 19, 2005 8:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD DR - replication lag siteWhy? Is it cheaper and more efficient to go the replication lag site route than buy a proper backup and object level restore solution

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-20 Thread Myrick, Todd (NIH/CC/DNA)
happens just before a lag site happens to replicate. Someone detailed this earlier, and it's a good note! Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] ] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: Thursday, May 19, 2005 6:34 AM

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-19 Thread Myrick, Todd (NIH/CC/DNA)
Is it cheaper and more efficient to go the replication lag site route than buy a proper backup and object level restore solution? I mean not to toot a vendor's horn, but Quest recovery manager turns the process of restoring objects into a 15 minute click click operation. I would hate to think

RE: [ActiveDir] Bridgehead in a single-server site

2005-03-29 Thread Myrick, Todd (NIH/CC/DNA)
There are two reasons why you select preferred BHS. 1. You have some security / political requirement to direct traffic to a particular server. (Firewall, Core service DC vs child domain). 2. You don't want the other servers to be targets as BHS. (Underpowered box, etc.) Todd Myrick

RE: [ActiveDir] Bridgehead in a single-server site

2005-03-29 Thread Myrick, Todd (NIH/CC/DNA)
anymore. Thanks again! -DaveC Reuters CIO Infrastructure -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: Tuesday, March 29, 2005 6:54 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Bridgehead in a single-server

RE: [ActiveDir] Accounts disappearing from AD

2005-03-29 Thread Myrick, Todd (NIH/CC/DNA)
You might want to check for Event ID 630 on all your DCs using eventcmb. Here is a good article that lists all the Event IDs for specific account operations. http://www.rippletech.com/PDF/New/SOX/Auditing%20Best%20Practices.pdf If you aren't backing up your security event logs on your

RE: [ActiveDir] AD Site Confusion

2005-03-29 Thread Myrick, Todd (NIH/CC/DNA)
Interesting tagline I prefer Netdom query trust Toddler -Original Message- From: Matt Brown [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 29, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Site Confusion All 3 of my sites (A,B,C) have GC in them and

RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-24 Thread Myrick, Todd (NIH/CC/DNA)
Title: Message IS Spam Filtering a possible cause? Todd From: joe [mailto:[EMAIL PROTECTED] Sent: Thursday, March 24, 2005 10:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2 That is exactly

RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-24 Thread Myrick, Todd (NIH/CC/DNA)
for this thread... :o) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: Thursday, March 24, 2005 11:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2 IS Spam Filtering

RE: [ActiveDir] GPO not taking effect.

2005-03-16 Thread Myrick, Todd (NIH/CC/DNA)
http://redmondmag.com/features/article.asp?EditorialsID=222 Use this article to help you troubleshoot the issue. I would also make sure the DC and ping the host, and make sure none of the IP ports are blocked. Thanks, Todd -Original Message- From: Umer Y. [mailto:[EMAIL PROTECTED]

RE: [ActiveDir] deny internet

2005-03-09 Thread Myrick, Todd (NIH/CC/DNA)
Yeah this is the best way to control it IMHO. -Original Message- From: Boswell, Richard [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 09, 2005 11:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] deny internet Just use IPSec filters --

RE: [ActiveDir] Problem: Limit Domain Admins and Administrators

2005-03-09 Thread Myrick, Todd (NIH/CC/DNA)
How about using a GPOs restricted group feature and only granting Enterprise Administrators the ability to manage that GPO. You could set that on the Site Level (Although I am not a big fan of Site level GPOs) Todd Myrick MVP From: Ruston, Neil [mailto:[EMAIL PROTECTED]

RE: [ActiveDir] Can I set power options through Group Policy?

2005-03-09 Thread Myrick, Todd (NIH/CC/DNA)
By default I don't believe so. There are some published ways to control power on PCs using a GPO, You will have to search for them; I would check out the EPA's website. Also some of the third-party GPO companies have solutions. I know for a fact Desktop Standard has one. You might also check

[ActiveDir] FW: Delivery failure

2005-03-09 Thread Myrick, Todd (NIH/CC/DNA)
Is everyone getting these messages? If so, is there a way to unsubscribe this guy from the list? Thanks, Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: None To: Myrick, Todd (NIH/CC/DNA) Subject: Delivery failure Message from yahoo.com. Unable

RE: [ActiveDir] Changing Prompt user to change password before expiration notification

2005-03-08 Thread Myrick, Todd (NIH/CC/DNA)
We did something here for our MAC users that using BV-Control, and some sort of scripting notification process. I am sure you could use any decent reporting tool to generate the list of possible expired accounts, and then a CLI mail tool like postie to send out notification. You can also try to

RE: [ActiveDir] Active Directory and LDAP

2005-03-07 Thread Myrick, Todd (NIH/CC/DNA)
One sorta word for you Gil... PDF Toddler -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Monday, March 07, 2005 12:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory and LDAP Stella has been scrounging the dusty antiquarian

RE: [ActiveDir] worm/bot issues

2005-03-02 Thread Myrick, Todd (NIH/CC/DNA)
Sounds like a Job for GPO's, and IPSEC Filters. Use the GPO's to enforce Account Policies, and to set local admin passwords. 3rd Party - ADD-ons to GPO's give you even more power to control configurations as well. Like the ability to push certain files to machines. Use the IPSEC Filter to only

RE: [ActiveDir] Problem in account lockout duration !!

