Ethereal, it's free :)
 
http://www.ethereal.com/
 
Phil

 
On 10/11/05, Rocky Habeeb <[EMAIL PROTECTED]> wrote:

[1]  Did I mention I don't even have a protocol analyzer or a Fluke
device?
_____________________________________________


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] ] On Behalf Of Rich Milburn
Sent: Tuesday, October 11, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group


Rocky, you should make the time to become familiar with a few of them,
because if you do, you'll see how useful they can be - they can save you
multiples of the time you invested into them, if you admin AD at all
(more than just adding a user and resetting a password here and there :)

-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Tuesday, October 11, 2005 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

joe,

You know this is not possible.  No one has your knowledge base!  I mean
"no one".  You're in a class by yourself.  You define the class, it's a
little bit like God.  "No one can touch you!"  Okay enough adulation.
Anyways, I would hope it would come in between $100 and $500 USD but who
knows how long it will take you to create and perfect it and I, for one,
know, unlike 99.999% of "all" software released, it will >not< have bugs
in it when it's released.  Something we can count on with joeware.

Do you know that I have downloaded most of your free tools but have not
used virtually any of them because I simply don't have the knowledge
base?  I did use a couple of them during my migration from Forest X to
Forest Y and I sure appreciated them then.

As always,

YMYMYM

Rocky

____________________________________________________



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] ] On Behalf Of joe
Sent: Monday, October 10, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group


Define within reason.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Monday, October 10, 2005 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

"Is a tool like that something people would be willing to pay for? "

Affirmative Mr. joe. (Within reason of course)

YMYMYM
___________________________________________________


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] ] On Behalf Of joe
Sent: Sunday, October 09, 2005 11:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group


Ah global won't have the issue with primary group since it used the NET*
calls. However, it won't catch nesting that is disallowed in NT, those
entries will be curiously absent because the NET calls don't know
anything about it. If you are simply looking for any change on a group,
fire a notification on the changing of the metadata or the USN or the
whenChanged stamp.

What would I do? The answer is of course, it depends. :o)

It depends on what I perceive the risks are and the necessity for
protecting things. It could be very little or it could be a lot with
several cross checks. Generally, monitoring from multiple angles as well
as trying to prevent the possibility of any change is the best solution
in my opinion. Sort of like root kit detection, you won't know when
looking at things one way, you have to look from different angles and
check the shadows.

If I really wanted to be sure I would have a service running on every DC
that made sure the group memberships were exactly what I wanted.
These would be services that had change notifications set up for each
monitored group so AD told me when the group changed versus me looking
at it and seeing if something changed on some x interval. But just the
same, that service would still look at some very regular very short
interval just in case the change notification dorked up and I would do
it using multiple interfaces. If I was REALLY being paranoid I would
possibly have the service shut down the box if it detected a change
being originated on it in case that one box has been somehow
compromised. That service might also, for instance, look for certain
known vectors and try to clean those up if detected as well. There are
other things but the more you tell people about what you are doing to
protect a system, the more you tell them on what they may need to do to
compromise a system.

Is a tool like that something people would be willing to pay for? You
set it for how jittery you are about changes to some finite small number
of specific groups and depending on the jittery setting it does anything
from warn to correct to locking the box down dead from any more mods?




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Alex Fontana
Sent: Saturday, October 08, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group


I'm just using the (I believe) resource kit tool global.exe to return
samaccountname of users in the group.  A user who has that particular
group as primary still shows up.  At the time my biggest concern was ANY
change. There should not be any changes made to those groups at any time
without my group's knowledge.  Obviously if a group (nesting) is added
I'll know about it and whip out my ruler to smack someone with.

As far as the restricted groups are concerned; when I first added them
to the policy it worked like a charm.  After some more testing I found
it was taking longer than expected...more than 15 minutes.  After
looking at the policy I saw that I had entered "domain admins" instead
of domain\domain admins.  I changed it and it never worked.  Changed it
back to just "domain admins" and again it usually works but I recently
saw a user sit in the group for an hour or so before I removed it
manually.  I was however notified within a minute of the change.

Like I said, it's crude but it gets what I need done.  I know that I
have to deal with replication time and I could hit a DC that doesn't
know about the change immediately which could delay my notification by
up to a few minutes, but my biggest concern at this time are certain
admins that can add to the DA's group.  No need to start down that
road...I walked into this and am slowly cleaning up this mess.  Who the
hell makes a file server a DC...

Now...I have to ask...how would Joe do it? ;-)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Saturday, October 08, 2005 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

What about people who have those groups as a primary group? 30 seconds
is a long time, I could be a domain admin and have it not show in the DA
member attribute in milliseconds. Also do you chase all nesting? If so
how? What do you key your hash/map/associative array/dictionary on so
you don't get stuck in a recursive nesting? Name? SamAccountName? Should
be using DN if you aren't. When building the list of current unique
members do you key off of name, samaccountname? Again, should be using
DN if you aren't.

The restricted groups GPO should remove a user that isn't in the list
within 5 minutes on a DC. But still, in computer and hacking time, that
is an eternity.



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Alex Fontana
Sent: Saturday, October 08, 2005 12:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Call my method crude and archaic...but I have a box that just runs
scripts...all day...nothing else.  One of them is to do a simple dump of
the domain, enterprise, and schema admins group once every 30 seconds or
something and diff it against the previous run.  If there's a difference
I get an email.  This was a 2 minute batch file I put in place because
someone was added to the DA's group and decided it would be fun to try
and bring up a new domain.  I decided to leave it in place cause it just
worked; any change to the groups and I get an email within a few
minutes.  Already caught a few "mistakes".

The restricted groups (which are also in place) have sat for hours and
not kicked the "non-specified" user out...then again, sometimes it kicks
them out right away.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] ] On Behalf Of joe
Sent: Friday, October 07, 2005 8:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

I am.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] ] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, October 07, 2005 10:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Joe,

I actually thought you were referring to the somewhat "hidden"
primaryGroupID issue in your previous response.


Sincerely,

Dèjì Akómoláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 10/7/2005 6:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group



You have to look at what the scripts and GPOs are actually doing in the
background. For instance, gpo simply looks at the LDAP membership of a
group, ditto many of the WMI scripts out there that "monitor" group
membership. Not all members will be listed there. Unless those items
fire at a moment that the user is listed in the member list, they may
not capture the info. How long does it take to get yourself into say the
domain admins group and it not be listed in the member attribute for
domain admins? Maybe milliseconds? How often are the monitors and GPOs
firing? Auditing can help here since it will track every change if you
are willing to have the overhead of the auditing, but you have to be
aware if there are any limitations in your event log scraper tool.
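The two gaps joe describes (a user whose primaryGroupID points at the group never shows in its `member` attribute, and nesting must be chased keyed on DN without recursing forever), together with Alex's dump-and-diff check, worked as an added Python example that is not from the thread. The directory below is a constructed in-memory stand-in for LDAP search results, and `rid` stands for the RID part of each group's objectSid; all names are assumptions.

```python
# Added example (not from the thread): resolve who is *effectively* in a
# privileged group by following `member` nesting keyed on DN (cycle-safe) and
# by picking up users whose primaryGroupID equals the group's RID, then diff
# against the previous run's result the way the dump-and-diff script does.
BASE = "DC=corp,DC=example"                       # constructed forest
DA = f"CN=Domain Admins,CN=Users,{BASE}"
OPS = f"CN=Tier0 Ops,OU=Groups,{BASE}"
ALICE, BOB, CAROL = (f"CN={n},CN=Users,{BASE}" for n in ("alice", "bob", "carol"))

# Constructed stand-in for LDAP search results: DN -> attributes.
DIRECTORY = {
    DA:  {"objectClass": "group", "rid": 512, "member": [ALICE, OPS]},
    OPS: {"objectClass": "group", "rid": 1105, "member": [BOB, DA]},  # loop
    ALICE: {"objectClass": "user", "primaryGroupID": 513},
    BOB:   {"objectClass": "user", "primaryGroupID": 513},
    # carol is in no `member` attribute; only her primaryGroupID (512) makes
    # her a Domain Admin, so a member-only scan never sees her.
    CAROL: {"objectClass": "user", "primaryGroupID": 512},
}

def direct_members(group_dn, directory=DIRECTORY):
    """What a naive script sees: the group's `member` attribute only."""
    return set(directory[group_dn].get("member", []))

def effective_members(group_dn, directory=DIRECTORY):
    """User DNs reachable through nesting, plus primaryGroupID holders."""
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:              # keyed on DN, so a nesting loop ends here
            continue
        seen.add(dn)
        obj = directory.get(dn)
        if obj is None:             # dangling or foreign DN: report, don't crash
            users.add(dn)
            continue
        if obj["objectClass"] != "group":
            users.add(dn)
            continue
        stack.extend(obj.get("member", []))
        for udn, uobj in directory.items():   # primaryGroupID == group RID
            if uobj.get("primaryGroupID") == obj["rid"]:
                users.add(udn)
    return users

def diff_membership(previous, current):
    """(added, removed) relative to the last run; non-empty means alert."""
    return sorted(current - previous), sorted(previous - current)
```

A real run would build `DIRECTORY` from an LDAP search for the group, its nested groups and every user whose primaryGroupID matches, and would persist the previous result between runs.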



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] ] On Behalf Of Crawford, Scott
Sent: Friday, October 07, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Care to elaborate on what you mean by defeated?  Are you suggesting that
gpo's can be overridden by a local user w/o admin rights?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, October 06, 2005 7:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Both can be defeated.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, October 06, 2005 2:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Use a "restricted group" policy, or use one of Alain Lissoir's
(lissware.net) scripts.

You can find info on either method by searching through the archives of
this list, or you could use google ... ahem ....I meant msn search :)


Sincerely,

Dèjì Akómoláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Devan Pala
Sent: Thu 10/6/2005 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Modifying Domain Admins & Administrators Group



Hi,

We have about 7 domain administrators in a particular child domain. I
just found out someone added the DBA Group to part of the Administrators
group in this domain. Not necessary, not required nor is it a policy.
Event logs have obviously been overwritten therefore I would like to
know the simplest method to avoid this scenario from ever happening
again.

What are my options?

Thank you so much.


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
