RE: [ActiveDir] os version
Check out gettype from the reskit. It will return a string and an errorlevel based on the OS.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Thursday, August 14, 2003 7:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] os version

I know this one has probably been done about 500 times already, but I was hoping to sound the mailing list out on techniques for differentiating between Windows 2000 and NT4 from a login script, given that both Windows 2000 and NT4 return "Windows NT" from a query of the OS version environment variable.

GT

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Setting password expiration date
Password policies can only be set at the domain level.

Dennis Depp

-----Original Message-----
From: Erick Christian [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 1:17 PM
To: [EMAIL PROTECTED]

We are rolling our W2K network out and have successfully migrated from NT 4.0. Previously we had set our user accounts' passwords to expire at the end of the year. However, going through and enabling each individual account is not an option, and as of yet I have not found a way in AD to set the password expiration date for an entire group. If anyone could shed light on this topic I would greatly appreciate it.

Erick Christian
Chesapeake Board of Education
RE: [ActiveDir] OT: Has anyone had a problem with the RPC call to the OS
We got smoked yesterday around 1:00. It was difficult to troubleshoot what was going on because I couldn't figure out how it was replicating through the network. Some machines had symptoms and others didn't (some machines had patches applied). Our symptoms included problems with Office, problems with Exchange and problems with printing. It was pretty obvious around 4:00 that it was replicating all over the place. Once you've installed the patch I think you still have to delete something from the registry to keep the computer from infecting other computers.

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Has anyone had a problem with the RPC call to the OS

Yusuf,

Check out some of the security vulnerability lists like full-disclosure, vulnwatch, vulndiscuss, etc. People are saying that since yesterday sometime, possibly the night before, they have been seeing infections and have noticed a considerable increase in hits on their firewalls for RPC ports and other ports used by MSBLASTER. Also some of the other Microsoft MVPs have indicated that they have seen it in their sites as well.

Check out http://isc.sans.org/images/port135percent.png at sans.org and note the huge spike in the number of sources and records. If you have a high number of records/targets but a relatively low number of sources, that is usually normal people or black hats scanning. If you have a high number of sources and records then that is usually a worm or virus.

Additionally, in the public newsgroups there have been several posts of people complaining of the symptoms of the worm, such as "why is my machine scanning NetBIOS ports" or "why is my machine getting an RPC error and rebooting", etc. I haven't gotten to the office yet, but I am expecting that I will be hearing about infections today inside our intranet.
joe

--
Joe Richards
Microsoft MVP Windows Server / Active Directory
www.joeware.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y
Sent: Tuesday, August 12, 2003 8:02 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Has anyone had a problem with the RPC call to the OS

Hi everyone

Curiosity has gotten the better of me and I wanted to know if anyone out there has been affected by the virus that does the RPC call to the operating system?

Your comments,

Yusuf
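Joe's rule of thumb above (many hits on 135/tcp from few sources is a scanner, many hits from many distinct sources is a worm) can be turned into a check over firewall deny logs. The block below is an added example and is not from the thread or from SANS; the line format, the hosts and the thresholds in it are constructed for the example.

```python
"""Tell a worm outbreak from ordinary scanning in firewall logs.

Added example, not from the thread. It applies the rule of thumb in Joe's
reply: many hits on 135/tcp from few sources looks like scanning, many hits
from many distinct sources looks like a worm. The log format, the hosts and
the thresholds below are all constructed for the example.
"""
import re
from datetime import datetime, timedelta

# Constructed line format: "<timestamp> <action> <src> -> <dst> <proto> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def port_stats(lines, port=135, proto="TCP"):
    """Return (records, distinct sources, distinct targets) for one port."""
    records, sources, targets = 0, set(), set()
    for rec in parse(lines):
        if rec["dport"] == port and rec["proto"] == proto:
            records += 1
            sources.add(rec["src"])
            targets.add(rec["dst"])
    return records, len(sources), len(targets)


def classify(records, sources, min_records=20, source_ratio=0.25):
    """Joe's heuristic. Below min_records there is nothing to say; otherwise a
    high share of distinct sources among the hits points at self-propagating
    code rather than at a scanner. Both thresholds are assumptions."""
    if records < min_records:
        return "quiet"
    if sources / records >= source_ratio:
        return "worm-like"
    return "scan-like"


def make_lines(pairs, port=135):
    """Build constructed DENY lines, one per (src, dst) pair, a second apart."""
    base = datetime(2003, 8, 11, 13, 0, 0)
    return [
        f"{(base + timedelta(seconds=i)):%Y-%m-%d %H:%M:%S} DENY {src} -> {dst} TCP dport={port}"
        for i, (src, dst) in enumerate(pairs)
    ]


# Constructed scenario A: one scanner sweeping 40 hosts on 135/tcp.
SCAN_LOG = make_lines([("203.0.113.9", f"192.0.2.{i}") for i in range(1, 41)])
# Constructed scenario B: 30 infected hosts each probing the same two targets.
WORM_LOG = make_lines([(f"10.0.{s}.1", f"192.0.2.{t}") for s in range(1, 31) for t in (1, 2)])


def report(lines, port=135):
    """Summarise one port of a log and attach the heuristic's verdict."""
    records, sources, targets = port_stats(lines, port)
    return {"port": port, "records": records, "sources": sources,
            "targets": targets, "verdict": classify(records, sources)}


if __name__ == "__main__":
    for name, log in (("scan", SCAN_LOG), ("worm", WORM_LOG)):
        print(name, report(log))
```

On real logs, run report() per time window (the ISC graph Joe points at is per day) and per port, since this worm also used TFTP and its remote shell port and a spike on those alongside 135/tcp is a stronger signal than 135/tcp alone.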
Re: [ActiveDir] Who's online
Agung, this was covered recently, mainly centred around the LastLogin attributes in AD. To find out who actually has a connection to the server, you can use the built-in admin tools to see who has a connection to a share (useful for looking at home drive servers prior to restarts), or use the scripting interfaces to query share connections. Unfortunately there isn't any "easy" way to get this info, as users don't actually "log in" in the strict sense; they initiate a connection to a server (like mapping a drive, connecting to a SQL / Exchange server etc).

G.

----- Original Message -----
From: Agung Kuswanto NCS
To: '[EMAIL PROTECTED]'
Sent: Thursday, August 07, 2003 8:39 PM
Subject: [ActiveDir] Who's online

Hi

Is there a way to know who's online on a Win2K server? Or to check whether a certain user is online? Does AD store that kind of information? I want to use lastlogin and lastlogoff, but apparently lastlogoff was never set.

Thank you

Regards,
Agung
RE: [ActiveDir] LDAP & LastLogin for Computers
I'm getting the computer "lastlogin" attribute, which as I understand it is the most recent time that the workstation authenticated to a domain controller. I believe the oldest this timestamp would be is the last time the machine started up. Also, lastlogin is not a replicated attribute, so you have to check either all of the domain controllers or at a minimum all of the domain controllers in the workstation's site in order to get an accurate value. I'll send you a copy of the script separately.

Hunter

From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 7:28 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] LDAP & LastLogin for Computers

Hunter,

Are you actually querying the workstation, or just the user accounts? If you're finding out when a computer was last logged onto, I would LOVE to have a copy of the script as well (so I can kick our desktop support guys in the bum to clean up *MY* AD) *grin*

Glenn
[EMAIL PROTECTED]

----- Original Message -----
From: Coleman, Hunter
To: '[EMAIL PROTECTED]'
Sent: Thursday, August 07, 2003 3:48 AM
Subject: RE: [ActiveDir] LDAP & LastLogin for Computers

I've sent you off-list a copy of a script we use to get this information. Hope it helps.

Hunter

From: England, Christopher M [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 8:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP & LastLogin for Computers

Greetings all,

I am trying to pull LDAP queries on computer accounts and I want to find out the last time someone logged into the machine. "WhenModified" is just the computer account object and "LastLogin" is just for user accounts. Am I out of luck? What I have is this: 400 or so computer accounts in one OU (with many sub-OUs) probably need to be 1) moved to a new OU or 2) deleted. #1 happens if they have logged in in, say, the last few months; #2 if not. Any suggestions would be great!
Thanks,
Chris

-
Christopher England
Server Administrator
MCSA, Server+, Network+, A+
College Information Technology Office
Indiana University
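Hunter's point that lastLogon is not replicated is the part that bites when doing Chris's move-or-delete triage: a computer that authenticates against DC2 looks stale on DC1. The block below is an added example, not the script Hunter mailed off-list; it shows the FILETIME conversion, the max-across-DCs reconciliation and the staleness decision on constructed per-DC results (a real run would fill each inner dict from an LDAP search against that DC, which the example does not do).

```python
"""Reconcile per-DC lastLogon values for computer accounts and triage them.

Added example; this is not the script Hunter mailed off-list. lastLogon is a
Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) and is not
replicated, so each DC holds its own value and the newest one wins. The
per-DC results below are constructed; in a real run each inner dict would be
filled from an LDAP search against that DC, which this example does not do.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME -> aware UTC datetime; 0 means the account never logged on."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME, done in integers to avoid float rounding."""
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def newest_logon(per_dc):
    """per_dc: {dc: {dn: filetime}} -> {dn: newest filetime seen on any DC}."""
    newest = {}
    for results in per_dc.values():
        for dn, ft in results.items():
            newest[dn] = max(newest.get(dn, 0), ft)
    return newest


def triage(per_dc, now, max_age_days=90):
    """Split computer DNs into (move, delete): moved if some DC saw a logon
    within max_age_days of `now`, deleted otherwise (including never logged on).
    The 90-day cutoff stands in for Chris's 'last few months'."""
    cutoff = now - timedelta(days=max_age_days)
    move, delete = [], []
    for dn, ft in sorted(newest_logon(per_dc).items()):
        when = filetime_to_datetime(ft)
        (move if when is not None and when >= cutoff else delete).append(dn)
    return move, delete


# Constructed data: four computer accounts as seen by two DCs.
NOW = datetime(2003, 8, 7, tzinfo=timezone.utc)


def _days_ago(days):
    return datetime_to_filetime(NOW - timedelta(days=days))


WS = {n: f"CN={n},OU=Desktops,DC=example,DC=com" for n in ("WS01", "WS02", "WS03", "WS04")}
PER_DC = {
    # DC1: WS01 long ago, WS02 recently, WS03 never, WS04 120 days ago
    "DC1": {WS["WS01"]: _days_ago(200), WS["WS02"]: _days_ago(5),
            WS["WS03"]: 0, WS["WS04"]: _days_ago(120)},
    # DC2 is the DC WS01 actually authenticates to, so it holds the newer value
    "DC2": {WS["WS01"]: _days_ago(10), WS["WS02"]: _days_ago(40), WS["WS03"]: 0},
}

if __name__ == "__main__":
    move, delete = triage(PER_DC, NOW)
    print("move:", move)
    print("delete:", delete)
```

Querying DC1 alone would put WS01 on the delete list; merging both DCs keeps it. Treat a 0 value with care: it also appears on accounts that have only ever authenticated to a DC you did not query.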
[ActiveDir] Scripting ACEs
I'm seeing a discrepancy between setting ACEs through the GUI (Security tab on an object) and setting them through a script. If I go into the Security tab on an OU and set a Deny ACE for some global group on Change Password and Reset Password for User objects, I end up with a single Deny ACE for those two operations. However, if I script it, I seem to end up with two Deny ACEs, one for Change Password and a second, separate one for Reset Password. I'm only setting a single objectType on the scripted ACE at this point, and having to repeat that code to set the second objectType. Is there a way to specify multiple objectTypes, or am I stuck with a larger DACL if I script the ACEs?

Thanks,
Hunter
RE: [ActiveDir] Choosing between Domain Controllers
Answer to question #1: type "set" at the command prompt and look for LOGONSERVER=<server name>.

Answer to question #2: HKEY_CURRENT_USER\Volatile Environment\LOGONSERVER. I'm not sure about changing the reg key, or if it defaults back as the environment variable is loaded. Perhaps you can set it as a variable to choose one particular DC, but that would be really bad if that DC happened to be offline.

Regards,
Dave

-----Original Message-----
From: Kevin Felker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 10:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Choosing between Domain Controllers

Hi all,

We're running two domain controllers on the same domain. My questions are:
i. what command can you run to see which one your client PC is using?
ii. how can you change which DC your client PC is using?

Reason being, I think one of them is slow, and would rather use the other one to test this theory.

Thanks
Kevin Felker
Univ of MS
[ActiveDir] Max Connections?
I'm using a Windows 2000 Server computer as a file server, but sometimes people have trouble connecting to it and they are on the local network. This network is very, very small (about 10 users) and yet sometimes some people cannot connect to the file server, so I'm wondering if there is a maximum number of connections preventing people from connecting at times, or what else can be the problem that people can't see the server? It seems to be unstable. Any ideas or suggestions are appreciated.

Thank You
-
Richard S.
[ActiveDir] Choosing between Domain Controllers
Hi all,

We're running two domain controllers on the same domain. My questions are:
i. what command can you run to see which one your client PC is using?
ii. how can you change which DC your client PC is using?

Reason being, I think one of them is slow, and would rather use the other one to test this theory.

Thanks
Kevin Felker
Univ of MS
RE: [ActiveDir] Broken RPC between DC's
You can use PORTQRY to tickle the RPC port 135 and see what is listening. I would also try 137 and 138 UDP respectively. Then check the router configuration to see what its settings are.

Toddler

-----Original Message-----
From: Ian Moran [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 12:54 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Broken RPC between DC's

Strange one this. Two DCs, same site, different subnets separated by a router. Clients on subnet A can net view \\serverB, clients on subnet B can net view \\serverA - but serverA and serverB cannot net view each other - iyswim. Almost like a broken NetBIOS channel between just these two servers.

ServerA can ping ServerB etc.
WINS is in use and correctly defined in TCP/IP properties.
Time is accurate on both DCs.

The error posted is:

C:\>net view \\nysdapdcm
System error 64 has occurred.
The specified network name is no longer available.

Ian Moran
Konnexion Ltd
RE: [ActiveDir] Max Connections?
I would go into Network Connections and select the network adapter on the server. On the Microsoft File and Print item, select Properties, and make sure the settings are optimized for file and print sharing. Next you could pull up perfmon and see what the network usage is for the box, and the number of SMB sessions that are on the box. Also you could be seeing MSBLAST-related issues. NIC settings on the server could be a problem if the settings are set to auto-negotiate and the switch port is either not set or set differently. Finally, disk subsystems are very important when you have more than one person connecting to the drive. IDE is optimized for 1 or 2 concurrent users.

Toddler

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 1:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Max Connections?

I'm using a Windows 2000 Server computer as a file server, but sometimes people have trouble connecting to it and they are on the local network. This network is very, very small (about 10 users) and yet sometimes some people cannot connect to the file server, so I'm wondering if there is a maximum number of connections preventing people from connecting at times, or what else can be the problem that people can't see the server? It seems to be unstable. Any ideas or suggestions are appreciated.

Thank You
-
Richard S.
RE: [ActiveDir] Max Connections?
Check the maximum users at the share level, perhaps. That is the only place I can think of to limit it. The other option is to look in perfmon and see if it is an actual I/O issue. Also, make sure the NIC(s) are set to 100/full duplex.

Hope this helps,
Dave

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 1:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Max Connections?

I'm using a Windows 2000 Server computer as a file server, but sometimes people have trouble connecting to it and they are on the local network. This network is very, very small (about 10 users) and yet sometimes some people cannot connect to the file server, so I'm wondering if there is a maximum number of connections preventing people from connecting at times, or what else can be the problem that people can't see the server? It seems to be unstable. Any ideas or suggestions are appreciated.

Thank You
-
Richard S.
RE: [ActiveDir] Max Connections?
Maybe a DNS issue in resolving the IP address to the computer name? Can you ping the server from their desks? How are their drives mapped?

-----Original Message-----
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 1:16 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Max Connections?

Check the maximum users at the share level, perhaps. That is the only place I can think of to limit it. The other option is to look in perfmon and see if it is an actual I/O issue. Also, make sure the NIC(s) are set to 100/full duplex.

Hope this helps,
Dave

-----Original Message-----
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 1:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Max Connections?

I'm using a Windows 2000 Server computer as a file server, but sometimes people have trouble connecting to it and they are on the local network. This network is very, very small (about 10 users) and yet sometimes some people cannot connect to the file server, so I'm wondering if there is a maximum number of connections preventing people from connecting at times, or what else can be the problem that people can't see the server? It seems to be unstable. Any ideas or suggestions are appreciated.

Thank You
-
Richard S.
RE: [ActiveDir] Group Policy and IE Zone Security
Okay. This is what I have found in the userenv.log so far:

ProcessGPOs: Processing extension Internet Explorer Branding
ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x7

(Which should be fine since I don't use the GP to brand IE)

ProcessGPOs: Processing extension Internet Explorer Branding
CompareGPOLists: Different version numbers found
ProcessGPOList: Entering for extension Internet Explorer Branding
UserPolicyCallback: Setting status UI to Applying Internet Explorer Branding policy...
GetHkeyCU: RegOpenKey failed with error 2
LibMain: Process Name: C:\WINNT\system32\rundll32.exe
UserPolicyCallback: Setting status UI to Applying your personal settings...
ProcessGPOList: Extension Internet Explorer Branding returned 0x0.
ProcessGPOs: --- 734
ProcessGPOs: ---

Those are the only lines that mention Internet Explorer.

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 13, 2003 12:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

What you're looking for is any log items from the IE Maintenance extension as it tries to process the policy during user logon. Look for messages as to whether it skipped processing for some reason or couldn't process the policy.
[ActiveDir] how to identify what got changed in a user's account?
Hi,

I am trying to identify exactly what got changed in a user's account (W2K domain). I know that a change will create a Security log record, EventID 642, category Account Management, type Success. It will identify the account that got changed (Target Account ID) and who made the change (Caller User Name). But how do you tell *exactly* what changed? Is there additional logging that must be enabled?

Thanks for any info!

Mike Thommes
RE: [ActiveDir] WOT Unreadable code (was Connection String)
In a secure environment like Todd lives in, it would make the cross-firewall replication a fairly simple matter - one well-known port and proper DNS is all that it would take to pass the required replication traffic around.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Sinkewicz, Ursula [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 9:30 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Roger - could you say more about the specific issues that SMTP-based intra-site replication could address?

Thanks and Regards,
Ursula

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 6:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Hmmm... What would make sense to me is if the option for site replication via SMTP actually worked intra-domain rather than cross-domain only. That solves probably 90-some percent of the issues involved in site replication.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 4:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Well, we are currently redesigning our site topology due to several organizations setting up firewalls and thinking they are guarding against Neo and the Matrix gang. One thing we are working with Microsoft on is an optimized hub-and-spoke topology by creating sites for networks that are behind firewalls. We want to address a couple of things here in the design as well: failover DDNS service, deployment of an enterprise-level directory tripwire tool, and enterprise directory monitoring. What would be cool is if there was a directory optimization tool as well, one that would set DNS SRV record priorities.

I haven't had a chance to look at the latest version of DT to see if it is in there yet. Part of the firewall configuration is to set a static port. The question is: is one port enough? I was reading some Backup Exec documents and they recommended that their application have at least 20 ports open for their DCOM object. Anyone have experience here and want to help a brother out?

Toddler

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 3:58 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

What's up Todd? You have a hankerin' for some chicken? And I probably should stop wasting everyone's inbox capacity with this silliness... Doesn't someone have some AD problems that need fixing?

-gil

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 12:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Gil, you should give one out for every Enterprise purchase of Netpro products.

Todd Myrick

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 3:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

John, Stella has put the world-famous Official DEC Screaming Yellow Rubber Chicken in the mail, so you should get it by the end of the week or so. When you do get it, be sure to give it a good squeeze. When I spoke at the 2002 AFITC, a general from ACC (I've forgotten his name) told me that someone in his office had received one and the noise was driving him crazy. Scratch the chicken off the list of how to win friends and influence people.

-gil

-----Original Message-----
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 12:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Gil, I'm not THAT old! Man, next you'll be implying that I built the DARPAnet! (and we all know it was Al Gore who's responsible for that!) *grin*

Nah, I just have a fondness for old, dead languages and remembered seeing that one before. I actually had a bookmark to a history-of-computing type doc that had this very example of MUMPS code. As for DEC Ottawa, I doubt it, times and budgets being what they are. But I'll take the chicken... sounds like cool geek-schwag :^)

John A. Bjelke
Unisys
505.853.6774
RE: [ActiveDir] OT: Patch Management
SMS with the SUS Feature Pack.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mitch Reid
Sent: Friday, August 08, 2003 3:26 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Patch Management

Hi, we finally 'found' some money to purchase software that will help with patch management. I was wondering if anybody has suggestions on what I should look at (and what not to look at). We have about 300 local servers and a handful more across the WAN. They're NT, 2000 and 2003 in an NT/AD multi-domain configuration. I'm not concerned about workstations for this project.

Thanks
[ActiveDir] [OT] RPC DCOM WORM (MSBLASTER)
In case you've been sleeping on the RPC DCOM hole (MS03-026), the time to patch was a couple of weeks ago, but if you still didn't... Duck... No, actually patch! Now is not the time for your company to discover that a firewall doesn't protect all entrances to your network.

http://isc.sans.org/diary.html?date=2003-08-11

Handlers Diary August 11th 2003
Updated August 11th 2003 19:35 EDT

RPC DCOM WORM (MSBLASTER)

This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.

** NOTE: PRELIMINARY. Do not base your incident response solely on this writeup. **

Executive Summary:

A worm has started spreading early afternoon EDT (evening UTC time) and is expected to continue spreading rapidly. This worm exploits the Microsoft Windows DCOM RPC vulnerability announced July 16, 2003. The SANS Institute and Incidents.org recommend the following action items:

* Close port 135/tcp (and if possible 135-139, 445 and 593)
* Ensure that all available patches have been applied, especially the patches reported in Microsoft Security Bulletin MS03-026. This bulletin is available at http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
* Infected machines are recommended to be pulled from the network pending a complete rebuild of the system.

Increase in port 135 activity: http://isc.sans.org/images/port135percent.png

Technical Details:

Names and Aliases: W32.Blaster.Worm (Symantec), W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trend Micro), Win32.Posa.Worm (CA), Lovsan (F-Secure), MSBLASTER, Win32.Poza.

Infection sequence:
1. SOURCE sends packets to port 135 tcp with a variation of the dcom.c exploit to TARGET
2. this causes a remote shell on port at the TARGET
3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port ,
4. the TARGET will now connect to the tftp server at the SOURCE.

The name of the binary is msblast.exe. It is packed with UPX and will self-extract. The size of the binary is about 11 kByte unpacked and 6 kBytes packed:
MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

So far we have found the following properties:
- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot
Name of registry key: SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

Strings of interest:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c.

Once you are infected, we highly recommend a complete rebuild of the site. As there have been a number of IRC bots using the exploit for a few weeks now, it is possible that your system was already infected with one of the prior exploits. Do not connect an unpatched machine to a network.

The worm may launch a SYN flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000 and XP. The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the universal Win2k offset only.

Other References:
http://www.cert.org/advisories/CA-2003-19.html
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
http://www3.ca.com/virusinfo/virus.aspx?ID=36265
http://www.datafellows.com/v-descs/msblast.shtml
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
http://xforce.iss.net/xforce/alerts/id/150
http://vil.nai.com/vil/content/v_100547.htm
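The writeup above gives enough host-side indicators (the Run value 'windows auto update', the file name msblast.exe, the MD5 of the packed binary and the embedded strings) to triage a suspect box before deciding whether it goes to the rebuild pile. The block below is an added example, not from the SANS diary or the thread; the registry export and the file bytes in it are constructed stand-ins, and because the real binary is UPX-packed the string matches only apply to an unpacked image or a memory dump, while the MD5 matches only the packed file on disk.

```python
"""Match a host against the MSBlaster indicators given in the writeup above.

Added example, not from the SANS diary or the thread. It checks (a) an
exported Run key for the 'windows auto update' value / msblast.exe and (b) a
file's bytes against the published MD5 and the listed strings. The registry
export and the file bytes below are constructed stand-ins: the MD5 will only
match a genuine packed sample, and because the real binary is UPX-packed the
string matches apply to the unpacked image (or a memory dump), not the file
on disk.
"""
import hashlib
import re

KNOWN_MD5 = {"5ae700c1dffb00cef492844a4db6cd69": "msblast.exe, packed, 6176 bytes"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "windows auto update"
STRINGS = [
    b"msblast.exe",
    b"I just want to say LOVE YOU SAN!!",
    b"billy gates why do you make this possible ?",
    b"windowsupdate.com",
    b"tftp -i %s GET %s",
    b"windows auto update",
]


def check_run_key(reg_export):
    """Return (name, data) for Run entries that match the worm's persistence.
    reg_export is the text of a .reg export; only the Run key section is read."""
    section = re.search(
        r"\[HKEY_LOCAL_MACHINE\\" + re.escape(RUN_KEY) + r"\]\n(.*?)(?:\n\[|\Z)",
        reg_export, re.S)
    if not section:
        return []
    hits = []
    for m in re.finditer(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"', section.group(1), re.M):
        name, data = m.group("name"), m.group("data")
        if name.lower() == RUN_VALUE or "msblast.exe" in data.lower():
            hits.append((name, data))
    return hits


def check_file(blob):
    """Return (md5, md5_known, matched_strings) for a file's bytes."""
    md5 = hashlib.md5(blob).hexdigest()
    return md5, md5 in KNOWN_MD5, [s.decode() for s in STRINGS if s in blob]


def verdict(reg_hits, file_result, min_strings=2):
    """'infected' on a hash match or a persistence entry, 'suspect' on enough
    string matches, 'clean' otherwise. min_strings is an assumption."""
    md5, known, matched = file_result
    if known or reg_hits:
        return "infected"
    if len(matched) >= min_strings:
        return "suspect"
    return "clean"


# Constructed .reg export (Windows Registry Editor format) with the worm's entry.
REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Synchronization Manager"="mobsync.exe /logon"
"windows auto update"="msblast.exe"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce]
"""

# Constructed stand-in for an unpacked image: a fake header plus two of the strings.
FAKE_UNPACKED = b"MZ\x90\x00" + b"\x00" * 16 + b"msblast.exe\x00I just want to say LOVE YOU SAN!!\x00"
CLEAN_BLOB = b"MZ\x90\x00" + b"hello world"

if __name__ == "__main__":
    print(check_run_key(REG_EXPORT))
    print(verdict(check_run_key(REG_EXPORT), check_file(FAKE_UNPACKED)))
```

A clean result here is weak evidence: the diary notes IRC bots had been using the same exploit for weeks with other payloads, so a box that was reachable on 135/tcp unpatched still needs the rebuild decision made on exposure, not on this hash list.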
RE: [ActiveDir] WOT Unreadable code (was Connection String)
Well, let's think for just a minute about this. If we're talking about a WAN-based network, couldn't the end-point devices (routers, firewall, bastion, etc.) be the terminus for the IPSec tunnel? And, if so, who cares what the clients speak? Seems to me that this would resolve many of the issues with the Windows-only concern. As to the original question, if you're stuck with RPC, then you are going to have a very tough time with a single port. RPC is, for lack of a better term, going to require a crap-load of ports to be open to operate at any where near efficiency. That's why the SMTP between sites has been so highly touted by Roger and others. It works, it's standard - and it has one advantage that RPC really doesn't: It's great for a network where reliability might be a problem and you need a 'storable message' mechanism that will communicate and stop on demand. Random thoughts here Flail away Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT) Sent: Wednesday, August 06, 2003 7:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String) This still requires a list of semi trusted networks. I am curious would you use the IPSEC to limit the port range to the DC's for replication, or both the client level traffic and the DCs traffic? On problem with client traffic being encrypted is that we support multiple hosts connecting to our domains, (Mac, UNIX, old NTLM clients). I have to be honest, I have spoken with several engineers who have tried to do IPSEC on large scale deployments and they say it is more trouble than it is worth when you are not standardized on Windows 2000 or XP. The problem I am having is that some of the organizations in my operation want to view all traffic from outside their organization as totally untrusted. 
So basically their security experts want us to identify specific ports and trusted inbound communication from specific hosts for every domain in the forest. We have about 24 domains, and about 75 DCs. That's one big list to keep maintaining and coordinating for just the DC traffic. We also have 5 Class B address ranges of ports in our design (remember we are the government), so planning for client exposure is also somewhat of an issue.

So far I came up with two solutions to this: use DMZs and limited/static RPC replication, and allow inbound traffic from trusted networks to community network services (DNS, AD, Exchange servers, intranet servers), then separate mission-critical servers and clients by connecting them through a second firewall to the border DMZ. Allow all outbound communication to occur, and allow limited inbound from DMZ servers to occur. What this basically will probably require is that AD replication and operations will work as expected for hosts inside the firewall and traveling users who work at other departments within the organization. If the organization chooses to limit basically all inbound communication requests except from the direct replication partners, this potentially can break authentication from outside sources to local resources, provisioning via LDAP, and single sign-on using only Microsoft technology. So if the user ever visits another part of the organization that is behind a closed firewall DMZ design, they will have to VPN into their portion of the network to properly authenticate and access resources.

So the question I posed earlier has still gone unanswered. Do you think RPC NTDS and FRS replication is fine with just one port being open, or do you think it would be better to open a range?

Thanks, Todd Myrick

-Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 9:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Correct.
One option is to run IPSec tunnels without encryption - that allows for full content inspection while still having reduced requirements for open ports.

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 9:12 AM To: ActiveDir Subject: Re: [ActiveDir] WOT Unreadable code (was Connection String)

I would like to see his thoughts on the matter. MS's published recommendations for using ipsec tunnels to traverse firewalls are fine between trusted environments, but most trusted environments can create their own vpn tunnels using firewalls more efficiently. And between untrusted environments it would be generally irresponsible (security-wise).

-- Sent from my BlackBerry Wireless Handheld
RE: [ActiveDir] OT: Server Monitoring
Try MOM. http://www.microsoft.com/mom When the email server is down, you can use scripts to send email via SMTP.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, August 05, 2003 4:35 PM To: ActiveDir (E-mail) Subject: [ActiveDir] OT: Server Monitoring

My company is currently looking for a product that will monitor if the e-mail server and other servers are up or down and then notify me by e-mailing my cell phone. Question: 1) What software do you use? 2) How do you get notified by e-mail if your e-mail server is down? Any help is appreciated, I have already looked at Whats Up Gold and Servers Alive.

Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LDAP LastLogin for Computers
Well, "pwdLastChanged" or "LastLogin" or other variations are all for User objects. Oh well, thanks for all your advice, all! Chris

-Original Message- From: England, Christopher M Sent: Wednesday, August 06, 2003 9:22 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] LDAP LastLogin for Computers

Greetings all, I am trying to pull LDAP queries on computer accounts and I want to find out the last time someone logged into the machine. "WhenModified" is just the computer account object and "LastLogin" is just for user accounts. Am I out of luck? What I have is this: 400 or so computer accounts in one OU (with many sub-OUs) probably need to be 1) moved to a new OU or 2) deleted. #1 happens if they have logged in in, say, the last few months. #2 if not. Any suggestions would be great! Thanks, Chris

- Christopher England Server Administrator MCSA, Server+, Network+, A+ College Information Technology Office Indiana University
RE: [ActiveDir] Anonymous Logon
:o) My security logs are 180MB.

Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy Sent: Wednesday, August 06, 2003 3:27 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Anonymous Logon

I would not have been surprised to see this on a web server, but the domain controllers being audited do not have either www or ftp services running. I was not prepared for the voluminous amount of system and anonymous entries in the log. I've increased the log size to 5MB on each DC and have them scheduled to back up to a remote server every day at 23:55. I'm looking into purchasing a syslog server; it seems the only viable way to manage this mess.

-Original Message- From: rick reynolds [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 10:10 To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Anonymous Logon

If web services or ftp are running on those, both those services allow anon to access the main page.

- Original Message - From: Rittenhouse, Cindy [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 1:02 PM Subject: RE: [ActiveDir] Anonymous Logon

Rick, The security logs in question are on my Windows 2000 domain controllers, PSDC1 and PSDC2. When I Audit Logon Events, the log fills with

Event 538 NT Authority\Anonymous Logon
User Logoff: User Name: ANONYMOUS LOGON Domain: NT AUTHORITY Logon ID: (0x0,0xCB82F) Logon Type: 3

and

Event 540 NT Authority\System Logons
Successful Network Logon: User Name: PSDC1$ Domain: LC_POLICE Logon ID: (0x0,0xCBE63) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name:

These don't appear to give me any specific information. I need to keep records for 3 years that show when a user logged onto the network and from which workstation.
When I audit Account Logon, I get the information, but the user is always System, so there is no easy way to filter for a specific user name. When I use Audit Logon events, I can filter by user name, but I'm filling 75% of the log with Anonymous and System logons. I'm generating about 8MB of security log daily between the two DCs, so I'm not sure what is the most efficient way to configure the audit policy on my DCs. It seems that either way, the logs fill with quite a bit of basically useless information. -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Monday, August 04, 2003 18:26 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Anonymous Logon Cindy, My initial thought on this, understanding the process, is that everyone is Anonymous when they first hit the server. A record of this 'anonymous' access is made, and the process continues where you actually identify yourself. Clearly, this is going to be different if you are running a web server, where the access might be mostly anonymous, unless set to some manner of authentication (Windows, Basic, etc.) Now, for more detail, if you want to post some of the records that you're seeing (you should be able to follow the authentication trail via the ID's in the audit records) I can help you identify what is going on and what the anonymous access is all about. It would help to know what type of server this is, as well. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy Sent: Monday, August 04, 2003 1:35 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Anonymous Logon I successfully upgraded my NT domain to AD yesterday. I now find my DC security log on the PDC emulator filling up twice a day. It is set to 2048 KB, do not overwrite (I have to save them for 3 years). The majority of events are Anonymous logons. 
Is it normal to have this quantity of Anonymous logons? Cynthia Rittenhouse MCSE, CCNA LAN Administrator County of Lancaster Lancaster, PA 17602 Phone: (717)293-7274

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
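Cindy's underlying problem is a filtering one: on a DC that audits logon events, the ANONYMOUS LOGON null sessions, the SYSTEM account and the machine accounts (PSDC1$ talking to its replication partner) generate the bulk of the 538/540 records, while the 3-year retention requirement only needs "which user, when, from which workstation". The script below is an added example, not code from the thread or any list member; it works over a constructed, simplified tab-separated export carrying the fields visible in the pasted records (a real saved .evt or dumpel output would need its own parser), drops the noise classes, and reduces what is left to the per-user record she asked for.

```python
"""Filter a Windows 2000 DC security log down to accountable user logons.

Added example, not code from the thread.  The export format below is a
constructed, simplified tab-separated dump carrying the fields visible in
Cindy's 538/540 records (time, event id, user, domain, logon type,
workstation); a real saved .evt or dumpel output needs its own parser.
"""
import csv
import io

# Constructed sample export, modelled on the records pasted in the thread.
SAMPLE_EXPORT = """\
2003-08-05 13:02:11\t540\tPSDC1$\tLC_POLICE\t3\t
2003-08-05 13:02:12\t538\tANONYMOUS LOGON\tNT AUTHORITY\t3\t
2003-08-05 13:02:15\t540\tANONYMOUS LOGON\tNT AUTHORITY\t3\t
2003-08-05 13:03:40\t540\tcrittenhouse\tLC_POLICE\t3\tPSWS042
2003-08-05 13:05:02\t540\tSYSTEM\tNT AUTHORITY\t5\t
2003-08-05 13:07:19\t528\tjdoe\tLC_POLICE\t2\tPSWS017
2003-08-05 13:09:55\t540\tPSWS017$\tLC_POLICE\t3\tPSWS017
2003-08-05 13:11:03\t540\tcrittenhouse\tLC_POLICE\t3\tPSWS042
"""

SUCCESS_LOGON_EVENTS = {528, 540}   # 528 successful logon, 540 successful network logon
NOISE_ACCOUNTS = {"ANONYMOUS LOGON", "SYSTEM"}


def parse_export(text):
    rows = []
    reader = csv.reader(io.StringIO(text), delimiter="\t")
    for when, event_id, user, domain, logon_type, workstation in reader:
        rows.append({"when": when, "event_id": int(event_id), "user": user,
                     "domain": domain, "logon_type": int(logon_type),
                     "workstation": workstation})
    return rows


def is_noise(row):
    """Entries with no per-user accountability value: the null session
    (ANONYMOUS LOGON), the local SYSTEM account, and machine accounts
    (names ending in $, e.g. PSDC1$ authenticating to its replication partner)."""
    user = row["user"].upper()
    return user in NOISE_ACCOUNTS or user.endswith("$")


def user_logons(text):
    return [r for r in parse_export(text)
            if r["event_id"] in SUCCESS_LOGON_EVENTS and not is_noise(r)]


def last_logon_by_user(text):
    """Newest successful logon per user with the workstation it came from;
    rows are assumed to be in time order, as in an exported log."""
    latest = {}
    for r in user_logons(text):
        latest[r["user"]] = (r["when"], r["workstation"])
    return latest


def noise_fraction(text):
    """Share of the log that the filter throws away."""
    rows = parse_export(text)
    return sum(1 for r in rows if is_noise(r)) / len(rows)
```

Note that this filters after the fact; it does not shrink the log on the DC. Dropping the machine-account and anonymous records is safe for the "who logged on from where" requirement, but keep the raw exports as well, because those same noisy records are what an investigator needs to trace a null-session enumeration or a rogue machine account.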
RE: [ActiveDir] [OT] RPC DCOM WORM (MSBLASTER)
Lol... :-)

-Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 5:41 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] [OT] RPC DCOM WORM (MSBLASTER)

In case you've been sleeping on the RPC DCOM hole (MS03-26), the time to patch was a couple of weeks ago, but if you still didn't... Duck... No actually patch! Now is not the time for your company to discover that a firewall doesn't protect all entrances to your network.

http://isc.sans.org/diary.html?date=2003-08-11

Handlers Diary August 11th 2003 Updated August 11th 2003 19:35 EDT

RPC DCOM WORM (MSBLASTER)

This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly. ** NOTE: PRELIMINARY. Do not base your incident response solely on this writeup. **

Executive Summary: A worm has started spreading early afternoon EDT (evening UTC Time) and is expected to continue spreading rapidly. This worm exploits the Microsoft Windows DCOM RPC Vulnerability announced July 16, 2003. The SANS Institute and Incidents.org recommend the following Action Items:

* Close port 135/tcp (and if possible 135-139, 445 and 593)
* Ensure that all available patches have been applied, especially the patches reported in Microsoft Security Bulletin MS03-026.
* This bulletin is available at http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
* Infected machines are recommended to be pulled from the network pending a complete rebuild of the system.

Increase in port 135 activity: http://isc.sans.org/images/port135percent.png

Technical Details: Names and Aliases: W32.Blaster.Worm (Symantec), W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trend Micro), Win32.Posa.Worm (CA), Lovsan (F-Secure), MSBLASTER, Win32.Poza.

Infection sequence: 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET 2. this causes a remote shell on port at the TARGET 3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port , 4.
the target will now connect to the tftp server at the SOURCE. The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed: MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

So far we have found the following properties:
- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot. Name of registry key: SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

Strings of interest: msblast.exe I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!! windowsupdate.com start %s tftp -i %s GET %s %d.%d.%d.%d %i.%i.%i.%i BILLY windows auto update SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c. Once you are infected, we highly recommend a complete rebuild of the site. As there have been a number of irc bots using the exploit for a few weeks now, it is possible that your system was already infected with one of the prior exploits. Do not connect an unpatched machine to a network. The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000 and XP. The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the universal Win2k offset only.
Other References:
http://www.cert.org/advisories/CA-2003-19.html
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
http://www3.ca.com/virusinfo/virus.aspx?ID=36265
http://www.datafellows.com/v-descs/msblast.shtml
http://us.mcafee.com/virusInfo/default.asp?id=descriptionvirus_k=100547
http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
http://xforce.iss.net/xforce/alerts/id/150
http://vil.nai.com/vil/content/v_100547.htm

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
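The SANS writeup quoted above gives three host-side indicators: the Run-key persistence value 'windows auto update' pointing at msblast.exe, the MD5 of the 6176-byte packed sample, and the strings embedded in the binary. The script below is an added example (not SANS or list code) that turns those into a triage check: it reads a regedit-style export for the persistence entry, hashes a file against the published MD5, and looks for the indicator strings. The registry export and the file bytes are constructed stand-ins, not the real worm. The hash only catches that exact packed sample, so a repacked variant would pass the MD5 check while still tripping the Run-key and string checks; that is why the verdict does not rely on the hash alone.

```python
"""Triage a host for the MSBLASTER indicators in the SANS writeup.

Added example, not SANS or list code.  The registry export and the file
bytes are constructed; the hash, Run value name and strings come from the
writeup above.
"""
import hashlib
import re

MSBLAST_MD5_PACKED = "5ae700c1dffb00cef492844a4db6cd69"   # 6176-byte packed sample
RUN_KEY_SUFFIX = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "windows auto update"
INDICATOR_STRINGS = [b"msblast.exe", b"I just want to say LOVE YOU SAN!!",
                     b"windowsupdate.com", b"tftp -i"]

# Constructed regedit-style export from a hypothetical infected host.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"windows auto update"="msblast.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"""

# Constructed stand-in for a dropped file; not the real worm binary.
SAMPLE_FILE = b"MZ\x90\x00" + b"\x00" * 16 + b"msblast.exe\x00tftp -i %s GET %s\x00"


def run_key_hits(reg_export):
    """(value name, command) pairs under ...\\Run that look like the worm's
    persistence entry, by value name or by the command it launches."""
    hits, in_run = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.rstrip("]").upper().endswith(RUN_KEY_SUFFIX.upper())
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line) if in_run else None
        if m and (m.group(1).lower() == RUN_VALUE_NAME or "msblast" in m.group(2).lower()):
            hits.append((m.group(1), m.group(2)))
    return hits


def md5_matches(data):
    """True only for the exact packed sample SANS hashed."""
    return hashlib.md5(data).hexdigest() == MSBLAST_MD5_PACKED


def string_hits(data):
    return [s.decode() for s in INDICATOR_STRINGS if s in data]


def assess(reg_export, data):
    """Combine the checks.  A Run-key hit alone is enough to treat the host
    as compromised and pull it off the network, as the writeup advises."""
    verdict = {"run_key": run_key_hits(reg_export),
               "md5_match": md5_matches(data),
               "strings": string_hits(data)}
    verdict["infected"] = (bool(verdict["run_key"]) or verdict["md5_match"]
                           or len(verdict["strings"]) >= 2)
    return verdict
```

The check is deliberately offline (it takes a registry export and file bytes rather than touching the live host) so it can be run against artefacts collected from a suspect machine before the rebuild the writeup recommends.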
Re: [ActiveDir] Connection String
From the online help about NameTranslate, VBScript Example (haven't tried it, but looks like it should work):

Dim nto
Const ADS_NAME_INITTYPE_SERVER = 2
Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_NT4 = 3
server = "aDsServer"
user = "jeffsmith"
dom = "Fabrikam"
passwd = "top secret"
dn = "CN=jeffsmith,CN=Users,DC=Fabrikam,DC=COM"
Set nto = CreateObject("NameTranslate")   ' the SDK sample uses Server.CreateObject, the ASP form
nto.InitEx ADS_NAME_INITTYPE_SERVER, server, user, dom, passwd
nto.Set ADS_NAME_TYPE_1779, dn
result = nto.Get(ADS_NAME_TYPE_NT4)

- Original Message - From: Roger Seielstad [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:31 PM Subject: RE: [ActiveDir] Connection String

The only problem with that is you can't call the same methods from VBScript - which is where I seem to need it the most. Better brush up on my mAd VB.net skilz...

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:17 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String

Pablo, here is some code I use in VB.NET to do a similar thing, should be convertible to C# without much hassle.

' strUserName = the fully qualified LDAP path of a user or group,
' ie LDAP://CN=GroupName,DC=testdomain,DC=local
' Constants required, rest are in the online doco for NameTranslate
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_NT4 = 3
Dim Translate As New ActiveDs.NameTranslate
Dim strUser As String
' We want to chat to a GC server, any one will do
Translate.Init(ADS_NAME_INITTYPE_GC, "")
' Pass in the FQDN name of the object -- the call doesn't like the LDAP:// on the front, so strip it
Translate.Set(ADS_NAME_TYPE_1779, Mid(strUserName, 8))
' Get back the NT v4 equivalent
strUser = Translate.Get(ADS_NAME_TYPE_NT4)
Translate = Nothing
' strUser now = the DOMAIN\UserName pair

You can easily go the other way, ie pass in the Domain\username pair, and get back the LDAP path.
It's all in the online doco, just do a search for NameTranslate. Very cool actually, was hacking around trying to pull apart LDAP strings and massage them myself; this is MUCH easier (and faster). HTH Glenn (lucky you asked today, worked out how to do this last night *grin*)

- Original Message - From: Pablo Curello [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:44 PM Subject: RE: [ActiveDir] Connection String

That's right, but what if the user Pablo Curello is inside an organizational group? In that case, the LDAP string should be (for example): LDAP://cn=Pablo Curello, ou=Sales, dc=yourdomain, dc=com. It doesn't work with: LDAP://cn=Pablo Curello, dc=yourdomain, dc=com. Thanks.

-Original Message- From: Costanzo, Ray [mailto:[EMAIL PROTECTED] Sent: Monday, August 04, 2003 2:34 PM To: [EMAIL PROTECTED]

I believe that you mean DOMAIN\Username, and if so:

Function GetFullName(sUser)
    Dim sUserInfo, sUsername, sDomain, oUser
    sUserInfo = Split(sUser, "\")
    sDomain = sUserInfo(0)
    sUsername = sUserInfo(1)
    Set oUser = GetObject("WinNT://" & sDomain & "/" & sUsername & ",user")
    GetFullName = oUser.FullName
    Set oUser = Nothing
End Function

That will give you the full name, such as: Curello\, Pablo. And then you can use:

sFullname = GetFullName("yourdomain\pcurello")
sLDAP = "LDAP://cn=" & sFullname & ",dc=yourdomain,dc=com"

How you get the dc= part from the oldschool netbios name, I'm not sure though. And I can't translate this to C for you. :] Ray at work

-Original Message- From: Pablo Curello [mailto:[EMAIL PROTECTED]

Hello all. Does anybody know how to transform a user's identity DOMAIN/USERNAME to an ldap connection string CN=name, DC=... ? I know how to do it in COM (C++) using the IADsNameTranslate interface, but now I'm using C#. Thanks.

** ** ** The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above. Distribution, publication, or retransmission of this message is strictly prohibited.
This message may be a bank to client communication and as such is priviliged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message. The sender of this e-mail specifically opts-out of the Electronic Signatures and Global and National Commerce Act (E-Sign) and
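Two things in the thread above are worth making concrete. Ray's sLDAP = "LDAP://cn=" & sFullname & ",dc=..." only works because ADSI hands back the display name already escaped ("Curello\, Pablo"); concatenate a raw name containing a comma, plus sign or parenthesis into a DN or a search filter and you address a different object, or let a user-supplied name rewrite your query. And, as Pablo found, a DN built from a name alone cannot know which OU the object lives in, which is why the thread settles on NameTranslate (a directory lookup) rather than string assembly. The following is an added example, not code from the thread or from any list member: an RFC 2253 escaper and splitter for DNs, and an RFC 4515 escaper for the sAMAccountName filter that a lookup by DOMAIN\user actually needs. The domain, OU and user names are placeholders.

```python
"""Safe construction and parsing of LDAP DNs and search filters.

Added example, not the thread's code.  Domain, OU and user names are
placeholders.  escape_dn_value follows RFC 2253, escape_filter_value
follows RFC 4515.
"""

DN_SPECIAL = set(',+"\\<>;')   # characters that must be escaped inside an RDN value


def escape_dn_value(value):
    """Backslash-escape specials, a leading '#', and leading/trailing spaces."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(cn, ous, dns_domain):
    """CN=...,OU=...,DC=... with every value escaped.  The OU path still has
    to come from a directory lookup; nothing in DOMAIN\\user tells you it."""
    rdns = ["CN=" + escape_dn_value(cn)]
    rdns += ["OU=" + escape_dn_value(ou) for ou in ous]
    rdns += ["DC=" + label for label in dns_domain.split(".")]
    return ",".join(rdns)


def split_dn(dn):
    """Split a DN into (type, unescaped value) pairs, honouring backslash
    escapes, so an escaped comma stays inside its value."""
    pairs, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pairs.append("".join(buf))
    return [tuple(p.split("=", 1)) for p in pairs]


def escape_filter_value(value):
    """RFC 4515: \\ * ( ) and NUL become \\XX hex escapes inside a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def samaccountname_filter(domain_user):
    """DOMAIN\\user -> the filter that finds the object by sAMAccountName,
    which is the lookup NameTranslate performs for you."""
    _domain, _sep, user = domain_user.partition("\\")
    return "(sAMAccountName=%s)" % escape_filter_value(user)
```

Run split_dn over the naive concatenation "cn=Curello, Pablo,dc=yourdomain,dc=com" and it yields four components with the CN cut off at "Curello"; the escaped form from build_dn yields three. The same discipline applies to the filter: without escape_filter_value, a name like "p*" turns an exact-match lookup into a wildcard.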
[ActiveDir] changing home drive problem
Hi all, I am moving home folders to a new server. Since I have thousands of users I need to script this. The script works fine; however, the new home folders don't map until I go into ADUC, make a change to the home folders (add a space to the end of the path, then delete it) and hit apply. I am working with the "connect to" line. Does anyone have any ideas why this is and, more important, how do I get around it? I really don't want to have to open 3000 accts. The script is below:

'
' script to create home folders on new server
' Rick Gasper
' Copyright (c) 2003
' 8-7-2003
' You may use, modify, reproduce, and
' distribute this script in any way you find useful, provided that
' you agree that the copyright owner above has no warranty, obligations,
' or liability for such use.
'
' get users from ad
Set Ulist = GetObject("LDAP://OU=test,ou=User-Accts,DC=home,DC=test")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set wshShell = WScript.CreateObject("Wscript.Shell")
' startloop
For Each Usr In Ulist
    ' set useracct variable so that the useracct = usr.samaccountname
    useracct = usr.samaccountname
    struser = "WinNT://server1/" & usr.samaccountname & ",user"   ' not used below
    strpath = "\\server1\staff$\" & usr.samaccountname
    usr.HomeDirectory = strpath
    usr.HomeDrive = "S:"   ' homeDrive is the drive letter with its colon, as ADUC writes it
    usr.SetInfo
    Set objFolder = objFSO.CreateFolder(strpath)
    ' create xcacls scripts
    struserperms = useracct & ":rwc /y"
    stradminperms = "/G administrators:f " & useracct & ":f /y"
    strperms = "xcacls " & strpath & " " & stradminperms
    wshShell.Run strperms, 0, True   ' wait for xcacls to finish before the next account
Next
' end here

Rick Gasper Manager of Network Services King's College Wilkes-Barre PA 18706 Phone: 570-208-5845 Fax: 570-208-5989 [EMAIL PROTECTED]

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Connection String
Glenn, is that what they make documentation and comments for? Toddler

-Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 9:38 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String

HAHAHA Perl. I like to be able to read my code and understand it again in 6 months :) Glenn

- Original Message - From: Robbie Allen [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 11:14 PM Subject: RE: [ActiveDir] Connection String

Come over to the 'Dark Side' with VB.NET...it's nice and warm here *looks at the fires of hell*.

Come on guys, why go to VB.NET when you can get most of the benefits of a compiled language and a whole lot more in a lot fewer lines with Perl! muaahh...Muaahh...MUUAAAHH :-) Robbie Allen http://www.rallenhome.com/

-Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:54 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String

Roger, You should be able to convert the Primary Windows NT Account into a Domain\Username pair. I did do it some time ago (yeah, it was Ex 5.5 timeframe too). I'll have a dig around (from memory it was using LookupAccountSID *shudder*). If your UPN in 2k and Exchange email address use the same format (ie [EMAIL PROTECTED]), you could cheat a bit, and use the UPN conversion type code: ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9 User principal name format. For example, [EMAIL PROTECTED] *shrug* might be worth a stab. Not sure about mixing NT v4 and 2k servers in the call, I don't think it would work too well (may require AD). Come over to the 'Dark Side' with VB.NET...it's nice and warm here *looks at the fires of hell*. G.

- Original Message - From: Roger Seielstad [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:42 PM Subject: RE: [ActiveDir] Connection String

Cool. Might be able to stay away from a compiler for another 3 months...
I know what it was that didn't work - VBScript can't handle the way Exchange 5.5[1] returns the Primary Windows NT Account attribute - it comes back as a string octet (I think). The VB examples all included the same constant defs, so I was thinking it was the same thing I looked at a month or two ago. Now I'm wondering if I can just direct translate using the syntax below... I'll have to try that later...

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. [1] Yeah, I'm still running it

-Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:36 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String

From the online help about NameTranslate, VBScript Example (haven't tried it, but looks like it should work):

Dim nto
Const ADS_NAME_INITTYPE_SERVER = 2
Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_NT4 = 3
server = "aDsServer"
user = "jeffsmith"
dom = "Fabrikam"
passwd = "top secret"
dn = "CN=jeffsmith,CN=Users,DC=Fabrikam,DC=COM"
Set nto = CreateObject("NameTranslate")   ' the SDK sample uses Server.CreateObject, the ASP form
nto.InitEx ADS_NAME_INITTYPE_SERVER, server, user, dom, passwd
nto.Set ADS_NAME_TYPE_1779, dn
result = nto.Get(ADS_NAME_TYPE_NT4)

- Original Message - From: Roger Seielstad [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 10:31 PM Subject: RE: [ActiveDir] Connection String

The only problem with that is you can't call the same methods from VBScript - which is where I seem to need it the most. Better brush up on my mAd VB.net skilz...

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.
-Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:17 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String

Pablo, here is some code I use in VB.NET to do a similar thing, should be convertible to C# without much hassle.

' strUserName = the fully qualified LDAP path of a user or group,
' ie LDAP://CN=GroupName,DC=testdomain,DC=local
' Constants required, rest are in the online doco for NameTranslate
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_NT4 = 3
Dim Translate As New ActiveDs.NameTranslate
Dim strUser As String
' We want to chat to a GC server, any one will do
Translate.Init(ADS_NAME_INITTYPE_GC, "")
' Pass in the FQDN
RE: [ActiveDir] LDAP LastLogin for Computers
Well, that wouldn't be the first time :-) At some point I suspect I'll *need* to query for a non-replicated attribute, so it's not a totally wasted effort. Your suggestion is a better fit in this case, though. Back to visual notepad. Cheers, Hunter

From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2003 7:12 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] LDAP LastLogin for Computers

You're doing this the hard way. It's far easier to know that computers will change their password automatically after 30 days. Look for any computer account with a password age say greater than 90 days and then take action. Keep in mind also that password age (in the form of the date the password was last set) is a replicated attribute within a domain, so you only need to query a single DC. Roger

-- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

-Original Message- From: Coleman, Hunter [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 10:10 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] LDAP LastLogin for Computers

I'm getting the computer "lastlogin" attribute, which as I understand it is the most recent time that the workstation authenticated to a domain controller. I believe the oldest this timestamp would be is the last time the machine started up. Also, lastlogin is not a replicated attribute, so you have to check either all of the domain controllers or at a minimum all of the domain controllers in the workstation's site in order to get an accurate value. I'll send you a copy of the script separately. Hunter

From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 7:28 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] LDAP LastLogin for Computers

Hunter, Are you actually querying the workstation, or just the user accounts?
If you're finding out when a computer was last logged onto, I would LOVE to have a copy of the script as well (so I can kick our desktop support guys in the bum to clean up *MY* AD) *grin* Glenn [EMAIL PROTECTED]

- Original Message - From: Coleman, Hunter To: '[EMAIL PROTECTED]' Sent: Thursday, August 07, 2003 3:48 AM Subject: RE: [ActiveDir] LDAP LastLogin for Computers

I've sent you off-list a copy of a script we use to get this information. Hope it helps. Hunter

From: England, Christopher M [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 8:22 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] LDAP LastLogin for Computers

Greetings all, I am trying to pull LDAP queries on computer accounts and I want to find out the last time someone logged into the machine. "WhenModified" is just the computer account object and "LastLogin" is just for user accounts. Am I out of luck? What I have is this: 400 or so computer accounts in one OU (with many sub-OUs) probably need to be 1) moved to a new OU or 2) deleted. #1 happens if they have logged in in, say, the last few months. #2 if not. Any suggestions would be great! Thanks, Chris

- Christopher England Server Administrator MCSA, Server+, Network+, A+ College Information Technology Office Indiana University
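The two approaches in the thread differ in what they cost: pwdLastSet on a computer object replicates, so one DC answers for the domain, while lastLogon is written only on the DC that serviced the logon, so a single-DC query can flag a perfectly live machine as stale. The script below is an added example, not Hunter's script or anything from the list; it takes both attributes as the 64-bit FILETIME integers AD stores (100-nanosecond ticks since 1601-01-01 UTC, 0 meaning never set), applies Roger's 90-day rule to pwdLastSet, and shows how lastLogon has to be reduced to the newest value across every DC queried. The DC and computer names and the timestamps are constructed.

```python
"""Stale computer accounts from pwdLastSet (replicated) and lastLogon
(not replicated; take the newest value over all DCs).

Added example, not the list's script.  Values are AD FILETIME integers
(100-ns ticks since 1601-01-01 UTC, 0 = never set).  The DC names,
computer names and timestamps below are constructed.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """0 means 'never' (e.g. lastLogon on a DC the machine never hit)."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


AS_OF = datetime(2003, 8, 7, tzinfo=timezone.utc)   # "today" for the sample


def _days_ago(n):
    return datetime_to_filetime(AS_OF - timedelta(days=n))


# pwdLastSet per computer, as read from any single DC (it replicates).
PWD_LAST_SET = {"WS001$": _days_ago(12), "WS002$": _days_ago(140),
                "WS003$": 0, "WS004$": _days_ago(89)}

# lastLogon per DC: each DC only knows the logons it serviced itself.
LAST_LOGON_PER_DC = {
    "DC1": {"WS001$": _days_ago(3), "WS002$": _days_ago(200), "WS004$": _days_ago(150)},
    "DC2": {"WS001$": _days_ago(1), "WS004$": _days_ago(5)},
}


def _older_than(ft, cutoff):
    when = filetime_to_datetime(ft)
    return when is None or when < cutoff


def stale_by_password_age(pwd_last_set, as_of, max_age_days=90):
    """Roger's rule: machines renew their password every 30 days by default,
    so a password older than max_age_days (or never set) means the machine
    has not been on the network."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(c for c, ft in pwd_last_set.items() if _older_than(ft, cutoff))


def effective_last_logon(per_dc):
    """Reduce per-DC lastLogon values to the newest one per computer."""
    best = {}
    for values in per_dc.values():
        for computer, ft in values.items():
            best[computer] = max(best.get(computer, 0), ft)
    return best


def stale_by_last_logon(per_dc, as_of, max_age_days=90):
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(c for c, ft in effective_last_logon(per_dc).items()
                  if _older_than(ft, cutoff))
```

In the sample, WS004$ last authenticated through DC2 five days ago; asking DC1 alone reports a 150-day-old lastLogon and would have it deleted, which is the trap Hunter describes. Whichever attribute is used, disable and move the account before deleting it, since a machine that has simply been off the network (a laptop, a cold spare) comes back with its old password and will re-join only if the account still exists.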
RE: [ActiveDir] OT: Packaging Software for Deployment
Justin, Being a part of your HIPAA requirement solution, it would be somewhat imperative to get it right the first time and know that you're in compliance, right? Given that, and the specifics of compliance under HIPAA (generally impossible, so why try) I'd suggest a mechanism that is going to log proper installation and confirmation of delivery and execution. This means, to me at least, that you're going to need much more than what GP could provide. Me - I'd be doing this manually with people eyeballing it. If it absolutely, positively has got to be there tomorrow... Bad joke - never mind. You get what I mean, right? You don't have SMS, as I remember, so that's not an option either. You really don't have much else left to ensure installation. How's your weekend looking? ;-)

Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Thursday, August 07, 2003 7:56 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Packaging Software for Deployment

It is a generic button plugin for Outlook from the company certifiedmail.com www.certifiedmail.com This is our HIPAA solution for secure e-mail.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 6:15 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Packaging Software for Deployment

Justin, What product is it? If it is Adobe Acrobat Reader, Winzip, DirectX, Windows Media Player etc. there are alternate methods available. James

-Original Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Thursday, 7 August 2003 7:04 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Packaging Software for Deployment

I believe that the last time I tried using a ZAP file, it didn't take UNCs, only drive letters (e.g. z:\myapp\setup.exe).
Probably worth testing yourself though, since it's been a while. As Rod's webpage notes, ZAP files don't provide privilege escalation like MSIs do. So, the user will need to have proper permissions on the workstation for the installation to complete successfully. Frankly, it's probably worth it to you to repackage the app in MSI format. WinInstall LE usually works ok for basic snapshots and it's free on the Win2K Server CD or, an updated version here: http://www.ondemandsoftware.com/freele2003/wifam.asp

-Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 1:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: Packaging Software for Deployment

The setup command part, would that be the UNC path to the install? Also, will the install run as administrator or as the user? Will the user be prompted to do anything during installation?

-Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 3:40 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: Packaging Software for Deployment

You can use a .Zap file: http://www.myitforum.com/articles/6/view.asp?id=648

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Wednesday, August 06, 2003 3:05 PM To: ActiveDir (E-mail) Subject: [ActiveDir] OT: Packaging Software for Deployment

Hello Everyone, I have an install that I need to push out to all users and would like to do it through GPO. However there is no MSI file associated with this install, it is just an EXE. How can I push this out through a GPO? Justin A.
Salandra, MCSE Senior Network Engineer Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Password Lookup
Ryan,

If you're asking this because you're doing a security/password strength analysis sweep, you can use a couple of different tools to do this (all of which will rely on administrative privileges to AD). Tools like PWDUMP2 have been updated to pull password hashes from the active directory, which can then be used with tools like LC4 and John the Ripper to do the actual dictionary attacks.

pwdump2 http://razor.bindview.com/tools/desc/pwdump2_readme.html
John the Ripper http://www.openwall.com/john/
LC4 http://www.atstake.com/research/lc/ http://www.atstake.com/research/lc/download.html
samdump http://www.atstake.com/research/lc/dist/samdump.zip

Hope this helps,
Richard

From: Robbie Allen
Sent: Tuesday, August 05, 2003 10:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Password Lookup

I don't believe MS does, but there are a few scripts/tools on the net that can be used to do it. Have you enabled password complexity, which prevents the use of dictionary passwords? Do you have account lockout enabled? It is much harder (i.e. time consuming) to perform dictionary attacks against AD if account lockout is turned on.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Lookup

Does anyone know if Microsoft provides provisions for doing dictionary lookups on passwords?

Thanks!
Ryan McDonald
Systems Administrator
The Bankers Bank
RE: [ActiveDir] Groups and OU's
I'd suggest doing whatever makes sense to you, really. We have 4 basic OU's - Employees, Workstations, Servers and Groups. Part of my rationale for having a separate OU for Groups is that I also maintain a separate recipients container in Exchange 5.5 for Distribution Lists (we tend to have a lot of them). I'm thinking that will make the ADC run a bit cleaner when we flip that switch.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 4:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Groups and OU's

Is it advisable to have an OU for Groups? What are the pros and cons? I want a very simple and basic OU structure.
RE: [ActiveDir] How to force RID master change
NTDSUTIL.EXE, follow the prompts to seize the role. NOTE: Once you seize this role make sure the dead RID is offline and fdisk'd as you never want that server to come back and start servicing DC's with its old RID pool. The new RID master will artificially inflate the RID pool to a higher number and if per chance the old RID master comes back online in the future it could potentially catch up to the new RID master and issue duplicates. That is a big mess you don't want to get into.

Regards,
Dave

-Original Message-
From: EN [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 1:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to force RID master change

I'm searching the knowledge base, but I thought maybe someone had something I could use here as well. Well, one of my DCs just died, hard drive failed completely. Fine. I have another DC, but now I can't change the RID role. I could change the GC, PDC and infrastructure, but the RID master can't be changed, and it states on the tab "server is offline. Can't change roles". What's the best way to force the change?

Thanks
Re: [ActiveDir] Max Connections?
I went there and the radio button is set to "Maximize data throughput for file sharing". This problem started happening before the blaster worm went out. Where would I check if the settings are set to auto negotiate and the set port thing?

Thanks
- Richard S.

On Thursday, August 14, 2003, at 10:33 AM, Myrick, Todd (NIH/CIT) wrote:

I would go into the Network Connections and select the network adapter on the server. On the Microsoft File and Print item, select properties. And make sure the settings are optimized for file and print sharing. Next you could pull up perfmon and see what the network usage is for the box, and number of SMB sessions that are on the box. Also you could be seeing MBLAST related issues. NIC settings on the server could be a problem, if the settings are set to auto negotiate, and the switch port is either not set or set differently. Finally Disk subsystems are very important when you have more than one person connecting to the drive. IDE is optimized for 1 or 2 concurrent users.

Toddler

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 1:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Max Connections?

I'm using a Windows 2000 Server computer as a File Server but sometimes people have trouble connecting to it and they are on the local network. This network is very very small (about 10 users) and yet sometimes some people cannot connect to the file server so I'm wondering if there is a Maximum number of connections preventing people from connecting at times or what else can be the problem that people can't see the server? It seems to be unstable. Any ideas or suggestions are appreciated.

Thank You
- Richard S.
RE: [ActiveDir] LDAP LastLogin for Computers
One way to go about it would be to turn up the auditing and query the event log on the machine for login success/failure events.

John A. Bjelke
Unisys
505.853.6774
[EMAIL PROTECTED]
"Many of life's failures are people who did not realize how close they were to success when they gave up." -Thomas Edison

-Original Message-
From: England, Christopher M [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 8:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP LastLogin for Computers

Greetings all, I am trying to pull LDAP queries on computer accounts and I want to find out the last time someone logged into the machine. "WhenModified" is just the computer account object and "LastLogin" is just for user accounts. Am I out of luck? What I have is this: 400 or so computer accounts in one OU (with many sub-OUs) probably need to be 1) moved to a new OU or 2) deleted. #1 happens if they have logged in in say the last few months. #2 if not. Any suggestions would be great!

Thanks,
Chris
-
Christopher England
Server Administrator
MCSA, Server+, Network+, A+
College Information Technology Office
Indiana University
RE: [ActiveDir] Non-dictionary passwords
You can't do this natively but you can write a password filter DLL to hook into the LSASS to do it. It isn't a trivial experiment as bad code will do bad things since it is running as LSASS and when LSASS gets cranky, blue tends to be your predominant screen theme color. There are some third party tools out there but I have never investigated them to see how good they are. Note that they tend to be licensed by both number of users and number of domain controllers because the DLL must be loaded on every DC.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 4:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non-dictionary passwords

Does anyone know if you can set up AD so that when someone changes their password it will not let them change it with a dictionary word? Because $password1 will work if you have it set to "Password must meet complexity requirements". If not, what is a good software to do this with?

Thanks again!
Ryan McDonald
Systems Administrator
The Bankers Bank
770-805-2304
[ActiveDir] OT: Patch Management
Hi, we finally 'found' some money to purchase software that will help with patch management. I was wondering if anybody has suggestions what I should look at (and what not to look at). We have about 300 local servers and a handful more across the WAN. They're NT, 2000 and 2003 in an NT/AD multi-domain configuration. I'm not concerned about workstations for this project.

Thanks
RE: [ActiveDir] How to force RID master change
One thing to do is use NTDSUTIL to seize the RID master role. Remove all references to the failed DC in AD (ADSI edit, Sites and Services, DNS). Let replication update all DC's. You should then be able to bring the server back using its original name.

HTH

-Original Message-
From: EN [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 10:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] How to force RID master change

Thanks, I have a question though. I want to still use this server. I got a completely new HD in there now, and I want to use the same name. Bad idea? What should I really do, this is the first time this has happened and I haven't read of what should be done when something like this occurs.

Ernesto

- Original Message -
From: Chianese, David P. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 12:33 PM
Subject: RE: [ActiveDir] How to force RID master change

NTDSUTIL.EXE, follow the prompts to seize the role. NOTE: Once you seize this role make sure the dead RID is offline and fdisk'd as you never want that server to come back and start servicing DC's with its old RID pool. The new RID master will artificially inflate the RID pool to a higher number and if per chance the old RID master comes back online in the future it could potentially catch up to the new RID master and issue duplicates. That is a big mess you don't want to get into.

Regards,
Dave

-Original Message-
From: EN [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 1:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to force RID master change

I'm searching the knowledge base, but I thought maybe someone had something I could use here as well. Well, one of my DCs just died, hard drive failed completely. Fine. I have another DC, but now I can't change the RID role. I could change the GC, PDC and infrastructure, but the RID master can't be changed, and it states on the tab "server is offline. Can't change roles". What's the best way to force the change?

Thanks
[ActiveDir] Broken RPC between DC's
Strange one this. Two DC's, same site, different subnets separated by a router. Clients on subnet A can net view \\serverB, clients on subnet B can net view \\serverA - but serverA and serverB cannot net view each other - iyswim. Almost like a broken netbios channel between just these two servers.

ServerA can ping ServerB etc
WINS is in use and correctly defined in TCP/IP properties
Time is accurate on both DC's

The error posted is ..

C:\net view \\nysdapdcm
System error 64 has occurred.
The specified network name is no longer available.

Ian Moran
Konnexion Ltd
RE: [ActiveDir] [OT] RPC DCOM WORM (MSBLASTER)
Charles,

Our remote satellite sites were hit and infected 3/7 (broadband satellite), Internally no problems.

Info @: Trend describes best way to do a manual removal.

Easy Way: If you were infected and PC keeps restarting go to Services - Remote Procedure Call (RPC). Right mouse click, go to Properties, go to Recovery tab and choose Take No Action for all three options, hit Apply. This will give you enough time to apply the Microsoft patch.
Go to Task Manager - Processes tab. End MBLAST.exe process/task, dependent on OS.
Go to Regedit32.exe, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. In the right panel, locate and delete the entry: windows auto update = MSBLAST.EXE
Update virus defs and do a full system scan.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Patch, choose OS, @: http://support.microsoft.com/?kbid=823980

Hope that no one is affected too badly by this one.

James

-Original Message-
From: Charles Campbell [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 12 August 2003 11:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] RPC DCOM WORM (MSBLASTER)

I've been getting hammered on this one myself... My firewall logs are packed with hits to ports 135 and 445.

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, August 11, 2003 19:41
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [OT] RPC DCOM WORM (MSBLASTER)

In case you've been sleeping on the RPC DCOM hole (MS03-26), the time to patch was a couple of weeks ago, but if you still didn't... Duck... No actually patch! Now is not the time for your company to discover that a firewall doesn't protect all entrances to your network.

http://isc.sans.org/diary.html?date=2003-08-11
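Charles's observation above (firewall logs "packed with hits to ports 135 and 445") is the kind of signal a defender can quantify. The following is an added example, not code from the list or from any of the posters: it tallies denied connection attempts per destination port and separates "many distinct sources hitting one port" (worm-like spread) from "one source touching many ports" (scanner-like). The syslog-style line format, firewall name, addresses and timestamps are all constructed for the example; adapt the regex to your own firewall's log format.

```python
"""Tally blocked connection attempts per destination port from firewall log
lines and flag ports being hit from many distinct sources. Added example; the
log format and addresses below are constructed, not from any real firewall."""

import re
from collections import defaultdict

# Constructed deny/allow lines in the form
#   "<month day time> <firewall> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
Aug 12 09:14:02 fw1 deny tcp 10.1.7.22:1034 -> 192.0.2.10:135
Aug 12 09:14:02 fw1 deny tcp 10.1.7.22:1035 -> 192.0.2.10:445
Aug 12 09:14:05 fw1 deny tcp 10.1.9.4:2201 -> 192.0.2.10:135
Aug 12 09:14:05 fw1 deny tcp 10.1.9.4:2202 -> 192.0.2.10:445
Aug 12 09:14:09 fw1 deny tcp 10.2.0.17:3340 -> 192.0.2.10:135
Aug 12 09:14:09 fw1 deny tcp 10.2.0.17:3341 -> 192.0.2.10:445
Aug 12 09:14:11 fw1 deny tcp 10.2.0.17:3342 -> 192.0.2.11:135
Aug 12 09:14:15 fw1 deny tcp 10.3.3.3:1100 -> 192.0.2.10:135
Aug 12 09:14:15 fw1 deny tcp 10.3.3.3:1101 -> 192.0.2.10:445
Aug 12 09:14:20 fw1 deny tcp 10.4.12.8:4003 -> 192.0.2.10:135
Aug 12 09:14:20 fw1 deny tcp 10.4.12.8:4004 -> 192.0.2.10:445
Aug 12 09:14:31 fw1 deny tcp 10.5.1.1:5123 -> 192.0.2.10:135
Aug 12 09:15:00 fw1 deny tcp 10.9.9.9:6000 -> 192.0.2.10:22
Aug 12 09:15:00 fw1 deny tcp 10.9.9.9:6001 -> 192.0.2.10:23
Aug 12 09:15:01 fw1 deny tcp 10.9.9.9:6002 -> 192.0.2.10:80
Aug 12 09:15:01 fw1 deny tcp 10.9.9.9:6003 -> 192.0.2.10:135
Aug 12 09:15:03 fw1 allow tcp 10.1.7.22:1040 -> 192.0.2.10:80
this is not a firewall line
"""

FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<fw>\S+) (?P<action>deny|allow) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def tally(lines):
    """Count denied records and distinct sources per destination port, and
    distinct destination ports per source; lines that do not parse are counted."""
    per_port_records = defaultdict(int)
    per_port_sources = defaultdict(set)
    per_source_ports = defaultdict(set)
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        m = FW_RE.match(line)
        if not m:
            unparsed += 1
            continue
        if m["action"] != "deny":
            continue  # only blocked attempts are of interest here
        port, src = int(m["dport"]), m["src"]
        per_port_records[port] += 1
        per_port_sources[port].add(src)
        per_source_ports[src].add(port)
    return {
        "ports": {p: (per_port_records[p], len(per_port_sources[p])) for p in per_port_records},
        "sources": {s: len(ports) for s, ports in per_source_ports.items()},
        "unparsed": unparsed,
    }


def worm_like_ports(stats, min_sources=5):
    """Ports hit by at least min_sources distinct sources: many sources converging
    on one port is the pattern of self-propagating code rather than of one scanner."""
    return sorted(p for p, (_, n_sources) in stats["ports"].items() if n_sources >= min_sources)


def scanner_like_sources(stats, min_ports=3):
    """Sources that probed at least min_ports distinct ports: one host sweeping ports."""
    return sorted(s for s, n_ports in stats["sources"].items() if n_ports >= min_ports)


if __name__ == "__main__":
    stats = tally(SAMPLE_LOG.splitlines())
    for port, (records, n_sources) in sorted(stats["ports"].items()):
        print(f"port {port}: {records} denied records from {n_sources} distinct sources")
    print("worm-like ports:", worm_like_ports(stats))
    print("scanner-like sources:", scanner_like_sources(stats))
    print("unparsed lines:", stats["unparsed"])
```

The thresholds (5 sources, 3 ports) are arbitrary and should be tuned against a baseline day of your own logs; the point is the ratio of distinct sources to records per port, not any absolute count.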
[ActiveDir] Turn off account lockout feature on a account.
Does anyone know how to disable account lockout restrictions on an account like a service account, but leave the rest of the accounts with the ability to be locked out?

Thanks,
Toddler
RE: [ActiveDir] LDAP search filter for enabled accounts ?
Jerry - Thanks! Works like a charm.

Dave

-Original Message-
From: Jerry Welch [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 1:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP search filter for enabled accounts ?

Dave,

As I understand it, the following identifies a user account that is disabled:

(userAccountControl:1.2.840.113556.1.4.803:=2)

That is, the account is disabled when this value is set to 2. To exclude disabled accounts you would use the following string, plus any other filters you want to apply:

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

Jerry Welch
CPS Systems

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Fugleberg, David A
Sent: Thursday, August 14, 2003 1:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP search filter for enabled accounts ?

Is there anything I can use in a LDAP search filter to include only accounts that are enabled? For example, a filter like

((objectclass=user)(objectcategory=person)(physicalDeliveryOfficeName=MSPJ))

will find all user objects whose office is in building MSPJ - I'd like to add an argument that limits this to user objects that meet that condition that are enabled.

Dave
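Two details of Jerry's filter are worth seeing in action. The OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible match: it tests whether the bit 0x2 (ACCOUNTDISABLE) is set in userAccountControl, not whether the attribute equals 2, so a disabled normal account with the stored value 514 still matches while a plain (userAccountControl=2) equality filter would miss it. Also, Dave's filter as posted combines three items without the leading & that an AND filter needs, which a strict parser rejects. The following is an added example, not code from the list: a small RFC 4515-style filter evaluator run over constructed in-memory user entries (the names alice, bob, carol and svc-backup, the office LONJ and the flag values are made up; MSPJ is the office from the thread).

```python
"""Evaluate AD-style LDAP search filters, including the bitwise-AND extensible
match (OID 1.2.840.113556.1.4.803) used in the thread, against a constructed
in-memory set of user entries. Added example, not code from the list."""

import re

# userAccountControl flag bits (documented AD values).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

_USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample entries standing in for the result of an LDAP search base.
SAMPLE_ENTRIES = [
    {"cn": "alice", "objectClass": _USER_CLASSES, "objectCategory": "person",
     "physicalDeliveryOfficeName": "MSPJ",
     "userAccountControl": UF_NORMAL_ACCOUNT},                                   # 512, enabled
    {"cn": "bob", "objectClass": _USER_CLASSES, "objectCategory": "person",
     "physicalDeliveryOfficeName": "MSPJ",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},               # 514, disabled
    {"cn": "carol", "objectClass": _USER_CLASSES, "objectCategory": "person",
     "physicalDeliveryOfficeName": "LONJ",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},           # 66048, enabled
    {"cn": "svc-backup", "objectClass": _USER_CLASSES, "objectCategory": "person",
     "physicalDeliveryOfficeName": "MSPJ",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_ACCOUNTDISABLE},  # 66050, disabled
]

# One filter item: attribute, optional ":OID:" matching rule, "=" and a value.
_ITEM_RE = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)")


def parse_filter(text):
    """Parse a filter (AND/OR/NOT, equality, presence '*', bit rules) into a tree."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data after filter at offset {pos}")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, children = s[i], []
        i += 1
        while s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return i + 1, (op, children)
    end = s.index(")", i)
    m = _ITEM_RE.fullmatch(s[i:end])
    if not m:
        raise ValueError(f"bad filter item {s[i:end]!r}")  # e.g. a missing leading '&'
    return end + 1, ("item", m.groups())


def _get(entry, attr):
    """Case-insensitive attribute lookup; always returns a list or None."""
    for key, value in entry.items():
        if key.lower() == attr.lower():
            return value if isinstance(value, list) else [value]
    return None


def matches(node, entry):
    kind, payload = node
    if kind == "&":
        return all(matches(c, entry) for c in payload)
    if kind == "|":
        return any(matches(c, entry) for c in payload)
    if kind == "!":
        return not matches(payload[0], entry)
    attr, rule, value = payload
    values = _get(entry, attr)
    if values is None:
        return False  # absent attribute evaluates FALSE, so (!(attr=*)) finds entries lacking it
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        mask = int(value)
        return any(int(v) & mask == mask for v in values)   # every bit in the mask is set
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        mask = int(value)
        return any(int(v) & mask != 0 for v in values)      # at least one mask bit is set
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":
        return True
    return any(str(v).lower() == value.lower() for v in values)


def search(filter_text, entries=SAMPLE_ENTRIES):
    node = parse_filter(filter_text)
    return [e["cn"] for e in entries if matches(node, e)]


def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except (ValueError, IndexError):
        return False


DISABLED = "(userAccountControl:1.2.840.113556.1.4.803:=2)"
ENABLED_IN_MSPJ = ("(&(objectClass=user)(objectCategory=person)"
                   "(physicalDeliveryOfficeName=MSPJ)"
                   "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
# Dave's filter as posted, with no leading '&' in front of the three items.
AS_POSTED = "((objectclass=user)(objectcategory=person)(physicalDeliveryOfficeName=MSPJ))"

if __name__ == "__main__":
    print("disabled:", search(DISABLED))
    print("enabled in MSPJ:", search(ENABLED_IN_MSPJ))
    print("plain equality to 2:", search("(userAccountControl=2)"))
    print("as-posted filter parses:", is_valid_filter(AS_POSTED))
```

Against a real directory the same filter strings go straight into the search; the evaluator here only makes the bit semantics visible offline. Note that objectCategory in AD is really a DN (the sample stores the short form that AD also accepts in filters).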
Re: [ActiveDir] Choosing between Domain Controllers
From the command prompt on the client machine you can type

set

This will give you the local variables including the login domain controller. Hope this helps.

James R. Day
(202) 354-1464
[EMAIL PROTECTED]

From: Kevin Felker [EMAIL PROTECTED].edu
Sent by: [EMAIL PROTECTED]tivedir.org
Date: 08/13/2003 09:15 AM EST
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Choosing between Domain Controllers

Hi all, We're running two domain controllers on the same domain. My questions are
i. what command can you run to see which one your client pc is using
ii. how can you change which DC your pc client is using
Reason being, I think one of them is slow, and would rather use the other one to test this theory.

Thanks
Kevin Felker
Univ of MS
RE: [ActiveDir] Who's online
Hi Agung,

I think the command is used on the local computer only. But I think you could download the freeware from Sysinternals (www.sysinternals.com) named psexec and then use the following syntax:

psexec \\ComputerName net session

Mike Thommes

-Original Message-
From: Agung Kuswanto NCS [mailto:[EMAIL PROTECTED]
Sent: Thu 8/7/2003 9:21 PM
To: '[EMAIL PROTECTED]'
Cc:
Subject: RE: [ActiveDir] Who's online

Thanks for all the enlightenment!!! Can this command be called from a machine other than the server itself?

Best regards,
Agung

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 8:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Who's online

What about using a net session command?

Mike Thommes

-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Thu 8/7/2003 7:13 AM
To: '[EMAIL PROTECTED]'
Cc:
Subject: RE: [ActiveDir] Who's online

I use the old NT 4.0 server manager to determine what shares are in use. That gives you some visibility.

Dave

-Original Message-
From: Agung Kuswanto NCS [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 6:40 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Who's online

Hi

Is there a way to know who's online on a Win2K server? Or to check whether a certain user is online? Does AD store that kind of information? I want to use lastlogin and lastlogoff, but apparently the lastlogoff was never set.

Thank you
Regards,
Agung
RE: [ActiveDir] VBscript Help
On a last note, the Windows Scripting Guide is online at MS (wrap warning):
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/scrguide/sas_roa_overview.asp
In case you forget the book at home or are broke. :)

-sp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 6:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VBscript Help

Many thanks for all the pointers. I'd better order some of the books :-) and read them, QUICK!

Jacqui

from: Gil Kirkpatrick [EMAIL PROTECTED]
date: Thu, 07 Aug 2003 17:36:25
to: [EMAIL PROTECTED]
subject: RE: [ActiveDir] VBscript Help

Alain Lissoir's two books are great:
Understanding WMI Scripting
Leveraging WMI Scripting

-gil

Gil Kirkpatrick
CTO, NetPro

-Original Message-
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 8:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VBscript Help

Jacqui, I feel your pain; I read your e-mail and thought I had written it :-). I went to a book store and picked up Microsoft's Windows 2000 Scripting Guide. I have had really good luck with it; although everything I need isn't in there, I have been able to find what else I need on the web or by asking the very knowledgeable folks on this list. Hope that helps a little...

Thanks,
Raymond McClinnis
Network Administrator
Provident Credit Union

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 3:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] VBscript Help

I seem to be having to report more and more information on the AD. As I am not from a scripting/programming background, writing VBscripts is a little bit trial and error. Can anyone recommend any Web resources, books etc that will help me?

The way I normally achieve my end result is by trawling the web and finding a script that does part of what I wish it to do, trying to work out what it does exactly, then amending or adding bits (usually from another script). The problem I feel I have is understanding things like the core components of a script, correct syntax say for LDAP queries and object/property names. I would really like to understand what I am doing and be able to achieve simpler scripts from scratch rather than having to rip off others' hard work.

Many thanks,
Jacqui
[ActiveDir] LDAP LastLogin for Computers
Greetings all, I am trying to pull LDAP queries on computer accounts and I want to find out the last time someone logged into the machine. WhenModified is just the computer account object and LastLogin is just for user accounts. Am I out of luck? What I have is this: 400 or so computer accounts in one OU (with many sub-OUs) probably need to be 1) moved to a new OU or 2) deleted. #1 happens if they have logged in in say the last few months. #2 if not. Any suggestions would be great!

Thanks,
Chris
-
Christopher England
Server Administrator
MCSA, Server+, Network+, A+
College Information Technology Office
Indiana University
Re: [ActiveDir] Who's online
Agung

This was covered fairly comprehensively in a thread a few days ago. Look in the archives for the subject "Users Logged In" on 29.07.03. The lastLogoff attribute is not used. There is very little MS documentation on this.

Tony

-- Original Message --
From: Agung Kuswanto NCS [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Aug 2003 18:39:39 +0800

Hi

Is there a way to know who's online on a Win2K server? Or to check whether a certain user is online? Does AD store that kind of information? I want to use lastlogin and lastlogoff, but apparently the lastlogoff was never set.

Thank you
Regards,
Agung
Re: [ActiveDir] OT: Server Monitoring
Justin,

servers alive does report status to a web page, so that may be the easiest way to see if your exchange servers are alive. I understand the problem, you want to receive Email to your mailbox if a server is down, BUT if it's the exchange server you can't get any mail. The problem is that if the exchange server is down, an SMTP script isn't going to do anything if the intended destination for the message is your exchange server, the message just can't get there. There are some command line smtp mailers (like blat), that you can use with SAlive to shoot messages directly at any SMTP server.

The only options I can think of at the moment are:

1. set up a free mailbox on one of the service providers (hotmail etc), and get alerts sent there (servers alive can just shoot all SMTP status messages direct to the internet SMTP server - so doesn't matter if exchange is down). Not a big fan of this as your internal status messages get shot to the internet.

2. set up an internal SMTP + POP3 server that receives these messages (again, won't matter if exchange is down), but means you will need a second account to read these messages (like a second mailbox profile in outlook, or something like outlook express).

3. use an SMTP - SMS gateway and shoot the status messages to your mobile phone (again, just shoot the status message directly to the internet, and it will route it to the SMS gateway).

4. Use ServersAlive net send option and send a broadcast message to your NT Account.

5. if you have a separate gateway exchange server (one that just handles MTA traffic), create / move a mailbox onto that so it can receive the status messages. This way, you will get alerts if the mailbox server is down for the organisation, but you still won't get messages if the gateway server is down (and would need to implement something like one of the other suggestions).

We do something similar to 5, however we have 8 exchange servers. Our scripts know which servers are down, and send messages to the mailboxes located on those servers that are still running, and have a monitoring service that is logged into all of these mailboxes at the same time. So we are ok until ALL exchange servers go down (which hasn't happened yet *touch wood*)

Glenn

- Original Message -
From: Salandra, Justin A. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 11:40 PM
Subject: RE: [ActiveDir] OT: Server Monitoring

I want to check exchange servers and file servers to see if the server itself is up or down and then get notified. Monitoring the file servers works great with servers alive, but if the exchange server is down then I won't get a page. All my users send mail via the exchange server. No one uses any other type of SMTP mail and we do not rely on the ISP for anything but connectivity. Does anyone have a SMTP script that I might be able to use to send notifications if the mail server is down?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 7:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: Server Monitoring

MOM is probably a bit of overkill for something that simple (although that's what I use). Justin, the products you've looked at should be able to do it, you just need to set up some alternative SMTP routing if the email server is down. Can you send SMTP mail directly upstream to your ISP from another machine, or only from the email server? What exactly are you trying to check? Is it an exchange server and you want to check individual stores / connections? do you just want to check an smtp server?

G.

- Original Message -
From: Rod Trent [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 8:06 AM
Subject: RE: [ActiveDir] OT: Server Monitoring

Try MOM. http://www.microsoft.com/mom

When the email server is down, you can use scripts to send email via SMTP.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, August 05, 2003 4:35 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT: Server Monitoring

My company is currently looking for a product that will monitor if the e-mail server and other servers are up or down and then notify me by e-mailing my cell phone. Question 1) What software do you use? 2) How do you get notified by e-mail if your e-mail server is down? Any help is appreciated, I have already looked at Whats Up Gold and Servers Alive.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
Re: [ActiveDir] Anonymous Logon
Can vouch for the Kiwi server. Works great, and even better its free. G. - Original Message - From: Free, Bob [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, August 07, 2003 6:49 AM Subject: RE: [ActiveDir] Anonymous Logon Since I'll need a syslog server, I'd like one that will also work with the logs on our Cisco devices? Sorry on monitorware, but KIWI is a very popular free Win32 implementation with folks in mixed MS/Cisco environments who just want to syslog, say Windows, Cisco routers and PIX's. http://www.kiwisyslog.com/ There are some great papers at SANs to get you going- http://www.sans.org/rr/catindex.php?cat_id=33 Case Study: Using Syslog in a Microsoft Cisco Environment Dan Rathbun, June 27, 2003 A Security Analysis of System Event Logging with Syslog Kenneth Nawyn, June 27, 2003 Centralizing Event Logs on Windows 2000 Gregory Lalla, GSEC April 4, 2003 Effective Logging Use of the Kiwi Syslog Utility Brian R. WilkinsCNE/ MCSE/ CCNP/ CISSP, June 7, 2002 Importance of Understanding Logs from an Information Security Standpoint Stewart Allen, October 5, 2001 Cisco Pix: Logging and Beyond Ben Carlsrud, September 26, 2001 -Original Message- From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 1:11 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Anonymous Logon Does anyone have any experience with MonitorWare. Since I'll need a syslog server, I'd like one that will also work with the logs on our Cisco devices? -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 23:03 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Anonymous Logon Cindy, If you're going to have to keep all audit entries, you're going to have a tough time. I can help decipher these records for you (I do a lot of this!), but in a nutshell you've recorded a successful logoff (the Event 538) and a successful network logon via the Kerberos authentication package by the user PSDC1 - who looks to be a machine. 
In fact, one of your DCs. Yes, they do logon and logoff of the domain - typically to connect to services that it needs. This one (the Event 540) was a logon to the domain, where the previous was not a logoff from the domain proper. A Logon type 3 tells you that it was via the network, while a type 2 is interactive (too bad you can't tell if it was actually at the console). Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8 (plaintext password) or 9 (impersonated logon). The Logon process and authentication package notes what type of process was spawned to authenticate the user from the point it connected to the session through authentication. You might see Kerberos (network), NTLM (network), or User32/Negotiate (Local). Realm associated events to MIT Kerberos realms should record as Kerberos authentication.

Bottom line: Ignore the SYSTEM (usually a service doing what it needs) and the machine name events logging on. They are irrelevant and generally service and process related to normal operation of the network. Do, however, take note of the user logon and logoffs. The Logon ID field will stay with the user from Logon through the logoff of this session. You should be able to always associate a 540 Event to a corresponding 538 Event. However, be vigilant that a 538 is not always the same. One might indicate a network logoff, one might indicate a net use disconnection and another might record an Interactive logoff or an auto disconnect.

As to what to do about spurious events that mean nothing when dealing with user activity, I'd suggest a more manageable solution such as a syslog server for Windows events and filter the records that you want going to the syslog server. This not only collects all of the server's audit events at one place but also allows you to get rid of the events that play no part in true auditing of the server. Do a Google search on Windows Syslog and you'll find a number of options - one of which should suit.
Hope this helps!

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Tuesday, August 05, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Rick,

The security logs in question are on my Windows 2000 domain controllers, PSDC1 and PSDC2. When I Audit Logon Events, the log fills with

Event 538 NT Authority\Anonymous Logon
User Logoff:
  User Name: ANONYMOUS LOGON
  Domain: NT AUTHORITY
  Logon ID: (0x0,0xCB82F)
  Logon Type: 3

and

Event 540 NT Authority\System Logons
Successful Network Logon:
  User Name: PSDC1$
  Domain: LC_POLICE
  Logon ID: (0x0,0xCBE63)
  Logon Type: 3
  Logon Process: Kerberos
  Authentication Package: Kerberos
  Workstation Name:

These don't appear to give me any specific information. I need
RE: [ActiveDir] OT: Packaging Software for Deployment
I believe that the last time I tried using a ZAP file, it didn't take UNCs, only drive letters (e.g. z:\myapp\setup.exe). Probably worth testing yourself though, since it's been a while. As Rod's webpage notes, ZAP files don't provide privilege escalation like MSIs do. So, the user will need to have proper permissions on the workstation for the installation to complete successfully. Frankly, it's probably worth it to you to repackage the app in MSI format. WinInstall LE usually works ok for basic snapshots and it's free on the Win2K Server CD or, an updated version here: http://www.ondemandsoftware.com/freele2003/wifam.asp

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 1:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Packaging Software for Deployment

The setup command part, would that be the UNC path to the install? Also, will the install run as administrator or as the user? Will the user be prompted to do anything during installation?

-Original Message-
From: Rod Trent [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 3:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Packaging Software for Deployment

You can use a .Zap file: http://www.myitforum.com/articles/6/view.asp?id=648

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, August 06, 2003 3:05 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT: Packaging Software for Deployment

Hello Everyone,

I have an install that I need to push out to all users and would like to do it through GPO. However there is no MSI file associated with this install, it is just an EXE. How can I push this out through a GPO?

Justin A.
Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Packaging Software for Deployment
Is there a program that I can use that will generate the zap file for me?

-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 3:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Packaging Software for Deployment

Look at kb 231747. You need to create a .zap file to push an EXE. Not as much flexibility but it is a work around.

Kevin

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 3:05 PM
To: ActiveDir (E-mail)

Hello Everyone,

I have an install that I need to push out to all users and would like to do it through GPO. However there is no MSI file associated with this install, it is just an EXE. How can I push this out through a GPO?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
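Justin's follow-up asks for something that will generate the .zap file. The following is an added example written for this archive; it is not code from the thread, from myITforum or from Microsoft. It is a small Python generator for the two-section .zap layout that KB 231747 describes as I recall it: an [Application] section with FriendlyName and SetupCommand (required) and optional DisplayVersion, Publisher and URL, plus an optional [Ext] section listing file extensions to associate (confirm the [Ext] syntax against the KB before relying on extension activation). The share, product name and setup switch in the sample call are made up. Two checks a practitioner wants are built in: values may not contain line breaks or double quotes (a stray newline would inject a second key into the file), and the setup path is always quoted so a path with spaces is read as one token by the Software Installation extension. The earlier caveats in the thread still apply: the SetupCommand runs with the logged-on user's rights on every client where the package is published, so the share it points at must be writable only by administrators, and whether a UNC path or a drive letter works for you should be tested rather than assumed.

```python
"""Generate a Group Policy .zap file for publishing a non-MSI setup program.

Added example for the thread above; not code from the thread or from Microsoft.
Layout follows KB 231747 as recalled: an [Application] section with FriendlyName
and SetupCommand (required) plus optional DisplayVersion / Publisher / URL, and
an optional [Ext] section with one "EXT=" line per file extension to associate.
Every product name, share path and switch used below is made up.
"""


def _check_value(name, value, required=False):
    """Reject values that would break the INI layout or smuggle in extra keys."""
    if value is None:
        return
    if "\r" in value or "\n" in value:
        raise ValueError(f"{name}: line breaks are not allowed in a .zap value")
    if required and not value.strip():
        raise ValueError(f"{name} is required and may not be empty")


def build_zap(friendly_name, setup_path, setup_args="", display_version=None,
              publisher=None, url=None, extensions=()):
    """Return the text of a .zap file (CRLF line endings, as Windows expects)."""
    _check_value("FriendlyName", friendly_name, required=True)
    _check_value("SetupCommand", setup_path, required=True)
    _check_value("SetupCommand arguments", setup_args)
    for name, value in (("DisplayVersion", display_version),
                        ("Publisher", publisher), ("URL", url)):
        _check_value(name, value)
    # Both of these are emitted inside double quotes, so a quote inside them
    # would end the value early.
    for name, value in (("FriendlyName", friendly_name), ("SetupCommand", setup_path)):
        if '"' in value:
            raise ValueError(f"{name}: double quotes are not allowed")

    # The path is always quoted so a path with spaces is read as one token;
    # switches follow outside the quotes.
    setup_command = f'"{setup_path}"'
    if setup_args.strip():
        setup_command += " " + setup_args.strip()

    lines = [
        "[Application]",
        f'FriendlyName = "{friendly_name}"',
        f"SetupCommand = {setup_command}",
    ]
    if display_version:
        lines.append(f"DisplayVersion = {display_version}")
    if publisher:
        lines.append(f"Publisher = {publisher}")
    if url:
        lines.append(f"URL = {url}")

    # [Ext]: one "EXT=" line per extension, upper-cased, without the dot.
    ext_names = [e.lstrip(".").upper() for e in extensions if e.strip(".")]
    if ext_names:
        lines += ["", "[Ext]"] + [f"{ext}=" for ext in ext_names]

    return "\r\n".join(lines) + "\r\n"


def write_zap(path, text):
    """Write the file without newline translation (keeps the CRLFs intact)."""
    with open(path, "w", encoding="ascii", newline="") as fh:
        fh.write(text)


if __name__ == "__main__":
    # Constructed values: the share, product and switch are invented.
    print(build_zap("Acme Widget 2.1", r"\\fileserver\apps\acme\setup.exe", "/s",
                    display_version="2.1", publisher="Acme Corp",
                    extensions=[".acw"]), end="")
```

Drop the generated file next to the setup program on the share, then publish it from Software Installation under User Configuration; .zap packages can only be published, not assigned, and install in the user's context.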
RE: [ActiveDir] Turn off account lockout feature on an account.
That's a good question - does administrator not get locked out because of something within its user object, or is that hard coded into the LSASS portions of things?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 3:43 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Turn off account lockout feature on an account.

Exchange 5.5 uses a standard NT user account with rights assigned to it as a system account. So it is susceptible to account lockout policies, unless you use administrator. Exchange 2000 changed to using the local system.

Todd Myrick

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 2:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Turn off account lockout feature on an account.

'system account' what? Not following you here, Rick.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rick reynolds
Sent: Friday, August 08, 2003 12:03 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Turn off account lockout feature on an account.

system account

- Original Message -
From: Myrick, Todd (NIH/CIT)
To: '[EMAIL PROTECTED]'
Sent: Thursday, August 07, 2003 9:54 PM
Subject: RE: [ActiveDir] Turn off account lockout feature on an account.

Thanks Joe, Just wanted to know if there might be someone who figured it out. Damn Exchange 5.5!

Toddler

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 11:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Turn off account lockout feature on an account.

Unfortunately this is not possible from anything I have ever seen. Be tricky and try to figure out how to make the service *safely* use the machine account (but not on a DC)...
I don't think those can be locked out (though that is me guessing).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, August 07, 2003 10:14 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Turn off account lockout feature on an account.

Does anyone know how to disable account lockout restrictions on an account, like a service account, but leave the rest of the accounts with the ability to be locked out?

Thanks,
Toddler
RE: [ActiveDir] Group Policy
I would like a copy of that as well. [EMAIL PROTECTED]

Ryan McDonald
Systems Administrator
The Bankers Bank

Ellis, Debbie [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/06/2003 07:23 AM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] Group Policy

Could you please send it to [EMAIL PROTECTED]

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy

We do. It is our way to display the GPO's in human readable format.

Dan

-Original Message-
From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:32 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Group Policy

Does anyone have a Group Policy Spreadsheet?
RE: [ActiveDir] how to identify what got changed in a user's account?
Unfortunately you can't. You have all of the info you are going to get at the present time.

Joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 12, 2003 9:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] how to identify what got changed in a user's account?

Hi Joe,

I've had a chance to chronologically sort the records produced by the repadmin /showmeta command. I now understand that the metadata contains the change date for a particular attribute (you said that, didn't you!). However, none of the records that I have been able to lay my hands on seem to be able to tell me what I am looking for - which is who and when someone set an account so that the password never expires. The security record originally produced says the user account changed, and the metadata says that the userAccountControl attribute changed. Both are pretty generic. How would I find out the specifics - specifically when the password never expires bit (part of the userAccountControl attribute) got changed? Thanks for any info!

Mike Thommes

-Original Message-
From: Thommes, Michael M.
Sent: Monday, August 11, 2003 8:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] how to identify what got changed in a user's account?

Hi Joe,

Thanks! That was the piece I needed. I now have a complete record of everything that was changed on that user object. Now to digest it...

Mike Thommes

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Mon 8/11/2003 6:31 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] how to identify what got changed in a user's account?

I just realized my answer wasn't complete unless you already knew what the meta data output looks like... Basically it will tell you the originating change time/date/where stamp for every attribute of a given object.
Ex:

F:\Dev\cpp\GetSysInfo>repadmin /showmeta dc=joehome,dc=com
DsBindWithCred to localhost failed with status 1753 (0x6d9): There are no more endpoints available from the endpoint mapper.
34 entries.
Loc.USN  Originating DC                    Org.USN  Org.Time/Date        Ver  Attribute
=======  ================================  =======  ===================  ===  =========
   1154  Default-First-Site-Name\W2KASDC1     1154  2001-03-24 00:15:46    1  objectClass
   6143  Default-First-Site-Name\W2KASDC1     6143  2001-05-16 20:49:14    1  description
   1154  Default-First-Site-Name\W2KASDC1     1154  2001-03-24 00:15:46    1  instanceType
   1154  Default-First-Site-Name\W2KASDC1     1154  2001-03-24 00:15:46    1  whenCreated
1162127  Default-First-Site-Name\W2KASDC1  1162127  2002-10-14 20:18:01    3  nTSecurityDescriptor
   1154  Default-First-Site-Name\W2KASDC1     1154  2001-03-24 00:15:46    1  name
   1473  Default-First-Site-Name\W2KASDC1     1473  2001-03-24 00:20:26    2  creationTime
   1409  Default-First-Site-Name\W2KASDC1     1409  2001-03-24 00:16:00    1  forceLogoff
1213281  Default-First-Site-Name\W2KASDC1  1213281  2003-05-03 21:42:57    5  lockoutDuration
   1409  Default-First-Site-Name\W2KASDC1     1409  2001-03-24 00:16:00    1  lockOutObservationWindow
   9293  Default-First-Site-Name\W2KASDC1     9293  2001-06-23 19:56:13    2  lockoutThreshold
  36084  Default-First-Site-Name\W2KASDC1    36084  2001-10-21 11:59:09    2  maxPwdAge
1203175  Default-First-Site-Name\W2KASDC1  1203175  2003-03-20 21:22:33    2  minPwdAge
1221236  Default-First-Site-Name\W2KASDC1  1221236  2003-06-03 23:54:28    3  minPwdLength
   1409  Default-First-Site-Name\W2KASDC1     1409  2001-03-24 00:16:00    1  modifiedCountAtLastProm
   1409  Default-First-Site-Name\W2KASDC1     1409  2001-03-24 00:16:00    1  nextRid
   1409  Default-First-Site-Name\W2KASDC1     1409  2001-03-24 00:16:00    1  pwdProperties
  36084  Default-First-Site-Name\W2KASDC1    36084  2001-10-21 11:59:09    3  pwdHistoryLength
   1156  Default-First-Site-Name\W2KASDC1     1156  2001-03-24 00:15:46    1  objectSid
   1409  Default-First-Site-Name\W2KASDC1     1409  2001-03-24 00:16:00    1  oEMInformation
   1409  Default-First-Site-Name\W2KASDC1     1409  2001-03-24 00:16:00    1  uASCompat
   1409  Default-First-Site-Name\W2KASDC1     1409  2001-03-24
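As an added example for this thread (not Joe's or Mike's code): the Python below parses the tabular part of repadmin /showmeta output, in the same column layout as Joe's sample but with constructed values, to pull the originating DC, timestamp and version for one attribute, and decodes userAccountControl into flag names so that, given a prior value of the attribute from your own periodic export (ldifde, csvde or a scripted dump), you can say exactly which bits flipped. Joe's point stands: the metadata never carries the old value or the caller's identity. What it does give you is the originating DC and the time, which tells you which DC's security log to search and around what timestamp. The flag table is the standard userAccountControl bit layout; the "password never expires" bit Mike is after is 0x10000.

```python
"""Parse repadmin /showmeta output and decode userAccountControl.

Added example for the thread above (not Joe's or Mike's code). The flag
table is the documented userAccountControl bit layout; the sample metadata
below is constructed in the same column layout as repadmin's output.
"""
import re

UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# One data row of "repadmin /showmeta": Loc.USN, Originating DC, Org.USN,
# Org.Time/Date, Ver, Attribute. The header and ruler lines do not match.
ROW_RE = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dc>\S+)\s+(?P<org_usn>\d+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)

# Constructed sample in the same layout as the thread's output.
SAMPLE_META = r"""
Loc.USN   Originating DC                    Org.USN   Org.Time/Date        Ver  Attribute
=======   ================================  =======   ===================  ===  =========
   4410   Default-First-Site-Name\W2KASDC1     4410   2001-03-24 00:21:07    1  objectClass
1225900   Default-First-Site-Name\W2KASDC1  1225900   2003-08-11 14:02:33    4  userAccountControl
   4411   Default-First-Site-Name\W2KASDC1     4411   2001-03-24 00:21:07    1  sAMAccountName
"""


def parse_showmeta(text):
    """Return {attribute: {loc_usn, dc, org_usn, when, ver}} for each data row."""
    meta = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            meta[m["attr"]] = {
                "loc_usn": int(m["loc_usn"]),
                "dc": m["dc"],
                "org_usn": int(m["org_usn"]),
                "when": m["when"],
                "ver": int(m["ver"]),
            }
    return meta


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(UAC_FLAGS.get(mask, f"UNKNOWN_0x{mask:08X}"))
    return names


def diff_uac(old, new):
    """(flags newly set, flags cleared) between two userAccountControl values."""
    return decode_uac(new & ~old), decode_uac(old & ~new)


def where_to_look(meta, attribute="userAccountControl"):
    """Which DC's security log to search, and when, for the attribute's last change."""
    rec = meta.get(attribute)
    if rec is None:
        return None
    return {"dc": rec["dc"].split("\\")[-1], "when": rec["when"], "version": rec["ver"]}


if __name__ == "__main__":
    meta = parse_showmeta(SAMPLE_META)
    print(where_to_look(meta))
    # Old value from a prior export vs the current value (constructed numbers).
    print(diff_uac(0x200, 0x10200))
```

The diff only works if you have the previous value from somewhere; a nightly ldifde export of userAccountControl for all users is cheap and is what turns "the attribute changed" into "DONT_EXPIRE_PASSWORD was set".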
RE: [ActiveDir] NTDS Database Error
Unfortunately eventid 1168 is a catchall event for many AD internal blowups; most often I have seen them when the DIT can't be read or has found an inconsistency.

Najem: Those two events seem to be separated by quite a bit of time in the time stamp, do you think they are related?

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, August 06, 2003 4:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] NTDS Database Error

I went to www.eventid.net and searched and found the following:

Event ID: 1168
Source: NTDS General
Type: Error
Description: Error error code(hex error code) has occurred (Internal ID hex code). Please contact Microsoft Product Support Services for assistance.
Error 1032 - See Q280364, Q265089.
Error -1811 - See Q280364.

Source: NTDS Inter-site
Type: Error
Description: Error 82(52) has occurred (Internal ID 11000250). Please contact Microsoft Product Support Services for assistance.
Error -2146893020(80090324) has occurred (Internal ID 11000251). Please contact Microsoft Product Support Services for assistance.
Error 997(3e5) has occurred (Internal ID 11000252). Please contact Microsoft Product Support Services for assistance.
Comments: According to Microsoft, Service Pack 2 is the fix for these errors. These may occur because the NT Directory Service Agent (NTDSA) fails to maintain exclusive control of port 389. Therefore, any other application that attempts to set up a listener on port 389 succeeds and gains control of the port from the NTDSA (i.e. any LDAP server).
Links: Q266657

-Original Message-
From: Najem Oulad Ali [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 4:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NTDS Database Error

Hi,

Can somebody tell me if this message is something to be concerned about? This message appeared on one of the 4 DCs we have, and it's the one I have upgraded with SP4. The message appears after one of the front-office employees opens the AD.
Event Type: Error
Event Source: NTDS Database
Event Category: Internal Processing
Event ID: 1168
Date: 6-8-2003
Time: 8:20:43
User: N/A
Computer: ServerName
Description: Error 8430(20ee) has occurred (Internal ID 20612ee). Please contact Microsoft Product Support Services for assistance.

Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 6-8-2003
Time: 10:09:20
User: FMG-UVA\ijarmontchik
Computer: REA04
Description: Object Open:
  Object Server: DS
  Object Type: %{----}
  Object Name: OU=Almere,OU=Medewerkers,DC=fmg,DC=uva,DC=nl
  New Handle ID: 0
  Operation ID: {0,189304343}
  Process ID: 288
  Primary User Name: REA04$
  Primary Domain: FMG-UVA
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: ijarmontchik
  Client Domain: FMG-UVA
  Client Logon ID: (0x0,0xB488DCD)
  Accesses: Create Child
  Privileges: -
  Properties: Create Child %%7689 msExchProtocolCfgProtocolContainer DELETE WRITE_DAC msExchProtocolCfgPOPContainer WRITE_DAC MAX_ALLOWED Read Property Write Property Delete Tree List Object %%7691 %%7693 %%7694 %%7695 classStore SYNCHRONIZE msExchProtocolCfgSMTPIPAddressContainer --- groupPolicyContainer msExchComputerPolicy List Contents Write Self Read Property msExchProtocolCfgIMAPContainer List Contents ipsecFilter WRITE_OWNER MAX_ALLOWED List Contents Write Property Control Access %%7691 %%7692 %%7694 ipsecPolicy Create Child Delete Child List Contents Read Property msExchActiveDirectoryConnector Create Child Read Property msExchProtocolCfgHTTPContainer List Contents Write Self msExchProtocolCfgNNTPContainer Write Self Read Property msExchProtocolCfgSMTPContainer List Contents Read Property msExchSchemaMapPolicy Create Child Delete Child Write Self msExchPublicFolderTreeContainer Delete Child List Contents Write Self msExchAdvancedSecurityContainer Create Child Delete Child List Contents Write Self publicFolder Create Child Write Self Read Property msExchIMGlobalSettingsContainer Create Child Delete Child List Contents domainPolicy Create Child Delete Child rpcContainer Read Property dMD Create Child Delete Child List Contents dSA Create Child Delete Child List Contents Write Self
RE: [ActiveDir] Groups and OU's
What are the reasons for delegating the AD Root Identifier? Why delegate read?

From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 6:25 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Groups and OU's

Per delegation I do the following:

AD
--- Root Identifier
  + Delegation, Description = Del-ID (5 Char Max). Give FC to the Directory Administrators, Enterprise Admins, and System; Read to the Data Administrators, Authenticated Users.
    + OU or CN = Users, Description = Del_ID-Users. Give R/C/M to Full Data Admins, Jr Data Admins, and R/M to Helpdesk. (Contains all Mail-Enabled Users in Delegation)
    + OU or CN = Groups, Description = Del_ID-Groups. Give R/C/M to Full Data Admins, Jr Data Admins, and R/M to Helpdesk. (Contains all Org Level Global Groups in delegation)
    + OU or CN = Computers, Description = Del_ID-Computers. Give R/C/M to Full Data Admins, Jr Data Admins, and R/M to Helpdesk. (Contains all Workstations in delegation)
    + OU = OPS, Description = Del-ID-OPS. Give R/C to the Full Data Administrators. FC to the Create Owner. (Contains Custom OU's for the delegation)
    + OU or CN = Accounts, Description = Del_ID-Accounts. Give R/C/M to Full Data Admins, R/C to Jr Data Admins, and R to Helpdesk. (Contains Alt-Admin credentials)
    + OU or CN = Services, Description = Del_ID-Services. Give R/C/M to Full Data Admins, R to Jr Data Admins and to Helpdesk. (Contains Service Accounts)
    + OU or CN = Resources, Description = Del_ID-Resources. Give R/C/M to Full Data Admins, R/C to Jr Data Admins and R to Helpdesk. (Contains DLG for Each Share Resource {Each type of Access})
    + OU or CN = DL, Description = Del_ID-DL. Give R/C/M to Full Data Admins, R/C to Jr Data Admins and R to Helpdesk. (Contains Mail Enabled UG for each level of org in del)
    + OU or CN = Contacts, Description = Del_ID-Contacts. Give R/C/M to Full Data Admins, R/C to Jr Data Admins and R to Helpdesk. (Contains Contacts for the Del)
    + OU or CN = Servers, Description = Del_ID-Servers. Give R/C/M to Full Data Admins, R/C to Jr Data Admins and R to Helpdesk. (Contains Servers for the Delegation)
    + OU or CN = SecGroup, Description = Del_ID-SecGroup. Give R/G/M to Full Data Admins, R/C Jr Data Admins and R to Helpdesk. (Contains GPO Filter Security Groups, and Special Security Groups)

The main driver for this tight model is for easier scriptable delegations.

Principles of the design:
All OU/CN is identified with a small 1-word identifier to facilitate searches.
Each object's Description field is filled out with the delegation ID, a "-" and the CN name to facilitate proper identification from searches.
OU's allow for additional OU's within the OU. CN's don't, I believe, by default.
Data Administration is delegated as Full, Jr, and Helpdesk.
Full DA's can create mail enabled DL UG only.
GPO linking can be done on the Users/Computers/Accounts/Services/Servers containers for easy troubleshooting and modeling of changes.
Full DA's are the only ones who can modify GPO's. FDA and Jr. DA can Link GPO's.
Use Security Groups for GPO filtering.
Dir Admins create GPO's and delegate them to the Data Admins.
All accounts in the Users container are Mail Enabled.
All accounts in the Accounts and Services are not mail enabled. (ME Service accounts are normally a Directory Admin, Exchange Admin function in my mind)
Groups contains only GG and uses nesting to create organizational groups.
Computers contains all workstations. Use GPO Security Groups for filtering.
DL contains mail enabled Organizational UG. Use nesting like in the Groups container.
Resources contains a DLG for Each resource with specific permissions, R/C/Deny. On the Network Share add each DLG for each Access type to the Share and assign permissions. Administer the DLG for Dir.

As you can see I like to control where object creation happens, and also limit the creation of additional OU's if possible to a specific location under OPS. The reason is for Scriptability. If the name space Path is consistent, it is easier to create additional delegations through scripts and ACL them. With a good third-party tool, you can also do form validation, hide OU's from the Data Admins to make the provisioning of resources more focused, and automate certain Administration operations, like Account Creation validation, transfers, enforcing only certain types of object creation (like no LG or UG creation), mailbox creation, etc.

What do you all think?
What are the Principles of AD delegation?
What are the Rules for Native Access Control Delegation?
What are the Rules for Proxy Access Control Delegation?
What are the Rules for Native and Proxy Access Control Delegation?

Toddler

-Original Message-
From: Ellis, Debbie
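Todd's argument that a consistent namespace makes delegations scriptable can be shown directly. The following is an added example and not Todd's tooling: a Python function that takes a delegation ID and the domain DN and emits the container skeleton of his model as LDIF (one organizationalUnit per container, each with the Del_ID-Container description), after enforcing his own rules: an ID of at most 5 characters, restricted to letters and digits so it cannot carry RDN special characters into the DN. Every container is created as an OU here, including the ones Todd lists as "OU or CN". The ACL grants (R/C/M to the Full, Jr and Helpdesk data admins) are deliberately not in the LDIF; they are applied in a second pass against the same DNs, for instance with dsacls, which is exactly why the DN pattern has to be predictable. The delegation ID and domain name in the usage line are made up.

```python
"""Emit the container skeleton of a per-delegation OU model as LDIF.

Added example for the thread above (not Todd's code). One organizationalUnit
per container, description = "<DelID>-<Container>", following the naming rules
stated in the thread. ACLs are not expressed here; apply them afterwards
against the same predictable DNs.
"""
import re

# Containers in the model, in the order the thread lists them.
CONTAINERS = (
    "Users", "Groups", "Computers", "OPS", "Accounts", "Services",
    "Resources", "DL", "Contacts", "Servers", "SecGroup",
)

# At most 5 characters, letters and digits only. This keeps the ID clear of
# the characters that need escaping in an RDN (, + " \ < > ; = #) and of
# leading/trailing spaces, so the generated DNs are always well formed.
DEL_ID_RE = re.compile(r"^[A-Za-z0-9]{1,5}$")
DOMAIN_DN_RE = re.compile(r"^(DC=[A-Za-z0-9-]+)(,DC=[A-Za-z0-9-]+)*$")


def validate_del_id(del_id):
    """Enforce the thread's 5-character rule plus a safe character set."""
    if not DEL_ID_RE.match(del_id):
        raise ValueError(f"delegation ID {del_id!r} must be 1-5 letters/digits")
    return del_id


def plan_delegation(del_id, domain_dn):
    """Return [(dn, description)] for the root OU and each container OU."""
    validate_del_id(del_id)
    if not DOMAIN_DN_RE.match(domain_dn):
        raise ValueError(f"unexpected domain DN {domain_dn!r}")
    root = f"OU={del_id},{domain_dn}"
    plan = [(root, del_id)]
    for name in CONTAINERS:
        plan.append((f"OU={name},{root}", f"{del_id}-{name}"))
    return plan


def to_ldif(plan):
    """Render the plan as LDIF 'add' entries suitable for ldifde -i."""
    out = []
    for dn, description in plan:
        out.extend([
            f"dn: {dn}",
            "changetype: add",
            "objectClass: organizationalUnit",
            f"description: {description}",
            "",
        ])
    return "\n".join(out)


if __name__ == "__main__":
    # Hypothetical delegation ID and domain DN.
    print(to_ldif(plan_delegation("LCPD", "DC=example,DC=com")))
```

Because the DN of every container is a pure function of the delegation ID, the ACL pass that follows can be generated the same way, and a later audit can compare the directory against the plan to spot containers that were added or renamed by hand.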
RE: [ActiveDir] Groups and OU's
If you have one person that will administer the groups, creating one OU for the groups and delegating it to that user sounds like a good idea.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB
CEO Principal Advisor
Microsoft MVP - Active Directory
-- www.qadvice.com --

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Friday, August 08, 2003 11:34 PM
To: [EMAIL PROTECTED]

I will have a single forest, single domain. Less than 1,000 users. I want it simple. If I don't create an OU for the groups will I have to include groups into another OU? I will have one person administer groups.

-Original Message-
From: Jimmy Andersson [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 4:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Groups and OU's

Yes, you could have an OU for groups if you want. But the pros and cons all depend on the way you want to administrate your AD. Can you give a bit more info on your environment?

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB
CEO Principal Advisor
Microsoft MVP - Active Directory
-- www.qadvice.com --

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Friday, August 08, 2003 10:20 PM
To: [EMAIL PROTECTED]

Is it advisable to have an OU for Groups? What are the pros and cons? I want a very simple and basic OU structure.
RE: [ActiveDir] Seeking some feedback ... use of 2003 Admin. tools against a non-forest prep'd 2000 only directory ...
Sod off Dean... :oP

cheers!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, August 07, 2003 5:55 PM
To: AD mailing list (send)
Subject: RE: [ActiveDir] Seeking some feedback ... use of 2003 Admin. tools against a non-forest prep'd 2000 only directory ...

I very much appreciate all your feedback regarding the schema modifications (and here comes the but :) but does anyone actually have any experience using the uplevel admin. tools? LOL - get a group of technical people together and we can seemingly chat without end. :)))

PS - As humor and intonation are often lost in print ... the above was intended to be "tongue in cheek" but nonetheless craving a response.

PPS - A simple "NO, sod off Dean" will do nicely... I crack me up :

Thanks so much!

Dean
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
RE: [ActiveDir] Anonymous Logon
Rick,

The security logs in question are on my Windows 2000 domain controllers, PSDC1 and PSDC2. When I Audit Logon Events, the log fills with

Event 538 NT Authority\Anonymous Logon
User Logoff:
  User Name: ANONYMOUS LOGON
  Domain: NT AUTHORITY
  Logon ID: (0x0,0xCB82F)
  Logon Type: 3

and

Event 540 NT Authority\System Logons
Successful Network Logon:
  User Name: PSDC1$
  Domain: LC_POLICE
  Logon ID: (0x0,0xCBE63)
  Logon Type: 3
  Logon Process: Kerberos
  Authentication Package: Kerberos
  Workstation Name:

These don't appear to give me any specific information. I need to keep records for 3 years that show when a user logged onto the network and from which workstation. When I audit Account Logon, I get the information, but the user is always System, so there is no easy way to filter for a specific user name. When I use Audit Logon events, I can filter by user name, but I'm filling 75% of the log with Anonymous and System logons. I'm generating about 8MB of security log daily between the two DCs, so I'm not sure what is the most efficient way to configure the audit policy on my DCs. It seems that either way, the logs fill with quite a bit of basically useless information.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 18:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon

Cindy,

My initial thought on this, understanding the process, is that everyone is Anonymous when they first hit the server. A record of this 'anonymous' access is made, and the process continues where you actually identify yourself. Clearly, this is going to be different if you are running a web server, where the access might be mostly anonymous, unless set to some manner of authentication (Windows, Basic, etc.)

Now, for more detail, if you want to post some of the records that you're seeing (you should be able to follow the authentication trail via the ID's in the audit records) I can help you identify what is going on and what the anonymous access is all about. It would help to know what type of server this is, as well.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Monday, August 04, 2003 1:35 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Anonymous Logon

I successfully upgraded my NT domain to AD yesterday. I now find my DC security log on the PDC emulator filling up twice a day. It is set to 2048 KB, do not overwrite (I have to save them for 3 years). The majority of events are Anonymous logons. Is it normal to have this quantity of Anonymous logons?

Cynthia Rittenhouse MCSE, CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274
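Pulling the two halves of this thread together (Rick's walk-through of the logon types and of the Logon ID that ties a 540 to its 538, and Cindy's problem that ANONYMOUS LOGON and machine-account entries crowd out the user records she has to keep for three years), here is an added example in Python. It is not code from either of them. It parses Windows 2000 logon/logoff records that have been flattened to one line each, in the shape a syslog agent typically forwards them (the constructed sample uses the same field names as Cindy's events, with a timestamp and the event ID in front), drops the SYSTEM, ANONYMOUS LOGON and machine-account (trailing $) entries Rick says to ignore, and pairs each 540 with its 538 by Logon ID to produce one session record per user with logon time, logoff time, logon type and workstation. This is the filtering Rick recommends doing at a syslog collector rather than in the Event Log itself. For the retention requirement, keep the raw events and derive this view from them: a 538 can be missing after a crash or reboot, and a 538 with no matching 540 means the logon predates the window you are looking at, so the code reports those separately instead of dropping them. The logon-type table is Rick's list; on Windows Vista and later the same records appear as event IDs 4624 and 4634.

```python
"""Correlate Windows 2000 security-log logon (540) and logoff (538) records.

Added example for the thread above (not Rick's or Cindy's code). Input is one
event per line, "<timestamp> <event id> <fields as shown in the Event Viewer
description>", which is how a syslog agent typically flattens them; the
sample below is constructed with the same field names as Cindy's events.
"""
import re

# Logon Type codes as listed in the thread.
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
}

EVENT_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event_id>\d+) (?P<body>.*)$"
)
FIELDS_RE = re.compile(
    r"User Name: (?P<user>.*?) Domain: (?P<domain>.*?) "
    r"Logon ID: (?P<logon_id>\(0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+\)) "
    r"Logon Type: (?P<logon_type>\d+)"
)
WORKSTATION_RE = re.compile(r"Workstation Name:\s*(?P<ws>\S*)")

NOISE_USERS = {"SYSTEM", "ANONYMOUS LOGON"}

# Constructed sample: one DC's 540/538 stream over a working day.
SAMPLE_LOG = """\
2003-08-05 08:01:12 540 User Name: PSDC1$ Domain: LC_POLICE Logon ID: (0x0,0xCBE63) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name:
2003-08-05 08:01:13 538 User Name: ANONYMOUS LOGON Domain: NT AUTHORITY Logon ID: (0x0,0xCB82F) Logon Type: 3
2003-08-05 08:02:00 540 User Name: jsmith Domain: LC_POLICE Logon ID: (0x0,0xCC101) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: WS17
2003-08-05 08:02:05 540 User Name: SYSTEM Domain: NT AUTHORITY Logon ID: (0x0,0x3E7) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name:
2003-08-05 09:15:40 538 User Name: rgreen Domain: LC_POLICE Logon ID: (0x0,0xC0001) Logon Type: 3
2003-08-05 17:30:44 538 User Name: jsmith Domain: LC_POLICE Logon ID: (0x0,0xCC101) Logon Type: 3
2003-08-05 17:31:00 540 User Name: mjones Domain: LC_POLICE Logon ID: (0x0,0xCD400) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: PSDC1
"""


def parse_event(line):
    """Parse one flattened event; return None for anything that is not a 540/538."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    event_id = int(m["event_id"])
    if event_id not in (538, 540):
        return None
    f = FIELDS_RE.search(m["body"])
    if not f:
        return None
    ws = WORKSTATION_RE.search(m["body"])
    return {
        "time": m["time"],
        "event_id": event_id,
        "user": f["user"],
        "domain": f["domain"],
        "logon_id": f["logon_id"],
        "logon_type": int(f["logon_type"]),
        "workstation": ws["ws"] if ws and ws["ws"] else None,
    }


def is_noise(ev):
    """Machine accounts, SYSTEM and ANONYMOUS LOGON: plumbing, not user activity."""
    return ev["user"].endswith("$") or ev["user"].upper() in NOISE_USERS


def _session(start, logoff_time):
    return {
        "user": f"{start['domain']}\\{start['user']}",
        "logon_id": start["logon_id"],
        "logon_type": LOGON_TYPES.get(start["logon_type"], f"Type{start['logon_type']}"),
        "workstation": start["workstation"],
        "logon_time": start["time"],
        "logoff_time": logoff_time,
    }


def correlate(lines):
    """Pair 540s with 538s by Logon ID.

    Returns (sessions, unmatched_logoffs). Sessions still open at the end of
    the input are included with logoff_time None; a 538 whose 540 is not in
    the input is reported rather than silently dropped.
    """
    open_logons = {}
    sessions = []
    unmatched_logoffs = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or is_noise(ev):
            continue
        if ev["event_id"] == 540:
            open_logons[ev["logon_id"]] = ev
        else:
            start = open_logons.pop(ev["logon_id"], None)
            if start is None:
                unmatched_logoffs.append(ev)
                continue
            sessions.append(_session(start, ev["time"]))
    sessions.extend(_session(start, None) for start in open_logons.values())
    return sessions, unmatched_logoffs


if __name__ == "__main__":
    for s in correlate(SAMPLE_LOG.splitlines())[0]:
        print(s)
```

Run this over the day's forwarded events and you get the "who, when, from which workstation" table Cindy needs without the anonymous and machine traffic, while the unmatched-logoff list tells you where your window started mid-session.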
RE: [ActiveDir] WOT Unreadable code (was Connection String)
Heh. Telemarketing company that I worked for in the early 80's did their coding in MUMPS. Interesting use for a language that was developed to target the medical industry, as I recall - Massachusetts General Hospital Utility Multi-Programming System.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bjelke John A Contr AFRL/VSIO
Sent: Tuesday, August 05, 2003 2:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Gil,

I'm not THAT old! Man, next you'll be implying that I built the DARPAnet! (and we all know it was Al Gore who's responsible for that!) *grin*

Nah, I just have a fondness for old, dead languages and remembered seeing that one before. I actually had a book mark to a history of computing type doc that had this very example of MUMPS code.

As for DEC Ottawa, I doubt it, times and budgets being what they are. But I'll take the chicken... sounds like cool geek-schwag :^)

John A. Bjelke
Unisys
505.853.6774
[EMAIL PROTECTED]
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam.

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 12:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Wow John! I'm impressed. Were you at Unisys when MUMPS actually ran on Unisys minis? Or did you just get lucky with Google? :)

I'm thinking that your answer deserves a world-famous Official DEC Screaming Yellow Rubber Chicken, whose hideous screech is known to strike fear in the hearts of dogs, cats, and small children. Are you coming to DEC Ottawa? I can give it to you there, along with your free beer. Otherwise, send me your shipping info offlist, and no beer for you.
-gil

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

prints a table of primes, formatting it into columns. What's my prize :^)

John A. Bjelke
Unisys
505.853.6774
[EMAIL PROTECTED]
If it's as difficult as pulling teeth through an elephant's rump, then the approach needs to be reevaluated.

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 9:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Have you ever coded in MUMPS? It doesn't matter who the programmer is; it's ALWAYS unreadable. I think MUMPS programmers invented the term write-only programs. Typical MUMPS program:

f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q  s q=p#f" w:q p,?$x\8+1*8

If anyone can guess what this code does, I'll give them a prize.

-g

Gil Kirkpatrick
CTO, NetPro

-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 6:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Connection String

Ha! It is not the language that makes code unreadable, it is the PROGRAMMER :-)

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 9:38 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Connection String

HAHAHA. Perl... I like to be able to read my code and understand it again in 6 months :)

Glenn

- Original Message -
From: Robbie Allen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 11:14 PM
Subject: RE: [ActiveDir] Connection String

Come over to the 'Dark Side' with VB.NET... it's nice and warm here *looks at the fires of hell*.

Come on guys, why go to VB.NET when you can get most of the benefits of a compiled language and a whole lot more in a lot fewer lines with Perl!
muaahh...Muaahh...MUUAAAHH :-) Robbie Allen http://www.rallenhome.com/ -Original Message- From: Glenn Corbett [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2003 8:54 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Connection String Roger, You should be able to convert the Primary Windows NT Account into a Domain\Username pairI did do it some time ago (yeah, it was Ex 5.5 timeframe too)I'll have a dig around (from memory it was using LookupAccountSID *shudder*) If your UPN in 2k and Exchange email address use the same format (ie [EMAIL PROTECTED]), you could cheat a bit, and use the UPN conversion type code: ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9 User principal name format. For example, [EMAIL PROTECTED] *shrug* might be worth a stab. not sure about mixing NT v4 and 2k servers
RE: [ActiveDir] os version
Use:

    for /f "tokens=3 delims=.]" %%v in ('ver') do set OSbuild=%%v

Place the syntax above within a shell script to set the OSbuild variable to, well, the OS build :)

HTH

Dean
--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Thursday, August 14, 2003 8:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] os version

i know this one has probably been done about 500 times already, but was hoping to sound the mailing list out on techniques of differentiating between Windows 2000 / NT4 from login script, given that both Windows 2000 and NT4 return Windows NT from a query of the OS Version environment variable

GT

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Group Policy and IE Zone Security
Well it doesn't give a lot of info but the RegOpenKey failing on GetHKeyCU (Get a handle to the user's profile in HKEY_CURRENT_USER) looks like a problem. The policy extension can't access the user's profile. The strange thing is that it returns a 0x0, which usually means everything worked just fine.

Here's a thought. Are these XP machines? If so, can you try something? On one of these machines that's having a problem, try enabling the following administrative template policy:

Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon

This ensures that policy processes synchronously rather than asynchronously. It would be interesting to see if this makes a difference.

-----Original Message-----
From: Charles Campbell [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 10:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

Okay. This is what I have found in the userenv.log so far:

ProcessGPOs: Processing extension Internet Explorer Branding
ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x7

(Which should be fine since I don't use the GP to brand IE)

ProcessGPOs: Processing extension Internet Explorer Branding
CompareGPOLists: Different version numbers found
ProcessGPOList: Entering for extension Internet Explorer Branding
UserPolicyCallback: Setting status UI to Applying Internet Explorer Branding policy...
GetHkeyCU: RegOpenKey failed with error 2
LibMain: Process Name: C:\WINNT\system32\rundll32.exe
UserPolicyCallback: Setting status UI to Applying your personal settings...
ProcessGPOList: Extension Internet Explorer Branding returned 0x0.
ProcessGPOs: --- 734 ProcessGPOs: ---

Those are the only lines that mention Internet Explorer

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 13, 2003 12:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

What you're looking for is any log items from the IE Maintenance extension as it tries to process the policy during user logon. Look for messages as to whether it skipped processing for some reason or couldn't process the policy.
RE: [ActiveDir] Anonymous Logon
I believe those would show a logon by the IUSR (or other specified account) account because it isn't truly anonymous; you are simply proxied into the IUSR or some other specified anonymous access account.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rick reynolds
Sent: Wednesday, August 06, 2003 10:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous Logon

If web services or ftp are running on those, both those services allow anon to access the main page,

----- Original Message -----
From: Rittenhouse, Cindy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 1:02 PM
Subject: RE: [ActiveDir] Anonymous Logon

Rick,

The security logs in question are on my Windows 2000 domain controllers, PSDC1 and PSDC2. When I Audit Logon Events, the log fills with

Event 538 NT Authority\Anonymous Logon
User Logoff:
 User Name: ANONYMOUS LOGON
 Domain: NT AUTHORITY
 Logon ID: (0x0,0xCB82F)
 Logon Type: 3

and

Event 540 NT Authority\System Logons
Successful Network Logon:
 User Name: PSDC1$
 Domain: LC_POLICE
 Logon ID: (0x0,0xCBE63)
 Logon Type: 3
 Logon Process: Kerberos
 Authentication Package: Kerberos
 Workstation Name:

These don't appear to give me any specific information. I need to keep records for 3 years that show when a user logged onto the network and from which workstation. When I audit Account Logon, I get the information, but the user is always System, so there is no easy way to filter for a specific user name. When I use Audit Logon events, I can filter by user name, but I'm filling 75% of the log with Anonymous and System logons. I'm generating about 8MB of security log daily between the two DCs, so I'm not sure what is the most efficient way to configure the audit policy on my DCs. It seems that either way, the logs fill with quite a bit of basically useless information.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 18:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon

Cindy,

My initial thought on this, understanding the process, is that everyone is Anonymous when they first hit the server. A record of this 'anonymous' access is made, and the process continues where you actually identify yourself. Clearly, this is going to be different if you are running a web server, where the access might be mostly anonymous, unless set to some manner of authentication (Windows, Basic, etc.)

Now, for more detail, if you want to post some of the records that you're seeing (you should be able to follow the authentication trail via the IDs in the audit records) I can help you identify what is going on and what the anonymous access is all about. It would help to know what type of server this is, as well.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Monday, August 04, 2003 1:35 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Anonymous Logon

I successfully upgraded my NT domain to AD yesterday. I now find my DC security log on the PDC emulator filling up twice a day. It is set to 2048 KB, do not overwrite (I have to save them for 3 years). The majority of events are Anonymous logons. Is it normal to have this quantity of Anonymous logons?

Cynthia Rittenhouse
MCSE, CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274
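As an added example (my code, not anything posted in the thread), the noise filter Cindy is after, run over constructed Windows 2000 security-log descriptions in the Event 538/540 layout she quoted: it drops logoffs, NT AUTHORITY principals and machine accounts and keeps the per-user logon records with their workstation and logon type. The sample records, the user jdoe and the workstation WS17 are made up.

```python
import re

# Constructed sample records in the Windows 2000 Security-log description
# layout quoted in the thread (Event 538/540). The user, logon IDs and the
# workstation are made up; only the field layout follows the real events.
SAMPLE_LOG = """\
Event 540 Successful Network Logon:
 User Name: PSDC1$
 Domain: LC_POLICE
 Logon ID: (0x0,0xCBE63)
 Logon Type: 3
 Logon Process: Kerberos
 Authentication Package: Kerberos
 Workstation Name:
Event 538 User Logoff:
 User Name: ANONYMOUS LOGON
 Domain: NT AUTHORITY
 Logon ID: (0x0,0xCB82F)
 Logon Type: 3
Event 540 Successful Network Logon:
 User Name: jdoe
 Domain: LC_POLICE
 Logon ID: (0x0,0xD1A44)
 Logon Type: 3
 Logon Process: Kerberos
 Authentication Package: Kerberos
 Workstation Name: WS17
Event 528 Successful Logon:
 User Name: jdoe
 Domain: LC_POLICE
 Logon ID: (0x0,0xD1B02)
 Logon Type: 2
 Logon Process: User32
 Authentication Package: Negotiate
 Workstation Name: WS17
"""

LOGOFF_EVENTS = {538}   # the matching logon record already carries the facts


def parse_records(text):
    """One dict per event: event_id plus the 'Field: value' pairs below it."""
    records = []
    for block in re.split(r"(?m)^(?=Event \d+ )", text):
        lines = block.strip().splitlines()
        if not lines:
            continue
        record = {"event_id": int(lines[0].split()[1])}
        for line in lines[1:]:
            key, _, value = line.strip().partition(":")
            record[key.strip()] = value.strip()
        records.append(record)
    return records


def is_noise(record):
    """Entries that fill the log without naming a person: logoffs, NT AUTHORITY
    principals (ANONYMOUS LOGON, SYSTEM) and machine accounts, whose names end
    in '$' (the DC's own PSDC1$ in the thread)."""
    if record["event_id"] in LOGOFF_EVENTS:
        return True
    if record.get("Domain", "").upper() == "NT AUTHORITY":
        return True
    return record.get("User Name", "").endswith("$")


def user_logons(records):
    """The retention-worthy view: who logged on, from where, and how. Logon type
    2 is a console logon at the named workstation; type 3 is a network logon
    (share or DC access) whose Workstation Name may be empty."""
    kept = []
    for r in records:
        if is_noise(r):
            continue
        kept.append({"user": r["User Name"], "domain": r["Domain"],
                     "workstation": r.get("Workstation Name") or "(not recorded)",
                     "logon_type": int(r["Logon Type"]), "event_id": r["event_id"]})
    return kept


def noise_ratio(records):
    """Share of records the filter drops (the thread reports about 75% live)."""
    return sum(1 for r in records if is_noise(r)) / len(records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for entry in user_logons(recs):
        print(entry)
    print(f"dropped as noise: {noise_ratio(recs):.0%}")
```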
RE: [ActiveDir] OT: Has anyone had a problem with the RPC call to the OS
Hi All

The virus is w32.blaster.worm - the details were released by Symantec about 12 hours ago. The hole it is using was patched by Microsoft a couple of weeks ago. Here is the link to the Symantec write-up:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

It would appear to be improperly written for Windows XP (rumor has it a miswritten call to RPC designed for Windows 2000 will cause the service to crash in Windows XP, leading to the reboot).

Hope this helps

James R. Day
(202) 354-1464
[EMAIL PROTECTED]

From: Carlos Magalhaes [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 08/12/2003 02:04 PM ZE2
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Has anyone had a problem with the RPC call to the OS

Do you have the exact virus name?

CM
RE: [ActiveDir] Setting password Expiration date
Erick,

Joe makes a good point -- password expiration policy is global. However, you can avoid the rush of everyone's passwords expiring at once with the following process:

1) enable global password expiration, but set the interval really long.
2) run a batch file nightly to expire a small group of users. This primes the pump by getting users to have unique expiration schedules.
3) when you've got everyone to change their password once, shorten the global policy.

I don't think we've run into any Win2K shops that had this problem, but we (vendor: M-Tech, product: P-Synch) have worked with some customers to do a gradual activation of a reasonable expiration interval on WinNT domains using this process.

Good luck!

-- Idan

On Wed, 13 Aug 2003, Joe wrote:

You cannot set password expiration for a group of users. Password expiration is a global domain policy.

Now if you are looking to simply unexpire a group of users you could write (or, most likely at this point, find) a script that will take a CSV file and either reset the passwords of those users, thereby making them active, or force them expired then clear the expired flag, which would make them hot again under their old password with a password age of 0 days. You can do that by forcing a 0 into pwdLastSet and then turning around and forcing a -1 into pwdLastSet.

So say your password policy was set to expire in 91 days and then you have an account with a password of 200 days and you want to re-enable that ID WITHOUT having to change the password; you would use a script like this:

    set o = getobject("LDAP://cn=joe,cn=users,dc=domain,dc=com")
    o.pwdlastset = 0
    o.setinfo
    o.pwdlastset = -1
    o.setinfo

That would force the must change password flag of the account, which would then allow you to clear that same flag, and you now have a password with a password age of 0 days and fully ready to go.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erick Christian
Sent: Wednesday, August 13, 2003 1:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Setting password Expiration date

We are rolling our W2k network out, and have successfully migrated from NT4.0. Previously we had set our user accounts' passwords to expire at the end of the year. However, going through and enabling each individual account is not an option; as of yet I have not found a way in AD to set the PW expiration date for an entire group. If anyone could shed light on this topic I would greatly appreciate it.

Erick Christian
Chesapeake Board of Education
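As an added example (my code, not joe's or Idan's), the pwdLastSet arithmetic behind both messages, with a stand-in for the ADSI object: a FILETIME tick count turned into a password age, the expiry test against the domain's maxPwdAge, joe's 0-then-minus-1 reset (the stand-in rejects -1 unless the stored value is already 0, which is why the script writes 0 first), and Idan's nightly batch schedule. The account, the 2003 dates and the 91-day policy are constructed.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet and maxPwdAge are 64-bit FILETIME values: 100-ns ticks since
# 1601-01-01 UTC. maxPwdAge is stored NEGATIVE on the domain object.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 24 * 60 * 60 * TICKS_PER_SECOND
MUST_CHANGE = 0      # pwdLastSet = 0: "user must change password at next logon"
SET_TO_NOW = -1      # writing -1 asks the DC to stamp the current time


def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(seconds=ticks / TICKS_PER_SECOND)


def datetime_to_filetime(when):
    return int((when - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND


def password_age_days(pwd_last_set, now):
    """Whole days since the password was set; None while the must-change flag is up."""
    if pwd_last_set == MUST_CHANGE:
        return None
    return (now - filetime_to_datetime(pwd_last_set)).days


def is_expired(pwd_last_set, max_pwd_age, now):
    """Expired under the domain policy: pwdLastSet + |maxPwdAge| lies in the past."""
    if pwd_last_set == MUST_CHANGE:
        return True
    if max_pwd_age >= 0:
        return False  # no maximum age configured
    return now >= filetime_to_datetime(pwd_last_set - max_pwd_age)


class FakeUser:
    """Stand-in for the ADSI user object in joe's script (constructed, not a
    real binding). It enforces what the directory enforces: only 0 or -1 may
    be written, and -1 is accepted only while the stored value is 0."""

    def __init__(self, pwd_last_set, clock):
        self.pwd_last_set = pwd_last_set
        self._clock = clock
        self._pending = None

    def put(self, value):          # o.pwdLastSet = value
        self._pending = value

    def setinfo(self):             # o.SetInfo
        if self._pending == MUST_CHANGE:
            self.pwd_last_set = MUST_CHANGE
        elif self._pending == SET_TO_NOW:
            if self.pwd_last_set != MUST_CHANGE:
                raise PermissionError("-1 is only accepted when pwdLastSet is 0")
            self.pwd_last_set = datetime_to_filetime(self._clock())
        else:
            raise PermissionError("pwdLastSet accepts only 0 or -1")
        self._pending = None


def reset_password_age(user):
    """joe's two-step: raise the must-change flag, then clear it with -1."""
    user.put(MUST_CHANGE)
    user.setinfo()
    user.put(SET_TO_NOW)
    user.setinfo()
    return user.pwd_last_set


def expiry_schedule(usernames, nights):
    """Idan's step 2: assign every user to one of `nights` nightly batches so
    the must-change flags (pwdLastSet = 0) go out a slice at a time."""
    return {name: index % nights + 1 for index, name in enumerate(sorted(usernames))}


# Constructed scenario from joe's message: 91-day policy, 200-day-old password.
NOW = datetime(2003, 8, 13, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -91 * TICKS_PER_DAY
OLD_PWD_LAST_SET = datetime_to_filetime(NOW - timedelta(days=200))

if __name__ == "__main__":
    user = FakeUser(OLD_PWD_LAST_SET, clock=lambda: NOW)
    print("expired before:", is_expired(user.pwd_last_set, MAX_PWD_AGE, NOW))
    reset_password_age(user)
    print("age after reset (days):", password_age_days(user.pwd_last_set, NOW))
    print(expiry_schedule(["amy", "bob", "cat", "dan", "eve"], nights=3))
```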
RE: [ActiveDir] Disaster recovery scenario comments requested.
That was my major concern too Hunter. Although we have not seen this in the lab, I am wondering in a more complex environment (like production) if the beast will rear its ugly head then. That would be bad, very bad.

Btw, thanks to all of you for the comments and scenario recommendations. Much appreciated!

Dave

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

My biggest concern in this case is that you end up with an offline backup of the AD database, so you could be happily backing up a database with page-level corruption. Running a couple of virtual DCs on different physical hardware should minimize the risk of -1018 errors, though. Has anyone seen low level corruption of an ntds.dit database?

Hunter

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 9:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

Actually VMWare or more likely Virtual Server are what we are *starting* to look at for a DR system. Basically the idea is to have a couple of nice sized Physical Servers running multiple virtual servers that are domain controllers for all Domains in the Forest. Every night one of the P-Servers shuts down all of the Virtuals and copies off the disk images to some other location for backup to tape. The next night the other P-Server does it. The beauty of this solution is that physical hardware becomes a lot less important for your DR site or your test lab (yes you could bring these images back up in a *segregated* test lab for testing of your production AD and data...). You simply load up your server and then install your virtualization software and then fire up your images and you are off to the races...

We actually just got the hardware in for this, which we will use to develop the solution against the test environment and then once comfortable with it will go prod with it. Personally I think this is about the most flexible and safe DR solution you can have. I am not one for restoring AD from system state dumps.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chianese, David P.
Sent: Friday, August 08, 2003 7:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

That would obviously kill the ghost image idea. I do however like the laptop and more graceful way of transferring roles at the DR site. I think I hear the chimes of VMWare ESX Server calling. Thanks for the feedback Don. I see another idea in my head now too. Alas, it's Friday and I'm late for Happy Hour

-Dave

-----Original Message-----
From: Don Guyer [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

David,

We use similar methodology for our DR tests, by keeping a laptop running as a DC on our live network, then transferring FSMO roles at the DR site. This has worked flawlessly for us. We are now looking to be able to restore our AD environment to a totally different server. Problem is, when we do DR testing we usually get Compaq hardware, whereas we are a Dell shop here.

Don Guyer
IS Dept
Citadel FCU
Ph: 610.380.7072
Fax: 610.380.7008
[EMAIL PROTECTED]

-----Original Message-----
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Disaster recovery scenario comments requested.

All,

I want to run this DR situation by the group and see if anyone else can identify any gotchas in the process. We are currently testing out a DR scenario that involves off-site Domain controllers at a recovery center.

During normal operations the DR DCs are linked to our network via VPN and fractional T1 line in order for replication to occur. When we declare a DR test or go into a live DR situation where one of our sites becomes unavailable for an extended period of time due to an outage, network issue or terrorist incident (remember 9/11?) we bring the DR site up, seize the PDC emulator role (to add workstations, accounts and perform other urgent replication) and let our clients continue operations in all of our remote locations with little interruption of service.

Now, here is the hard part. When DR is over we disconnect the DR DC from the wire and delpart.exe (format/fdisk for NTFS) all of the partitions. The site that was down is then restored and the PDC emulator role is back to its original state. We then take the DR DC and apply a ghosted image of the server as it was when it was first dcpromo'd and let it catch up on replication. This so far has worked flawlessly in the lab. We avoid doing the metadata cleanup of the server since nothing has really changed on the DR DC as
Re: [ActiveDir] How to force RID master change
Thanks! I finally got everything working... at least so far, we'll see how it fares tomorrow and such. Did get some really weird errors, but they were fixable, according to MS.

Ernesto

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 2:28 PM
Subject: RE: [ActiveDir] How to force RID master change

One thing to do is use NTDSUTIL to seize the RID master role. Remove all references to the failed DC in AD (ADSI edit, Sites and Services, DNS). Let replication update all DCs. You should then be able to bring the server back using its original name.

HTH

-----Original Message-----
From: EN [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 10:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] How to force RID master change

Thanks, I have a question though. I want to still use this server. I got a completely new HD in there now, and I want to use the same name. Bad idea? What should I really do? This is the first time this has happened and I haven't read of what should be done when something like this occurs.

Ernesto

----- Original Message -----
From: Chianese, David P. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 12:33 PM
Subject: RE: [ActiveDir] How to force RID master change

NTDSUTIL.EXE, follow the prompts to seize the role. NOTE: Once you seize this role make sure the dead RID is offline and fdisk'd, as you never want that server to come back and start servicing DCs with its old RID pool. The new RID master will artificially inflate the RID pool to a higher number and if per chance the old RID master comes back online in the future it could potentially catch up to the new RID master and issue duplicates. That is a big mess you don't want to get into.

Regards,
Dave

-----Original Message-----
From: EN [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 1:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to force RID master change

I'm searching the knowledge base, but I thought maybe someone had something I could use here as well. Well, one of my DCs just died, hard drive failed completely. Fine. I have another DC, but now I can't change the RID role. I could change the GC, PDC and infrastructure, but the RID master can't be changed, and it states on the tab "server is offline. Can't change roles". What's the best way to force the change?

Thanks
RE: [ActiveDir] Group Policy and IE Zone Security
Interestingly enough, I have that policy enabled (IE Maintenance policy processing). However, I do notice that when I go to the registry key mentioned in that article, the value is still set to 1, instead of 0. I changed it manually, and will reboot to see what happens. Does anyone know what would keep that registry key from changing when the IE Maintenance policy is set to apply?

Okay... rebooted, and the zones are being reset again, and everything that I changed is gone (under the zones).

Thanks,
Charles

-----Original Message-----
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, August 11, 2003 23:51
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

Charles-

Have you checked out this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;306915 ? It's not exactly the same but could be your problem.

Darren
RE: [ActiveDir] os version
A ver command?

-----Original Message-----
From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: Thu 8/14/2003 6:08 AM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] os version

i know this one has probably been done about 500 times already, but was hoping to sound the mailing list out on techniques of differentiating between Windows 2000 / NT4 from login script, given that both Windows 2000 and NT4 return Windows NT from a query of the OS Version environment variable

GT
RE: [ActiveDir] OT: Has anyone had a problem with the RPC call to the OS
Yeah. Thanks again guys for your responses. I was not sure what the virus was called; however, the symptoms that you guys gave to me are exactly what some of our clients were experiencing: "The continuous reboot problem". The servers however are not having any problems as we patched all of them. Suddenly "Management" sees a need for a "Deployment Tool". So what is it that they don't seem to understand? What I have been loud-mouthing for months (they've got to bite the bullet). It seems that it is not the clients that are affected the most; our routers are taking strain with the clients' requests.

Another late-nighter

Yusuf Mayet

From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: 12 August, 2003 15:20 PM
To: '[EMAIL PROTECTED]'

Hey, I was aware of the vulnerability (and thank you for pointing out the MS article for those who weren't), I just wanted to make sure we were all talking about the same thing ;)

SUS is a wonderful thing ;-)

Carlos Magalhaes - ADSI MVP
http://groups.yahoo.com/group/adsianddirectoryservices
[ActiveDir] LDAP search filter for enabled accounts ?
Is there anything I can use in an LDAP search filter to include only accounts that are enabled? For example, a filter like

    (&(objectclass=user)(objectcategory=person)(physicalDeliveryOfficeName=MSPJ))

will find all user objects whose office is in building MSPJ - I'd like to add an argument that limits this to user objects that meet that condition that are enabled.

Dave
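As an added example (my code, not part of Dave's post), the filter with the extra clause that excludes disabled accounts, checked by a small evaluator for AD-style search filters against constructed user entries. It assumes the standard bitwise-AND matching rule OID and the ACCOUNTDISABLE bit of userAccountControl; the entries and account names are made up.

```python
# Constants from the AD documentation: the bitwise-AND matching rule OID and the
# ACCOUNTDISABLE bit of userAccountControl (512 is a plain enabled account).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x2


def enabled_users_in_office_filter(office):
    """Dave's filter plus a clause that drops accounts with the disable bit set."""
    return (
        "(&(objectClass=user)(objectCategory=person)"
        f"(physicalDeliveryOfficeName={office})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})))"
    )


def parse_filter(text):
    """Parse an RFC 4515-style filter into ('&'|'|', [children]), ('!', child)
    or ('cmp', attribute, matching_rule_oid_or_None, value)."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|":
        op, children, pos = text[pos], [], pos + 1
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        node = (op, children)
    elif text[pos] == "!":
        child, pos = _parse(text, pos + 1)
        node = ("!", child)
    else:
        end = text.index(")", pos)
        lhs, value = text[pos:end].split("=", 1)
        rule = None
        if ":" in lhs:                      # extensible match: attr:oid:=value
            lhs, rule, _ = lhs.split(":")
        node, pos = ("cmp", lhs.lower(), rule, value), end
    if text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute name -> value(s))."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    lowered = {name.lower(): val for name, val in entry.items()}
    if attr not in lowered:
        return False                    # an absent attribute never matches
    stored = lowered[attr]
    values = list(stored) if isinstance(stored, (list, tuple)) else [stored]
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if value == "*":
        return True                     # presence test
    return any(str(v).lower() == value.lower() for v in values)


def user(name, office, uac):
    """Constructed entry. Real objectCategory values are DNs; AD resolves the
    short name 'person' in filters, so the short form is stored here."""
    return {"sAMAccountName": name, "objectClass": ["top", "person", "user"],
            "objectCategory": "person", "physicalDeliveryOfficeName": office,
            "userAccountControl": uac}


USERS = [
    user("alice", "MSPJ", 512),
    user("bob", "MSPJ", 514),           # 512 | ACCOUNTDISABLE
    user("carol", "MSPK", 512),
    user("svc-backup", "MSPJ", 66050),  # 65536 (no expiry) | 512 | 2
]


def enabled_users_in_office(entries, office="MSPJ"):
    node = parse_filter(enabled_users_in_office_filter(office))
    return [e["sAMAccountName"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    print(enabled_users_in_office_filter("MSPJ"))
    print(enabled_users_in_office(USERS))   # ['alice']
```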
RE: [ActiveDir] Group Policy and IE Zone Security
Update: I have now noticed (beating my head on desk for not seeing it sooner) that the server also sees the reset of the site changes. Meaning:

1) I log onto the server, change the site listings as needed under IE Maintenance/Security
2) Run Secedit, check to make sure changes are applied on workstation (they are).
3) Now I check the server, changes took place there as well.
4) Reboot *any* workstation, and the changes are gone.
5) Check server, changes are gone from there as well and from the policy.

Any ideas? I have been unable to find anything even remotely close via google or technet.

Thanks.
Charles
RE: [ActiveDir] Group Policy and IE Zone Security
You lost me on one part. What are you referring to when you say Preference mode settings? As for local GPO IE settings, there are none set. I will enable the verbose logging and see what happens.

Thanks
Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, August 12, 2003 13:21
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

Charles-

Just out of curiosity, are you using preference mode settings here? Things to check:

-- Make sure you don't have any local GPO IE settings defined. Highly unlikely but worth checking.
-- Enable verbose userenv.log logging to see if you can get a clue as to why this is happening. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833 to enable this logging.

Darren
RE: [ActiveDir] Password change issue
We had a discussion involving this very issue on this list last week - MS has a KB article that describes this: http://support.microsoft.com/?scid=812499

There is a hotfix (referenced in this article), and the fix is included in Win2K SP4. Hope this helps... we're updating all our DCs to SP4 now, so we'll see...

Dave

-----Original Message-----
From: Carr, Jonathan (OFT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 6:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password change issue

OK here it is...

PDC emulator at a central site. DC at a remote site connected to Central site VIA a WAN link. Have Bridgehead with scheduled replication to remote sites. Have GP that has strong password, Max password life 90 days, Min password life 1 day.

User contacts help desk because they forgot password (password was old123$) and locked their acct. Helpdesk at Central site resets acct and password (new password new123$) and checks box to have user change password at next logon. User logs in with password (new123$) from Help Desk. The local DC does a pass-thru authentication to the PDC emulator which returns an authentication packet to the client PC. User gets Must change password dialog box. In the dialog box the old password is automatically back-filled with the password (new123$) he logged on with. User enters new password (newer123$) and confirms it. When the user tries to finalize the change password he gets blown out by "old password not correct"; the local DC is trying to commit the password change. If the user enters his original password (old123$) (kind of tough cause he forgot it, that is why he called the help desk in the first place) in the old password box and enters a new one (newer123$) he is OK and allowed to go forward.

This is really strange. I know why it happens. If you force replication throughout the domain before the user logs on this does not happen but that would be a no-no in this place. If you change the password on the PDC emulator and the local DC it does not happen.

anyone got a valid reason why the client PC does this??
RE: [ActiveDir] how to identify what got changed in a user's account?
I've been trying to track them with MOM and have concluded that 642's are a can of worms. What tends to happen is that a single change will generate one 642 with a description of the change (Account Unlocked, etc.), followed by one or more additional 642's with no description whatsoever. I've even run across situations where I thought a 645 Computer Account Created should have been generated, but instead got a 642 User Account Changed: User Account Created, Target Account ID: TEST$ - that was from RIS. I guess I could also use some help.

Bruce Hansen

-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 6:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] how to identify what got changed in a user's account?

Hi, I am trying to identify exactly what got changed in a user's account (W2K domain). I know that a change will create a Security log record, EventID 642, category Account Management, type Success. It will identify the account that got changed (Target Account ID) and who made the change (Caller User Name). But how do you tell *exactly* what changed? Is there additional logging that must be enabled? Thanks for any info!

Mike Thommes
RE: [ActiveDir] Seeking some feedback ... use of 2003 Admin. tool s against a non-forest prep'd 2000 only directory ...
Title: Message Thank you Joe ... high praise indeed and rigt back at ya ... though in my case, I'm not certain it's deserved but I'll take what I can get :-))) PS - Being English, I do read tea leaves and as such am perfectly capable of predicting the future, in fact, I predict that this PS is going to bite me in the ass very shortly ;-) -- Dean Wells MSEtechnology * Email: dwells@msetechnology.com http://msetechnology.com -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of JoeSent: Thursday, August 07, 2003 11:31 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Seeking some feedback ... use of 2003 Admin. tool s against a non-forest prep'd 2000 only directory ... OT but So the question is, are you that good! Dean is really really really really good. Not a fortune teller, but if it is all based on technology, he is the man. joe -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)Sent: Thursday, August 07, 2003 4:57 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Seeking some feedback ... use of 2003 Admin. tool s against a non-forest prep'd 2000 only directory ... Schema Extensions aren't bad, if they are documented correctly and properly replicated throughout the forest. Rob, didn't you say that you found a way to clean upold schema extensions that Microsoft "fixed" in SP3. Dean, Whyis it necessary for you to extend the native tool function?If it is to have better Data Administration functions, I would recommendusing a third-party products. I personally think investing time and money into the native tools for data administers is like giving children razor blades.Directory Administrators on the other hand can use tools like Hyena, or one of the many tools out there, but you are right, to get extended functions, the only way is toeither forest prep using Microsoftregression tested methods, or roll you own. So the question is, are you that good! 
This isn't to say can you write a script to do it, more so, can you predict how long their directory will be used, and if your extensions will one day cause more problems than it's worth to the next guy who supports them. I have to say you do have a very impressive Microsoft knowledge base in your brain, and intellectual grasp of the cause and effect of changes in Microsoft Technology, so I am not really worried. Just trying to scare off the faint of heart. From what you describe though, it doesn't sound too difficult and I have modified display specifiers many times. (Who in the heck searches an address book by first name? The guy who wrote AD UC must have had some good drugs that day.)

-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 4:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Seeking some feedback ... use of 2003 Admin. tools against a non-forest prep'd 2000 only directory ...

Based on some things I've done in the past that are similar in nature to this, I would be extremely surprised if MS supports it. That said, it didn't prevent me from doing it anyway ;-) I'd like to see the script when you are done to look at what is involved. You'll definitely want to add an "undo" option as part of it.

As you mentioned, the schema version would be the major concern. Who knows how Microsoft uses it within applications. I suppose other non-MS apps could also use it to determine what to expect in the schema.

As far as extending the schema goes, you will inevitably run into the people that don't want to do it because it is "bad", and probably even more so if it isn't supported by MS. I'm a big proponent of extending the schema when it makes sense. Especially in this case, you aren't adding to the GC (which of course isn't an issue in W2K3). It all comes down to how much the customer needs the new tools and is not wanting to upgrade.
Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 12:12 PM
To: AD mailing list (send)
Subject: RE: [ActiveDir] Seeking some feedback ... use of 2003 Admin. tools against a non-forest prep'd 2000 only directory ...

In order for the multi-select property sheets to become available within the admin. tools, a display specifier modification is necessary. The modification entails the usage of an attribute NOT provided by the base Windows
RE: [ActiveDir] Group Policy and IE Zone Security
Well, I did a reset with no problems. I tried setting to preference mode, but seem unable to input any changes. I tried adding the *.adm files for IE (inetcorp.adm and inetset.adm), however, when I go to access the settings, I see the following:

The inetset.adm file is not for Windows 2000. These settings will not be displayed.

I see the same error message for inetcorp.adm.

When trying to access the Advanced settings under User Config/IE Maintenance/Advanced, I can see Corporate settings and Internet Settings listed. When I try to access either one of those policies, I get the following 2 errors:

Source: DrWatson
Event ID: 4097
The application, mmc.exe, generated an application error The error occurred on 08/13/2003 @ 08:41:52.547 The exception generated was c005 at address 02324FD8 (nosymbols)

And

Source: SQLServerAgent
Category: Alert Engine
Event ID: 318
Unable to read local eventlog (reason: The data area passed to a system call is too small).

I am assuming that I am seeing these errors due to the problem stated above (that the *.adm file isn't for Windows 2000). Other than that I am at a loss as to what is happening. Any ideas?

Thanks,
Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, August 12, 2003 16:08
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

IE Maintenance has two modes--preference and mandatory. Preference says, hand down IE policy but then let the user change it whereas mandatory says, reinforce it all the time. You can see this by right clicking the IE Maintenance node and choosing either Preference mode or Reset Browser Settings. You might try a reset--I have seen weirdness around preference mode in the past.
RE: [ActiveDir] os version
Graham,

From the Script Center in Technet:

' Query WMI on the local machine ("." = this computer) for the OS class.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery _
    ("Select * from Win32_OperatingSystem")
' Caption is the product name; Version is major.minor.build
' (4.0.x for NT4, 5.0.x for Windows 2000), which is what tells the two apart.
For Each objOperatingSystem in colOperatingSystems
    Wscript.Echo objOperatingSystem.Caption & "  " & objOperatingSystem.Version
Next

But one of the many ways to accomplish. And, as I remember, but can't recall the name, I've used a CLI .exe in CMD type scripts to do a determination of OS as well. Many other ways to do this, as you obviously need to have WMI installed/activated for the above to work.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/compmgmt/ScrCM26.asp

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Thursday, August 14, 2003 6:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] os version

i know this one has probably been done about 500 times already, but was hoping to sound the mailing list out on techniques of differentiating between Windows 2000 / NT4 from login script, given that both Windows 2000 and NT4 return Windows NT from a query of the OS Version environment variable

GT

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] WOT Unreadable code (was Connection String)
This still requires a list of semi trusted networks. I am curious would you use the IPSEC to limit the port range to the DC's for replication, or both the client level traffic and the DCs traffic? One problem with client traffic being encrypted is that we support multiple hosts connecting to our domains, (Mac, UNIX, old NTLM clients). I have to be honest, I have spoken with several engineers who have tried to do IPSEC on large scale deployments and they say it is more trouble than it is worth when you are not standardized on Windows 2000 or XP.

The problem I am having is that some of the organizations in my operation want to view all traffic from outside their organization as totally untrusted. So basically their security experts want us to identify specific ports and trusted inbound communication from specific hosts for every domain in the forest. We have about 24 domains, and about 75 DC's. That's one big list to keep maintaining and coordinating for just the DC traffic. We also have 5 Class B address ranges of ports in our design (Remember we are the government) so exposing planning for client exposure is also somewhat an issue.

So far I came up with two solutions to this, use DMZ's and limited/Static RPC replication, and allow inbound traffic from trusted networks to community network services (DNS, AD, Exchange Servers, Intranet servers), then separate mission critical servers and clients by connecting them through a second firewall to the border DMZ. Allow all outbound communication to occur, and allow limited inbound from DMZ servers to occur. What this basically will probably require is that AD replication and operations will work as expected for hosts inside the firewall and traveling users who work at other departments within the organization.
If the organization chooses to limit basically all inbound communication requests except from the direct replication partners this potentially can break authentication from outside sources to local resources, provisioning via LDAP, and single sign-on using only Microsoft technology. So if the user ever visits another part of the organization that is behind a closed firewall DMZ design, they will have to VPN into their portion of the network to properly authenticate and access resources.

So the question I posed earlier has still gone unanswered. Do you think RPC NTDS and FRS replication is fine with just one port being open, or do you think it would be better to open a range?

Thanks,
Todd Myrick

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 9:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Correct. One option is to run IPSec tunnels without encryption - that allows for full content inspection while still having reduced requirements for open ports.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 9:12 AM
To: ActiveDir
Subject: Re: [ActiveDir] WOT Unreadable code (was Connection String)

I would like to see his thoughts on the matter. MS's published recommendations for using ipsec tunnels to traverse firewalls is fine between trusted environments, but most trusted environments can create their own vpn tunnels using firewalls more efficiently. And between untrusted environments it would be generally irresponsible (security-wise).

--
Sent from my BlackBerry Wireless Handheld

- Original Message -
From: ActiveDir-owner
Sent: 08/05/2003 11:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Todd,

If you're working with Microsoft, have them contact or engage Steve Riley.
He's a 'softie that has specific experience in large environments (previously telecoms) and I seem to remember the last time we talked he was with some area of the Security practices - though I can't specifically state where. He is in Redmond now (last I knew), and has published some very interesting and promising work on AD over/through/around firewalls using IPSec and other advanced technologies.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Tuesday, August 05, 2003 3:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)

Well we are currently redesigning our Site Topology due to several organizations setting up firewalls and thinking they are guarding against Neo and the Matrix Gang. One thing we are working with Microsoft on is optimized Hub and
RE: [ActiveDir] Connection String
More importantly - I like to be able to read someone ELSE's code and understand it. My last perl hacking was updating a firewall parsing routine. The reg ex that was used was thoroughly inconceivable for the first 20 minutes.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 9:38 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Connection String

HAHAHA Perl

I like to be able to read my code and understand it again in 6 months :)

Glenn

- Original Message -
From: Robbie Allen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 11:14 PM
Subject: RE: [ActiveDir] Connection String

> Come over to the 'Dark Side' with VB.NET... its nice and warm here *looks at the fires of hell*.

Come on guys, why go to VB.NET when you can get most of the benefits of a compiled language and a whole lot more in a lot fewer lines with Perl! muaahh...Muaahh...MUUAAAHH :-)

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 8:54 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Connection String

Roger,

You should be able to convert the Primary Windows NT Account into a Domain\Username pair. I did do it some time ago (yeah, it was Ex 5.5 timeframe too). I'll have a dig around (from memory it was using LookupAccountSID *shudder*)

If your UPN in 2k and Exchange email address use the same format (ie [EMAIL PROTECTED]), you could cheat a bit, and use the UPN conversion type code:

ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9
User principal name format. For example, [EMAIL PROTECTED]

*shrug* might be worth a stab. not sure about mixing NT v4 and 2k servers in the call, I don't think it would work too well (may require AD).

Come over to the 'Dark Side' with VB.NET... its nice and warm here *looks at the fires of hell*.

G.
- Original Message -
From: Roger Seielstad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:42 PM
Subject: RE: [ActiveDir] Connection String

Cool. Might be able to stay away from a compiler for another 3 months...

I know what it was that didn't work - VBScript can't handle the way Exchange 5.5[1] returns the Primary Windows NT Account attribute - it comes back as a string octet (I think). The VB examples all included the same constant defs, so I was thinking it was the same thing I looked at a month or two ago. Now I'm wondering if I can just direct translate using the syntax below... I'll have to try that later...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] Yeah, I'm still running it

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 8:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Connection String

From the online help about NameTranslate, VBScript Example (haven't tried it, but looks like it should work)

Dim nto
const ADS_NAME_INITTYPE_SERVER = 2
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_NT4 = 3
server = "aDsServer"
user = "jeffsmith"
dom = "Fabrikam"
passwd = "top secret"
dn = "CN=jeffsmith,CN=Users,DC=Fabrikam,DC=COM"
' The help sample uses Server.CreateObject (the ASP form); plain CreateObject is the WSH/VBScript form.
Set nto = CreateObject("NameTranslate")
' Bind to a specific server with explicit credentials, then translate the 1779 (LDAP DN) name to NT4 style.
nto.InitEx ADS_NAME_INITTYPE_SERVER, server, user, dom, passwd
nto.Set ADS_NAME_TYPE_1779, dn
result = nto.Get(ADS_NAME_TYPE_NT4)   ' DOMAIN\username form

- Original Message -
From: Roger Seielstad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:31 PM
Subject: RE: [ActiveDir] Connection String

The only problem with that is you can't call the same methods from VBScript - which is where I seem to need it the most.. Better brush up on my mAd VB.net skilz...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 8:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Connection String

Pablo, here is some code I use in VB.NET to do a similar thing, should be convertible to C# without much hassle

strUserName = the fully qualified LDAP path
[ActiveDir] ADMT 2.0 error 7557
was wondering if any one could give us info on ADMT error 7557. this is being logged by the ADMT user migration wizard when selecting the option to migrate passwords using password export server. this has been working a treat to date but from the one article on this found to date looks to be name resolution related. to try and diagnose further was hoping the NG could provide me with a bit of detail on the communication between the ADMT host and the password export server during the user migration

Thanks

GT
[ActiveDir] Pagefile sizes... Its that time of year again.
So you have a Gig of ram on a DC, what do you all set the pagefile size to? Memory + 11 MB? Like to hear your feedback.

Toddler
RE: [ActiveDir] Home Labs Interconnected
Or maybe DirectoryInsight :-)

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 2:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Home Labs Interconnected

This sounds like a job for Directory Lockdown!

Toddler

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 5:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Home Labs Interconnected

Even if you trust everyone, coordination remains a problem. Chat and such are fine, but if I'm running some tests over the course of a couple of evenings or a weekend, how can I reasonably expect 20 other people to leave the whole thing alone for that length of time? And how do I put everything back the way it was? (I guess remotely deployable VMWare is the obvious answer to this last issue.)

-g

-Original Message-
From: Cary, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 1:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Home Labs Interconnected

What happens in the real world when this happens? With message boards, chat rooms, and instant messengers configuration changes could be documented and discussed. Your question goes back to trust, is someone going to make changes on their own with no concern for the other participants?

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 2:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Home Labs Interconnected

Interesting idea. I would think that trust isn't so much of an issue as configuration management. If you have 20 people link their 100 servers into a couple of AD forests (for instance), how do you make sure no one reconfigures the replication topology right when you're in the middle of testing out some site-specific GPO?
-g

-Original Message-
From: Cary, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 10:33 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Home Labs Interconnected

I wanted to pose this idea to the group and get some feedback. Resources at work are limited for a test lab and I only have 3 computers at home for a lab, and I would think at least some of you are in similar situations. The home lab is ok for some stuff but I find it's hard to put a real world slant on such a small network. Would it be plausible to get several IT people, that haven't really met just interacted online (such as this list), to connect their home labs over the Internet creating a larger lab environment. This would create many different sites and subnets, something hard to do in a standalone home lab with limited hardware. I see the biggest issue would be with security and trust, could this be overcome? Could this experiment succeed or would some people always be trying to trash everyone else's computers?

What do you think?
RE: [ActiveDir] Seeking some feedback ... use of 2003 Admin. tools against a non-forest prep'd 2000 only directory ...
The schema revision update is kind of scary to me Dean. What else looks for that that we aren't aware of that would blow horribly when it didn't really get what it needed because it thought it would be there because of that revision level?

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, August 07, 2003 12:12 PM
To: AD mailing list (send)
Subject: RE: [ActiveDir] Seeking some feedback ... use of 2003 Admin. tools against a non-forest prep'd 2000 only directory ...

In order for the multi-select property sheets to become available within the admin. tools, a display specifier modification is necessary. The modification entails the usage of an attribute NOT provided by the base Windows 2000 AD schema, subsequently, some minor directory updates are necessary if batch modification is desirable within the GUI (in my experience, it's listed as one of the major complaints especially from those that upgraded from NT4). The mods. necessary are quite extensive and involve incrementing the schema revision (objectVersion attribute of the schema NC head) to a value of 15 (this step is mandatory as the tools appear to be hard coded to look for this value before presenting the properties context menu option during a multi-select operation). With the exception of the schema revision and a modification to two of the pre-existing display specifiers, no further potentially destructive changes are necessary (the schema revision is the major concern).

As for supportability from MS themselves, I agree this is important to many but since we're introducing changes defined by Microsoft themselves (admittedly incomplete) I see no reason for major technical concern. I'm uncertain as to PSS's point of view at this stage (without wishing to raise the "ooh, look at me flag", I'm fortunate enough to have the luxury of teaching the majority of Microsoft's worldwide AD PSS tech.
leads support staff and will ask for their opinion next week). I guess I look at these modifications as similar to those you referenced in your reply, they are little more than "run of the mill" schema extensions that happen to be defined and used by MS themselves ... one would hope this is a positive thing :) .

Thanks for your input Glenn ... much appreciated.

Dean

--
Dean Wells
MSEtechnology
Tel: +1 (954) 501-4307
Email: dwells@msetechnology.com
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Thursday, August 07, 2003 11:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Seeking some feedback ... use of 2003 Admin. tools against a non-forest prep'd 2000 only directory ...

Dean,

I'm not quite sure I understand the question (it may have something to do with it being 1am here)

Running the 2k3 Admin tools on 2000 / XP machines won't require any mods to the forest schema (and in fact is the only way you can perform some administrative tasks from XP machines (like e2k) - gr Microsoft). That being said, it sounds like you are performing a selective update of the schema with those properties / objects to give some additional 2003'ish features without going all the way and really 2k3'ing the environment? Are they simply additional properties to existing objects (like users, groups, computers), or is it something more fundamental?

Sounds like a feasible alternative, provided that you aren't changing underlying properties within objects that may affect downlevel 2000 clients or DC's (which it sounds like you aren't). Personally, I don't think MS would support you in the slightest if you did have issues in the 2k environment, and would be tricky to undo as you can't reverse schema mods in 2k. The only option would be a 'forced' rollup to 2k3 before the client environment is ready for it.
What sort of additional functionality are you gaining, and is this enough to potentially have an "unsupported" AD in the eyes of MS? (I'm not saying for certain they wouldn't support you, but from personal experience it's probable). My suggestion would be to get a definite yes or no from MS on the supportability of this change, and if they are happy make your decision then. The schema isn't written in stone obviously, so is meant to be changed (within reason), you're just modding it in a slightly *strange* way.

I would certainly be interested in the details of what changes you are making, and what additional functionality you are getting. My understanding with things like Multiple Object Edit is that it is simply additional functionality within the 2k3
RE: [ActiveDir] Anonymous Logon
We were playing with KIWI and an addin called backlogNT that a lot of others were using and recommending. Looks like it's morphed into SNARE.

http://www.intersectalliance.com/projects/SnareWindows/index.html

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 6:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

How are you sending the Windows event logs to a syslog server? Is that Kiwi as well?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 7:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon

Cindy,

I've evaluated and have recommended MonitorWare to our Security Director for the needs of our environment which is combined Enterprise with Cisco, Windows, Unix (all flavors) ACDs, and Tandem systems. Clearly, our ability to send syslog formatted logs makes sense, as we're not the only players, just a bit more adaptable.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Wednesday, August 06, 2003 3:11 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Does anyone have any experience with MonitorWare? Since I'll need a syslog server, I'd like one that will also work with the logs on our Cisco devices.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 23:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon

Cindy,

If you're going to have to keep all audit entries, you're going to have a tough time.
I can help decipher these records for you (I do a lot of this!), but in a nutshell you've recorded a successful logoff (the Event 538) and a successful network logon via the Kerberos authentication package by the user PSDC1 - who looks to be a machine. In fact, one of your DCs. Yes, they do logon and logoff of the domain - typically to connect to services that it needs. This one (the Event 540) was a logon to the domain, where the previous was not a logoff from the domain proper.

A Logon type 3 tells you that it was via the network, while a type 2 is interactive (too bad you can't tell if it was actually at the console). Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8 (plaintext password) or 9 (impersonated logon).

The Logon process and authentication package notes what type of process was spawned to authenticate the user from the point it connected to the session through authentication. You might see Kerberos (network), NTLM (network), or User32/Negotiate (Local). Realm associated events to MIT Kerberos realms should record as Kerberos authentication.

Bottom line: Ignore the SYSTEM (usually a service doing what it needs) and the machine name events logging on. They are irrelevant and generally service and process related to normal operation of the network. Do, however, take note of the user logons and logoffs. The Logon ID field will stay with the user from Logon through the logoff of this session. You should be able to always associate a 540 Event to a corresponding 538 Event. However, be vigilant that a 538 is not always the same. One might indicate a network logoff, one might indicate a net use disconnection and another might record an Interactive logoff or an auto disconnect.

As to what to do about spurious events that mean nothing when dealing with user activity, I'd suggest a more manageable solution such as a syslog server for Windows events and filter the records that you want going to the syslog server.
This not only collects all of the server's audit events at one place but also allows you to get rid of the events that play no part in true auditing of the server. Do a Google search on Windows Syslog and you'll find a number of options - one of which should suit.

Hope this helps!

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Tuesday, August 05, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Rick,

The security logs in question are on my Windows 2000 domain controllers, PSDC1 and PSDC2. When I Audit Logon Events, the log fills with

Event 538 NT Authority\Anonymous Logon
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:
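Rick's advice above (drop the SYSTEM, machine-account and anonymous noise, pair each 540 logon with the 538 logoff that carries the same Logon ID, and read the logon type and authentication package) is exactly what a syslog-side filter has to implement once the Windows events are being forwarded. The following is an added example in Python, not code from the thread or from any of the products mentioned; the six sample events are constructed, and the flattened one-line "key: value" layout is an assumption standing in for whatever the forwarding agent actually emits.

```python
"""Correlate Windows 2000 security-log logon (540) and logoff (538) events.

Added example (not from the thread).  The record layout below is an
assumed flattening of the event text; the sample events are constructed.
"""
import re
from datetime import datetime

# Logon type meanings as listed in the thread (Windows 2000 numbering).
LOGON_TYPES = {
    2: "interactive",
    3: "network",
    4: "batch",
    5: "service",
    7: "unlocked workstation",
    8: "plaintext password",
    9: "impersonated logon",
}

# Accounts whose 540/538 events are service/process chatter, not user activity.
NOISE_ACCOUNTS = {"SYSTEM", "ANONYMOUS LOGON"}

# Constructed sample events, one per line (assumed flattened layout).
SAMPLE_EVENTS = """\
2003-08-05 08:01:10 EventID: 540 User Name: PSDC2$ Domain: CORP Logon ID: (0x0,0x3A1F) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos
2003-08-05 08:02:15 EventID: 540 User Name: crittenhouse Domain: CORP Logon ID: (0x0,0x4B22) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate
2003-08-05 08:02:40 EventID: 538 User Name: PSDC2$ Domain: CORP Logon ID: (0x0,0x3A1F) Logon Type: 3
2003-08-05 08:05:00 EventID: 540 User Name: ANONYMOUS LOGON Domain: NT AUTHORITY Logon ID: (0x0,0x4C00) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM
2003-08-05 09:30:05 EventID: 540 User Name: jsmith Domain: CORP Logon ID: (0x0,0x5D10) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos
2003-08-05 12:02:15 EventID: 538 User Name: crittenhouse Domain: CORP Logon ID: (0x0,0x4B22) Logon Type: 2
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID: (?P<eid>\d+) "
    r"User Name: (?P<user>.+?) Domain: (?P<domain>.+?) Logon ID: (?P<lid>\S+) "
    r"Logon Type: (?P<ltype>\d+)"
    r"(?: Logon Process: (?P<proc>\S+) Authentication Package: (?P<pkg>\S+))?$"
)


def parse_events(text):
    """Turn the flattened lines into dicts; lines that are not 540/538 records are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "time": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(d["eid"]),
            "user": d["user"],
            "domain": d["domain"],
            "logon_id": d["lid"],
            "logon_type": int(d["ltype"]),
            "process": d["proc"],      # None on a 538, which carries no process/package
            "package": d["pkg"],
        })
    return events


def is_noise(ev):
    """Machine accounts (trailing $), SYSTEM and anonymous logons: ignore, per the thread."""
    return ev["user"].endswith("$") or ev["user"].upper() in NOISE_ACCOUNTS


def make_session(logon, logoff):
    return {
        "user": f"{logon['domain']}\\{logon['user']}",
        "logon_id": logon["logon_id"],
        "logon_type": LOGON_TYPES.get(logon["logon_type"], f"type {logon['logon_type']}"),
        "package": logon["package"],
        "logon": logon["time"],
        "logoff": logoff["time"] if logoff else None,
        "duration_s": (logoff["time"] - logon["time"]).total_seconds() if logoff else None,
    }


def correlate_sessions(events):
    """Pair each user 540 with the 538 carrying the same Logon ID.

    A 540 with no matching 538 yields a session with logoff=None (still open,
    or the logoff was not collected); a 538 whose 540 was never seen is dropped.
    """
    open_sessions, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_noise(ev):
            continue
        if ev["event_id"] == 540:
            open_sessions[ev["logon_id"]] = ev
        elif ev["event_id"] == 538:
            logon = open_sessions.pop(ev["logon_id"], None)
            if logon is not None:
                sessions.append(make_session(logon, ev))
    sessions.extend(make_session(logon, None) for logon in open_sessions.values())
    return sessions


if __name__ == "__main__":
    for s in correlate_sessions(parse_events(SAMPLE_EVENTS)):
        print(s["user"], s["logon_id"], s["logon_type"], s["package"],
              s["logon"], s["logoff"], s["duration_s"])
```

Run against the constructed sample it keeps two user sessions (the interactive one closed by its 538 after four hours, the Kerberos network one still open) and silently drops the PSDC2$ and ANONYMOUS LOGON pairs. The same Logon ID key is what lets a 538 be attributed back to a session even though, as Rick notes, a 538 on its own does not say which kind of logoff it was.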
RE: [ActiveDir] Disaster recovery scenario comments requested.
Don-

We're in the same spot, with production DCs running on Dell and DR hardware often being Compaq. We've found that KB810161 (http://support.microsoft.com/default.aspx?scid=kb;en-us;810161) has been important to successfully accomplishing the restores. Recently, we've also found that building the Compaq boxes with a SmartStart CD, instead of using an OS CD + specific drivers, to be much less painful. The IBM boxes that we've done test restores to have been less picky.

Hunter

-Original Message-
From: Don Guyer [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 3:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

David,

We use similar methodology for our DR tests, by keeping a laptop running as a DC on our live network, then transferring FSMO roles at the DR site. This has worked flawlessly for us. We are now looking to be able to restore our AD environment to a totally different server. Problem is, when we do DR testing we usually get Compaq hardware, whereas we are a Dell shop here.

Don Guyer
IS Dept
Citadel FCU
Ph: 610.380.7072
Fax: 610.380.7008
[EMAIL PROTECTED]

-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Disaster recovery scenario comments requested.

All,

I want to run this DR situation by the group and see if anyone else can identify any gotchas in the process. We are currently testing out a DR scenario that involves off-site Domain controllers at a recovery center. During normal operations the DR DC's are linked to our network via VPN and fractional T1 line in order for replication to occur. When we declare a DR test or go into a live DR situation where one of our sites becomes unavailable for an extended period of time due to an outage, network issue or terrorist incident (remember 9/11?)
we bring the DR site up, seize the PDC emulator roll (to add workstations, accounts and perform other urgent replication) and let our clients continue operations in all of our remote locations with little interruption of service. Now, here is the hard part. when DR is over we disconnect the DR DC from the wire and delpart.exe (format/fdisk for ntfs) all of the partitions. The site that was down is then restored and the PDC emulator roll is back to its original state. We then take the DR DC and apply a ghosted image of the server as it was when it was first dcpromo'd and let it catch up on replication. This so far has worked flawlessly in the lab. We avoid doing the metadata cleanup of the server since nothing has really changed on the DR DC as it was re-imaged previous to the PDC emulator roll seizure. Our lab environment is a fraction of the capacity of our Production and not as complex. Can anyone see any problems arising down the road by doing a DR process like this? The other option planned is to already have the workstations and DR environments created in a separate OU so that in a DR situation we just need to let the site that is disconnected stay disconnected and then catch up on replication when it comes back. This is my preferred method of how to handle our DR woes, but unfortunately we are not there yet. I am only looking for feedback or you to play devil's advocate on the above situation we currently have in place. Thank you in advance for your comments. Regards, David Chianese Senior Engineer IT - Server Services Delaware Investments *Powered By Research A Member of the Lincoln Financial Group This e-mail and any accompanying attachments are confidential. The information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication by others is strictly prohibited. 
If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies. Thank you for your cooperation. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Server Monitoring
Take a look at HostMonitor at www.ks-soft.com. Very functional product for a very low price. The developer is very responsive for functionality changes and bug fixes as well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, August 05, 2003 4:35 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT: Server Monitoring

My company is currently looking for a product that will monitor if the e-mail server and other servers are up or down and then notify me by e-mailing my cell phone.

Questions:
1) What software do you use?
2) How do you get notified by e-mail if your e-mail server is down?

Any help is appreciated, I have already looked at Whats Up Gold and Servers Alive.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] Disaster recovery scenario comments requested.
Jan,

Do you know if they have published a paper or some detail on this process? Naturally, I'm interested in what they are proposing. Currently, their full-fledged technical document is slated for March 2004, which, IMHO, is way too late.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jan Wilson
Sent: Sunday, August 10, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster recovery scenario comments requested.

Just as an aside here - MS of course displayed their VM server at Tech Ed - one nice idea was DR for Exchange 2003 - you would basically generate a new email server in minutes on a VM - users are then back online and you then begin to backfill their email from tape.
RE: [ActiveDir] OT: Has anyone had a problem with the RPC call to the OS
http://isc.sans.org/diary.html?date=2003-08-11

It goes by different names, depending on the antivirus vendor. The patch has been out for this for a while now. Our servers are patched, and we've seen no issues as of yet.

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 8:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Has anyone had a problem with the RPC call to the OS

Do you have the exact virus name?

CM
RE: [ActiveDir] Password Lookup
Hi Robbie,

I'm not aware that the Windows 2000 password complexity switch prevents the use of dictionary words. That certainly has not been the case here. Please let me know if there is some "special" switch to prevent dictionary words and what dictionary it uses. Thanks!

Mike Thommes
Argonne National Laboratory

-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 9:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Password Lookup

I don't believe MS does, but there are a few scripts/tools on the net that can be used to do it. Have you enabled password complexity, which prevents the use of dictionary passwords? Do you have account lockout enabled? It is much harder (i.e. time consuming) to perform dictionary attacks against AD if account lockout is turned on.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Lookup

Does anyone know if Microsoft provides provisions for doing dictionary lookups on passwords?

Thanks!
Ryan McDonald
Systems Administrator
The Bankers Bank
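The disagreement in this thread is whether "password complexity" rejects dictionary words. The following is an added illustration, not code from the thread or from Microsoft: complexity_ok() applies the documented Windows default complexity rule (at least six characters, three of four character classes, no occurrence of the account name or any three-plus character part of the display name), and dictionary_ok() is an assumed, constructed check against a small inline wordlist after undoing common letter-for-symbol substitutions. The account names and the wordlist are made up for the example.

```python
"""Added example: complexity filtering and dictionary checking are different controls."""
import re
import string

# Constructed wordlist for the example; a real check would load a full dictionary file.
WORDLIST = {"password", "welcome", "summer", "argonne", "letmein", "qwerty"}

# Common letter-for-symbol substitutions to undo before the dictionary lookup (assumed).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def complexity_ok(password: str, account: str, full_name: str = "") -> bool:
    """Default Windows complexity rule as documented for Windows 2000."""
    if len(password) < 6:
        return False
    lowered = password.lower()
    if account and account.lower() in lowered:
        return False
    # Parts of the display name (3+ chars, split on the documented delimiters) may not appear.
    for token in re.split(r"[\s,.\-_#]+", full_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def dictionary_ok(password: str, wordlist=WORDLIST) -> bool:
    """Reject passwords whose core, after trimming digits/punctuation and undoing leet, is a word."""
    core = password.strip(string.punctuation + string.digits)
    core = core.translate(LEET).lower()
    return core not in wordlist


def evaluate(password: str, account: str, full_name: str = "") -> dict:
    """Run both checks so the gap between them is visible side by side."""
    return {
        "complexity": complexity_ok(password, account, full_name),
        "dictionary": dictionary_ok(password),
    }


if __name__ == "__main__":
    # "Password1!" satisfies every complexity rule yet is a dictionary word with decoration.
    print(evaluate("Password1!", "rmcdonald", "Ryan McDonald"))
```

Complexity alone lets "Password1!" or "Welcome2003!" through; only the second check catches them, which is why the thread's two posters are both right about what their setting does and does not do.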
RE: [ActiveDir] Seeking some feedback ... use of 2003 Admin. tools against a non-forest prep'd 2000 only directory ...
Excellent response Todd.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Friday, August 08, 2003 3:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Seeking some feedback ... use of 2003 Admin. tools against a non-forest prep'd 2000 only directory ...

How about this,

We use third-party tools for Basic Network Identity Management, Data Integrity, Consistent Access Management Policies, and Consistent Provisioning of Resources. Our customers / data administrators demand a lot from our environment because many are giving up their domains as a result. It is simple economy of scale to have them consolidate into a single system. The problem is that being part of a larger domain means more users to have to filter through, more resources that are visible, needs for consistent naming of objects (especially CN) and filling out of a Description field that helps identify the uniqueness of the object. If you put, let's say, 70 directory-level administrators in a single domain, you might be able to get them to do some basic Identity Management, but eventually it will fall off, and fields would go unpopulated or populated with inconsistent data, access management policies would go lax, and eventually your directory would get bloated with possible bad data, inconsistent data, and possibly the ACLs would get too unwieldy. In a proxy system, you could also provide better protection from web access, and also reduce the size of ACLs on native storage.

My rule of thumb is, if it is larger than 1000 users and there is regular turnover, it is a good idea to automate.

Toddler

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 4:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Seeking some feedback ... use of 2003 Admin. tools against a non-forest prep'd 2000 only directory ...

Todd,

No, not really a fault tolerant issue, rather an issue with minor changes within the structure for the directory or domains that the tools were relying on... doco not getting updated etc., eventually culminating in a situation where the automated tools didn't work properly, no-one knew how to fix them, and no-one remembered exactly what fields they set to what values... basically a royal PITA.

In and of themselves, automated tools are not evil and have their place for repetitive tasks (like unlocking accounts, changing user group memberships), but sole reliance on them for what you call your Data Administrators (we call them 1st level support) IMHO is a bad thing. If these directory management tools go down (no matter how cool they are there will be circumstances where they do fail), and this is the only way your people know how to manage the network, then your Enterprise Administrators (2nd and 3rd level support) are inundated with requests for simple tasks (since 1st level don't know how to do it the 'normal' way).

I've written a number of automated tools for various clients, but am now restricting them to the most repetitive or error prone tasks, not the routine tasks that are better suited for the native tools. If you're doing 35 delegations, then I agree, that is something prime for automation. For normal day to day things like resetting passwords, unlocking accounts, the normal tools are just fine.

I guess the current AD environment is tightened down enough that we don't have to worry a great deal about people getting in the wrong places and doing the wrong things. Finger fumbles are a natural part of using any system, and an automated tool will only solve some of these.

G.

- Original Message -
From: Myrick, Todd (NIH/CIT)
To: '[EMAIL PROTECTED]'
Sent: Friday, August 08, 2003 11:44 AM
Subject: RE: [ActiveDir] Seeking some feedback ... use of 2003 Admin. tools against a non-forest prep'd 2000 only directory ...

Sounds like you had some bad experiences with Data Administration tools that weren't designed to be fault tolerant. When I refer to the concept of a Data Administrator, I am speaking to the fact that they can only administer data within an OU. Directory or Enterprise Administrators should be fluid with native tools. So how do you control what the 1st and 2nd level admins enter into forms? Also sounds like they might be entering in repetitive information. Nice thing about our third party tools is we can create dynamic group memberships, automatically assign them to groups. Automate home directory creation in
RE: [ActiveDir] OT: Has anyone had a problem with the RPC call to the OS
This is a great tool to scan your network if anyone is still having problems.

http://www.iss.net/support/product_utilities/ms03-026rpc.php

-Original Message-
From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 9:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Has anyone had a problem with the RPC call to the OS

Yeah

Thanks again guys for your responses. I was not sure what the virus was called, however the symptoms that you guys gave to me are exactly what some of our clients were experiencing: "The continuous reboot problem". The servers however are not having any problems as we patched all of them. Suddenly "Management" see a need for a "Deployment Tool". So what is it that they don't seem to understand about what I have been loud-mouthing for months (they got to bite the bullet)? It seems that it is not the clients that are affected the most; our routers are taking strain with the clients' requests.

Another late nighter

Yusuf Mayet

From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: 12 August, 2003 15:20 PM
To: '[EMAIL PROTECTED]'

Hey,

I was aware of the vulnerability (and thank you for pointing out the MS article for those who weren't), I just wanted to make sure we were all talking about the same thing ;)

SUS is a wonderful thing ;-)

Carlos Magalhaes - ADSI MVP
http://groups.yahoo.com/group/adsianddirectoryservices
RE: [ActiveDir] Group Policy and IE Zone Security
Try turning that off (make it synchronous).

-Original Message-
From: Charles Campbell [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 12:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

These are all 2000 machines. Under the GPO, I have Apply Group Policy Asynchronously for Users enabled.

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 13, 2003 13:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

Well it doesn't give a lot of info but the RegOpenKey failing on GetHKeyCU (Get a handle to the user's profile in HKEY_CURRENT_USER) looks like a problem. The policy extension can't access the user's profile. The strange thing is that it returns a 0x0, which usually means everything worked just fine.

Here's a thought. Are these XP machines? If so, can you try something? On one of these machines that's having a problem, try enabling the following administrative template policy:

Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon

This ensures that policy processes synchronously rather than asynchronously. It would be interesting to see if this makes a difference.

-Original Message-
From: Charles Campbell [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 10:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

Okay. This is what I have found in the userenv.log so far:

ProcessGPOs: Processing extension Internet Explorer Branding
ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x7
(Which should be fine since I don't use the GP to brand IE)
ProcessGPOs: Processing extension Internet Explorer Branding
CompareGPOLists: Different version numbers found
ProcessGPOList: Entering for extension Internet Explorer Branding
UserPolicyCallback: Setting status UI to Applying Internet Explorer Branding policy...
GetHkeyCU: RegOpenKey failed with error 2
LibMain: Process Name: C:\WINNT\system32\rundll32.exe
UserPolicyCallback: Setting status UI to Applying your personal settings...
ProcessGPOList: Extension Internet Explorer Branding returned 0x0.
ProcessGPOs: --- 734
ProcessGPOs: ---

Those are the only lines that mention Internet Explorer.

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 13, 2003 12:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy and IE Zone Security

What you're looking for is any log items from the IE Maintenance extension as it tries to process the policy during user logon. Look for messages as to whether it skipped processing for some reason or couldn't process the policy.
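Darren's point is that a registry open failed inside the extension's run and yet the extension reported 0x0. The following added example (not code from the thread or from Microsoft) groups userenv.log client-side-extension messages by extension and flags exactly that pattern. The sample lines are the ones Charles pasted, minus the timestamp/PID prefix a real userenv.log line carries; the regexes and the "suspicious" rule are constructed for the example.

```python
"""Added example: triage a userenv.log fragment per Group Policy client-side extension."""
import re
from typing import Dict

# Sample built from the lines quoted in the thread (prefix stripped); constructed input.
SAMPLE_LOG = """\
ProcessGPOs: Processing extension Internet Explorer Branding
ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x7
ProcessGPOs: Processing extension Internet Explorer Branding
CompareGPOLists: Different version numbers found
ProcessGPOList: Entering for extension Internet Explorer Branding
UserPolicyCallback: Setting status UI to Applying Internet Explorer Branding policy...
GetHkeyCU: RegOpenKey failed with error 2
LibMain: Process Name: C:\\WINNT\\system32\\rundll32.exe
UserPolicyCallback: Setting status UI to Applying your personal settings...
ProcessGPOList: Extension Internet Explorer Branding returned 0x0.
ProcessGPOs: --- 734
ProcessGPOs: ---
"""

ENTER = re.compile(r"ProcessGPOList: Entering for extension (.+)$")
SKIP = re.compile(r"ProcessGPOs: Extension (.+) skipped with flags (0x[0-9a-fA-F]+)$")
RET = re.compile(r"ProcessGPOList: Extension (.+) returned (0x[0-9a-fA-F]+)\.$")
REGFAIL = re.compile(r"(\w+): RegOpenKey failed with error (\d+)$")


def _new() -> dict:
    return {"skipped_flags": [], "errors": [], "returned": None, "suspicious": False}


def triage(log: str) -> Dict[str, dict]:
    """Per-extension findings; 'suspicious' marks an error logged during a run that returned 0x0."""
    findings: Dict[str, dict] = {}
    current = None  # extension whose ProcessGPOList run we are currently inside
    for raw in log.splitlines():
        line = raw.strip()
        if m := SKIP.match(line):
            findings.setdefault(m.group(1), _new())["skipped_flags"].append(m.group(2))
        elif m := ENTER.match(line):
            current = m.group(1)
            findings.setdefault(current, _new())
        elif m := REGFAIL.match(line):
            if current:  # attribute the failure to the extension being processed
                findings[current]["errors"].append(f"{m.group(1)} error {m.group(2)}")
        elif m := RET.match(line):
            rec = findings.setdefault(m.group(1), _new())
            rec["returned"] = m.group(2)
            rec["suspicious"] = bool(rec["errors"]) and int(m.group(2), 16) == 0
            current = None
    return findings


if __name__ == "__main__":
    for ext, rec in triage(SAMPLE_LOG).items():
        print(ext, rec)
```

Error 2 is ERROR_FILE_NOT_FOUND, so a "suspicious" hit here means the extension could not open the user's hive and still reported success, which is the contradiction worth chasing before tuning policy settings.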
RE: [ActiveDir] Power Options with GPO
Marc,

Forewarned is ... Well, you get the drift. It would be irresponsible of me to suggest adding your own entries to an .ADM without first mentioning the issue. So with that disclaimer out of the way, I'd suggest that your solution would likely be the best. Take a snapshot of what it looks like in the unconfigured state, then configure and look for the changes. For me, that works most of the time.

Good luck!

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of De Schepper Marc
Sent: Sunday, August 10, 2003 11:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Power Options with GPO

Rick,

I know the risks. I even think I found the reg key, but if I'm right the data is binary, and there is the problem... ;-)

If I'm right then it should be the reg key HKEY_CURRENT_USER\Control Panel\PowerCfg\GlobalPowerPolicy\Policies and the data looks like this:

Policies=hex:01,00,00,00,00,00,00,00,03,00,00,00,10,00,00,00,00,00,00,00,03,\
  00,00,00,10,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,03,00,\
  00,00,00,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,01,00,00,\
  00,00,00,00,00,01,00,00,00,03,00,00,00,03,00,00,00,04,00,00,c0,01,00,00,00,\
  05,00,00,00,01,00,00,00,0a,00,00,00,00,00,00,00,03,00,00,00,01,00,01,00,01,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,00,\
  00,17,00,00,00

I could still change ALL the settings and look for changes.

Marc

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Sunday 10 August 2003 18:02
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Power Options with GPO

Marc,

Maybe Darren or others will weigh in on this more authoritatively than I, but I do have a fair amount of experience with GP and I don't know of an .ADM file that is going to help directly solve your problem. However, you can write your own that can be imported into your GP console and managed almost as if it was one of the supplied policies. But - there is a 'gotcha' - the GP entries will not be automatically removable. IOW, they will tattoo the registry, much like NT policies applied to clients. These policy entries are applied directly to the specific registry entry and not to the /policies subkey section reserved for GP and flushed when the user logs off or the machine is shut down. As long as you're aware of these limitations, you should be able to do anything as long as you can identify the reg key and the associated necessary values.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of De Schepper Marc
Sent: Sunday, August 10, 2003 4:38 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Power Options with GPO

I try to enforce a standard policy for the Power Options in the control panel so that everybody uses the same power settings, for desktops as well as portables. I can't seem to find any ADM file for this. Is there somebody who can help me on this one?

Marc
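Rick's advice is to snapshot the value, change one setting, and see which bytes move. As an added example (not from the thread), the code below parses a `.reg`-style `hex:` dump with `,\` continuation lines into bytes, views it as little-endian DWORDs, and reports which DWORD indexes differ between two snapshots. The "before" dump is the Policies value Marc posted; the "after" dump is constructed here by altering one DWORD, so the offsets it reports only illustrate the method and say nothing about the real layout of GlobalPowerPolicy, which this example does not decode.

```python
"""Added example: diff two REG_BINARY snapshots DWORD by DWORD."""
import struct
from typing import List, Tuple

# The value as posted in the thread (whitespace normalised); the leading name is parsed past.
BEFORE_REG = r"""
Policies=hex:01,00,00,00,00,00,00,00,03,00,00,00,10,00,00,00,00,00,00,00,03,\
  00,00,00,10,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,03,00,\
  00,00,00,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,01,00,00,\
  00,00,00,00,00,01,00,00,00,03,00,00,00,03,00,00,00,04,00,00,c0,01,00,00,00,\
  05,00,00,00,01,00,00,00,0a,00,00,00,00,00,00,00,03,00,00,00,01,00,01,00,01,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,00,\
  00,17,00,00,00
"""


def parse_reg_binary(dump: str) -> bytes:
    """Parse 'name=hex:aa,bb,...' as exported by regedit, honouring ',\\' continuation lines."""
    joined = "".join(line.strip().rstrip("\\") for line in dump.strip().splitlines())
    _, _, payload = joined.partition("hex:")
    return bytes(int(tok, 16) for tok in payload.split(",") if tok)


def dwords(blob: bytes) -> List[int]:
    """View the blob as little-endian 32-bit values (the natural unit for Win32 structs)."""
    if len(blob) % 4:
        raise ValueError("binary value is not a whole number of DWORDs")
    return list(struct.unpack("<%dI" % (len(blob) // 4), blob))


def diff_dwords(before: bytes, after: bytes) -> List[Tuple[int, int, int]]:
    """Return (index, old, new) for every DWORD that changed between two snapshots."""
    a, b = dwords(before), dwords(after)
    if len(a) != len(b):
        raise ValueError("snapshots differ in length; compare the raw bytes instead")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def set_dword(blob: bytes, index: int, value: int) -> bytes:
    """Copy of blob with DWORD `index` replaced; used only to build the constructed 'after'."""
    return blob[: 4 * index] + struct.pack("<I", value) + blob[4 * index + 4:]


if __name__ == "__main__":
    before = parse_reg_binary(BEFORE_REG)
    after = set_dword(before, 23, 2)  # constructed change standing in for a real UI edit
    for index, old, new in diff_dwords(before, after):
        print(f"DWORD {index:2d} (byte offset {4 * index:3d}): 0x{old:08x} -> 0x{new:08x}")
```

In practice you export the value once per UI change and diff each export against the previous one; a setting that maps to a single DWORD shows up as exactly one changed index, which is what you need before you can write a registry-based .ADM entry for it.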
Re: [ActiveDir] Connection String
HAHAHA. Perl. I like to be able to read my code and understand it again in 6 months :)

Glenn

- Original Message -
From: Robbie Allen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 11:14 PM
Subject: RE: [ActiveDir] Connection String

"Come over to the 'Dark Side' with VB.NET. It's nice and warm here *looks at the fires of hell*."

Come on guys, why go to VB.NET when you can get most of the benefits of a compiled language and a whole lot more in a lot fewer lines with Perl! muaahh... Muaahh... MUUAAAHH :-)

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 8:54 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Connection String

Roger,

You should be able to convert the Primary Windows NT Account into a Domain\Username pair. I did do it some time ago (yeah, it was Ex 5.5 timeframe too). I'll have a dig around (from memory it was using LookupAccountSID *shudder*).

If your UPN in 2k and Exchange email address use the same format (ie [EMAIL PROTECTED]), you could cheat a bit, and use the UPN conversion type code:

ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9
User principal name format. For example, [EMAIL PROTECTED]

*shrug* might be worth a stab. Not sure about mixing NT v4 and 2k servers in the call, I don't think it would work too well (may require AD).

Come over to the 'Dark Side' with VB.NET. It's nice and warm here *looks at the fires of hell*.

G.

- Original Message -
From: Roger Seielstad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:42 PM
Subject: RE: [ActiveDir] Connection String

Cool. Might be able to stay away from a compiler for another 3 months...

I know what it was that didn't work - VBScript can't handle the way Exchange 5.5[1] returns the Primary Windows NT Account attribute - it comes back as a string octet (I think). The VB examples all included the same constant defs, so I was thinking it was the same thing I looked at a month or two ago. Now I'm wondering if I can just direct translate using the syntax below... I'll have to try that later...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] Yeah, I'm still running it

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 8:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Connection String

From the online help about NameTranslate, VBScript example (haven't tried it, but looks like it should work):

Dim nto
const ADS_NAME_INITTYPE_SERVER = 2
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_NT4 = 3
server = "aDsServer"
user = "jeffsmith"
dom = "Fabrikam"
passwd = "top secret"
dn = "CN=jeffsmith,CN=Users,DC=Fabrikam,DC=COM"
' Server.CreateObject is the ASP form; from a cscript/wscript file use CreateObject("NameTranslate")
Set nto = Server.CreateObject("NameTranslate")
nto.InitEx ADS_NAME_INITTYPE_SERVER, server, user, dom, passwd
nto.Set ADS_NAME_TYPE_1779, dn
result = nto.Get(ADS_NAME_TYPE_NT4)

- Original Message -
From: Roger Seielstad [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:31 PM
Subject: RE: [ActiveDir] Connection String

The only problem with that is you can't call the same methods from VBScript - which is where I seem to need it the most... Better brush up on my mAd VB.net skilz...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 8:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Connection String

Pablo,

Here is some code I use in VB.NET to do a similar thing, should be convertible to C# without much hassle. strUserName = the fully qualified LDAP path of a user or group, ie LDAP://CN=GroupName,DC=testdomain,DC=local

'Constants required, rest are in the online doco for NameTranslate
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_NT4 = 3

Dim Translate As New ActiveDs.NameTranslate
Dim strUser As String

'We want to chat to a GC server, any one will do
Translate.Init(ADS_NAME_INITTYPE_GC, "")

'Pass in the FQDN name of the object
'The call doesn't like the LDAP:// on the front, so strip it
Translate.Set(ADS_NAME_TYPE_1779, Mid(strUserName, 8))

'Get back the NT v4 equivalent
strUser = Translate.Get(ADS_NAME_TYPE_NT4)

Translate = Nothing
[ActiveDir] Group Policy
Does anyone have a Group Policy Spreadsheet?
RE: [ActiveDir] OT: Has anyone had a problem with the RPC call to the OS
Yusuf,

Check out some of the security vulnerability lists like full-disclosure, vulnwatch, vulndiscuss, etc. People are saying that since yesterday sometime, possibly the night before, they have been seeing infections and have noticed a considerable increase in hits on their firewalls for RPC ports and other ports used by MSBLASTER. Also some of the other Microsoft MVPs have indicated that they have seen it in their sites as well.

Check out http://isc.sans.org/images/port135percent.png at sans.org and note the huge spike in the number of sources and records. If you have a high number of records/targets but a relatively low number of sources, that is usually normal people or black hats scanning. If you have a high number of sources and records then that is usually a worm or virus.

Additionally in the public newsgroups there have been several posts of people complaining of the symptoms of the worm such as why is my machine scanning netbios ports or why is my machine getting an rpc error and rebooting, etc.

I haven't gotten to the office yet, but I am expecting that I will be hearing about infections today inside our intranet.

joe

--
Joe Richards
Microsoft MVP Windows Server / Active Directory
www.joeware.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y
Sent: Tuesday, August 12, 2003 8:02 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: Has anyone had a problem with the RPC call to the OS

Hi everyone

Curiosity has gotten the better of me and I wanted to know if anyone out there has been affected by the virus that does the RPC call to the operating system?

Your comments,

Yusuf
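Joe's rule of thumb (many records from few sources looks like scanning; many records from many distinct sources looks like a worm) is easy to turn into a per-port check over firewall deny logs. The following is an added example, not code from the thread or from SANS: the log line format, the thresholds and the sample lines are all constructed for the illustration and should be tuned to a site's normal background.

```python
"""Added example: classify per-port deny traffic by record count versus distinct sources."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed deny-log format: "<date> <time> DENY <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) DENY (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def port_stats(lines: List[str]) -> Dict[int, dict]:
    """Per destination port: number of denied records and number of distinct source IPs."""
    records: Dict[int, int] = defaultdict(int)
    sources: Dict[int, set] = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a deny record in the expected format; ignore
        port = int(m.group("dport"))
        records[port] += 1
        sources[port].add(m.group("src"))
    return {p: {"records": records[p], "sources": len(sources[p])} for p in records}


def classify(stats: dict, min_records: int = 20, min_sources: int = 10) -> str:
    """Assumed thresholds: a port is only interesting once its record count is clearly above background."""
    if stats["records"] < min_records:
        return "background"
    if stats["sources"] >= min_sources:
        return "worm-like (many sources, many records)"
    return "scan-like (few sources, many records)"


def report(lines: List[str]) -> Dict[int, str]:
    """Map each destination port seen in the log to its classification."""
    return {port: classify(s) for port, s in port_stats(lines).items()}


def make_sample() -> List[str]:
    """Constructed log: one host sweeping port 139, twelve hosts each hitting port 135 three times."""
    lines = []
    for i in range(25):
        lines.append(f"2003-08-11 09:{i:02d}:00 DENY TCP 198.51.100.7:4000 -> 192.0.2.{i % 5 + 10}:139")
    for i in range(12):
        for j in range(3):
            lines.append(f"2003-08-11 10:{i:02d}:{j:02d} DENY TCP 203.0.113.{i + 1}:{1024 + j} -> 192.0.2.20:135")
    lines.append("2003-08-11 10:30:00 DENY UDP 203.0.113.50:53 -> 192.0.2.21:53")
    return lines


if __name__ == "__main__":
    for port, verdict in sorted(report(make_sample()).items()):
        print(port, verdict)
```

The distinct-source count is the discriminator: a single scanner can generate any number of records, but only a self-propagating worm (or a very large botnet) produces a jump in the number of sources at the same time.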
RE: [ActiveDir] Password change issue
Shaking head... still hawking this old tired solution, eh? ;o)

You've been busy tonight - you're weighing in on everything in one night. I just want to see the time when Joe answers questions 12 hours in advance. Now THAT would be a time saver.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, August 07, 2003 10:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password change issue

Get Q812499 or SP4.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan (OFT)
Sent: Thursday, August 07, 2003 7:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password change issue

OK here it is...

PDC emulator at a central site. DC at a remote site connected to the central site via a WAN link. Have bridgehead with scheduled replication to remote sites. Have GP that has strong password, max password life 90 days, min password life 1 day.

User contacts help desk because they forgot password (password was old123$) and locked their acct. Helpdesk at central site resets acct and password (new password new123$) and checks the box to have user change password at next logon. User logs in with password (new123$) from help desk. The local DC does a pass-through authentication to the PDC emulator which returns an authentication packet to the client PC. User gets Must Change Password dialog box. In the dialog box the old password is automatically back-filled with the password (new123$) he logged on with. User enters new password (newer123$) and confirms it. When the user tries to finalize the change password he gets blown out by "old password not correct"; the local DC is trying to commit the password change.

If the user enters his original password (old123$) (kind of tough because he forgot it, that is why he called the help desk in the first place) in the old password box and enters a new one (newer123$) he is OK and allowed to go forward.

This is really strange. I know why it happens. If you force replication throughout the domain before the user logs on this does not happen, but that would be a no-no in this place. If you change the password on the PDC emulator and the local DC it does not happen.

Anyone got a valid reason why the client PC does this??
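The behaviour Jonathan describes follows from two copies of the password disagreeing for a while. The toy model below is an added example, not code from the thread or from Microsoft: each DC holds its own copy of the user's password, the helpdesk reset lands on the PDC emulator and has not yet replicated to the remote DC, authentication is passed through to the PDC when the local copy rejects the password (as the post says), but the password change is verified only against the local, stale copy. The "forward the change to the PDC emulator on mismatch" switch is an assumed remediation used to show why such chaining resolves the symptom; the thread itself says only that Q812499 or SP4 fixes it. The user name is constructed, and passwords are kept in clear text purely to keep the model readable.

```python
"""Added example: a two-DC model of the 'old password not correct' symptom."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class DomainController:
    name: str
    passwords: Dict[str, str] = field(default_factory=dict)  # user -> current password (model only)
    pdc: Optional["DomainController"] = None                  # PDC emulator to chain to, if any
    forward_changes: bool = False                             # assumed remediation switch

    def authenticate(self, user: str, password: str) -> bool:
        """Local check first; on failure, pass through to the PDC emulator (as in the post)."""
        if self.passwords.get(user) == password:
            return True
        return self.pdc is not None and self.pdc.authenticate(user, password)

    def change_password(self, user: str, old: str, new: str) -> str:
        """Verify 'old' against the local copy; optionally chain to the PDC when that fails."""
        if self.passwords.get(user) == old:
            self.passwords[user] = new
            return "changed"
        if self.forward_changes and self.pdc is not None:
            return self.pdc.change_password(user, old, new)
        return "old password not correct"


def build_domain(forward_changes: bool):
    """PDC emulator already has the helpdesk reset; the remote DC still holds the forgotten password."""
    pdc = DomainController("PDC", {"jsmith": "new123$"})
    remote = DomainController("RemoteDC", {"jsmith": "old123$"}, pdc, forward_changes)
    return pdc, remote


def scenario(forward_changes: bool) -> dict:
    """Replay the post: logon with the reset password, then the two change-password attempts."""
    _, remote = build_domain(forward_changes)
    logon = remote.authenticate("jsmith", "new123$")
    with_reset_password = remote.change_password("jsmith", "new123$", "newer123$")
    _, fresh_remote = build_domain(forward_changes)  # same starting state for the second attempt
    with_forgotten_password = fresh_remote.change_password("jsmith", "old123$", "newer123$")
    return {
        "logon": logon,
        "with_reset_password": with_reset_password,
        "with_forgotten_password": with_forgotten_password,
    }


if __name__ == "__main__":
    print("without chaining:", scenario(False))
    print("with chaining:   ", scenario(True))
```

Without chaining the model reproduces the post exactly: the logon succeeds via pass-through, the change using the reset password fails, and the change using the forgotten password succeeds because that is what the remote DC still holds. With chaining the remote DC's mismatch is resolved at the copy that is authoritative, which is the shape of fix Joe is pointing at.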
RE: [ActiveDir] WOT Unreadable code (was Connection String)
When I spoke at the 2002 AFITC, a general from ACC (I've forgotten his name) told me that someone in his office had received one and the noise was driving him crazy. Scratch the chicken off the list of how to win friends and influence people.

LOL! That's great Gil! Thanks!

John A. Bjelke
Unisys
505.853.6774
[EMAIL PROTECTED]

Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam.
RE: [ActiveDir] [OT] Password change issue
Heh, thanks Rick. I am going to push that solution all the time; I worked too hard to get MS to make that change and stop giving the old tired answer of "change the password on the DC the user will authenticate on". :P

I had some time so I went through most of the posts. Been really busy lately with work and home and started feeling like a scrub for not doing my due diligence in the groups and listservs. People will forget who I am and all that... Plus this listserv was BUSY this week, usually it isn't quite so chatty.

If I get to the point where I can answer questions 12 hours in advance you will not find me posting much here... You will instead find me on the island of joe. That island will be the one currently named Aruba but renamed after I buy it from having the answer-questions-12-hours-in-advance superpower... :)

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 08, 2003 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password change issue

Shaking head... still hawking this old tired solution, eh? ;o)

You've been busy tonight - you're weighing in on everything in one night. I just want to see the time when Joe answers questions 12 hours in advance. Now THAT would be a time saver.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, August 07, 2003 10:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password change issue

Get Q812499 or SP4.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan (OFT)
Sent: Thursday, August 07, 2003 7:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password change issue

OK here it is...

PDC emulator at a central site. DC at a remote site connected to the central site via a WAN link. Have a bridgehead with scheduled replication to remote sites. Have a GP that has strong passwords, max password life 90 days, min password life 1 day.

User contacts the help desk because they forgot their password (password was old123$) and locked their account. Help desk at the central site resets the account and password (new password new123$) and checks the box to have the user change password at next logon.

User logs in with the password (new123$) from the help desk. The local DC does a pass-through authentication to the PDC emulator, which returns an authentication packet to the client PC. User gets the "Must change password" dialog box. In the dialog box the old password is automatically back-filled with the password (new123$) he logged on with. User enters a new password (newer123$) and confirms it. When the user tries to finalize the password change he gets blown out by "old password not correct" - the local DC is trying to commit the password change.

If the user enters his original password (old123$) (kind of tough because he forgot it; that is why he called the help desk in the first place) in the old password box and enters a new one (newer123$), he is OK and allowed to go forward.

This is really strange. I know why it happens. If you force replication throughout the domain before the user logs on this does not happen, but that would be a no-no in this place. If you change the password on the PDC emulator and the local DC it does not happen.

Anyone got a valid reason why the client PC does this??

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Choosing between Domain Controllers
You can alter the SRV priority and weight settings for the DC so that clients will select one DC over another. See the Windows .NET mag article I wrote in the March issue, or DL it from http://www.netpro.com/forum/files/authentication_topology.pdf.

-gil

Gil Kirkpatrick
CTO, NetPro

-Original Message-
From: Darryl Hall [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 8:33 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Choosing between Domain Controllers

I know that "echo %LOGONSERVER%" from the command prompt will give you the DC that you used, but the only way I know how to force the use of a particular DC is to put garbage information for the DC you do not want to use in the Hosts/LMHosts file on the client. The machine will then be unable to contact that DC and go to the one you want, but this may not help with timing issues as there may well be a timeout factor that may skew your result.

Hope this helps though,

Darryl.

-Original Message-
From: Kevin Felker [mailto:[EMAIL PROTECTED]
Sent: 13 August 2003 15:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Choosing between Domain Controllers

Hi all,

We're running two domain controllers on the same domain. My questions are:
i. what command can you run to see which one your client PC is using
ii. how can you change which DC your PC client is using

Reason being, I think one of them is slow, and would rather use the other one to test this theory.

Thanks

Kevin Felker
Univ of MS
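To show what Gil's priority/weight advice does on the client side, here is an added Python model (not from the list, NetPro or Microsoft) of the RFC 2782 selection rule that clients apply to the _ldap._tcp.dc._msdcs SRV records, which is what the Netlogon LdapSrvPriority and LdapSrvWeight settings feed into: the lowest priority wins outright, and weight only splits traffic among records of equal priority. The record sets and host names below are constructed.

```python
import random
from dataclasses import dataclass

# Constructed records, standing in for what a client gets back when it
# queries _ldap._tcp.dc._msdcs.<domain> (the SRV name AD DCs register).
@dataclass(frozen=True)
class SrvRecord:
    target: str
    priority: int  # lower is tried first; set per DC via LdapSrvPriority
    weight: int    # share among equal-priority records; LdapSrvWeight
    port: int = 389

def pick_weighted(group, rnd):
    """RFC 2782 weighted choice within one priority level."""
    group = sorted(group, key=lambda r: r.weight != 0)  # zero-weight first
    total = sum(r.weight for r in group)
    if total == 0:
        return group[0]
    r = rnd() * total          # uniform in [0, total)
    running = 0
    for rec in group:
        running += rec.weight  # first record whose running sum reaches r
        if running >= r:
            return rec
    return group[-1]

def client_order(records, rnd=random.random):
    """Order in which an RFC 2782 client tries the targets."""
    ordered, remaining = [], list(records)
    while remaining:
        lowest = min(r.priority for r in remaining)
        group = [r for r in remaining if r.priority == lowest]
        while group:                      # drain this priority level
            chosen = pick_weighted(group, rnd)
            ordered.append(chosen.target)
            group.remove(chosen)
            remaining.remove(chosen)
    return ordered

def first_choice_share(records, trials=2000, seed=1):
    """Fraction of trials in which each target was tried first."""
    rng = random.Random(seed)
    counts = {r.target: 0 for r in records}
    for _ in range(trials):
        counts[client_order(records, rng.random)[0]] += 1
    return {t: c / trials for t, c in counts.items()}

# Three constructed record sets: defaults, dc2 preferred by priority, dc2 preferred by weight.
DEFAULT = [SrvRecord("dc1.corp.example", 0, 100), SrvRecord("dc2.corp.example", 0, 100)]
PREFER_DC2_PRIORITY = [SrvRecord("dc1.corp.example", 10, 100), SrvRecord("dc2.corp.example", 0, 100)]
PREFER_DC2_WEIGHT = [SrvRecord("dc1.corp.example", 0, 10), SrvRecord("dc2.corp.example", 0, 90)]
```

With the priority change every client tries dc2 first and only falls back to dc1; with the weight change about 90% of clients land on dc2, which is the knob to use when both DCs should stay in service.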
RE: [ActiveDir] LDAP search filter for enabled accounts ?
Dave,

As I understand it, the following identifies a user account that is disabled:

(userAccountControl:1.2.840.113556.1.4.803:=2)

That is, the account is disabled when this value is set to 2. To exclude disabled accounts you would use the following string, plus any other filters you want to apply:

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

Jerry Welch
CPS Systems

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, August 14, 2003 1:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP search filter for enabled accounts ?

Is there anything I can use in an LDAP search filter to include only accounts that are enabled? For example, a filter like

((objectclass=user)(objectcategory=person)(physicalDeliveryOfficeName=MSPJ))

will find all user objects whose office is in building MSPJ - I'd like to add an argument that limits this to user objects that meet that condition that are enabled.

Dave

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
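As an added example (not from the thread), the Python below assembles Dave's filter with Jerry's clause, adding the `&` AND wrapper a multi-term filter needs and RFC 4515 escaping of the office value, and evaluates the 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) semantics locally over constructed entries to show why a plain (userAccountControl=2) would miss a disabled normal account, whose stored value is 514, not 2.

```python
# Constructed example: local model of the bit-AND matching rule used above.
UF_ACCOUNTDISABLE = 0x0002    # userAccountControl bit for "account disabled"
UF_NORMAL_ACCOUNT = 0x0200    # 512: ordinary user account
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a value taken from user input cannot add or
    close filter terms (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(office: str) -> str:
    """Dave's terms AND-ed together, restricted to enabled accounts."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(physicalDeliveryOfficeName={escape_filter_value(office)})"
            f"(!(userAccountControl:{BIT_AND_RULE}:={UF_ACCOUNTDISABLE})))")

def bit_and_matches(attr_value: int, mask: int) -> bool:
    """Semantics of attr:1.2.840.113556.1.4.803:=mask - true when every bit
    of mask is set in the stored integer, whatever the other bits are."""
    return attr_value & mask == mask

def disabled_by_equality(entries):
    """What a plain (userAccountControl=2) would match: only the exact value 2."""
    return [e["sAMAccountName"] for e in entries
            if e["userAccountControl"] == UF_ACCOUNTDISABLE]

def disabled_by_bit_rule(entries):
    """What Jerry's (userAccountControl:1.2.840.113556.1.4.803:=2) matches."""
    return [e["sAMAccountName"] for e in entries
            if bit_and_matches(e["userAccountControl"], UF_ACCOUNTDISABLE)]

def enabled_users_in_office(entries, office):
    """Local evaluation of build_filter(office) over already-fetched entries."""
    return [e["sAMAccountName"] for e in entries
            if e["physicalDeliveryOfficeName"] == office
            and not bit_and_matches(e["userAccountControl"], UF_ACCOUNTDISABLE)]

# Constructed entries standing in for LDAP search results.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "physicalDeliveryOfficeName": "MSPJ",
     "userAccountControl": UF_NORMAL_ACCOUNT},                      # 512, enabled
    {"sAMAccountName": "bob", "physicalDeliveryOfficeName": "MSPJ",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},  # 514, disabled
    {"sAMAccountName": "carol", "physicalDeliveryOfficeName": "HQ",
     "userAccountControl": UF_NORMAL_ACCOUNT},                      # enabled, other office
]

if __name__ == "__main__":
    print(build_filter("MSPJ"))
    print(enabled_users_in_office(SAMPLE_ENTRIES, "MSPJ"))   # ['alice']
    print(disabled_by_equality(SAMPLE_ENTRIES), disabled_by_bit_rule(SAMPLE_ENTRIES))
```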