2005-03-02 Thread Myrick, Todd (NIH/CC/DNA)
Account Policy for users can only be set at the domain level. I believe it is possible to set Local Account Policy on groups of Workstations and servers via GPO, but all domain credentials will use the domain account policy. Thanks, Todd Myrick From: Senthil Kumar

RE: [ActiveDir] DEC questions

2005-03-01 Thread Myrick, Todd (NIH/CC/DNA)
Title: Message It is a big meeting of AD experts with a guy holding a rubber chicken leading the discussions. Todd From: Ken Cornetet [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 01, 2005 8:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DEC questions

RE: [ActiveDir] The missing fields

2005-03-01 Thread Myrick, Todd (NIH/CC/DNA)
For a cost conscious and hands on types, Joe's tools and Robbie Allen's scripts are the best value. I am a Buy-Guy though, and for bulk administration, and delegation of bulk administration to those that are not that AD Savvy, I like AD Toolkit http://www.javelinasoftware.com AD Toolkit offers

RE: [ActiveDir] The missing fields

2005-03-01 Thread Myrick, Todd (NIH/CC/DNA)
. :) joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: Tuesday, March 01, 2005 11:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] The missing fields For a cost conscious and hands on types, Joe's tools

RE: [ActiveDir] The missing fields

2005-03-01 Thread Myrick, Todd (NIH/CC/DNA)
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: Tuesday, March 01, 2005 11:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] The missing fields For a cost conscious and hands on types, Joe's tools

RE: [ActiveDir] Integrated Primary DNS Auditing

2005-03-01 Thread Myrick, Todd (NIH/CC/DNA)
I think dynamically registered records are tagged with the system, manually modified are tagged using the admins ID. (I am using my rusty memory for this reference, so you will want to test my theory). Also you might have to turn up the AD logging to get the info you are looking for. All

RE: [ActiveDir] DEC questions

2005-03-01 Thread Myrick, Todd (NIH/CC/DNA)
| --- ---| is there some way to win that rubber chicken? ;-)) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: Tuesday, March 01, 2005 14:55 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DEC

RE: [ActiveDir] Win 2003 DC behind firewall

2005-02-28 Thread Myrick, Todd (NIH/CC/DNA)
I think you might want to investigate using a VPN to connect your DC to the other DC's. http://infosecuritymag.techtarget.com/2003/mar/surgeongeneral.shtml http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/depovg/advpnddd.mspx Couple words of

RE: [ActiveDir] AD User Export and Import

2005-02-28 Thread Myrick, Todd (NIH/CC/DNA)
You might look at the AD toolkit from www.javelinasoftware.com if you want to manually do it. Quest / Aelita have a tool called collaboration services that syncs GALs. http://wm.quest.com/products/collaborationservicesexchange/ Todd Myrick MVP Directory Services From:

RE: [ActiveDir] Unlock Workstation User Right

2005-02-28 Thread Myrick, Todd (NIH/CC/DNA)
Account Operators Local Group I think. Must use ADUC, you might have to grant permissions to the group if inheritance is blocked on some OUs. Todd Myrick From: Tim Foster [mailto:[EMAIL PROTECTED] Sent: Monday, February 28, 2005 9:08 AM To: ActiveDir@mail.activedir.org

[ActiveDir] Change the Password Error Message

2005-02-28 Thread Myrick, Todd (NIH/CC/DNA)
Is it possible to change the error message you get when you set a password to something that isn't compliant to the password policy. A couple of people on my team think it is a registry setting in NT 4. Thanks, Todd Myrick List info : http://www.activedir.org/List.aspx List FAQ:

RE: [ActiveDir] Change the Password Error Message

2005-02-28 Thread Myrick, Todd (NIH/CC/DNA)
] Change the Password Error Message Nope. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: Monday, February 28, 2005 11:03 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Change the Password Error Message

RE: [ActiveDir] Disabling Inactive Users

2005-02-23 Thread Myrick, Todd (NIH/CC/DNA)
Title: Disabling Inactive Users James, I would like to just expand a little on what Gil said about Javelina's product. http://www.Javelinasoftware.com AD Toolkit is the Hyena of reporting / bulk AD Administration tools. It is extremely useful and has the ability to schedule the execution

[ActiveDir] Extend This!

2005-02-14 Thread Myrick, Todd (NIH/CC/DNA)
Dude, I love the marketing T-shirt for your new GPO tool, how did you get that by? Todd