Define within reason. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Monday, October 10, 2005 12:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group
"Is a tool like that something people would be willing to pay for? " Affirmative Mr. joe. (Within reason of course) YMYMYM ___________________________________________________ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, October 09, 2005 11:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group Ah global won't have the issue with primary group since it used the NET* calls. However, it won't catch nesting that is disallowed in NT, those entries will be curiously absent because the NET calls don't know anything about it. If you are simply looking for any change on a group, fire a notification on the changing of the metadata or the USN or the whenChanged stamp. What would I do? The answer is of course, it depends. :o) It depends on what I perceive the risks are and the necessity for protecting things. It could be very little or it could be a lot with several cross checks. Generally, monitoring from multiple angles as well as trying to prevent the possibility of any change is the best solution in my opinion. Sort of like root kit detection, you won't know when looking at things one way, you have to look from different angles and check the shadows. If I really wanted to be sure I would have a service running on every DC that made the sure the group memberships were exactly what I wanted. These would be services that had change notifications set up for each monitored group so AD told me when the group changed versus me looking at it and seeing if something changed on some x interval. But just the same, that service would still look at some very regular very short interval just in case the change notification dorked up and I would do it using multiple interfaces. If I was REALLY being paranoid I would possibly have the service shut down the box if it detected a change being originated on it in case that one box has been somehow compromised. That service might also, for instance, look for certain known vectors and try to clean those up if detected as well. There are other things but the more you tell people about what you are doing to protect a system, the more you tell them on what they may need to do to compromise a system. Is a tool like that something people would be willing to pay for? You set it for how jittery you are about changes to some finite small number of specific groups and depending on the jittery setting it does anything from warn to correct to locking the box down dead from any more mods? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana Sent: Saturday, October 08, 2005 6:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group I'm just using the (I believe) resource kit tool global.exe to return samaccountname of users in the group. A user who has that particular group as primary still shows up. At the time my biggest concern was ANY change. There should not be any changes made to those groups at any time with out my groups knowledge. Obviously if a group (nesting) is added I'll know about it and whip out my ruler to smack someone with. As far as the restricted groups are concerned; when I first added them to the policy it worked like a charm. After some more testing I found it was taking longer than expected...more than 15 minutes. After looking at the policy I saw that I had entered "domain admins" instead of domain\domain admins. I changed it and it never worked. Changed it back to just "domain admins" and again it usually works but I recently saw a user sit in the group for an hour or so before I removed it manually. I was however notified with in a minute of the change. Like I said, it's crude but it get's what I need done. I know that I have to deal with replication time and I could hit a DC that doesn't know about the change immediately which could delay my notification by up to a few minutes, but my biggest concern at this time are certain admins that can add to the DA's group. No need to start down that road...I walked into this and am slowly cleaning up this mess. Who the hell makes a file server a DC... Now...I have to ask...how would Joe do it? ;-) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, October 08, 2005 2:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group What about people who have those groups as a primary group? 30 seconds is a long time, I could be a domain admin and have it not show in the DA member attribute in milliseconds. Also do you chase all nesting? If so how? What do you key your hash/map/associative array/dictionary on so you don't get stuck in a recursive nesting? Name? SamAccountName? Should be using DN if you aren't. When building the list of current unique members do you key off of name, samaccountname? Again, should be using DN if you aren't. The restricted groups GPO should remove a user that isn't in the list within 5 minutes on a DC. But still, in computer and hacking time, that is an eternity. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana Sent: Saturday, October 08, 2005 12:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group Call my method crude and archaic...but I have a box that just runs scripts...all day...nothing else. One of them is to do a simple dump of the domain, enterprise, and schema admins group once every 30 seconds or something and diff it against the previous run. If there's a difference I get an email. This was a 2 minute batch file I put in place because someone was added to the DA's group and decided it would be fun to try and bring up a new domain. I decided to leave it in place cause it just worked; any change to the groups and I get an email with in a few minutes. Already caught a few "mistakes". The restricted groups (which are also in place) have sat for hours and not kicked the "non-specified" user out...then again, sometimes it kicks them out right away. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, October 07, 2005 8:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group I am. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, October 07, 2005 10:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group Joe, I actually thought you were referring to the somewhat "hidden" primaryGroupID issue in your previous response. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of joe Sent: Fri 10/7/2005 6:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group You have to look at what the scripts and GPOs are actually doing in the background. For instance, gpo simply looks at the LDAP membership of a group, ditto many of the WMI scripts out there that "monitor" group membership. Not all members will be listed there. Unless those items fire at a moment that the user is listed in the member list, they may not capture the info. How long does it take to get yourself into say the domain admins group and it not be listed in the member attribute for domain admins? Maybe milliseconds? How often are the monitors and GPOs firing? Auditing can help here since it will track every change if you are willing to have the overhead of the auditing, but you have to be aware if there are any limitations in your event log scraper tool. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott Sent: Friday, October 07, 2005 4:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group Care to elaborate on what you mean by defeated? Are you suggesting that gpo's can be overridden by a local user w/o admin rights? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 06, 2005 7:28 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group Both can be defeated. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 06, 2005 2:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group Use a "restricted group" policy, or use of one Alain Lissor's (lissware.net) scripts. You can find info on either methods by searching through the archives of this list, or you could use google ... ahem ....I meant msn search :) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of Devan Pala Sent: Thu 10/6/2005 9:59 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Modifying Domain Admins & Administrators Group Hi, We have about 7 domain administrators in a particular child domain. I just found out someone added the DBA Group to part of the Administrators group in this domain. Not necessary, not required nor is it a policy. Event logs have obviously been overwritten therefore I would like to know the simplest method to avoid this scenario from ever happening again. What are my options? Thank you so much. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
