|
Is the audit policy at the domain or OU level over riding
the local policy settings?
Generate a RSOP report to determine the effective
settings.
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNA Sent: 06 December 2005 14:26 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Auditing permissions changes to a folder/disk/file All,
I am trying to audit changes to the permissions to a
folder. So far:
I have changed the local computer audit policy to audit
success and failures of object access.
I have enabled auditing on a folder for Everyone and put a
check in the box for Change Permissions success and
failures.
I then change the permissions on the
folder.
Security log for the system does not log
anything.
Any thoughts on what step I may have missed or what could
cause the Security log to not log any data?
Nate From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme Sent: Monday, December 05, 2005 6:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Saved Query for Distinguished Name Contains Thanks!!!! For the
scoop, Joe!!! And yes, I LOVE ADFIND,
but it doesn’t provide a result set within the MMC… I’m trying to do an MMC (AD
UC snap-in) Saved Query as the basis for a custom Taskpad … Sorry I wasn’t clear
about that. Guess I’m out of luck. Thanks again,
though! At least I know not to keep beating my head against the
wall! Dan From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of joe It seems I have been
answering a lot of questions like this lately... You can not put parts
of the DN into the LDAP query. The only way to control what branches a query
looks at are 1.
Permissions 2. Search
base 3. Search
scope. You need to be the most
specific you need to be to either include or exclude various branches of the
tree. That being said,
someone who wanted to have those specific branches filtered out or filtered in
to the outputted return set but didn't mind actually returning a lot more data
could look to see if they can find a tool that was written by someone bright
enough to add options to let you do that. Hey there is one... It
is called adfind and has excldn and incldn switches to allow you to specify
portions of a DN of objects you would like outputted.
FYI, there is a bug in
the objects returned counter when using incldn, I have to go in and fish it out
of there. It is because I cut and pasted the excldn code to produce the incldn
section. ;o) Anyway, your query
would look something like adfind -default -f
objectcategory=computer -incldn ou=workstations Keep in mind though
that every computer in your org will be passed back to your client so if you
have 100k computers and only 10 are in the ou=workstations ou's it will seem
AWFULLY SLOW.... There is no way for me to get around
that.
joe From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Hey,
all! I am trying to create a
saved query to pull out computers that exist within a WORKSTATIONS ou; and that
OU may exist within several higher-level OUs, i.e. distinguishedName=*OU=Workstations* but the Saved Queries
interface in ADUC doesn’t seem to like distinguishedName (I’ve also tried dn=
and DN=). Any ideas, please? PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
|
- [ActiveDir] Auditing permissions c... Bahta Nathaniel V Contractor NASIC/SCNA
- RE: [ActiveDir] Auditing perm... neil.ruston
