[ActiveDir] [OT] USB/PS2 monitoring software

2007-01-23 Thread Guy Teverovsky
Hey all,

I am looking for an application that can monitor and alert the usage of USB/PS2 
devices on the clients (mostly XP). If a user plugs in a new keyboard, 
disconnects a mouse or tries to use a DOK - I need to be able to record the 
action and trigger alerts based on different criteria.
Anyone aware of something like this ? Using it ?

TIA,
Guy


RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

2006-12-03 Thread Guy Teverovsky
e, let me know and I will be pleased 
to communicate this data point to the team in charge of WMI and the team in 
charge of Active Directory, So, we can let them know that it is an important 
scenario to enhance and support better. No commitments here, but I will be 
pleased to convey the message.

Hope this helps a bit …

PS:
However, if you feel you have WMI issues, you can always use the WMI Diagnosis 
Tool 1.0. You can find pointers to it (+Webcast) at http://www.lissware.net.
Note, we will release the version 2.0 early next year.


Regards,
/Alain
Alain LISSOIR

[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>
Home Page: http://www.LissWare.Net
Where am I? http://map.LissWare.Net



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, December 01, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

Thanks Susan, but I think this case is different - we are talking about 
different WMI class and in my case the query hangs and never returns results. 
The ITMU issue is probably a result of intensive load on the CPU when 
performing the query you pointed to, but in my case if I let it run for hours 
it still never finishes.
I am far from being well versed in WMI, but I'd suspect that here the problem 
is caused by WMI not using paging in the query or very inefficient processing 
when using both LocalAccount=True and SidType=1 keys.

Guy

From: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks 
[MVP]
Sent: Friday, December 01, 2006 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

http://www.myitforum.com/articles/8/view.asp?id=9048
http://www.myitforum.com/articles/8/view.asp?id=9284

Rod's been tracking that on myitforum and the Patch management listserve
for a while now.

Guy Teverovsky wrote:
>
> Hi all,
>
> Recently I had a case where we experienced high CPU utilization after
> deploying SMS client to DCs.
> By now we have identified that the issue was caused by an extension of
> sms_def.mof file containing the definitions of information that should
> be collected from the agent.
>
> The interesting part is that I was able to reproduce the behavior
> without SMS agent. Just execute the following WMI query on your DC and
> see the CPU spikes to 100% and will stay there till you kill the
> wmiprvse.exe process:
> select * from Win32_Account where LocalAccount=True and SIDType=1
>
> Now you do not need to explain to me that this is damn stupid to run
> this type of query on a DC, yet I would expect the DC to be able
> to handle the query, but what I see is that the query never returns -
> it just hangs there choking up the CPU till you kill the WMI process.
>
> Almost the same behavior is observed when executing "wmic useraccount"
> from the command line, but in this case the query does return the
> results after a while (~2-3 minutes on ~2K user account AD).
>
> The only thing related to the issue that I was able to find is the
> following KB: http://support.microsoft.com/kb/268715
> ("WMI Query Support for Win32_Group Is Not Optimized") where the
> following query "SELECT * FROM Win32_Group WHERE Domain="workgroup"
> AND Name="smith"" causes the identical behavior. But folks, we are
> talking W2K3 with SP1 and not W2K pre-SP2.
>
> Any chance anyone has stumbled upon it ? Is aware of hotfix ?
>
> Thanks,
> Guy
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

2006-12-01 Thread Guy Teverovsky

Thanks Susan, but I think this case is different - we are talking about 
different WMI class and in my case the query hangs and never returns results. 
The ITMU issue is probably a result of intensive load on the CPU when 
performing the query you pointed to, but in my case if I let it run for hours 
it still never finishes.
I am far from being well versed in WMI, but I'd suspect that here the problem 
is caused by WMI not using paging in the query or very inefficient processing 
when using both LocalAccount=True and SidType=1 keys.

Guy

From: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks 
[MVP]
Sent: Friday, December 01, 2006 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

http://www.myitforum.com/articles/8/view.asp?id=9048
http://www.myitforum.com/articles/8/view.asp?id=9284

Rod's been tracking that on myitforum and the Patch management listserve
for a while now.

Guy Teverovsky wrote:
>
> Hi all,
>
> Recently I had a case where we experienced high CPU utilization after
> deploying SMS client to DCs.
> By now we have identified that the issue was caused by an extension of
> sms_def.mof file containing the definitions of information that should
> be collected from the agent.
>
> The interesting part is that I was able to reproduce the behavior
> without SMS agent. Just execute the following WMI query on your DC and
> see the CPU spikes to 100% and will stay there till you kill the
> wmiprvse.exe process:
> select * from Win32_Account where LocalAccount=True and SIDType=1
>
> Now you do not need to explain to me that this is damn stupid to run
> this type of query on a DC, yet I would expect the DC to be able
> to handle the query, but what I see is that the query never returns -
> it just hangs there choking up the CPU till you kill the WMI process.
>
> Almost the same behavior is observed when executing "wmic useraccount"
> from the command line, but in this case the query does return the
> results after a while (~2-3 minutes on ~2K user account AD).
>
> The only thing related to the issue that I was able to find is the
> following KB: http://support.microsoft.com/kb/268715
> ("WMI Query Support for Win32_Group Is Not Optimized") where the
> following query "SELECT * FROM Win32_Group WHERE Domain="workgroup"
> AND Name="smith"" causes the identical behavior. But folks, we are
> talking W2K3 with SP1 and not W2K pre-SP2.
>
> Any chance anyone has stumbled upon it ? Is aware of hotfix ?
>
> Thanks,
> Guy
>


[ActiveDir] 100% CPU utilization when querying Win32_Account on DC

2006-12-01 Thread Guy Teverovsky

Hi all,

Recently I had a case where we experienced high CPU utilization after deploying 
SMS client to DCs.
By now we have identified that the issue was caused by an extension of 
sms_def.mof file containing the definitions of information that should be 
collected from the agent.

The interesting part is that I was able to reproduce the behavior without SMS 
agent. Just execute the following WMI query on your DC and see the CPU spikes 
to 100% and will stay there till you kill the wmiprvse.exe process:
select * from Win32_Account where LocalAccount=True and SIDType=1

Now you do not need to explain to me that this is damn stupid to run this type 
of query on a DC, yet I would expect the DC to be able to handle the query, but 
what I see is that the query never returns - it just hangs there choking up the 
CPU till you kill the WMI process.

Almost the same behavior is observed when executing "wmic useraccount" from the 
command line, but in this case the query does return the results after a while 
(~2-3 minutes on ~2K user account AD).

The only thing related to the issue that I was able to find is the following 
KB: http://support.microsoft.com/kb/268715
("WMI Query Support for Win32_Group Is Not Optimized") where the following 
query "SELECT * FROM Win32_Group WHERE Domain="workgroup" AND Name="smith"" 
causes the identical behavior. But folks, we are talking W2K3 with SP1 and not 
W2K pre-SP2.

Any chance anyone has stumbled upon it ? Is aware of hotfix ?

Thanks,
Guy



RE: [ActiveDir] Updating cached credentials

2006-11-22 Thread Guy Teverovsky

Using "runas /user: something" after establishing a VPN session 
should do the trick.

Guy


From: [EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, November 22, 2006 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Updating cached credentials

Thanks Al. We typically change passwords via a web app (Psynch) rather than at 
the workstation. One of our desktop techs thought that changing your password 
via the three-finger salute would cause the credentials to be updated, but in 
this case it didn't seem to work. We'll try the workstation lock and see if 
that works.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 22, 2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials

As I understand it, The nortel vpn client is a shim that works at layer 3 and 
does not take effect until after the user session has begun.  This prevents 
much of the normal node processing you'd like to see happen such as control of 
the windows firewall, caching of group membership and so on.

Since most companies require a password change on a regular basis for user 
accounts, I'm kind of surprised that you see this behavior. The way to change 
the user credentials on a nortel client is to have the user use the three 
finger salute (ctrl+alt+del sequence) to lock the workstation after the vpn is 
established.  When the user logs back on this *is expected* to re-cache the 
credentials.  This should be a familiar sequence of events for the users every 
password change.

Has this not addressed the problem for you to date?

On 11/22/06, Ken Cornetet <[EMAIL PROTECTED]  > wrote:
Is there a way to force updating of cached credentials on an XP
workstation? We have several users that seldom (if ever) connect to the
corporate network directly. Instead, they log in (XP sp2) using cached
credentials and connect via a Nortel VPN.

We have several group policies that are filtered by group membership.
The problem is that the group membership seems to be cached on the
workstation, and is never updated to reflect the new membership, and
group policy is never applied.

Is there any mechanism for forcing this update?



RE: [ActiveDir] Kerberos is Killing Me!

2006-11-18 Thread Guy Teverovsky
I'll second that. Dups can be found not only across multiple domain NCs.
Not long ago I stumbled upon exactly the same error and it turned out
that it was a result of orphaned connection object in LostAndFoundConfig
container in Config partition. All the tests came up clean, repadmin was
coming up clean, but some DCs were logging the duplicate SPN error and a
script that was querying replication status using WMI was coming up with
non-replicating connection (interesting that repadmin did not error on
this).

Deleting the object from LostAndFoundConfig (it belonged to a retired DC
whose metadata was cleaned properly) fixed the issue. I guess this had
to do with the timing the metadata cleanup was performed and KCC
re-generating the topology.

Guy

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 17, 2006 6:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos is Killing Me!

Yes if you want to focus on a specific domain, use the -b and the NC you
want. However the SPNs are across all NCs so when you do an SPN lookup,
look at the GC and search across all NCs. It is unlikely to get duped
HOST entries in a single domain, usually that is a cross domain thing.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Friday, November 17, 2006 10:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!

Thanks Joe.

if i wanted to search within a child domain i would use the -b switch ?

-b dc=child,dc=domain,dc=org ?

On 11/17/06, joe <[EMAIL PROTECTED]> wrote: 

adfind -gc -null -f serviceprincipalname= -dn

That will search your entire GC which you must do, you can't just focus
on a single domain like I saw a previous dsquery command do.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!

Joe,

how do i find out if there are any duplicate SPN's ?

On 11/16/06, joe <[EMAIL PROTECTED]> wrote: 

Do you have any duplicate SPNs? Well specifically the SPNs mentioned in
the error?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos is Killing Me!


I am having continued issues with Kerberos. I tried running tokensz
against the problem server and i get this error message..

C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1

Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 12128

Asked for delegate, but didn't get it.
Check if server is trusted for delegation.

QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4
KeySize = 128
Flags = 2001c
Signature Algorithm = -138
Encrypt Algorithm = 26625
QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED


any ideas ?

I keep getting the following event log message on a domain controller
which prevents users from accessing it and authenticating to it.

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 11/16/2006
Time: 12:02:37 PM
User: N/A
Computer: PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org. The target name used was host/phprint1.
This indicates that the password used to encrypt the kerberos service
ticket is different than that on the target server. Commonly, this is
due to identically named machine accounts in the target realm
(PHIPPSNY.ORG), and the client realm. Please contact your system
administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Help!



-- 
HBooGz:\> 


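The duplicate-SPN hunt joe and Guy describe above, as an added example that is not part of the thread and not adfind's own code: it parses adfind-style output (a dn: line followed by >attribute: value lines, which is the layout I assume here), case-folds every servicePrincipalName and lists the values held by more than one object, noting whether the holders sit in different domain NCs. The sample output is constructed with made-up names and shaped like the event above: a host/ SPN for a print server that also exists on a computer account in a child domain.

```python
"""
Added example: find servicePrincipalName values held by more than one object
across all naming contexts, the duplicate-SPN check discussed in the thread.
Not code from the thread or from adfind. Assumes adfind's default output
layout (a 'dn:' line, then '>attribute: value' lines, objects separated by a
blank line), i.e. joe's search with serviceprincipalname listed as the
attribute to return instead of -dn (assumed invocation).
"""
import re
from collections import defaultdict

# Constructed sample in adfind's layout (assumption); names are made up. The
# host/print1 SPN is registered on computers in two domains, the cross-domain
# duplicate joe says is the usual cause of KRB_AP_ERR_MODIFIED.
SAMPLE = """\
dn:CN=PRINT1,OU=Servers,DC=corp,DC=example
>serviceprincipalname: HOST/PRINT1
>serviceprincipalname: HOST/print1.corp.example

dn:CN=DC1,OU=Domain Controllers,DC=corp,DC=example
>serviceprincipalname: HOST/DC1
>serviceprincipalname: HOST/dc1.corp.example
>serviceprincipalname: ldap/dc1.corp.example

dn:CN=PRINT1,CN=Computers,DC=child,DC=corp,DC=example
>serviceprincipalname: HOST/print1
>serviceprincipalname: HOST/print1.child.corp.example

3 Objects returned
"""


def parse_adfind(text):
    """Return a list of (dn, {attribute: [values]}) from adfind-style output."""
    objects, dn, attrs = [], None, None
    for line in text.splitlines():
        if line.lower().startswith("dn:"):
            if dn is not None:
                objects.append((dn, attrs))
            dn, attrs = line[3:].strip(), defaultdict(list)
        elif line.startswith(">") and dn is not None:
            name, _, value = line[1:].partition(":")
            attrs[name.strip().lower()].append(value.strip())
        elif not line.strip() and dn is not None:
            objects.append((dn, attrs))   # blank line closes the object
            dn, attrs = None, None
    if dn is not None:
        objects.append((dn, attrs))
    return objects


def naming_context(dn):
    """The domain part of a DN (from the first DC= component), lower-cased."""
    m = re.search(r"(?i)(?:^|,)(dc=.*)$", dn)
    return m.group(1).lower() if m else ""


def find_duplicate_spns(text):
    """Map each SPN (case-folded; SPNs compare case-insensitively) to the DNs
    holding it, keeping only SPNs present on more than one object."""
    holders = defaultdict(list)
    for dn, attrs in parse_adfind(text):
        for spn in attrs.get("serviceprincipalname", []):
            holders[spn.lower()].append(dn)
    return {spn: dns for spn, dns in holders.items() if len(dns) > 1}


def report(text):
    """Human-readable listing, flagging whether the holders sit in different
    domain NCs (the cross-domain case) or in the same one."""
    lines = []
    for spn, dns in sorted(find_duplicate_spns(text).items()):
        ncs = {naming_context(d) for d in dns}
        scope = "cross-domain" if len(ncs) > 1 else "same domain"
        lines.append(f"{spn} ({scope}):")
        lines.extend(f"    {d}" for d in dns)
    return "\n".join(lines) if lines else "no duplicate SPNs"


if __name__ == "__main__":
    print(report(SAMPLE))
```

Save the adfind output to a file and pass its contents to report(). Start with the cross-domain entries: with the same host/ SPN on two accounts, a ticket can end up encrypted with the other account's key, which is what the event text above describes.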

RE: [ActiveDir] RFMAGIC

2006-07-07 Thread Guy Teverovsky

>> [EMAIL PROTECTED] ~]# ls / -R | grep dcpromo

Come on Brian! man find + man locate/slocate.

This is the most inefficient (complexity and memory wise) search you can ever
do (and notice that grep is case sensitive. You should have used "grep -i").

[EMAIL PROTECTED] root]# service ads start
ads: unrecognized service
[EMAIL PROTECTED] root]# apt-get install ads
Reading Package Lists... Done
Building Dependency Tree... Done
E: Couldn't find package ads
[EMAIL PROTECTED] root]# make ads
make: *** No rule to make target `ads'. Stop.

Does anyone know which repository I should add to APT to get ADS? Or should I
recompile it from the sources as in the old days?

Guy


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, July 07, 2006 10:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RFMAGIC

[EMAIL PROTECTED] ~]# dcpromo
bash: dcpromo: command not found
[EMAIL PROTECTED] ~]# pwd
/home/bdesmond
[EMAIL PROTECTED] ~]# uname
Linux
[EMAIL PROTECTED] ~]# whereis dcpromo
dcpromo:
[EMAIL PROTECTED] ~]# ls / -R | grep dcpromo
[EMAIL PROTECTED] ~]#

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Oytun
Sent: Friday, July 07, 2006 2:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RFMAGIC


FYI,

San Diego company RFMagic at www.rfmagic.com looking for a Linux admin.

Just FYI

Robert Oytun

RE: [ActiveDir] Schema Question

2006-06-30 Thread Guy Teverovsky

Isn't it something that Exchange System Policies are supposed to take care of?

Why would you want to set mailbox quotas for each and every user account
instead of setting the defaults on the stores and overriding only when
necessary?

Guy


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 30, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question

All,

Let me start with, I'm a total newb when it comes to Schema and Schema
modifications.

Is it possible to modify the schema so that every time a new user is created
(via ADUC) an extension attribute is populated with a default value? Our
Exchange guys would like extensionAttribute5 to be populated automatically
with 100, which is the default mailbox size. Is this possible? It seems like
it would be, but as I warned, I'm a newb.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573

ITS ENTERPRISE SERVICES EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.


RE: [ActiveDir] Windows 2003 sp1 DNS problem

2006-06-30 Thread Guy Teverovsky

I have been bitten by it with databases, but my understanding is that it is
relevant to any authentication attempt that tries to access a resource that
does not have a registered SPN.

http://support.microsoft.com/?id=887993

Now that I think about it, the right way would probably be to make sure the
required SPN is registered for the server in question. The KB above can help
determine whether it is an SPN issue. If it is, after registering the SPN,
the DisableLoopbackCheck reg value can be set back to 0 or deleted.

Guy


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abouelnasr, Jerry
Sent: Friday, June 30, 2006 11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 sp1 DNS problem

Is it your experience that this applies to UNC file paths as well?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, June 30, 2006 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 sp1 DNS problem

Another thing that is worth mentioning is the loopback check that has been
enforced since W2K3 SP1.

Try disabling the loopback check or specifying additional FQDNs using one of
the methods in the following KB:

http://support.microsoft.com/?kbid=896861

Guy


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, June 30, 2006 8:14 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2003 sp1 DNS problem

Thanks a lot, it did not work. I used additional names, disabled strict name
checking, but it is still the same.
I am almost aware it's a SP1 security function. But there must be a way to
disable that.
I'm still waiting for new tips...

Adrião.


From: "Grillenmeier, Guido" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 29/06/2006 20:40
Please reply to: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 sp1 DNS problem

I wasn't aware that this was a change in SP1, but it sounds as if
StrictNameChecking is enabled on your server after you've added SP1
(http://support.microsoft.com/default.aspx?scid=kb;en-us;281308)

You can disable it in general by configuring the DisableStrictNameChecking
reg-key as the KB above explains. However, this would allow access to the
server via _any_ name. I typically suggest to use the reg-keys to limit
additional names to those you really want:

DNS:
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\AlternateComputerNames
(Multi-SZ)
NetBios:
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Parameters\OptionalNames
(Multi-SZ)

This can also be done via the Win2003 version of NETDOM:

NETDOM COMPUTERNAME /add:

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 29 June 2006 21:38
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2003 sp1 DNS problem

Hello all.

I need help in a problem I have after installing Service Pack 1.

This is the case:

I have a Windows 2003 Server (I will call it SERVER01), without Service Pack 1.
I created a DNS name like this:

aplicacao.mycompany.com

Before installing SP1, when I called locally

\\aplicacao.mycompany.com

it opened shared folders perfectly.

Now, after SP1, if I call \\aplicacao.mycompany.com it asks for a user and
password. I don't know which password or user is that...

If I call \\SERVER01.mycompany.com, it works.

What was changed after installing SP1?

How can I correct that?

Adrião


RE: [ActiveDir] Windows 2003 sp1 DNS problem

2006-06-30 Thread Guy Teverovsky

Another thing that is worth mentioning is the loopback check that has been
enforced since W2K3 SP1.

Try disabling the loopback check or specifying additional FQDNs using one of
the methods in the following KB:

http://support.microsoft.com/?kbid=896861

Guy


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, June 30, 2006 8:14 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2003 sp1 DNS problem

Thanks a lot, it did not work. I used additional names, disabled strict name
checking, but it is still the same.
I am almost aware it's a SP1 security function. But there must be a way to
disable that.
I'm still waiting for new tips...

Adrião.


From: "Grillenmeier, Guido" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 29/06/2006 20:40
Please reply to: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 sp1 DNS problem

I wasn't aware that this was a change in SP1, but it sounds as if
StrictNameChecking is enabled on your server after you've added SP1
(http://support.microsoft.com/default.aspx?scid=kb;en-us;281308)

You can disable it in general by configuring the DisableStrictNameChecking
reg-key as the KB above explains. However, this would allow access to the
server via _any_ name. I typically suggest to use the reg-keys to limit
additional names to those you really want:

DNS:
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\AlternateComputerNames
(Multi-SZ)
NetBios:
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Parameters\OptionalNames
(Multi-SZ)

This can also be done via the Win2003 version of NETDOM:

NETDOM COMPUTERNAME /add:

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 29 June 2006 21:38
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2003 sp1 DNS problem

Hello all.

I need help in a problem I have after installing Service Pack 1.

This is the case:

I have a Windows 2003 Server (I will call it SERVER01), without Service Pack 1.
I created a DNS name like this:

aplicacao.mycompany.com

Before installing SP1, when I called locally

\\aplicacao.mycompany.com

it opened shared folders perfectly.

Now, after SP1, if I call \\aplicacao.mycompany.com it asks for a user and
password. I don't know which password or user is that...

If I call \\SERVER01.mycompany.com, it works.

What was changed after installing SP1?

How can I correct that?

Adrião


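The registry changes Guy and Guido describe in this thread, as an added example of mine (not code from the thread or from the KB articles): a small generator for a .reg fragment that adds one specific alternate name to OptionalNames, AlternateComputerNames and BackConnectionHostNames, leaving the SP1 loopback check and strict name checking switched on, with the two global disable switches shown only for contrast. The key paths and value names are the ones given in KB 896861 and KB 281308; regedit's hex(7) form for REG_MULTI_SZ is the UTF-16LE bytes of each string with a NUL terminator each and one final NUL. Adrião's aplicacao.mycompany.com is used as the demo input.

```python
"""
Added example (not from the thread or the KB articles): emit a .reg fragment
that registers an alternate server name per service instead of switching the
W2K3 SP1 name checks off machine-wide. Key paths per KB 896861 (loopback
check) and KB 281308 (strict name checking).
"""

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
LSA_MSV1_0 = LSA + r"\MSV1_0"
LANMANSERVER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Parameters"
DNSCACHE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"


def multi_sz_hex(values):
    """Encode a REG_MULTI_SZ for a .reg file: 'hex(7):' followed by the
    comma-separated UTF-16LE bytes of each string, each NUL-terminated, plus
    the final NUL that ends the list."""
    data = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values)
    data += b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def dword(value):
    """Encode a REG_DWORD for a .reg file (eight hex digits)."""
    return f"dword:{value & 0xFFFFFFFF:08x}"


def alternate_name_reg(names):
    """Register the alias with the SMB server (OptionalNames), the DNS client
    (AlternateComputerNames) and LSA (BackConnectionHostNames, which exempts
    the name from the loopback check). Importing a .reg file replaces the
    whole list, so include any names the server already has."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, value in ((LANMANSERVER, "OptionalNames"),
                       (DNSCACHE, "AlternateComputerNames"),
                       (LSA_MSV1_0, "BackConnectionHostNames")):
        out += [f"[{key}]", f'"{value}"={multi_sz_hex(names)}', ""]
    return "\n".join(out)


def disable_checks_reg():
    """The machine-wide switches mentioned in the thread. After these the
    server authenticates local connections and answers SMB under any name,
    which is what Guido warns against. Shown for contrast only."""
    return "\n".join([
        "Windows Registry Editor Version 5.00", "",
        f"[{LSA}]", f'"DisableLoopbackCheck"={dword(1)}', "",
        f"[{LANMANSERVER}]", f'"DisableStrictNameChecking"={dword(1)}', "",
    ])


if __name__ == "__main__":
    # Demo input taken from Adrião's post; add the server's existing aliases too.
    print(alternate_name_reg(["aplicacao.mycompany.com"]))
```

Write the output to a file and import it with regedit; the KB articles say which services need a restart for each value to take effect. Keeping the alias list explicit preserves what the SP1 checks are there for: a name the server does not claim still fails authentication rather than being accepted silently.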
RE: [ActiveDir] Self vs. the object name / effective permissions

2006-06-27 Thread Guy Teverovsky

I just call it "best effort". It's totally ineffective over cross forest
trusts.

Guy


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 27, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Self vs. the object name / effective permissions

Without knowing the details I would start
off by saying effective permissions isn't the greatest[1] and is very
likely to be incorrect because without an actual security token to work
from on the machine that you need to know the effective rights it is very easy
to miss something and not get it right. I don't even bother looking at
effective rights ever, I look at the ACLs myself and work it through. 

If you want, email me the DSACLS dump to my home address and what isn't
working and I will give you a free opinion. :)

  joe

[1] I was going to say sucks but I tried to write my own version of it once
and it is really really really hard.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Tuesday, June 27, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Self vs. the object name / effective permissions

Someone came by my cube and said they were having permission issues. They
assigned Self some rights for computer objects and in ADUC the effective
permissions are correct. However, they also did effective permissions on the
name of the computer object and it has different results... Why is this? I
know Self represents the object... so where is it getting different
permissions from? DSAcls is retrieving correct information for me, but this
seems like a bug to me.

-Brandon


RE: [ActiveDir] Deny permissions in AD

2006-06-26 Thread Guy Teverovsky

Re: "Looks like domain admins, Self, and account operators have hard-coded
rights to the object."

Those are taken from defaultSecurityDescriptor of the object class and can be
changed to suit your needs (just watch out not to lock out services like
Exchange from reading the objects):

http://www.windowsitpro.com/Windows/Article/ArticleID/40098/40098.html

Guy


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Coffman
Sent: Monday, June 26, 2006 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Deny permissions in AD

I think you are correct.

I started looking into this immediately after posting.

Looks like domain admins, Self, and account operators have hard-coded rights
to the object.

This would be applied before the inherited deny ACE.

Thanks!

Josh

Joshua M. Coffman
[EMAIL PROTECTED]
Cell: (970) 402-3457


Subject: RE: [ActiveDir] Deny permissions in AD
Date: Mon, 26 Jun 2006 13:50:13 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Probably order of inheritance...

1. Noninherited Deny entries.
2. Noninherited Allow entries.
3. Inherited Deny entries.
4. Inherited Allow entries.

:m:dsm:cci:mvp | marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Coffman
Sent: Monday, June 26, 2006 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Deny permissions in AD

I have an Active Directory 2003 domain that is used only as an LDAP User
store for a 3rd party Identity Management Application.

There are no workstations or servers in the domain, other than the DCs
themselves.

We are trying to lock down the domain, so that an ordinary user cannot read
other users' attributes. For some special attributes, we have implemented the
2K3 SP1 "Confidential Attribute" function, and it is working well.

However, over the weekend, another administrator decided to try something that
has me a little perplexed.

Here is what the Admin did:

Put a DENY ACE for the "Domain Users" group for "Read All Properties" (in
advanced security settings) on an OU containing a lot of users.

Now, your average user account cannot read attributes, which is good. Domain
Admins and Administrators can read the attributes of users in the OU, which is
also good.

However, I am wondering, why does this work this way? Shouldn't the DENY ACE
override all other permissions, including those inherited for Domain Admins,
which I believe is a member of the Domain Users group by default? Also, an
additional group was created which allows read/write access to a single user
attribute in the same OU. A non-administrative account, when added to this
group, can read and write to the attribute, even though there is a deny on
read all properties.

Can anyone tell me why this is working this way? It is contrary to what I
thought I knew about Deny ACEs.

Thanks,

Josh

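Marcus's ACE ordering and Guy's defaultSecurityDescriptor point, as an added example that is not from the thread: a model of the Windows DACL walk, run against a constructed DACL for a user object in Josh's OU. The Domain Admins / Account Operators / SELF entries are stamped on every new user from the class's defaultSecurityDescriptor, so on the object they are explicit and sort ahead of the Deny inherited from the OU; the same Deny written directly on the object would sort first and win. The right values, group names (standing in for SIDs) and the DACL itself are illustrative, not the real ADS_RIGHT_* constants or a real object, and the model ignores object-type (per-attribute) ACEs, so it says nothing about the single-attribute group Josh also asks about.

```python
"""
Added example, not code from the thread: a model of how the Windows access
check walks a DACL in canonical order, showing why an inherited Deny on
"Read All Properties" for Domain Users stops ordinary users but not Domain
Admins, whose Allow comes from defaultSecurityDescriptor and is explicit.
Right bits, group names and the DACL are illustrative constructs.
"""
from dataclasses import dataclass

# Illustrative right bits (assumed values, not ADS_RIGHT_* constants).
READ_PROP = 0x10        # "Read All Properties"
WRITE_PROP = 0x20       # "Write All Properties"
GENERIC_ALL = 0xFFFF    # full control in this model


@dataclass(frozen=True)
class Ace:
    kind: str         # "allow" or "deny"
    trustee: str      # group name standing in for a SID
    mask: int         # rights granted or denied
    inherited: bool   # inherited from a parent container (the OU) or explicit


def canonical(dacl):
    """Canonical ACE order: explicit deny, explicit allow, inherited deny,
    inherited allow; ties keep their original position."""
    rank = {(False, "deny"): 0, (False, "allow"): 1,
            (True, "deny"): 2, (True, "allow"): 3}
    ordered = sorted(enumerate(dacl),
                     key=lambda t: (rank[(t[1].inherited, t[1].kind)], t[0]))
    return [ace for _, ace in ordered]


def access_check(dacl, token_groups, requested):
    """Walk the DACL as the kernel does: a Deny whose mask overlaps the still
    unsatisfied rights ends the check with a refusal; each Allow removes bits
    until none remain. Returns (granted, deciding_ace); deciding_ace is None
    when the DACL ran out before every requested bit was granted."""
    remaining = requested
    for ace in canonical(dacl):
        if ace.trustee not in token_groups:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False, ace
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True, ace
    return False, None


def user_object_dacl(deny_inherited=True):
    """A user object inside Josh's OU. The first three ACEs are the ones the
    class's defaultSecurityDescriptor stamps on every new user; the Deny is
    the OU-level ACE, which each user object sees as inherited."""
    return [
        Ace("allow", "Domain Admins", GENERIC_ALL, inherited=False),
        Ace("allow", "Account Operators", GENERIC_ALL, inherited=False),
        Ace("allow", "SELF", READ_PROP, inherited=False),
        Ace("deny", "Domain Users", READ_PROP, inherited=deny_inherited),
        Ace("allow", "Authenticated Users", READ_PROP, inherited=True),
    ]


def demo():
    """Outcomes for a plain user, a Domain Admin (who is also a Domain User),
    and a Domain Admin when the same Deny is placed directly on the object."""
    plain = {"Domain Users", "Authenticated Users"}
    admin = plain | {"Domain Admins"}
    return {
        "plain user": access_check(user_object_dacl(), plain, READ_PROP)[0],
        "domain admin": access_check(user_object_dacl(), admin, READ_PROP)[0],
        "domain admin, explicit deny":
            access_check(user_object_dacl(deny_inherited=False), admin, READ_PROP)[0],
    }


if __name__ == "__main__":
    for who, ok in demo().items():
        print(f"{who:30} -> {'granted' if ok else 'denied'}")
```

The third case is the one to keep in mind when locking down a directory this way: a Deny placed on the objects themselves, or a defaultSecurityDescriptor edited as Guy describes, changes which ACEs are explicit and therefore who still gets in.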
[ActiveDir] Received X out of Y objects

2006-06-26 Thread Guy Teverovsky

Could be that I never took a better look at it and this is a well-known
issue, but when dcpromo-ing W2K SP4 to a DC I get "Replicating
DC=domain,dc=tld: received X out of Y objects.", where X is larger than Y.

Could it be that X counts tombstones and Y does not?

Cheers,
Guy

RE: [ActiveDir] pw reset domain account

2006-06-26 Thread Guy Teverovsky

If I had a self service web service for resetting passwords, and wanted to
let the users access it from anywhere, I'd not be using domain accounts for
logging into the workstation.

Probably the best would be having dedicated workstations in kiosk mode, but
if that is not an option, I'd push a local account to the end-user
workstations (making sure I do not push it to servers, etc...) and let them
logon locally. Personally I do not see any reason for using a domain account;
the self service web site should not require authentication to access it in
any case.

Guy


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AWS
Sent: Monday, June 26, 2006 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account


Yes, the latter. This is
an account a user would use to login with, then the pw reset website would
automatically run. The website has challenge/response Q's for them to get their
individual acct reset.



On 6/25/06, joe
<[EMAIL PROTECTED]> wrote:






Err, maybe you can fill in more detail. I
am not quite sure what you are saying. Are you saying there is a generic ID to
log into the website and it can reset anyone's password or are you saying there
is a generic ID with rights to reset anyone's password or  

 

Either of those solutions wouldn't be
optimal and I would love to work in that company for a day with that
implemented and have people point out who the dumbass managers were... Or at
least their IDs.   

 

Oh I just read that again, is this an idea
to give a userid/password to everyone so they can get past the GINA and get to
the self service website? 



 



--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 



 



 







From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]]
On Behalf Of AWS
Sent: Sunday, June 25, 2006 6:35
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] pw reset
domain account

 







There's a proposal at my company for a self service password reset
website which uses a shared domain account. It's similar to a kiosk
configuration, but the intent is to publicize the account and password so
that it can be used from any users' pc when needed. 





 





They have an account-specific OU/GPO configuration which locks down the
typical stuff you would expect, but my position is that there are too many
unknown vectors for such an account to be abused. 





 





Since I don't dabble in the various black hat utils du jour, does
anyone have any thoughts on how a globally known domain account could be
hacked upon? Conversely, is there any way such an account could be effectively
locked down? 





 





Thanks,





AW











 








RE: [ActiveDir] DDNS in Unix environment

2006-06-21 Thread Guy Teverovsky

All good and valid points, Al.
 
The problem with DNS in this case is that the DNS servers responsible for the AD zone must be located on the same segment as the application/DCs - this is the client's requirement, which I totally agree with - we want to keep all the resources related to the application under strict control and behind the firewall.
 
As for DNS redundancy - the DRP site also has 2 DCs with DNS installed, so if the primary is down, the DCs in the DR site will be able to answer the queries.
People accessing the application can resolve the DNS name of the service using their local DNS servers, which can utilize conditional forwarding to both the primary and DR site's DNS servers.
 
The point with the whole setup is that each node at the primary or DR site is already HA and the main purpose of the DR site is to come up when the primary site as a whole is down. Yet I do not like making assumptions and would like to be able to deal with all the edge cases.
 
I'll ask ~Eric if I can borrow his huge DIT for a while, use it on the Unix guys and see how it goes ;). Relying on DNS in this case to me sounds too opportunistic...
 
Guy

From: Al Mulnick
Sent: Tue 6/20/2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DDNS in Unix environment

Guy, I think the concern I have (I'll limit to one for this sentence) is that if you update the DNS, what does that do for the client? I.E. how does the client know to look at some other DNS? Or, more simply, how does the DNS get updated if that site the client was using for DNS goes to the dogs? I'm wondering how that mechanism works in your scenario because the client has to be able to find the information and if the DNS went with the solution, then it's going to be difficult to make that work. On the other hand, if DNS is hosted outside this solution, then your only real hope is to use a load balancer IMHO. Why? Because the people already have a significant investment in making this work and to do otherwise would be the equivalent of putting Huffy tires on a Maserati; sure it might work and it'll be drastically cheaper up front, but would you really want to do that and would you really be happy about it? Would you want your friends to see you in that car? 
 
Anyhow, the solution lies with Veritas and by taking a good hard look at all 8 layers of the stack and comparing/contrasting that with your deliverables. HA doesn't occur at the application layer alone; rather it's a system that comes together and takes into account all 8 layers of the computing stack.  To do otherwise is without question a waste of time and resources.    
 
Keep your head low, walk softly and carry a very large Windows appliance. ;)
 
Al 
On 6/19/06, Guy Teverovsky <[EMAIL PROTECTED]> wrote: 

I will try to address all the points raised.
 
Al: 
You are right. The idea is to provide highly available service as transparently as possible. This is one of those times when Unix folks are leading the project and they are trying to find the solution in the DNS. I have already pointed out that even if DDNS is successful, the TTLs will have to be reduced drastically to very short values. 
 
Mike:
I have already suggested a simple WMI script somehow triggered by the cluster, but they are hesitant about any non-standard customization. The SimpleFailover however looks like something that I might be able to use. Will definitely have a better look at it. Funny that I have not found it while exercising my google-fu. 
 
Willem: 
If you ask me, the solution should indeed be based on some sort of appliance based load balancer, but the folks are looking into a software based solution - introducing network related changes could be quite tricky in this case (politics, another IT group, single point of failure...) 
 
Disclaimer: have no idea about Veritas HA Unix cluster either ;)
 
Now if I could only smack the Unix folks, make them disable the DDNS registration requirement on the cluster and look into a hardware load balancer, life would be much easier... 
 
Bottom line: Unix people are evil! Do not let them near your AD ;)
(ducking and getting on a plane)
 
Thanks all for the input!
Guy 

From: Willem Kasdorp
Sent: Mon 6/19/2006 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DDNS in Unix environment 

Guy,
 
Those are good points by Al. Especially the DNS TTL will break you up if the customer expects a quick failover. I would expect that there is some mechanism in the cluster failover (a script hook or something) that will allow you to manually change DNS where needed. But is this really the way to go? I'd take a hard look at how the app is supposed to realize high availability. Additionally, I have seen a similar scenario where a redundant network loadbalancer would reroute traffic to the active node. That would take care of name resolution and similar issues, anyway. 
 
--
    Cheers, Willem
 
(disclaimer: I know no

RE: [ActiveDir] DDNS in Unix environment

2006-06-19 Thread Guy Teverovsky

I will try to address all the points raised.
 
Al: 
You are right. The idea is to provide highly available service as transparently as possible. This is one of those times when Unix folks are leading the project and they are trying to find the solution in the DNS. I have already pointed out that even if DDNS is successful, the TTLs will have to be reduced drastically to very short values.
 
Mike:
I have already suggested a simple WMI script somehow triggered by the cluster, but they are hesitant about any non-standard customization. The SimpleFailover however looks like something that I might be able to use. Will definitely have a better look at it. Funny that I have not found it while exercising my google-fu.
 
Willem: 
If you ask me, the solution should indeed be based on some sort of appliance based load balancer, but the folks are looking into a software based solution - introducing network related changes could be quite tricky in this case (politics, another IT group, single point of failure...)
 
Disclaimer: have no idea about Veritas HA Unix cluster either ;)
 
Now if I could only smack the Unix folks, make them disable the DDNS registration requirement on the cluster and look into a hardware load balancer, life would be much easier...
 
Bottom line: Unix people are evil! Do not let them near your AD ;)
(ducking and getting on a plane)
 
Thanks all for the input!
Guy 

From: Willem Kasdorp
Sent: Mon 6/19/2006 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DDNS in Unix environment


Guy,
 
Those are good points by Al. Especially the DNS TTL will break you up if the customer expects a quick failover. I would expect that there is some mechanism in the cluster failover (a script hook or something) that will allow you to manually change DNS where needed. But is this really the way to go? I’d take a hard look at how the app is supposed to realize high availability. Additionally, I have seen a similar scenario where a redundant network loadbalancer would reroute traffic to the active node. That would take care of name resolution and similar issues, anyway. 
 
--
    Cheers, Willem
 
(disclaimer: I know nothing about Veritas HA clusters)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, June 19, 2006 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DDNS in Unix environment
 
Guy, can we assume that the requirement is to provide the high availability as transparently as possible then? 

What is the expectation if the primary site goes away as far as client name res? What is their way of knowing that the server went away and to use a new name (keeping in mind that caching etc is going to take place)? 

What does Veritas recommend? (it is their product after all).

Al 

On 6/17/06, Guy Teverovsky <[EMAIL PROTECTED]> wrote: 

Howdy all,

I am banging my head over this trying to come up with a solution for a client.

To make the long story short: financial organization which is very concerned about security. They are setting up a new network segment that will be serving some application to the internal network (there is a firewall in between). Because of the critical nature of the application, there is a DR site. AD is used for authentication and DNS. There is a Veritas HA cluster serving the application that will fail over to DR site in case the primary site goes down.
Primary site: 2 DCs with SFU (R2) + Veritas cluster node
DR site: 2 DCs with SFU (R2) + Veritas cluster node.
Primary and DR site are at different physical locations and on different subnets.

The only problem with this setup is that the cluster needs to register its DNS name when failing over to DR site and it does not support secure DDNS. The best thing it can do is T-SIG DDNS with pre-shared key. Enabling non-secure DDNS is not an option.

I can disable the DNS registration requirement in the cluster resource group, but this has some issues, one of them being the fact that accessing the application at the DR site (from internal LAN) will require using an FQDN different from the FQDN of the primary site.

An alternative would be to somehow enable DDNS only from a predefined set of IP addresses, but from what I know the MS DNS is not capable of it (correct me if I'm wrong).

Switching to BIND presents the same issue: while it can solve the dynamic registration of the cluster service using T-SIG DDNS, non-secure registration of SRV records is not acceptable and I would like to avoid having statically registered SRV records for the DCs.

Not sure whether the solution is in the MS DNS, but there are some knowledgeable folks over here that might have stumbled upon something like this.

Any help is greatly appreciated.

Thanks,
Guy
 


[ActiveDir] DDNS in Unix environment

2006-06-17 Thread Guy Teverovsky

Howdy all,

I am banging my head over this trying to come up with a solution for a client.

To make the long story short: financial organization which is very concerned 
about security. They are setting up a new network segment that will be serving 
some application to the internal network (there is a firewall in between). 
Because of the critical nature of the application, there is a DR site. AD is 
used for authentication and DNS.
There is a Veritas HA cluster serving the application that will fail over to DR 
site in case the primary site goes down.
Primary site: 2 DCs with SFU (R2) + Veritas cluster node
DR site: 2 DCs with SFU (R2) + Veritas cluster node.
Primary and DR site are at different physical locations and on different 
subnets.

The only problem with this setup is that the cluster needs to register its DNS 
name when failing over to DR site and it does not support secure DDNS. The best 
thing it can do is T-SIG DDNS with pre-shared key.
Enabling non-secure DDNS is not an option.

I can disable the DNS registration requirement in the cluster resource group, 
but this has some issues, one of them being the fact that accessing the 
application at the DR site (from internal LAN) will require using an FQDN 
different from the FQDN of the primary site.

An alternative would be to somehow enable DDNS only from a predefined set of IP 
addresses, but from what I know the MS DNS is not capable of it (correct me if 
I'm wrong).

Switching to BIND presents the same issue: while it can solve the dynamic 
registration of the cluster service using T-SIG DDNS, non-secure 
registration of SRV records is not acceptable and I would like to avoid having 
statically registered SRV records for the DCs.

Not sure whether the solution is in the MS DNS, but there are some 
knowledgeable folks over here that might have stumbled upon something like this.

Any help is greatly appreciated.

Thanks,
Guy 


RE: [ActiveDir] FYI: Failing to create a trust

2005-12-19 Thread Guy Teverovsky

Maybe I am shooting blanks into the great wide open, but I have lately been beaten on various occasions by LSA's loopback check that has been enabled by default in W2K3 SP1 (mainly installing MOM Reporting Services or having MOM's DB on a remote machine – all W2K3SP1 related).

I currently do not have an environment to test this, but it could be worth a shot to try disabling the loopback check as per: http://support.microsoft.com/default.aspx?scid=kb;en-us;896861

I guess this could be related to the way the VM's network stack is implemented…

Cheers,

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, December 19, 2005 17:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: Failing to create a trust

Hi Tony,

While creating my test environment that I will use at DEC, I also tested the following:

ADCORP.LAN
-> DC01 (W2K3SP1)
-> DC02 (W2K3) promoting to DC and use DC01 (W2K3SP1) as source -> NO ISSUES!

BRANCH.ADCORP.LAN
-> DC11 (W2K3SP1) promoting to DC and use DC01 (W2K3SP1) as source -> ISSUES FOUND! (changing pwd solved issue)
-> DC12 (W2K3) promoting to DC and use DC11 (W2K3SP1) as source -> NO ISSUES!

SUBSIDIARY.ADCORP.LAN
-> DC21 (W2K3SP1) promoting to DC and use DC02 (W2K3) as source -> ISSUES FOUND! (changing pwd solved issue)
-> DC22 (W2K3SP1) promoting to DC and use DC21 (W2K3SP1) as source -> ISSUES FOUND! (changing pwd solved issue)

It looks like if the DC to be promoted = W2K3SP1 then the issues mentioned occur

Cheers,

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Sunday, December 18, 2005 21:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: Failing to create a trust

Hi Tony,

R2 does not change core binaries so there should be no change there. I can save you time when it comes to the R2 test as I found it first in R2, then tried SP1. Both with the same issues

I have not tried pre-SP1 myself

I'm not sure, but I think it does not occur in pre-SP1 because I had never seen it before until working with R2 and SP1. 

Jorge

From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Sun 12/18/2005 9:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: Failing to create a trust

Hi Jorge

Ok, I’m back at work and the workaround using the same username and password combination does the trick.

I found one other interesting glitch. Here’s the sequence.

1. Cross-forest trust setup fails with RPC connection failure.
2. Change ForestA administrator name and password to same as ForestB
3. Set up one side of the trust in ForestA. All ok.
4. Attempt to set up ForestB side of trust. Fails with RPC connection failure.
5. Remove trust in ForestA.
6. Go back to ForestB and set up one side of the trust. All ok.
7. Go back to ForestA and set up the other side of the trust. All ok.

Weird.

If I have time, I’ll do the same thing with Windows 2003 (no SP1) and with Windows 2003 R2. I’ll also see if the behaviour is different with Virtual PC.

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, 19 December 2005 2:05 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: Failing to create a trust

Just before going to a party yesterday, I was playing with 2 VMs. Each VM was a DC in its own forest/domain and I wanted to create a trust between the two. How difficult is that?

Well, not that difficult, until you get the error... ;-(( 

default tests: nslookup, mappings, etc and everything OK

There is a big difference here.

With the DCPROMO thing it goes wrong after entering the credentials to dcpromo the DC

With the TRUST thing it goes wrong as soon as you enter the target domain

The fun part is (quote from the DCPROMO story I wrote):

To test permissions and credentials I created a mapping (to the ADMIN$ share) from the stand alone server to the forest root DC and used username administrator and password CORP. result = OK
To test permissions and credentials I started LDP on the stand alone server and connected to the forest root DC and used username administrator and password CORP. result = OK. I was able to do anything in the directory.
To test permissions and credentials and joined the stand alone server and made it a member

RE: [ActiveDir] Internet Explorer Home Page Question

2005-11-22 Thread Guy Teverovsky

If I am not mistaken, newly created profiles take the defaults from:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

Set the "Start Page" and "Search Page" there and the newly created profiles will pick the settings from there.

If you want to automate it, create a custom administrative template to deploy the registry settings to all your workstations with a GPO and you are done.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Gauss
Sent: Tuesday, November 22, 2005 16:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Internet Explorer Home Page Question

Excellent. Thanks for the tip. I totally forgot about setting permissions on the group.

On the delete of the group I actually meant to say delete from the group.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Monday, November 21, 2005 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Internet Explorer Home Page Question

Nice to know that it worked out for you.

>I also tried using the /delete to delete the group but if the person isn't in that group the script just hangs.

I am just curious, why would you delete the group? Also, why do you require a password in the script? 

If you just give "add/remove self as member" access it doesn't work thru the GUI. You have to specifically go to property level permission and assign WRITE access on the members attribute, then members will be able to manage their membership of the group. Give that right to the SELF security principal. (I just tested that again) 

Also, one caveat: if you have an AD2000 forest or an AD2003 forest running on the Windows 2000 functional level, you should take into account the following warning: if you delegate group management to members, it might create a problem if users update their membership on different DCs. All members of a group are stored in one multivalued property. If that member list is modified on two domain controllers simultaneously (within replication latency), one of the two changes will be lost. 

-
Kamlesh

On 11/22/05, Craig Gauss <[EMAIL PROTECTED]> wrote: 

Been working on this one most of the day. Have it sort of working.

Needed to use CPAU from joeware, but there is one problem. The password is displayed in the batch which is pretty much unsecure and goes against any password policy. Anyways, I have it adding the user to the correct group upon logon. It takes a little while though for the user to show in the group. I also tried using the /delete to delete the group but if the person isn't in that group the script just hangs.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Micheal S. Mand
Sent: Monday, November 21, 2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Internet Explorer Home Page Question

Craig,

Quoting what Kamlesh said before your email:

"To remove logged-in user, I would use something like

if new-users is Domain Local group then 
net localgroup new-users %username% /delete /domain

if new-users is Domain Global group then 
net group new-users %username% /delete /domain"

His email was sent 11/19/2005 10:37 AM. If you didn't get it I can forward that to you.

Thanks,

Micheal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Gauss
Sent: Monday, November 21, 2005 9:09 AM 
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Internet Explorer Home Page Question

How would you go about removing the user from the group in a login script? 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, November 18, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Internet Explorer Home Page Question

Building on what James said,

You can make it automatic: create a group New-Users and assign the intranet homepage GPO to this group, and importantly, allow members to remove themselves from the group. 

When you create a new user, just make her a member of this group.

Make a login script, in the same GPO, which will remove the logged in user from this group. 

When the user logs in the first time, she is a member of this New-Users group, so this GPO applies and her homepage is set to intranet.
At the same time, the login script runs and removes the user from that group. 
This makes sure that this GPO is never applied again, as the user is no longer a member of the New-Users group. And intranet was set for first login only. 

-
Kamlesh

On 11/18/05, Blair, James <[EMAIL PROTECTED]> wrote: 

Michael,

You could create a new user security group and a GPO for the homepage. Use security filtering so that group only gets the policy. Remove the new users from the group after x days. 

James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sen
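Kamlesh's caveat in the thread above, that concurrent membership changes on two DCs lose one of the changes at the Windows 2000 functional level, is worth seeing in miniature. The following Python model is an added example, not code from the thread: it contrasts a non-linked multivalued attribute, where the whole value set replicates as one unit and the change with the higher version (later timestamp on a tie) wins outright, with linked-value replication, where each member value carries its own metadata and independent changes made on different DCs merge. The DC names, user names, versions and timestamps are constructed for the demonstration, and the tie-break is simplified (real DCs also compare invocation IDs).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class AttrState:
    """A non-linked multivalued attribute as replicated at the Windows 2000
    forest functional level: one value set, one version, one timestamp."""
    values: FrozenSet[str]
    version: int
    timestamp: int          # seconds, constructed for the example
    originating_dc: str


def whole_attribute_merge(local: AttrState, remote: AttrState) -> AttrState:
    """Conflict resolution for a whole attribute: the higher version wins,
    a later timestamp breaks a tie, and the loser's value set is discarded
    entirely. (Invocation-ID comparison on a full tie is left out here.)"""
    if (remote.version, remote.timestamp) > (local.version, local.timestamp):
        return remote
    return local


@dataclass(frozen=True)
class LinkValue:
    """Per-value replication metadata under linked-value replication."""
    present: bool           # False = the value has been removed
    version: int
    timestamp: int


def linked_value_merge(local: Dict[str, LinkValue],
                       remote: Dict[str, LinkValue]) -> Dict[str, LinkValue]:
    """Linked-value replication: every member value carries its own metadata,
    so conflicts are resolved per value and independent changes both survive."""
    merged = dict(local)
    for member, meta in remote.items():
        have = merged.get(member)
        if have is None or (meta.version, meta.timestamp) > (have.version, have.timestamp):
            merged[member] = meta
    return merged


def present_members(link_values: Dict[str, LinkValue]) -> FrozenSet[str]:
    """Members whose link value is currently present (not removed)."""
    return frozenset(m for m, v in link_values.items() if v.present)


def simulate_windows2000_mode() -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Two admins add different users to the same group on different DCs
    within replication latency. Returns the member set each DC ends up with."""
    start = AttrState(frozenset({"alice"}), version=1, timestamp=0, originating_dc="DC1")
    on_dc1 = AttrState(start.values | {"bob"}, 2, 100, "DC1")    # bob added on DC1
    on_dc2 = AttrState(start.values | {"carol"}, 2, 105, "DC2")  # carol added on DC2
    # Each DC then receives the other's change and resolves the conflict.
    dc1_final = whole_attribute_merge(on_dc1, on_dc2)
    dc2_final = whole_attribute_merge(on_dc2, on_dc1)
    return dc1_final.values, dc2_final.values


def simulate_linked_value_replication() -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Same two concurrent changes, this time with per-value metadata."""
    base = {"alice": LinkValue(True, 1, 0)}
    on_dc1 = dict(base, bob=LinkValue(True, 1, 100))
    on_dc2 = dict(base, carol=LinkValue(True, 1, 105))
    dc1_final = linked_value_merge(on_dc1, on_dc2)
    dc2_final = linked_value_merge(on_dc2, on_dc1)
    return present_members(dc1_final), present_members(dc2_final)


if __name__ == "__main__":
    print("Windows 2000 mode:", simulate_windows2000_mode())
    print("Linked-value replication:", simulate_linked_value_replication())
```

Both DCs converge in both models, which is the subtle part: in the whole-attribute case nothing is flagged as a conflict, the membership simply ends up without the user added on the losing DC, so a self-service removal script of the kind discussed here can silently undo an administrator's concurrent addition.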

RE: [ActiveDir] IAS, Radius & AD

2005-11-18 Thread Guy Teverovsky

Sorry, that should be:

netsh ras set tracing * ENABLED

Also take a look at the authentication flow over here: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=""

(it's W2K specific, but from my experience is not different from W2K3)

It will help you correlate the logs with what is going on.

The error you are getting is quite generic – several times I have seen IAS trying to look for a non-existing domain (based on incorrect mapping of user account to account's domain) and resulting in this exact error.

Remember that IAS receives a RADIUS authentication request, which (depending on the auth method: MSCHAPv2, EAP-TLS, PEAP, PAP, CHAP, etc…) might have the user/account pair in different forms. The result is that IAS needs to apply additional logic to figure out the account's domain.

Have you tried to authenticate with UPN or Kerb principal instead of domain\username?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, November 18, 2005 00:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius & AD

The problem is the IAS server cannot find any DCs in those domains. Also, I get the following error with the netsh command:

C:\>netsh ras tracing * ENABLED

The following command was not found: ras tracing * ENABLED.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, November 17, 2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius & AD

Are members in those 2 domains having UPN suffix not in the namespace of the forest root?

Example: 

Forest root suffixes: @company.net

Child suffixes: @child.forest.com

Are the users trying to logon using UPN or domain\samaccountname?

Have you tried implicit Kerberos principal ([EMAIL PROTECTED])

IAS is rather touchy when it comes to mapping UPNs to correct domains…

You can also enable IAS debugging by issuing on the IAS server:

netsh ras tracing * ENABLED

You will find detailed logs at %SystemRoot%\Tracing

Guy 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 17, 2005 20:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius & AD

No replication errors at all. Directory Service logs are clean.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, November 17, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius & AD

Hmm... Any replication problems with those servers in the past (or currently)? Any Kerberos errors? 

Joe Pochedley 
A computer terminal is not some clunky old television 
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe 
and move bits of it about. -Douglas Adams 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 17, 2005 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius & AD

I ran DNSLint and it returned SRV records for all DC’s in that domain. I also ran ntdsutil to do a metadata cleanup of any possible orphaned server and noticed that I get the following RPC error when trying to connect to one of the existing DCs: ‘DsBindW error 0x6ba(The RPC server is unavailable.)’

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, November 17, 2005 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius & AD

DC's are located by querying DNS. Check and make sure the proper SRV records for the two domains in question appear on the server that your IAS is using for DNS. DNSLint may help you with this task.

Joe Pochedley 
A computer terminal is not some clunky old television 
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe 
and move bits of it about. -Douglas Adams 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 17, 2005 8:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IAS, Radius & AD

I have 15 child domains in my AD forest. When using IAS (Nortel VPN) as a Radius server on my root AD server, I can get clients to successfully authenticate against all domains but 2. On these two domains, I get an IAS event id error of 5052, ‘There is no domain controller available for domain SWSNM’. I’ve run DCDIAG and NETDIAG against these domains and the tests pass. How does IAS locate domain controllers for authentication? How can I troubleshoot this?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

RE: [ActiveDir] IAS, Radius & AD

2005-11-17 Thread Guy Teverovsky

Are members in those 2 domains having UPN suffix not in the namespace of the forest root?

Example: 

Forest root suffixes: @company.net

Child suffixes: @child.forest.com

Are the users trying to logon using UPN or domain\samaccountname?

Have you tried implicit Kerberos principal ([EMAIL PROTECTED])

IAS is rather touchy when it comes to mapping UPNs to correct domains…

You can also enable IAS debugging by issuing on the IAS server:

netsh ras tracing * ENABLED

You will find detailed logs at %SystemRoot%\Tracing

Guy 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 17, 2005 20:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius & AD

No replication errors at all. Directory Service logs are clean.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, November 17, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius & AD

Hmm... Any replication problems with those servers in the past (or currently)? Any Kerberos errors? 

Joe Pochedley 
A computer terminal is not some clunky old television 
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe 
and move bits of it about. -Douglas Adams 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 17, 2005 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius & AD

I ran DNSLint and it returned SRV records for all DC’s in that domain. I also ran ntdsutil to do a metadata cleanup of any possible orphaned server and noticed that I get the following RPC error when trying to connect to one of the existing DCs: ‘DsBindW error 0x6ba(The RPC server is unavailable.)’

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Thursday, November 17, 2005 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IAS, Radius & AD

DC's are located by querying DNS. Check and make sure the proper SRV records for the two domains in question appear on the server that your IAS is using for DNS. DNSLint may help you with this task.

Joe Pochedley 
A computer terminal is not some clunky old television 
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe 
and move bits of it about. -Douglas Adams 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, November 17, 2005 8:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IAS, Radius & AD

I have 15 child domains in my AD forest. When using IAS (Nortel VPN) as a Radius server on my root AD server, I can get clients to successfully authenticate against all domains but 2. On these two domains, I get an IAS event id error of 5052, ‘There is no domain controller available for domain SWSNM’. I’ve run DCDIAG and NETDIAG against these domains and the tests pass. How does IAS locate domain controllers for authentication? How can I troubleshoot this?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

__
This message and any attachments are
solely for the intended recipient
and may contain confidential or
privileged information. If you are not
the intended recipient, any disclosure,
copying, use or distribution of
the information included in the message
and any attachments is
prohibited. If you have received this
communication in error, please
notify us by reply e-mail and
immediately and permanently delete this
message and any attachments. Thank You.









RE: [ActiveDir] OT: MIIS, ADAM, & AD

2005-07-29 Thread Guy Teverovsky

I wonder whether anyone has tried the ADAM Synchronizer for similar scenarios:

http://www.microsoft.com/downloads/details.aspx?familyid=06787254-d7f4-4fff-8e02-2609956cb19e&displaylang=en

The documentation is pretty vague about the way the target objects are created.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, July 29, 2005 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: MIIS, ADAM, & AD

We have an upcoming project which will require an LDAP directory containing both our internal users, and our extranet users. Currently, our internal users are in one AD domain, the extranet users are in another. The domains are in separate forests, and there are no trusts.

My plan is to use ADAM for the central LDAP directory. However, I'm on the horns of an enema, um, I mean dilemma on how to sync ADAM to the two domains. A first glance would suggest MIIS. However, MIIS looks pretty complicated, and difficult to configure.

I'm considering writing my own sync code since the task at hand is relatively straight-forward. Passwords will be a bit of a problem, but not unworkable. We use Psynch to maintain our internal passwords, so I can have it change the ADAM passwords at the same time it changes the internal AD passwords. The extranet users change their password via an existing web app, so having it change the ADAM passwords won't be an issue.

Reading about ADAM "proxy users" leads me to believe they'd be a perfect fit as the object type to use for our internal users (authentication is relayed to AD thus negating the need to sync passwords). However, the ADAM tech ref says proxy users should only be used as a last resort, and to refer to the next section as to why. Unfortunately, the next section doesn't explain why not to use them. Anybody know why proxy user objects are evil?

Is there any good "MIIS for dummies" type documentation around? Any good ADAM and/or MIIS mailing lists?

RE: [ActiveDir] Windows -> MIT Cross-realm auth to domains not in the same dns hierarchy

2005-06-24 Thread Guy Teverovsky

> The preceding solution works great, but I've found that if we establish a
> trust to a domain such as DOMAIN.SCHOOL.EDU (not in the same DNS hierarchy
> as AD.SCHOOL.EDU) then user logons fail.

[Guy] There is a similar bug when changing passwords over a cross-forest
trust when the UPN suffix of the account you log on with to the trusting
forest is different from the trusted forest's DNS name.
In this case the DC resolves the domain to \\
i.e.:
[EMAIL PROTECTED] is an AD account in the internal.local forest and logs on to
the other.local forest over a cross-forest transitive trust. When trying to
change the password (when logged on with the UPN), the target domain is resolved
to COMPANY and not INTERNAL (or internal.local).

There is a hotfix that you might want to try (it addresses the way the
domains are located when using a UPN - it might also resolve the MIT Kerberos
issue):
http://support.microsoft.com/?kbid=890953

Also try to log on from a W2K3 box in the OTHER.AD.SCHOOL.EDU domain with an MIT
Kerberos principal, as it is not experiencing the above behavior.

Guy
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members in a group

2005-06-23 Thread Guy Teverovsky

Oops... Should be:

for /F "delims=*" %i in ('dsquery * -filter
"(&(objectcategory=person)(objectclass=user)(memberof=))"
') do @dsmod group  -addmbr %i

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Friday, June 24, 2005 1:58 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy
> members in a group
> 
> Try
> 
> for /F "delims=*" %i in ('dsquery * -filter
>
"(&(objectcategory=person)(objectclass=user)(memberof=))"
> ') @do dsmod group  -addmbr %i
> 
> (all at one line)
> 
> It could be that you have stumbled upon dsmod's limitation when it can
> not have more than one DN piped in as a parameter.
> 
> Guy
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > [EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
> > Sent: Thursday, June 23, 2005 11:48 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] using adfind/admod or dsquery/dsmod to copy
> members
> > in a group
> >
> > Hi,
> > Task - to copy members of an AD email distribution group to
> another
> > email distribution group
> >
> > I have looked at both adfind and dsquery and while I can output all
of
> > the properties of the source email distribution group (including
> > members), I can't see how to restrict the output just to members in
> > order to pipe them to another email distribution group.
> >
> > Any thoughts?
> >
> > TIA,
> > Mike Thommes


RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members in a group

2005-06-23 Thread Guy Teverovsky
Try 

for /F "delims=*" %i in ('dsquery * -filter
"(&(objectcategory=person)(objectclass=user)(memberof=))"
') @do dsmod group  -addmbr %i 

(all at one line)

It could be that you have stumbled upon dsmod's limitation when it can
not have more than one DN piped in as a parameter.

Guy

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
> Sent: Thursday, June 23, 2005 11:48 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] using adfind/admod or dsquery/dsmod to copy
members
> in a group
> 
> Hi,
> Task - to copy members of an AD email distribution group to
another
> email distribution group
> 
> I have looked at both adfind and dsquery and while I can output all of
> the properties of the source email distribution group (including
> members), I can't see how to restrict the output just to members in
> order to pipe them to another email distribution group.
> 
> Any thoughts?
> 
> TIA,
> Mike Thommes


RE: [ActiveDir] Migration between domains with same NetBios name

2005-06-16 Thread Guy Teverovsky
Guido,
 
How about:
1) rename the NetBIOS name of the target AD
2) perform the migration
3) rename the NetBIOS name of the AD back to the original
 
Because you are changing only the NetBIOS name and not the DNS name, the fixups at 
the AD side are rather minor...
 
Or are we talking about the target AD being already in production and/or W2K?
 
Guy



From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 6/16/2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migration between domains with same NetBios name


Here is a nice one - I've done quite a few migrations with all kinds of 
scenarios, so I hardly ask questions around this topic. 
 
But when migrating from one NT4 domain to an AD domain which both have the same 
NetBIOS name, various issues and potential conflicts come to mind and I wonder 
if others had to do this in the past, who could share their experience.
 
Think about an existing NT4 domain called CORP and another existing AD domain 
called CORP (with DNS=copr.company.com). And now you need to migrate all users 
and resources from the NT4 CORP to the AD CORP and place AD DCs into the same 
sites as the existing NT4 DCs... 
 
I can imagine various challenges, besides not being able to set up a trust and 
thus losing various options for doing a "normal" migration. At least I have no 
need to register the AD domain in WINS; all clients are XP, but I know for sure 
that I'm going to run into various other issues (the worst one being that the 
account activation and the resource migration have to happen instantaneously, 
since resource access won't be possible across the domains). But I'm also 
thinking of networking issues with an NT4 DC of the one and an AD DC of the 
other domain in the same IP subnet...
 
I wonder how others have tackled this challenge and what issues you ran into. 
 
/Guido

RE: [ActiveDir] LDAPS question

2005-05-21 Thread Guy Teverovsky

Hi Joseph,

The thing with the GUID is that DCs use the GUIDs to locate and identify each other; hence a cert without a GUID would break the replication, so it's quite natural that the cert was rejected by the DC (good to know that certs that can break things are rejected).

I too was trying to edit the inf file directly and was failing. Just skipped that and used certreq with arguments. Cool that you managed to figure out that part.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, May 20, 2005 2:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

I think I may have figured it out. I was able to repro this on my Microsoft CA. The certificate will not load unless you provide a valid host name and GUID in the SAN. In my case I also added my alias.

Guy,

I know you said to include the GUID so shame on me for not listening. It appears you also need to include the DC host name, even if the host name appears in the subject, which is in contrast to the Microsoft documentation which states that the host name can be in the subject OR the SAN.

I haven't tried this out with our external CA yet but I'm thinking it's going to work this time. Crossing my fingers.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Thursday, May 19, 2005 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

After a lot of time spent testing I finally figured out how to make this work with an external CA. The main issue is that the third party CA does not allow you to use the certreq.exe utility to submit the request. Instead I had to paste the CSR directly into their web form which meant that I needed to include all extensions in the .inf file the reqDCcert.vbs creates. I found out the hard way that you can't simply add these extensions to the .inf. The data has to be converted and encoded. In the end I had to modify reqDCcert.vbs in the following way:

aASNsubstring(0, ASCIIDATA) = sDNShostname
aASNsubstring(0, HEX_TYPE) = "82"
'
' Convert DNS name into Hex
'
For i = 1 to Len(aASNsubstring(0, ASCIIDATA))
    aASNsubstring(0, HEXDATA) = aASNsubstring(0, HEXDATA) & _
        Hex(Asc(Mid(aASNsubstring(0, ASCIIDATA), i, 1)))
Next
aASNsubstring(0, HEX_DATA_LENGTH) = ComputeASN1 (Len(aASNsubstring(0, HEXDATA)) / 2)
'
' Build the ASN.1 blob for DNS name
'
sASN = aASNsubstring(0, HEX_TYPE) & _
       aASNsubstring(0, HEX_DATA_LENGTH) & _
       aASNsubstring(0, HEXDATA)
'
'  This is the section I added.  I'm basically adding a second DNS name to the INF file.
'  I'm adding it here in the script instead of the .INF file because it needs to be converted.
'
aASNsubstring(1, ASCIIDATA) = "ldap.company.net"
aASNsubstring(1, HEX_TYPE) = "82"
For i = 1 to Len(aASNsubstring(1, ASCIIDATA))
    aASNsubstring(1, HEXDATA) = aASNsubstring(1, HEXDATA) & _
        Hex(Asc(Mid(aASNsubstring(1, ASCIIDATA), i, 1)))
Next
aASNsubstring(1, HEX_DATA_LENGTH) = ComputeASN1 (Len(aASNsubstring(1, HEXDATA)) / 2)

sASN = sASN & aASNsubstring(1, HEX_TYPE) & _
       aASNsubstring(1, HEX_DATA_LENGTH) & _
       aASNsubstring(1, HEXDATA)
'
' Append the GUID as other name
'
'if (sType = "E") then
'    aASNsubstring(2, HEXDATA) = sGUID
'    aASNsubstring(2, HEX_TYPE) = "A0"
'    aASNsubstring(2, HEX_DATA_LENGTH) = ComputeASN1 (Len(aASNsubstring(2, HEXDATA)) / 2)
'    sASN = sASN & _
'           "A01F06092B0601040182371901" & _
'           aASNsubstring(2, HEX_TYPE) & _
'           "120410" & _
'           aASNsubstring(2, HEXDATA)
'end if

I basically added another section that added a second DNS name. I also commented out the GUID because I did not need it. It may be possible to uncomment it.

Now run the reqDCcert.vbs to create the .inf file.

Then run:

 certreq -new servername.inf yourNewRequest.csr

Now you can paste the contents of yourNewRequest.csr directly into the third party request form.

Now for the bad news. After all of that it still doesn't work! :-) It added the SAN to my cert; however, I still can't use ldp.exe to connect using LDAPS when I use the alternate name. The alternate name shows up just as it did when I used the Microsoft CA; however, when I used the Microsoft CA LDAPS worked. Now it doesn't.

I'm going to keep at it. I'll let everyone know if I get it to work.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Tuesday, 

RE: [ActiveDir] [OnTopic] Active Directory Property Set Madness

2005-05-12 Thread Guy Teverovsky
The interesting thing is that the permissions of the newly created GP
Objects are inherited neither from the System\Policies container in
the default NC, nor from the Policies folder in the SYSVOL. The
permissions are taken from the defaultSecurityDescriptor of the
groupPolicyContainer object class.

My biggest issue with this group is that it's a global group which can
not contain accounts from other domains or forests (and it's also a
well-known security principal, so it can't be converted to local or
universal). In my case I ended up adding a DLG to the Policies folder
and container ACL and had to change the defaultSecurityDescriptor to
include another DLG with admin permissions over all the GPOs.

The bad part is that some vendors assume that when dealing with GPOs you
are either a member of GPCO or a Domain Admin.

Guy


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, May 12, 2005 3:40 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set
Madness
> 
> > Let's take, for example Group Policy Creator Owner.  How is this
built,
> > controlled and how does it manifest its control over GPOs?
> 
> Look at the ACL on your Policy Container and the Policies folder. You
> should
> see
> 
> On the Policy Container...
> 
> Allow x\Group Policy Creator Owners   SPECIAL ACCESS
>   CREATE CHILD
> 
> On the Policies folder
> 
> x\Group Policy Creator Owners:(special access:)
> READ_CONTROL
> SYNCHRONIZE
> FILE_GENERIC_READ
> FILE_GENERIC_WRITE
> FILE_GENERIC_EXECUTE
> FILE_READ_DATA
> FILE_WRITE_DATA
> FILE_APPEND_DATA
> FILE_READ_EA
> FILE_WRITE_EA
> FILE_EXECUTE
> FILE_READ_ATTRIBUTES
> FILE_WRITE_ATTRIBUTES
> 
> x\Group Policy Creator Owners:(OI)(CI)(IO)(special access:)
> GENERIC_READ
> GENERIC_WRITE
> GENERIC_EXECUTE
> 
> 
> Once someone creates the relevant AD Objects and file system objects,
they
> are the owner of the items so they have FC of them.
> 
>joe
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kingslan,
Rick T.
> Sent: Wednesday, May 11, 2005 5:27 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set
Madness
> 
> OK - now that this conversation is started, and the interest level is
sort
> of there...  What about the permissions and rights for the Built-in
and
> Default groups and users?
> 
> Let's take, for example Group Policy Creator Owner.  How is this
built,
> controlled and how does it manifest its control over GPOs?
> 
> -rtk
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > [EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
> > Sent: Wednesday, May 11, 2005 4:03 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set
> Madness
> >
> > Hey joe - what a post - took forever to read but it was quite
> > entertaining as I've been through similar thoughts myself.
> >
> > However, I didn't specifically ask for support from PSS.  When you
> asked
> > for the support for removing attributes from property sets, I doubt
> that
> > the PSS folks really understood you in the first place (specifically
> > since you had to explain what this means... ;-)
> >
> > I've found removal of attributes from permission property sets works
> > quite well - and the nice thing is it works instantaneously. Obviously
> > you can't take it too far and you might need to re-add some
attributes
> > to another property set and then grant specific rights for Exchange
or
> > other apps etc. - but at least now you have a chance to remove those
> > overly extensive rights more easily from authenticated users and the
> > SELF sec prin.  I fully agree that the defaults are less than ideal
-
> > but I'm sure glad you can change them in Win2K3...  And they
wouldn't
> be
> > editable if they weren't made to be edited...
> >
> > Sure, allowing an attribute in multiple pr.sets would be nice - but
I
> > also agree with Brett that this would cause plenty of other issues.
> > Instead I'm fine with breaking up the defaults and adjusting them as
I
> > require them.  The apps typically don't care HOW they get
> certain
> > permissions - they just care THAT they get them.
> >
> > What I think is even worse in the default AD security model (a
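
Guy's point above is that a new GPO's permissions come from the defaultSecurityDescriptor of the groupPolicyContainer class, so that SDDL string (and any DLG added to it, as he describes) is where to look when auditing who can create or reshape GPOs. The following is an added example, not code from this thread or from Microsoft: a small SDDL DACL parser in Python that reports which trustees hold create-child, write-property, write-DAC or write-owner rights and flags any trustee outside an expected set. The SDDL string and the S-1-5-21-... SID in it are constructed for the example and are not the real class default.

```python
# Added example, not code from the thread: reads the DACL of an SDDL string
# such as a class's defaultSecurityDescriptor and reports which trustees hold
# rights that let them create or reshape objects under it.
import re

TRUSTEES = {  # SDDL trustee abbreviations used in this example
    "DA": "Domain Admins", "EA": "Enterprise Admins", "SY": "SYSTEM",
    "CO": "Creator Owner", "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers", "PA": "Group Policy Creator Owners",
}
RIGHT_BITS = {  # ADS_RIGHT_* / standard / generic mask bit behind each two-letter code
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
# Rights that give control over GPOs: create children, write properties, change the ACL or owner
CONTROL_RIGHTS = {"CC", "WP", "WD", "WO", "GA", "GW"}

def parse_rights(field: str):
    """The rights field is either two-letter codes run together or a hex mask."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    codes = {field[i:i + 2] for i in range(0, len(field), 2)}
    unknown = codes - set(RIGHT_BITS)
    if unknown:
        raise ValueError("unknown right codes: %s" % sorted(unknown))
    return codes

def parse_dacl(sddl: str):
    """Return the DACL ACEs as dicts: type, flags, rights, object GUIDs, trustee."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, flags, rights, obj_guid, inh_guid, trustee = body.split(";")[:6]
        aces.append({"type": ace_type, "flags": flags, "rights": parse_rights(rights),
                     "object": obj_guid, "inherit": inh_guid, "trustee": trustee})
    return aces

def control_holders(sddl: str):
    """Trustees granted (not denied) any control right by plain allow ACEs."""
    holders = {}
    for ace in parse_dacl(sddl):
        if ace["type"] != "A":  # skip deny ACEs and object-specific (OA/OD) ACEs
            continue
        granted = ace["rights"] & CONTROL_RIGHTS
        if granted:
            holders.setdefault(ace["trustee"], set()).update(granted)
    return holders

def audit(sddl: str, expected):
    """Trustees holding control rights that are not in the expected set."""
    return sorted(t for t in control_holders(sddl) if t not in expected)

# Constructed sample (not the real groupPolicyContainer default): full control
# for the usual admin principals plus a domain local group added the way the
# thread describes; the S-1-5-21-... SID is made up.
SAMPLE_SDDL = (
    "D:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;CI;RPLCLORC;;;AU)"
    "(A;CI;RPLCLORC;;;ED)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-111-222-333-1105)"
)

if __name__ == "__main__":
    for trustee, rights in control_holders(SAMPLE_SDDL).items():
        print(TRUSTEES.get(trustee, trustee), sorted(rights))
    print("unexpected:", audit(SAMPLE_SDDL, {"DA", "EA", "SY", "CO"}))
```

Run against the real value of defaultSecurityDescriptor on the groupPolicyContainer schema object (and against the ACL of the Policies container itself), the audit shows every trustee that can create or take over GPOs, which is the set a vendor assuming "GPCO or Domain Admin" would miss.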

RE: [ActiveDir] LDAPS question

2005-05-10 Thread Guy Teverovsky

Have never tried that and do not have the environment handy to give it a shot, but as long as you meet the requirements for the DC's cert and the CSR contains the desired SANs, you should be fine. Just make sure that the DC's GUID, FQDN and the alias are in the SAN. Not sure if you will need to specify the template - have no idea if a 3rd party CA will reject the CSR or just ignore that part.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, May 11, 2005 2:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

Thanks Guy. That is a really helpful blog. After a little fuss I was able to get the cert to recognize and honor the Subject Alternative Name using your steps. Do you know if these same steps will work against a third party CA? In any case I plan on trying it out on a third party CA tomorrow. I'll let you know how it goes.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Monday, May 09, 2005 8:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

It turned out to be a bit more complicated than I thought…

I made some notes over here:

http://guy.netguru.co.il/archives/18-Issuing-certificates-to-DCs-with-additional-DNS-names.html

I have not yet verified that LDAPS works with aliases when querying, but the cert installs fine and in theory has all the requirements…

If you want to automate the process, you will probably want to tweak reqdccert.vbs to generate a valid "Subject" in the [NewRequest] section.

At least it should give you a direction.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, May 09, 2005 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

Thanks Guy,

I've spent about 12 hours trying to write a script that will include the Subject Alternative Name in the CSR. I found the ICEnroll COM interface on MSDN and am using it to generate my request. The request works fine; however, the Subject Alternative Name never seems to take when I request the cert.

Here's what I added to my script:

Call Request.addExtensionToRequest(True, "2.5.29.17", "ldap.company.net")

The call goes through without generating an error; however, it doesn't seem to take.

Has anyone out there successfully created a CSR using this extension?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, May 06, 2005 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

You will need to issue new certificates to the DCs with the ldap.company.net in the Subject Alternative Name section. The certificate requirements for DCs are specified in the following KB:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291010

Though it is about 3rd party CAs, the requirements still apply even if you are using MS CA. The key point is that the certificate cannot be issued to an alias (ldap.company.com) in the Subject field - the alias should be part of the Alternative Name together with the DC's GUID.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Saturday, May 07, 2005 1:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS question

We currently provide LDAPS to our customers. Right now the certificates that we load on our DC use the DC name and the clients connect using that name. We'd like to set up a DNS alias like: ldap.company.net. I tried generating a cert named ldap.company.net and loaded it on a DC; however, the clients were unable to connect.

Does anyone know if MS has a restriction that will not allow a cert to be loaded for LDAPS if the name on the cert is not the same as the DC?

Thanks

RE: [ActiveDir] LDAPS question

2005-05-09 Thread Guy Teverovsky

It turned out to be a bit more complicated than I thought…

I made some notes over here:

http://guy.netguru.co.il/archives/18-Issuing-certificates-to-DCs-with-additional-DNS-names.html

I have not yet verified that LDAPS works with aliases when querying, but the cert installs fine and in theory has all the requirements…

If you want to automate the process, you will probably want to tweak reqdccert.vbs to generate a valid "Subject" in the [NewRequest] section.

At least it should give you a direction.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, May 09, 2005 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

Thanks Guy,

I've spent about 12 hours trying to write a script that will include the Subject Alternative Name in the CSR. I found the ICEnroll COM interface on MSDN and am using it to generate my request. The request works fine; however, the Subject Alternative Name never seems to take when I request the cert.

Here's what I added to my script:

Call Request.addExtensionToRequest(True, "2.5.29.17", "ldap.company.net")

The call goes through without generating an error; however, it doesn't seem to take.

Has anyone out there successfully created a CSR using this extension?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, May 06, 2005 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS question

You will need to issue new certificates to the DCs with the ldap.company.net in the Subject Alternative Name section. The certificate requirements for DCs are specified in the following KB:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291010

Though it is about 3rd party CAs, the requirements still apply even if you are using MS CA. The key point is that the certificate cannot be issued to an alias (ldap.company.com) in the Subject field - the alias should be part of the Alternative Name together with the DC's GUID.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Saturday, May 07, 2005 1:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS question

We currently provide LDAPS to our customers. Right now the certificates that we load on our DC use the DC name and the clients connect using that name. We'd like to set up a DNS alias like: ldap.company.net. I tried generating a cert named ldap.company.net and loaded it on a DC; however, the clients were unable to connect.

Does anyone know if MS has a restriction that will not allow a cert to be loaded for LDAPS if the name on the cert is not the same as the DC?

Thanks

RE: [ActiveDir] LDAPS question

2005-05-06 Thread Guy Teverovsky

You will need to issue new certificates to the DCs with the ldap.company.net in the Subject Alternative Name section. The certificate requirements for DCs are specified in the following KB:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291010

Though it is about 3rd party CAs, the requirements still apply even if you are using MS CA. The key point is that the certificate cannot be issued to an alias (ldap.company.com) in the Subject field - the alias should be part of the Alternative Name together with the DC's GUID.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Saturday, May 07, 2005 1:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS question

We currently provide LDAPS to our customers. Right now the certificates that we load on our DC use the DC name and the clients connect using that name. We'd like to set up a DNS alias like: ldap.company.net. I tried generating a cert named ldap.company.net and loaded it on a DC; however, the clients were unable to connect.

Does anyone know if MS has a restriction that will not allow a cert to be loaded for LDAPS if the name on the cert is not the same as the DC?

Thanks
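
The requirement Guy states in this thread (the DC's DNS name and its GUID must be in the Subject Alternative Name, with an alias added next to them) and the hex-string assembly in the reqDCcert.vbs modification Joseph posted in the 2005-05-19 message both come down to building one DER structure: a SubjectAltName SEQUENCE of dNSName entries plus an otherName carrying the DC GUID under OID 1.3.6.1.4.1.311.25.1. The following is an added example, not code from the thread or from reqDCcert.vbs, that builds that value in Python and parses it back to check both requirements. It assumes the GUID is supplied as the 16 raw bytes of the DC's objectGUID attribute; all sample values are constructed.

```python
# Added example (not code from the thread or from reqDCcert.vbs): build the
# DER-encoded subjectAltName value a domain controller certificate needs and
# check it for the two things the thread found mandatory: the DC's own DNS
# name and the DC GUID otherName. Assumption: the GUID is passed as the raw
# 16 bytes of the DC's objectGUID attribute.

# Microsoft's DC GUID otherName type-id, OID 1.3.6.1.4.1.311.25.1, as DER body
NTDS_GUID_OID = bytes.fromhex("2B0601040182371901")

def der_len(n: int) -> bytes:
    """DER length octets: one byte below 128, otherwise 0x80|count then the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(value)) + value

def dns_name(name: str) -> bytes:
    """GeneralName dNSName: context tag [2] IMPLICIT IA5String, i.e. tag byte 0x82."""
    return tlv(0x82, name.encode("ascii"))

def dc_guid_other_name(guid: bytes) -> bytes:
    """GeneralName otherName [0]: { type-id OID, value [0] EXPLICIT OCTET STRING(16) }."""
    if len(guid) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    inner = tlv(0x06, NTDS_GUID_OID) + tlv(0xA0, tlv(0x04, guid))
    return tlv(0xA0, inner)

def build_san(fqdn: str, aliases, guid: bytes) -> bytes:
    """SubjectAltName ::= SEQUENCE OF GeneralName; DNS names first, GUID last."""
    names = [dns_name(fqdn)] + [dns_name(a) for a in aliases] + [dc_guid_other_name(guid)]
    return tlv(0x30, b"".join(names))

def _read_tlv(buf: bytes, pos: int):
    """Decode one element at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_san(der: bytes):
    """Return (list of dNSName strings, DC GUID bytes or None) from a SAN value."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a SubjectAltName SEQUENCE")
    dns, guid, pos = [], None, 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        if tag == 0x82:
            dns.append(value.decode("ascii"))
        elif tag == 0xA0:  # otherName: accept only the NTDS GUID type-id
            oid_tag, oid, after_oid = _read_tlv(value, 0)
            val_tag, explicit, _ = _read_tlv(value, after_oid)
            if oid_tag == 0x06 and oid == NTDS_GUID_OID and val_tag == 0xA0:
                oct_tag, octets, _ = _read_tlv(explicit, 0)
                if oct_tag == 0x04 and len(octets) == 16:
                    guid = octets
    return dns, guid

def meets_dc_requirements(der: bytes, fqdn: str) -> bool:
    """The check the DC applied in the thread: its own DNS name and its GUID must both be present."""
    dns, guid = parse_san(der)
    return guid is not None and fqdn.lower() in (d.lower() for d in dns)

if __name__ == "__main__":
    # Constructed sample values, not a real DC
    guid = bytes.fromhex("00112233445566778899aabbccddeeff")
    san = build_san("dc1.company.net", ["ldap.company.net"], guid)
    print(san.hex().upper())
    print(parse_san(san), meets_dc_requirements(san, "dc1.company.net"))
```

The bytes `dc_guid_other_name` emits start with the same A01F06092B0601040182371901A0120410 prefix that the VBScript hard-codes, and `dns_name("ldap.company.net")` is the 82 10 ... string it builds character by character; the parser side is what to run over a CSR or issued cert when LDAPS with the alias fails, to confirm that the FQDN and the GUID actually made it into the extension rather than just the alias.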











RE: [ActiveDir] userenv bug in w2k3?

2005-02-16 Thread Guy Teverovsky

I just wonder whether W2K3 gets confused and tries to treat
authenticating against MIT Kerberos realm as fully bloated cross-forest
logon.

Do you have loopback enabled in this GPO ?

W2K3 and W2K behave a bit differently when doing cross-forest logons.
W2K by default does not process the user policies, roaming profiles and
logon scripts from the user account domain when authenticating over
cross forest trust (but does not default to loopback). W2K3 (by default)
disables the cross-forest GPO processing and defaults to loopback.
Now if you explicitly disable the loopback, W2K still fails to process
the logon scripts (I believe there is an open bug regarding this one).

I'd suggest you explicitly set "Allow cross-forest User Policies and
Roaming Profiles" in the computer part of the GPO to "Disabled" and also
check whether disabling/enabling loopback changes things.

Well... Just my 2 mumbling cents.

Guy 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Robbie Foust
> Sent: Wednesday, February 16, 2005 8:46 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] userenv bug in w2k3?
> 
> Hi,
> 
> I have a w2k3 machine (terminal server) that works fine when a user
logs
> in to the domain.  But, if a user authenticates to a MIT kerberos
realm
> (with a name mapping defined in AD) then the server logs an event id
> 1054 (Userenv).  The description is:
> 
> "Windows cannot obtain the domain controller name for your computer
> network. (The specified domain either does not exist or could not be
> contacted. ). Group Policy processing aborted."
> 
> To make a long story shorter, I enabled debug logging for userenv and
> confirmed that it is looking in the wrong domain for the DC's when
> looking up group policy for the user.  It's looking in the
authenticating
> realm (the MIT kerberos realm) and not the AD domain.  The server
> configuration *is* correct.  In other words, the domain suffix is the
AD
> domain name.  (confirmed by ipconfig /all and netdiag).  This server
is
> using the same GP as another working (2000) server.  I compared TGT's
> and they look the same, so I'm not sure where else to look.
> Suggestions? :-)
> 
> Thanks!
> 
> --
> Robbie Foust, IT Analyst
> OIT/CASI - Administrative Information Support
> Duke University
> 
> 


RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

2005-01-30 Thread Guy Teverovsky
Why a second forest? We are R&D, have to be special and love to push the 
technology to its limits ;)

Now seriously... Being R&D, we have some requirements that cannot be 
provisioned using the corporate forest, both from the point of procedures and 
flexibility. While we do use user accounts from the corporate forest, we need 
to have control over the hosts and have an environment flexible enough to host 
projects that require a level of control that the corporate forest cannot provide 
us. The result is that we have our own forest for hosts and project related 
accounts.

As for Kerberos, this is rather an issue, as we need to provide simultaneous 
access to users from different Kerberos realms, meaning that switching the host's 
realm is not an option. As for 3rd party apps - those currently are not an 
option (sigh), so I came up with the idea of collapsing/synching relevant user 
accounts (those R&D folks) from multiple domains to a single LDAP partition the 
hosts will be pointed to.

The intention is to use LDAPS for authentication. As I see it, this is much 
easier to provision: you do not need to join hosts to Kerberos realms and the 
end user can have his boxes easily configured by following short 
instructions. The authentication chain is basically:

[*nix host] <= (LDAPS) => [OpenLDAP] <= (Kerberos) => [DC in one of the user 
account domains]

In any case, I would be glad to hear what guys on this list think about this 
kind of setup.

Thanks,

Guy




From: [EMAIL PROTECTED] on behalf of joe
Sent: Sat 1/29/2005 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?


I am trying to understand why you have a second forest for resources at all? Is 
it strictly to hold the non-MS kerberos princs?
 
I understand the issue with the multiple realms with the current UNIX kerb 
implementations. They don't seem to be in a hurry to correct that shortcoming 
either from the talks I have heard about. One of the companies I admin'ed for 
previously had that issue for about 5000 UNIX hosts. It got to the point that 
they had a system set up where they scripted the process so they could quickly 
move UNIX machines to point from one realm to another in the event it was 
needed which wasn't terribly often. However, it took admin interaction. In the 
backend they had a little perl daemon they wrote on the machines that would get 
the keytab files as needed and manage that whole process. It would use sockets 
to communicate to a member server (one server in the whole forest was fine, but 
two offered failover) which it would call out to get the keytabs generated. 
They were thinking at one point about setting up a custom PAM to handle it so 
you could specify what domain/realm to auth the user in which would switch 
which sys files were used but the concern was writing the custom code for that 
as it would have had to work on Solaris, HPUX, DEC, various Linux blends, IRIX, 
and probably eventually mainframes, etc. Anything not smart enough to handle an 
Enterprise Kerberos implementation [1].  
 
You might consider looking at the Centrify and Vintela solutions. They will get 
you far more than just auth. I know Centrify will handle multi-realm. 
 
  joe
 
 
[1] Let's face it, a single kerberos realm is small or medium centralized 
business or university class, it isn't enterprise class.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Saturday, January 29, 2005 2:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?



Hi Eric,

 

Guess what google has come up with  ?

http://blogs.msdn.com/efleis/archive/2004/10/06/238850.aspx  :-) 

 

Second paragraph from the bottom is exactly my scenario, so looks like I'm 
stuck with another directory.

Will probably end up with OpenLDAP to make our Unix geeks happy, if this can 
not be done using the existing environment.

 

Btw, it's quite interesting how OpenLDAP handles the simple bind 
authentication: the userPassword value contains the mechanism used to 
authenticate the account.

For example:

 

Dn: uid=guy,ou=test,dc=company,dc=com

...

userPassword: [EMAIL PROTECTED]

 

Or this could be:

userPassword: {crypt}ijFYNcSNctBYg 

 

The part in the parenthesis can be CRYPT, MD5, KERBEROS, SASL, etc... 

 

Thanks a bunch !

Guy

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, January 29, 2005 2:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

 

We actually do have this in AD, sorta. :)

The point of bind redirection is allowing a simple bind to work in such a 
manner. If you're open to other sorts of binds, this

RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

2005-01-28 Thread Guy Teverovsky

Hi Eric,

Guess what google has come up with ?

http://blogs.msdn.com/efleis/archive/2004/10/06/238850.aspx :-)

Second paragraph from the bottom is exactly my scenario, so looks like I'm 
stuck with another directory.

Will probably end up with OpenLDAP to make our Unix geeks happy, if this can 
not be done using the existing environment.

Btw, it's quite interesting how OpenLDAP handles the simple bind 
authentication: the userPassword value contains the mechanism used to 
authenticate the account.

For example:

Dn: uid=guy,ou=test,dc=company,dc=com
...
userPassword: [EMAIL PROTECTED]

Or this could be:

userPassword: {crypt}ijFYNcSNctBYg

The part in the parenthesis can be CRYPT, MD5, KERBEROS, SASL, etc...

Thanks a bunch !

Guy



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, January 29, 2005 2:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

We actually do have this in AD, sorta. :)

The point of bind redirection is allowing a simple bind to work in such a 
manner. If you're open to other sorts of binds, this works in ADAM w/o this 
mechanism. In AD, the same logic applies.....use a secure bind, and this will 
work just fine.

The mechanism as it exists in ADAM, though, does not exist in AD. Sorry.

~Eric



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, January 28, 2005 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

Hello all,

In ADAM there is a nice feature, called "bind redirects", which is implemented 
using ms-DS-Bind-Proxy auxiliary class.

Now it appears that in AD there is no alternative for something like this.

What I would like to do is, given 2 AD forests (resource forest where hosts 
reside and account forest where the user accounts are):

- have the resource forest's schema extended to utilize posixAccount (I need 
those uidNumber, gidNumber...)
- configure Linux/Unix clients to use LDAP authentication against resource 
forest (can't use Kerberos as the account forest is multi-domain and *nix can 
point to only one Kerberos realm)
- create proxy accounts in resource AD
- have the resource AD proxy the authentication request to the user's real 
accounts in account forest:

[EMAIL PROTECTED] => [EMAIL PROTECTED]
[EMAIL PROTECTED] => [EMAIL PROTECTED]

I have this setup currently successfully working by using OpenLDAP instead of 
resource AD, but I would really like to avoid deploying another directory.

Your thoughts ?

Thanks,
Guy
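How the scheme prefix in userPassword selects the verification mechanism, as an added example (my own illustration, not OpenLDAP code and not from the post): {SSHA}/{SHA}/{MD5} values are checked locally, a {SASL} or {KERBEROS} value holds only a principal that is handed to the external authenticator (the Kerberos leg of the chain Guy describes), and {CRYPT} is reported as unsupported because crypt(3) is not implemented here. The sample entries, the principal guy@EXAMPLE.COM and the fixed salt are constructed.

```python
"""Scheme-prefixed userPassword verification, modelled on the {SCHEME}value
convention OpenLDAP uses for simple binds.  Added example; sample data is
constructed and the helpers are assumptions, not OpenLDAP's own code."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

LOCAL_OK, LOCAL_FAIL, DELEGATE, UNSUPPORTED = "ok", "fail", "delegate", "unsupported"
LOCAL_SCHEMES = {"SSHA", "SHA", "MD5"}          # hash held in the directory itself
PASSTHROUGH_SCHEMES = {"SASL", "KERBEROS"}      # directory holds no secret, only a principal


def split_scheme(stored: str) -> Tuple[Optional[str], str]:
    """Return (SCHEME, value) for '{scheme}value'; a bare value has no scheme."""
    if stored.startswith("{") and "}" in stored:
        close = stored.index("}")
        return stored[1:close].upper(), stored[close + 1:]
    return None, stored  # cleartext userPassword: permitted by the format, a bad idea


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored: str, password: str) -> Tuple[str, Optional[str]]:
    """Decide how a simple-bind password is verified against one userPassword value.

    Returns (outcome, detail).  DELEGATE carries the principal the caller must
    verify through saslauthd / a KDC; UNSUPPORTED carries the scheme name.
    """
    scheme, value = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme in PASSTHROUGH_SCHEMES:
        return DELEGATE, value                      # e.g. user@REALM, never compared here
    if scheme is None:
        ok = hmac.compare_digest(value.encode("utf-8"), pw)
        return (LOCAL_OK if ok else LOCAL_FAIL), None
    if scheme not in LOCAL_SCHEMES:                 # {CRYPT} and anything else we cannot do
        return UNSUPPORTED, scheme
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return UNSUPPORTED, "malformed base64"
    if scheme == "SSHA":                            # 20-byte SHA-1 digest, then the salt
        digest, salt = raw[:20], raw[20:]
        calc = hashlib.sha1(pw + salt).digest()
    elif scheme == "SHA":
        digest, calc = raw, hashlib.sha1(pw).digest()
    else:                                           # MD5: base64 of the raw digest
        digest, calc = raw, hashlib.md5(pw).digest()
    ok = hmac.compare_digest(digest, calc)          # constant-time compare
    return (LOCAL_OK if ok else LOCAL_FAIL), None


# Constructed entries: a Kerberos pass-through user, a locally hashed service
# account, and the {crypt} value quoted in the post.
SAMPLE_ENTRIES = {
    "uid=guy,ou=test,dc=company,dc=com": "{SASL}guy@EXAMPLE.COM",
    "uid=svc,ou=test,dc=company,dc=com": make_ssha(b"s3cret", salt=b"\x01\x02\x03\x04"),
    "uid=old,ou=test,dc=company,dc=com": "{crypt}ijFYNcSNctBYg",
}

if __name__ == "__main__":
    for dn, stored in SAMPLE_ENTRIES.items():
        print(dn, "->", check_password(stored, "s3cret"))
```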










[ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

2005-01-28 Thread Guy Teverovsky

Hello all,

In ADAM there is a nice feature, called "bind redirects", which is implemented 
using ms-DS-Bind-Proxy auxiliary class.

Now it appears that in AD there is no alternative for something like this.

What I would like to do is, given 2 AD forests (resource forest where hosts 
reside and account forest where the user accounts are):

- have the resource forest's schema extended to utilize posixAccount (I need 
those uidNumber, gidNumber...)
- configure Linux/Unix clients to use LDAP authentication against resource 
forest (can't use Kerberos as the account forest is multi-domain and *nix can 
point to only one Kerberos realm)
- create proxy accounts in resource AD
- have the resource AD proxy the authentication request to the user's real 
accounts in account forest:

[EMAIL PROTECTED] => [EMAIL PROTECTED]
[EMAIL PROTECTED] => [EMAIL PROTECTED]

I have this setup currently successfully working by using OpenLDAP instead of 
resource AD, but I would really like to avoid deploying another directory.

Your thoughts ?

Thanks,

Guy


RE: [ActiveDir] Issues with Win 2k3 Inplace Upgrade - Registry Security

2004-11-08 Thread Guy Teverovsky

What we did in our environment was:

- disabled the links of DDP/DDCP to domain object and Domain Controllers OU
- removed "Group Policy Creator Owners" from the ACL of 
"CN=Policies,CN=System,DC=domain,DC=com" and added our own group with 
permissions to create objects in the container.
- changed the defaultSecurityDescriptor attribute of Group-Policy-Container 
object, trimmed the Domain Admins to read-only and introduced a new security 
group with full permissions over newly created GPOs (SDDL is an ugly thing to 
work with, so if you are interested in quick and dirty SDDL parser I wrote, 
grab it from here: http://www.petri.co.il/forums/download.php?id=43 ). This 
way the GPOs are created with ACL which does not allow default groups to 
change it (see http://www.jsiinc.com/SUBL/tip5500/rh5528.htm for details)
- created new GPOs to replace DDP/DDCP (those were created with the adjusted 
ACL)

Guy



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Willem Kasdorp
Sent: Monday, November 08, 2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Issues with Win 2k3 Inplace Upgrade - Registry Security

I have had similar issues before at customer sites with apps modifying the DDP 
and DDCP, although none this bad. ADMT is a notorious offender. I am seriously 
tempted to fix it in the following way:

- create a new DDP/DDCP (new name of course) with highest prio. Edit any 
additional settings in the new policies.
- Remove write for Domain Admins on the DDP/DDCP, and instead create an 
additional group for write permissions. This group is empty by default.

This story might just trigger me to do it...

--
Regards, Willem



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, November 08, 2004 2:57 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Issues with Win 2k3 Inplace Upgrade - Registry Security

Hello folks,

I've just had a very curious issue at a customer, which took us a while to 
figure out. You should all be aware of this as it could hurt you as well. After 
testing everything successfully in the lab (and ADPREPing the production forest 
+ domains), we've inplace-upgraded the first production DC from Win2000 to 
Win2003 and it failed with errors such as a crashing LSASS and a DHCP service, 
which couldn't start due to access violation etc.

It turns out that this was caused due to a lengthy list of policy settings on 
the Def Domain and Def DC Policy, which configured Security (ACL) over one 
hundred registry keys and File System folders and files.

The resulting permissions were ok for Windows 2000, but incompatible with 
Windows Server 2003 - e.g. the DHCP Client Service and the TCPIP Service 
require specific permissions on their respective registry keys for the DHCP 
service to start via the new Network Service account. I see others in this 
list have also had issues with the DHCP service, which may be related to the 
same thing.

Although we now fixed the issue by cleaning the policies and un-promoting the 
DC and reinstalling it from scratch (since the 2003 OS's default permissions 
were effectively overwritten due to the policy), I am looking for clues on how 
these weird settings were introduced to the Def Dom and the Def DC policy in 
the first place?

The settings were definitely not added manually "by accident" - more likely by 
some whacky setup routine. Does anybody have any ideas or experience with 
respect to services/apps which could have changed the domain policies in this 
way?

Thanks for any feedback,

Guido
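An added example of the defaultSecurityDescriptor change Guy describes (my own code, not Guy's SDDL parser and not from the thread): it reads the DACL of a Group-Policy-Container descriptor, reports which trustees could modify a newly created GPO, and rebuilds it with Domain Admins trimmed to read-only and a delegated group given full control. The sample descriptor is constructed to resemble the stock one, and the delegated group's SID is a placeholder.

```python
"""Audit and rewrite the DACL of a defaultSecurityDescriptor written in SDDL.
Added example; the sample descriptor and the delegated SID are constructed."""
import re
from typing import Dict, List, Sequence

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:([^(]*)((?:\([^)]*\))*)")     # 'D:' + flags + run of (...) ACEs
ACE_KEYS = ("type", "flags", "rights", "object", "inherit_object", "sid")
FULL = "RPWPCCDCLCLORCWOWDSDDTSW"                      # full control over a directory object
READ_ONLY = "LCRPLORC"                                 # list children, read property, list object, read control
# Two-letter rights that let a trustee change the object, its children or its ACL.
WRITE_RIGHTS = {"WP", "CC", "DC", "WD", "WO", "SD", "DT", "SW", "CR", "GA", "GW"}

# Constructed: what a Group-Policy-Container default descriptor typically looks like
# (Domain Admins, Enterprise Admins and SYSTEM full control, Authenticated Users read).
SAMPLE_GPC_SD = ("D:P(A;CI;" + FULL + ";;;DA)(A;CI;" + FULL + ";;;EA)"
                 "(A;CI;" + FULL + ";;;SY)(A;CI;LCRPLORC;;;AU)")
DELEGATED_GROUP_SID = "S-1-5-21-0-0-0-1234"            # placeholder, not a real group


def parse_dacl(sddl: str) -> List[Dict[str, str]]:
    """Return the ACEs of the D: section as dicts keyed by ACE_KEYS."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL (D:) section in descriptor")
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")
        if len(fields) != len(ACE_KEYS):               # conditional ACEs have more; not handled
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(dict(zip(ACE_KEYS, fields)))
    return aces


def rights_tokens(rights: str) -> List[str]:
    """Split 'RPWPCC' into ['RP', 'WP', 'CC']; a hex mask is returned whole."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def grants_write(ace: Dict[str, str]) -> bool:
    """True for an allow ACE that carries any modifying right (hex masks count as write)."""
    if ace["type"] != "A":
        return False
    tokens = rights_tokens(ace["rights"])
    if tokens and tokens[0].startswith("0x"):
        return True                                    # conservative: unknown mask may allow writes
    return bool(WRITE_RIGHTS & set(tokens))


def trustees_with_write(sddl: str) -> List[str]:
    """SIDs or SDDL aliases (DA, EA, SY, ...) that can modify an object created with this descriptor."""
    return [ace["sid"] for ace in parse_dacl(sddl) if grants_write(ace)]


def format_ace(ace: Dict[str, str]) -> str:
    return "(" + ";".join(ace[k] for k in ACE_KEYS) + ")"


def harden(sddl: str, delegated_sid: str, demote: Sequence[str] = ("DA",)) -> str:
    """Rewrite the DACL: trustees in `demote` become read-only, `delegated_sid` gets full control.

    Text outside the D: section (owner, group, SACL) is passed through untouched.
    """
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL (D:) section in descriptor")
    aces = []
    for ace in parse_dacl(sddl):
        if ace["type"] == "A" and ace["sid"] in demote:
            ace = dict(ace, rights=READ_ONLY)
        aces.append(format_ace(ace))
    aces.append(format_ace(dict(zip(ACE_KEYS, ("A", "CI", FULL, "", "", delegated_sid)))))
    return sddl[:m.start()] + "D:" + m.group(1) + "".join(aces) + sddl[m.end():]


if __name__ == "__main__":
    print("can modify new GPOs:", trustees_with_write(SAMPLE_GPC_SD))
    hardened = harden(SAMPLE_GPC_SD, DELEGATED_GROUP_SID)
    print("after hardening:", trustees_with_write(hardened))
    print(hardened)
```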





 










RE: [ActiveDir] RESOLVED: A weird one (or Joeware vs. MS)

2004-11-03 Thread Guy Teverovsky
If anyone here is interested, I have been able to nail the issue.
After deeper investigation, I found that moving the W2K3 servers into client's OU 
(different GPOs that force the client to "Send NTLMv2 response only") resolved the 
issue. 
The problem was caused by domain member servers of forestA.com not being able to 
negotiate NTLM dialect with forestA.com DCs.
forestA.com DCs are configured to "Send NTLMv2 response only". Windows servers (if not 
explicitly configured) default to "Send LM&NTLM responses" (see 
http://www.microsoft.com/resources/documentation/windowsserv/2003/standard/proddocs/en-us/576.asp 
for details)
forestB.com DCs are using less strict Domain Controllers GPO, hence servers in 
forestA.com were able to negotiate NTLM dialect with forestB.com DCs, but not with 
forestA.com DCs.
The interesting part is that apparently Task Scheduler is not capable of doing 
Kerberos and tries only NTLM (and I was trying to chase Kerberos) 
 
So for the sake of others: if you configure your DCs to "Send NTLMv2 only", the 
default settings of W2K3 member servers will prevent them from talking to DCs using 
NTLM. Forcing the clients to "Send NTLMv2" will make the problem disappear.
 
Guy

________

From: [EMAIL PROTECTED] on behalf of Guy Teverovsky
Sent: Thu 10/28/2004 5:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A weird one (or Joeware vs. MS)



Hi Eric,

All W2K3. And yes, as I wanted to eliminate any other issues, I was
using forestA's domain accounts, which are members of local
Administrators group (and the member servers GPO regarding user rights
is at defaults). I even tried forestA's Administrator account.

2 W2K3 forests. Both at W2K3 FFL with all domains at W2K3 Native mode.
forestB.com has 3 child domains ([EMAIL PROTECTED] can schedule
the job on host.forestA.com)
forestA.com is a single domain (this is where the W2K3 hosts are)

forestA.com trusts forestB.com

The problem is observed only on W2K3 member servers.

The following works against W2K member server or XP (with the same
RSoP), but fails against W2K3 (Standard and Enterprise):
C:\>schtasks /Create /RU ForestA\administrator /RP "password" /SC
Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X

X.X.X.X is a host in ForestA.com.

Tell me if you need more info (DC's RSoP, member servers RSoP ?).

Thanks a lot !

Guy


On Wed, 2004-10-27 at 19:22 -0700, Eric Fleischman wrote:
> Silly question perhaps: does the acct in question have log on as a batch
> job (and any other rights required, perhaps log on locally?) that it
> needs for the job to run?
>
> I can set this up in my lab tomorrow to see if it works/fails and take a
> peek, just let me know what OSs are involved (all 2003, since it is a
> forest trust I think you said below?).
>
> ~Eric
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Wednesday, October 27, 2004 6:50 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A weird one (or Joeware vs. MS)
>
> Already tried most of what you mentioned. Same error when using forestA
> account on the console of host.forestA.com box.
>
> Scheduling remotely - same error. Nothing in event log and the sniffer
> does not even show Kerb traffic (I'll do more tests tomorrow, but
> meanwhile I was not successful at catching any authentication traffic
> between the host and DCs from either forest, but it could be the
> hour...).
> It looks like the API just fails and says: "Hey! I am not aware of the
> account domain you are trying to make me look at !"
> (tried ForestA\user, upn and kerb principal - same result)
> Tried both by IP and by hostname. The error I get:
>
> C:\>schtasks /Create /RU ForestA\administrator /RP "password" /SC
> Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X
>
> WARNING: The task name "test1" already exists. Do you want to replace it
> (Y/N)?y
> WARNING: The scheduled task "test1" has been created, but may not run
> because the account information could not be set.
>
> Clocks are synced and alright across the forests. The event logs are
> perfectly clean. Actually this is the only issue I have with the server
> (and it's ALL W2K3 member servers in the forestA that show this
> behavior). The strange thing that I have found right now is that the
> forestA DCs are immune to this weirdness (forestA accounts can be used
> to schedule jobs on forestA DCs).
>
> Guy
> 
>
> On Wed, 2004-10-27 at 16:29 -0400, joe wrote:
> > I have to say that seems to be a weird one... But I 

RE: [ActiveDir] A weird one (or Joeware vs. MS)

2004-10-27 Thread Guy Teverovsky
Hi Eric,

All W2K3. And yes, as I wanted to eliminate any other issues, I was
using forestA's domain accounts, which are members of local
Administrators group (and the member servers GPO regarding user rights
is at defaults). I even tried forestA's Administrator account. 

2 W2K3 forests. Both at W2K3 FFL with all domains at W2K3 Native mode.
forestB.com has 3 child domains ([EMAIL PROTECTED] can schedule
the job on host.forestA.com)
forestA.com is a single domain (this is where the W2K3 hosts are)

forestA.com trusts forestB.com 

The problem is observed only on W2K3 member servers.

The following works against W2K member server or XP (with the same
RSoP), but fails against W2K3 (Standard and Enterprise):
C:\>schtasks /Create /RU ForestA\administrator /RP "password" /SC
Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X

X.X.X.X is a host in ForestA.com.

Tell me if you need more info (DC's RSoP, member servers RSoP ?).

Thanks a lot !

Guy


On Wed, 2004-10-27 at 19:22 -0700, Eric Fleischman wrote:
> Silly question perhaps: does the acct in question have log on as a batch
> job (and any other rights required, perhaps log on locally?) that it
> needs for the job to run?
> 
> I can set this up in my lab tomorrow to see if it works/fails and take a
> peek, just let me know what OSs are involved (all 2003, since it is a
> forest trust I think you said below?).
> 
> ~Eric
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Wednesday, October 27, 2004 6:50 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A weird one (or Joeware vs. MS)
> 
> Already tried most of what you mentioned. Same error when using forestA
> account on the console of host.forestA.com box.
> 
> Scheduling remotely - same error. Nothing in event log and the sniffer
> does not even show Kerb traffic (I'll do more tests tomorrow, but
> meanwhile I was not successful at catching any authentication traffic
> between the host and DCs from either forest, but it could be the
> hour...).
> It looks like the API just fails and says: "Hey! I am not aware of the
> account domain you are trying to make me look at !" 
> (tried ForestA\user, upn and kerb principal - same result)
> Tried both by IP and by hostname. The error I get:
> 
> C:\>schtasks /Create /RU ForestA\administrator /RP "password" /SC
> Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X
> 
> WARNING: The task name "test1" already exists. Do you want to replace it
> (Y/N)?y
> WARNING: The scheduled task "test1" has been created, but may not run
> because the account information could not be set.
> 
> Clocks are synced and alright across the forests. The event logs are
> perfectly clean. Actually this is the only issue I have with the server
> (and it's ALL W2K3 member servers in the forestA that show this
> behavior). The strange thing that I have found right now is that the
> forestA DCs are immune to this weirdness (forestA accounts can be used
> to schedule jobs on forestA DCs).
> 
> Guy
>  
> 
> On Wed, 2004-10-27 at 16:29 -0400, joe wrote:
> > I have to say that seems to be a weird one... But I am glad that cpau helps
> > it work for you. :o)
> > 
> > Are you doing this remotely? What happens if you sit down on
> > host.forestA.com with a forestA userid and try to schedule the task? Also
> > can you try to schedule it remotely with just the IP address? If that works,
> > the issue is probably somewhere in kerberos and I would start looking for
> > ker errors and verify SPN's are properly registered and time between the
> > machines is correct, etc.
> > 
> >   joe
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> > Sent: Wednesday, October 27, 2004 3:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] A weird one (or Joeware vs. MS)
> > 
> > Here is a weird one:
> > 2 forests with one way forest trusts:
> > forestA.com trusts forestB.com
> > 
> > I try to schedule a task on host.forestA.com with account FORESTA\user
> > (tried everything up to member of Enterprise Admins, Domain Admins,
> > BUILTIN\Administrators) and I get "0x80070005 Access Denied" error - bad
> > credentials, when submitting the task (tried both GUI and schtasks.exe) The
> > same task can be scheduled using CHILD_OF_FORESTB\user account (notice that
> > the host is in forestA and forestB accounts are OK, but its own

RE: [ActiveDir] A weird one (or Joeware vs. MS)

2004-10-27 Thread Guy Teverovsky
Already tried most of what you mentioned. Same error when using forestA
account on the console of host.forestA.com box.

Scheduling remotely - same error. Nothing in event log and the sniffer
does not even show Kerb traffic (I'll do more tests tomorrow, but
meanwhile I was not successful at catching any authentication traffic
between the host and DCs from either forest, but it could be the
hour...).
It looks like the API just fails and says: "Hey! I am not aware of the
account domain you are trying to make me look at !" 
(tried ForestA\user, upn and kerb principal - same result)
Tried both by IP and by hostname. The error I get:

C:\>schtasks /Create /RU ForestA\administrator /RP "password" /SC
Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X

WARNING: The task name "test1" already exists. Do you want to replace it
(Y/N)?y
WARNING: The scheduled task "test1" has been created, but may not run
because the account information could not be set.

Clocks are synced and alright across the forests. The event logs are
perfectly clean. Actually this is the only issue I have with the server
(and it's ALL W2K3 member servers in the forestA that show this
behavior). The strange thing that I have found right now is that the
forestA DCs are immune to this weirdness (forestA accounts can be used
to schedule jobs on forestA DCs).

Guy
 

On Wed, 2004-10-27 at 16:29 -0400, joe wrote:
> I have to say that seems to be a weird one... But I am glad that cpau helps
> it work for you. :o)
> 
> Are you doing this remotely? What happens if you sit down on
> host.forestA.com with a forestA userid and try to schedule the task?
>  Also
> can you try to schedule it remotely with just the IP address? If that works,
> the issue is probably somewhere in kerberos and I would start looking for
> ker errors and verify SPN's are properly registered and time between the
> machines is correct, etc.
> 
>   joe
> 
>  
> 
> -----Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Wednesday, October 27, 2004 3:11 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] A weird one (or Joeware vs. MS)
> 
> Here is a weird one:
> 2 forests with one way forest trusts:
> forestA.com trusts forestB.com
> 
> I try to schedule a task on host.forestA.com with account FORESTA\user
> (tried everything up to member of Enterprise Admins, Domain Admins,
> BUILTIN\Administrators) and I get "0x80070005 Access Denied" error - bad
> credentials, when submitting the task (tried both GUI and schtasks.exe) The
> same task can be scheduled using CHILD_OF_FORESTB\user account (notice that
> the host is in forestA and forestB accounts are OK, but its own accounts
> are denied).
> Local machine's accounts are also fine - the problem is only with host's
> forest accounts.
> 
> This happens on all W2K3 servers and ONLY on W2K3 (XP, W2K are fine).
> 
> Wrapping the same task with joe's CPAU resolves the issue and the task is
> executed correctly.
> 
> I tried to sniff the traffic, but it looks like the task scheduler does not
> even try to authenticate the forestA accounts.
> 
> In our test environment the scheduled tasks do work as expected, but there
> we currently have 2-way forest trust and some other things not yet
> implemented in production, so I can not rely on the test environment
> regarding this issue.
> 
> I am starting to run out of ideas here...
> 
> Guy
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 


[ActiveDir] A weird one (or Joeware vs. MS)

2004-10-27 Thread Guy Teverovsky
Here is a weird one:
2 forests with one way forest trusts:
forestA.com trusts forestB.com

I try to schedule a task on host.forestA.com with account FORESTA\user
(tried everything up to member of Enterprise Admins, Domain Admins,
BUILTIN\Administrators) and I get "0x80070005 Access Denied" error - bad
credentials, when submitting the task (tried both GUI and schtasks.exe)
The same task can be scheduled using CHILD_OF_FORESTB\user account
(notice that the host is in forestA and forestB accounts are OK, but
its own accounts are denied).
Local machine's accounts are also fine - the problem is only with host's
forest accounts.

This happens on all W2K3 servers and ONLY on W2K3 (XP, W2K are fine).

Wrapping the same task with joe's CPAU resolves the issue and the task
is executed correctly.

I tried to sniff the traffic, but it looks like the task scheduler does
not even try to authenticate the forestA accounts.

In our test environment the scheduled tasks do work as expected, but
there we currently have 2-way forest trust and some other things not yet
implemented in production, so I can not rely on the test environment
regarding this issue.

I am starting to run out of ideas here...

Guy



Re: [ActiveDir] OT: Wireless EAP-TLS, IAS, and certificates

2004-10-17 Thread Guy Teverovsky

Ken,

If you are lucky enough to have all your clients with XP, you can use
GPO to configure the Wireless policies.
Check it out under "Computer Configuration\Security Settings\Wireless
network (IEEE 802.11) policies"

The link below should answer your questions regarding computer/user
authentication (check the "Notes" section):
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/define_8021x_inGP.asp

If you run into issues with XP pre-SP2, also take a look at the
following wireless update rollup for XP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;826942&Product=winxp
It did resolve some issues I was having.

Not sure all this will work with W2K though - have not tested that yet.

Cheers,
Guy


On Fri, 2004-10-08 at 11:06 -0500, Ken Cornetet wrote:
> Is there any way to force EAP-TLS wireless authentication to use
> machine certificates exclusively (instead of user certs) for client
> side authentication? Or better yet, require BOTH user and machine
> certs?
>  
> Here's the setup:
>  
> IBM Thinkpads with either integrated cisco 802.11b or Cisco cards.
> Running XP.
> Cisco access points
> MS Internet Authentication Server running on a non DC 2k3 box.
>  
>  



RE: [ActiveDir] Fun with Kerberos

2004-09-13 Thread Guy Teverovsky
I have been trying to reproduce the behavior in our test forest, but meanwhile in 
vain. I can only speculate that you need more than one DC on site (at least 1 DC and 1 
GC maybe ?).
 
In any case, meanwhile another issue popped up and it looks like it might be related.
As I have already mentioned, we have 2 forest in our environment:
1) myad.com (empty root + domains: child.myad.com, anotherchild.myad.com)
2) rd.company.com (well yes, we are R&D and have to be special :-) )
 
For myad.com we have alternative UPN suffix in the form of "company.com" ==> my 
account in child.myad.com would be [EMAIL PROTECTED]
The rd.company forest is resource forest: all user accounts are located in child 
domains of myad.com forest.
Now user CHILD\guy (Kerberos principal: [EMAIL PROTECTED]) logs on to host 
mycomp01.rd.company.com (the host is in rd.company.com forest) using UPN ([EMAIL PROTECTED])
 
The trust is one-way forest trust.
 
Now user guy decides to change his password, hits ALT+CTRL+DEL, fills in his UPN, 
types the new password, hits Enter, and "The system can not change your password 
now because domain is not available".
OK... I do some searching and come up with this KB: 
"Cannot Change Password if You Use the UPN Suffix": 
http://support.microsoft.com/default.aspx?scid=kb;en-us;321074
 
The cause is, I quote:
"This behavior may occur when the built-in Authenticated Users group was removed from 
the organizational unit where the user account resides. By default, the computer 
account is a member of the Authenticated Users group. If you use the "Change Password" 
dialog box, the local computer account is used to resolve the UPN. If the 
Authenticated Users group was removed from the organizational unit that contains the 
user account, you cannot successfully change the password. "
 
ok... this makes sense... but there is a slight problem: 
This is one-way trust and the computer account can not have access to the OU the user 
accounts are located in even if Authenticated users group has read access - this is 
Authenticated Users group from the wrong forest !
 
I guess the answer would still be "the behavior is by design", but this is rather 
confusing for the users - object picker wants Kerberos principals in W2K, if you logon 
using DOMAIN\Username you end up with messed up cached credentials, UPN almost works, 
but you can't change your password using UPN and the list goes on...
 
We have started to document what actions can be done using UPN, explicit Kerb 
principal and DOMAIN\username and we can't figure out a rule of thumb that can work 
for the end-users.
 
Ideas ?
 
Guy



From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Fri 9/10/2004 6:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos


Al, realize that the user accounts Guy is talking about are all in one forest - so the 
issue is not related to UPNs being unique across more than one forest. They're just 
logging in from a machine in a different forest.
 
I've already discussed offline with Guy that the clash is between the implicit UPN of 
the regular account (which would be [EMAIL PROTECTED]) and the explicit UPN of the 
supplemental account (which had previously been set to [EMAIL PROTECTED]) => fixing 
the explicit UPN of the supplemental account fixed the clash and the related 
problems...
 
 
BTW, we're thinking that the account lockouts and the XP request for credentials is 
likely related to Kerberos preauthentication. During preauth, AD looks up accounts 
using the UPN - so if it hits the wrong account, and uses the wrong password hash for 
validation of the Kerberos preauth data this may have the same effect as logging on 
with the wrong password.
 
Here's a nice article that explains Kerberos preauthentication in more detail
http://www.windowsitlibrary.com/Content/617/06/6.html
 
/Guido



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, September 10, 2004 4:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos


No, that sounds about right.  
 
Across two forests?  Be tough for any administrative program to enforce uniqueness 
unless it was authoritative for both forests.   That said, that's something you want 
your admin processes to compensate for and ensure that all accounts are unique across 
forests that can talk to each other.
 
Al



From: Guy Teverovsky [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, September 09, 2004 8:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos


ok... this starts to be more interesting. If the implicit UPN is constructed from 
s
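The implicit/explicit UPN clash Guido describes, as an added example that is not part of the thread: every account can also be resolved as sAMAccountName@<domain DNS name>, so a supplemental account whose explicit userPrincipalName equals the regular account's implicit UPN collides without the explicit-only duplicate check noticing. The accounts below are constructed to model the thread's "regular" and "supplemental" accounts; all names and suffixes are assumptions.

```python
"""Find accounts whose implicit UPN (sAMAccountName@domainDNS) collides with
another account's explicit userPrincipalName, or vice versa.  Added example;
the account records are constructed, not exported from a real forest."""
from collections import defaultdict
from typing import Dict, List, Tuple

Account = Dict[str, str]   # keys: dn, domain (DNS name), sAMAccountName, userPrincipalName (optional)


def upns_of(acct: Account) -> List[Tuple[str, str]]:
    """All UPN-shaped names a logon could resolve this account by, as (kind, upn)."""
    names = [("implicit", f"{acct['sAMAccountName']}@{acct['domain']}".lower())]
    explicit = acct.get("userPrincipalName")
    if explicit:
        names.append(("explicit", explicit.lower()))
    return names


def find_upn_clashes(accounts: List[Account]) -> Dict[str, List[Tuple[str, str]]]:
    """Map every UPN claimed by more than one distinct account to its claimants [(dn, kind), ...].

    An account whose explicit UPN merely repeats its own implicit one is not a clash.
    """
    claims: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for acct in accounts:
        for kind, upn in upns_of(acct):
            claims[upn].append((acct["dn"], kind))
    return {upn: owners for upn, owners in claims.items()
            if len({dn for dn, _ in owners}) > 1}


# Constructed: the regular account carries an explicit UPN with the alternative
# "company.com" suffix; the supplemental account's explicit UPN was set to the
# regular account's implicit name, which is the clash the thread ended up fixing.
SAMPLE_ACCOUNTS: List[Account] = [
    {"dn": "CN=Teverovsky\\, Guy,OU=Accounts,DC=child,DC=myad,DC=com",
     "domain": "child.myad.com", "sAMAccountName": "guy",
     "userPrincipalName": "guy@company.com"},
    {"dn": "CN=Teverovsky\\, Guy (Supplemental),OU=Accounts,DC=child,DC=myad,DC=com",
     "domain": "child.myad.com", "sAMAccountName": "guysu",
     "userPrincipalName": "guy@child.myad.com"},
    {"dn": "CN=Someone Else,OU=Accounts,DC=anotherchild,DC=myad,DC=com",
     "domain": "anotherchild.myad.com", "sAMAccountName": "someone",
     "userPrincipalName": "someone@company.com"},
]

if __name__ == "__main__":
    for upn, owners in find_upn_clashes(SAMPLE_ACCOUNTS).items():
        print(f"{upn}:")
        for dn, kind in owners:
            print(f"    {kind:8} {dn}")
```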

RE: [ActiveDir] Fun with Kerberos

2004-09-09 Thread Guy Teverovsky
ok... this starts to be more interesting. If the implicit UPN is constructed from 
samaccountname and AD DNS name, I do not see how Kerberos principals could clash. This 
is what I initially had (names changed to protect the innocent):
 
Regular account:
dn:[EMAIL PROTECTED],OU=Accounts,DC=child,DC=myad,DC=com
>sAMAccountName: guy
>userPrincipalName: [EMAIL PROTECTED]
 
Supplemental account:
dn:CN=Teverovsky\, Guy (Supplemental),OU=Accounts,DC=child,DC=myad,DC=com
>sAMAccountName: guysu
>userPrincipalName: [EMAIL PROTECTED]
 
The regular account was programmatically created as disabled and was renamed+enabled 
when the user migrated from the NT domain. The supplemental account was created beforehand for 
administrative purposes (the user is a member of IT staff).
 
Renaming the UPN of the supplemental account to [EMAIL PROTECTED] was the fix.
Now I am totally confused and can't understand why the lockouts happened. It is almost 
as if [EMAIL PROTECTED] and [EMAIL PROTECTED] UPNs were somehow resolved to the same 
account.
 
P.S.: it's worth mentioning that the machine the user was logged on to was in another 
forest which has a Kerberos trust with the myad.com forest.
 
Guy

 


From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 9/9/2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos



that's correct - even if you configure an additional UPN suffix for the
forest (or for an OU) and assign this to an account when you create the
account (e.g. via ADUC), every account will still have an implicit UPN
suffix that is made up of his samAccountName + the domain-suffix of his
AD domain.  So even though your first user had an explicit UPN of
[EMAIL PROTECTED], he also had an implicit UPN of [EMAIL PROTECTED]

Looks like the reason for your problem was mainly caused due to the
special char in your ADM accounts (as it only used the first part of the
name to create) - or did you configure your 2nd account like this on
purpose?  I assume that the accounts were created programmatically, as
the ADUC UI will check for duplicate UPNs by querying a GC - so usually
this is only a problem if accounts are created at roughly the same time
on different DCs (even in different domains). But I'm not sure if ADUC
only queries for the explicit UPN that you've assigned at creation and
ignores the implicit UPN (seems to be the case). But I'm quite sure that
this check is not performed when you programmatically add accounts to
AD.

As a result the duplicate UPNs caused a Kerberos conflict as you well
noticed - interesting to read how your users noticed this on their XP
clients.  Can you elaborate on the "Once in a while..." - i.e. how
often? and did this only occur if they were also logged on as the
guy$adm at the same time? 
And when did the 2nd account get locked out - at the time the kerberos
ticket of #1 was getting refreshed (i.e. after 10 hours past logon of
#1)? Or at logon of #1?

I'll have to check out this sort of attack a little closer...


BTW - the same risk applies with machine-accounts in AD, which register
an SPN (service principal name) that must also be unique: if they're
able to register the same name as another machine (e.g. when DDNS is not
secured sufficiently well), they can hinder both machines from receiving
kerberos tickets and (if the "attacked" server was set to allow kerberos
delegation e.g. for some web-application) could thus cause a DOS for
applications running on the other server.


/Guido

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, September 09, 2004 6:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Fun with Kerberos

Stumbled upon an issue couple of days ago and wanted to hear what you
guys think about it.

Suppose that your AD is called myad.com and you also configure
additional UPN suffix "company.com".
Now I create 2 users in child.myad.com child domain:
 
1) sAMAccountName: guy
userPrincipalName: [EMAIL PROTECTED]

2) sAMAccountName: guy$adm
userPrincipalName: [EMAIL PROTECTED]

(Notice that in ADUC the userPrincipalName is constructed from 2 fields:
W2K username and suffix)

From AD point of view this is all nice and legit and UI will be happy
to create both.
But if you look at the users explicit Kerberos principals, both look the
same:
[EMAIL PROTECTED]  (checked with klist tgt).
In our environment, if you are logged on with account #1, two things
happened:
1. Once in a while LAN users had XP pop up a balloon in the systray with "XP
needs your user credentials"
2. The corresponding account #2 was getting locked out.

Renaming UPNs of supplemental accounts fixed the issue (the name clas

[ActiveDir] Fun with Kerberos

2004-09-08 Thread Guy Teverovsky
Stumbled upon an issue couple of days ago and wanted to hear what you guys think about 
it.
 
Suppose that your AD is called myad.com and you also configure additional UPN suffix 
"company.com".
Now I create 2 users in child.myad.com child domain:
  
1) sAMAccountName: guy
userPrincipalName: [EMAIL PROTECTED]  
 
2) sAMAccountName: guy$adm
userPrincipalName: [EMAIL PROTECTED]  
 
(Notice that in ADUC the userPrincipalName is constructed from 2 fields: W2K username 
and suffix)
 
From AD point of view this is all nice and legit and UI will be happy to create both.
But if you look at the users explicit Kerberos principals, both look the same:
[EMAIL PROTECTED]   (checked with klist tgt).
In our environment, if you are logged on with account #1, two things happened:
1. Once in a while LAN users had XP pop up a balloon in the systray with "XP needs your 
user credentials"
2. The corresponding account #2 was getting locked out.
 
Renaming UPNs of supplemental accounts fixed the issue (the name clash was not 
intentional from the beginning as you might guess). Still I am wondering why AD 
allowed creation of account with Kerberos principal that already existed in AD. If AD 
checks for sAMAccountName collisions, is there any special reason not to check Kerberos 
principals ?
How can I prevent this from happening ? (the implications would mean that anyone with 
permissions to create user accounts can do some very nasty things)
 
Guy
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
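The collision this thread describes is between one account's explicit userPrincipalName and another account's implicit UPN (sAMAccountName@domain-DNS-name), which the ADUC duplicate check does not catch. The following is an added example, not code from the list or its posters: a pre-creation check that computes both names for every account, compares them case-insensitively (also across trusted forests, as Al notes), and reports every principal name claimed by more than one object. The account list is constructed sample data with placeholder names.

```python
"""Detect Kerberos principal (UPN) collisions that the ADUC UI does not catch.

Every AD account answers to an implicit UPN, sAMAccountName@<domain DNS name>,
in addition to any explicit userPrincipalName.  Two objects collide when any of
those names (compared case-insensitively) is claimed by more than one of them,
even when the objects live in different trusted forests.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    dn: str
    sam_account_name: str
    domain_dns: str                     # DNS name of the domain holding the object
    explicit_upn: Optional[str] = None  # userPrincipalName attribute, if set


def implicit_upn(acct: Account) -> str:
    """The UPN Kerberos accepts even if no userPrincipalName was ever set."""
    return f"{acct.sam_account_name}@{acct.domain_dns}".lower()


def claimed_names(acct: Account) -> List[Tuple[str, str]]:
    """All principal names this account answers to, tagged implicit/explicit."""
    names = [(implicit_upn(acct), "implicit")]
    if acct.explicit_upn and acct.explicit_upn.lower() != implicit_upn(acct):
        names.append((acct.explicit_upn.lower(), "explicit"))
    return names


def find_upn_collisions(accounts: List[Account]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each principal name owned by more than one object to its claimants."""
    claims: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for acct in accounts:
        for name, kind in claimed_names(acct):
            claims[name].append((acct.dn, kind))
    return {name: owners for name, owners in claims.items()
            if len({dn for dn, _ in owners}) > 1}


def conflicts_for_new_account(existing: List[Account], candidate: Account) -> List[str]:
    """Pre-creation check: names the candidate would share with existing objects.

    Run this (against a GC, or one export per forest) before provisioning
    scripts call create, since the directory itself only rejects duplicate
    sAMAccountNames.
    """
    taken = {name for acct in existing for name, _ in claimed_names(acct)}
    return sorted(name for name, _ in claimed_names(candidate) if name in taken)


# Constructed sample mirroring the thread: in one forest the supplemental
# account's explicit UPN equals the regular account's implicit UPN, and a
# second, trusted forest reuses the explicit UPN (placeholder names only).
SAMPLE_ACCOUNTS = [
    Account("CN=Teverovsky\\, Guy,OU=Accounts,DC=child,DC=myad,DC=com",
            "guy", "child.myad.com", "guy@company.com"),
    Account("CN=Teverovsky\\, Guy (Supplemental),OU=Accounts,DC=child,DC=myad,DC=com",
            "guysu", "child.myad.com", "guy@child.myad.com"),
    Account("CN=Guy T,OU=Users,DC=ad,DC=division,DC=company,DC=com",
            "guy", "ad.division.company.com", "GUY@company.com"),
]

if __name__ == "__main__":
    for name, owners in find_upn_collisions(SAMPLE_ACCOUNTS).items():
        print(f"{name} is claimed by:")
        for dn, kind in owners:
            print(f"    {kind:9} {dn}")
```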


RE: [ActiveDir] By design or configurable ?

2004-08-24 Thread Guy Teverovsky
I know... should be renewed after 10 hours if I remember correctly.
It is a remote site I'll be visiting next week and will give a good look
at the logs when it happens.
When I actually think of it, logging in with cached creds does not use
Kerberos provider, so the user should not have any tickets.

Any idea if sidHistory is also obtained from the ticket's PAC the same
way as SIDs of security groups the user is member of ?

+Guy
 

On Tue, 2004-08-24 at 00:03, Mulnick, Al wrote:
> Kerb tickets have a lifetime, but not sure that's your issue necessarily.
> How's your name resolution working?  Anything in the event logs when this
> occurs?  Especially the security logs on the clients/dc's/resources being
> accessed?
> 
> 
> Al 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Monday, August 23, 2004 4:48 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] By design or configurable ?
> 
> 
> I was too lazy to tell the long story that made me speculate about TGTs, so
> I'll try to explain the reason for asking:
> 
> We have 2 W2K3 forests with Kerberos transitive trust.
> 
> Forest corp.com has 3 child domains respectively:
> emea.company.com
> amer.company.com
> ap.company.com
> 
> Second forest (ad.devision.company.com) has no children.
> We have users migrating from NT domains to one of the corp AD child domains
> (emea\amer\ap).
> 
> After the migration, when users logon to XP computers in
> ad.division.company.com domain with EMEA\username cached credentials and
> then reconnect to the network, sometimes (after they work for a while) they
> get a popup in system tray saying something like "XP needs your
> credentials". 
> 
> Usually this would be caused by changing the user password from another
> machine or account lockout replicated from another DC, but in our case this
> is the only machine the user logs on to and there are no account lockouts.
> When the same user logs on with UPN ([EMAIL PROTECTED]), we have not
> yet seen this to repeat itself.
> So I was wondering whether UPN logons enable caching of TGTs and
> sAMAccountName logons are different in some way from UPN logons.
> 
> Hope I managed to be clear enough ;)
> 
> Cheers,
> Guy
> 
> 
> > I don't know if the kerberos ticket is cached or not.  (I suspect 
> > not.) When a machine reconnects to the network and you attempt to 
> > access a network resource, the resource will ask for your ticket.  If 
> > you don't have one, or if it is out of date, the client will request a 
> > new kerberos ticket and then be authenticated to the resource.
> > 
> > Denny
> >  
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> > > Teverovsky
> > > Sent: Friday, August 20, 2004 8:48 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] By design or configurable ?
> > > 
> > > 
> > > In my environment, when W2K3 DC boots with security logs full, the 
> > > replication from that DC stops till the security log is cleared and 
> > > the box is rebooted.
> > > The interesting thing is that after the security logs become full 
> > > (while the box is online) the replication continues to work till the 
> > > box is rebooted with full log.
> > > 
> > > So the question is whether this can be prevented (we do have a 
> > > routine which takes care of security logs archiving, but it failed 
> > > on one of the DCs and I would like to prevent the replication from 
> > > breaking again).
> > > 
> > > And another OT question:
> > > When logging on to XP with cached credentials, is the Kerberos 
> > > ticket cached too ? And if yes, what happens when the ticket expires 
> > > and the box is reconnected to the network: will it seamlessly try to 
> > > renew the ticket ?
> > > 
> > > Thanks,
> > > Guy
> > > 
> > > --
> > > Smith & Wesson - the original point and click interface
> > > 
> --
> Smith & Wess

RE: [ActiveDir] By design or configurable ?

2004-08-24 Thread Guy Teverovsky




Thanks !

This is exactly what I needed.

And if anyone is interested, here is an ADM I wrote to deploy the settings (works the same on W2K3):
(might wrap)

### Cut here 

#if version >= 3

CLASS MACHINE

CATEGORY !!System
    CATEGORY !!EventViewer
        #if version >= 4
        EXPLAIN !!EventViewer_Help
        #endif

        POLICY !!AutobackupSecLog
            #if version >= 4
            SUPPORTED !!SUPPORTED_Win2k
            #endif

            EXPLAIN !!AutobackupSecLogHelp
            KEYNAME "SYSTEM\CurrentControlSet\Services\EventLog\Security"
            VALUENAME "AutoBackupLogFiles"
            VALUEON  NUMERIC 1
            VALUEOFF NUMERIC 0
        END POLICY

        POLICY !!AutobackupAppLog
            #if version >= 4
            SUPPORTED !!SUPPORTED_Win2k
            #endif

            EXPLAIN !!AutobackupAppLogHelp
            KEYNAME "SYSTEM\CurrentControlSet\Services\EventLog\Application"
            VALUENAME "AutoBackupLogFiles"
            VALUEON  NUMERIC 1
            VALUEOFF NUMERIC 0
        END POLICY

        POLICY !!AutobackupSysLog
            #if version >= 4
            SUPPORTED !!SUPPORTED_Win2k
            #endif

            EXPLAIN !!AutobackupSysLogHelp
            KEYNAME "SYSTEM\CurrentControlSet\Services\EventLog\System"
            VALUENAME "AutoBackupLogFiles"
            VALUEON  NUMERIC 1
            VALUEOFF NUMERIC 0
        END POLICY

    END CATEGORY ; Event Viewer

END CATEGORY ; System

#endif


[strings]
System="System"
EventViewer="Event Viewer"
EventViewer_Help="Event Viewer specific settings"
AutobackupSecLog="Automatically clear a full security event log and back up the log file"
AutobackupSecLogHelp="Using this entry causes the Event Log service to automatically clear a full event log and to back up the log file. On computers with the "CrashOnAuditFail" policy turned on, the computer continues to log events (instead of hanging because of an audit failure) if the current log file can be backed up automatically. By default, event logs are stored in the %SystemRoot%\System32\Config folder. If you enable this setting, a full log file is automatically backed up in the %SystemRoot%\System32\Config folder, the log file is cleared, and event logging resumes."
AutobackupAppLog="Automatically clear a full application event log and back up the log file"
AutobackupAppLogHelp="Using this entry causes the Event Log service to automatically clear a full event log and to back up the log file. On computers with the "CrashOnAuditFail" policy turned on, the computer continues to log events (instead of hanging because of an audit failure) if the current log file can be backed up automatically. By default, event logs are stored in the %SystemRoot%\System32\Config folder. If you enable this setting, a full log file is automatically backed up in the %SystemRoot%\System32\Config folder, the log file is cleared, and event logging resumes."
AutobackupSysLog="Automatically clear a full system event log and back up the log file"
AutobackupSysLogHelp="Using this entry causes the Event Log service to automatically clear a full event log and to back up the log file. On computers with the "CrashOnAuditFail" policy turned on, the computer continues to log events (instead of hanging because of an audit failure) if the current log file can be backed up automatically. By default, event logs are stored in the %SystemRoot%\System32\Config folder. If you enable this setting, a full log file is automatically backed up in the %SystemRoot%\System32\Config folder, the log file is cleared, and event logging resumes."
SUPPORTED_Win2k="At least Microsoft Windows 2000"


### Cut here 

Guy

On Tue, 2004-08-24 at 11:48, Ulf B. Simon-Weidner wrote:

Hi Guy,

took me a while to find the Article again, here it is:

312571 The Event Log Stops Logging Events Before Reaching the Maximum Log
Size
http://support.microsoft.com/?ln=en&id=312571

It describes how you are able to configure a feature to automatically dump
the eventlog into a file if it reaches its maximum length.

You do have to take care what to do with those dumps and delete them from
the machine, but this helps to keep the filespace used by dumps somewhat
dynamic but not too big.

I've included this in some of the backup jobs at customers to move the
dumpfiles away daily, so no worries if the events logged at a specific day
would be more than the memory allowed for the log, and no events are lost. 

HTH

Gruesse - Sincerely,
 
Ulf B. Simon-Weidner

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Saturday, August 21, 2004 2:48 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] By design or configurable ?
> 
> 
> In my environment, when W2K3 DC boots with security logs full, the
> replication 

RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Guy Teverovsky
I have been able to reproduce the behavior in both our test and
production forests on several DCs. GPO has been applied a while ago,
boxes have been rebooted more than once and RSoP shows the right
settings. 
More than that, when I look at
c:\windows\security\templates\policies\gpt1.inf (which contains the
settings pulled from the DC's GPO), I see a line like this:
MACHINE\System\CurrentControlSet\Control\LSA\CrashOnAuditFail=4,0
and the registry has CrashOnAuditFail set to 0 (disabled).


void *Guy;
(you guys are contagious ;) )  

On Tue, 2004-08-24 at 00:05, Mulnick, Al wrote:
> Sounds like the feature isn't working as expected if the box continues to
> work until reboot. It's also possible it was triggered prior to the GPO
> being applied, but you'd have to repro to know IMHO.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Monday, August 23, 2004 5:01 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] By design or configurable ?
> 
> Right, but this feature was turned off in GPO, so the box was not supposed
> to crash. 
> And how would you explain the working replication (with full security
> logs) till the box is rebooted manually and only then enters the "crashed"
> state ?
> 
> We indeed have a policy for keeping 3 months of security logs and meanwhile
> it takes between one to two weeks to fill the logs, but this is a new forest
> and users keep arriving, so eventually we will need to implement a more
> serious approach.
> 
> Guy
> 
> On Mon, 2004-08-23 at 23:37, Mulnick, Al wrote:
> >  
> > http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/
> > deploy 
> > guide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/
> > all/de
> > ployguide/en-us/46686.asp?frame=true
> > 
> > This link is the documented behavior.  Sounds like that is what you're 
> > getting. I think there may be some misnaming involved in that it 
> > should actually restart if it says "crashondump" but whatever.
> > 
> > As for your situation, I know in some environments, 128mb wouldn't 
> > last two hours.  A process to collect the data at the end of the day 
> > would be too late.  That's what makes me suggest other methods. IMHO, 
> > there's a balance between collecting the data and self-configured 
> > denial of service. The key is to figure out how important that logging 
> > data is.  If it's important, such as in regulatory environments, then 
> > that indicates you really should have a process of collecting that 
> > data whenever it's written to the logs or very soon after.  If for 
> > security reasons, you have to stop service if unable to log security 
> > events, then so be it.  Just make sure you never run into that 
> > situation, right?  If you have that requirement, but don't prevent 
> > your systems from ever running into that situation, then it is by default
> > acceptable to have occasional DoS events.
> > 
> > Your system did crash when it was full.  Normal operations failed to 
> > continue and the LSA stopped for that particular DC.  It's a testament 
> > to your architecture if the users never noticed :)
> > 
> > Al
> >  
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> > Teverovsky
> > Sent: Monday, August 23, 2004 4:24 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] By design or configurable ?
> > 
> > 
> > Interesting...
> > 
> > I have "Audit: Shutdown system immediately if unable to log security
> > audits"
> > set to disabled and security log size configured to 128Mb (DCs
> > GPO)
> > 
> > We are keeping 3 months back of security logs, hence the GPO is 
> > configured not to override the security logs. DCs have a scheduled 
> > task that pops up once a day and archives/clears the security logs - 
> > not the state of the art solution, but does the work without 
> > purchasing any additional software. I would love to give MOM a try, 
> > but we already have OpenView in place, so I'll be checking with OvO people
> > if the security logs can be handled by OvO.
> > 
> > So in this configuration, if booted with full security logs, I 
> > experience the same behavior as CrashOnAuditFail set to 2 (box in 
> > crashed mode) - verified that by adding peer DC to builtin 
> > Administrators group and the replication resumed.
> > 
> > Am I missing something or is this not the desired behavior when the DC 
> >

RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Guy Teverovsky
Right, but this feature was turned off in GPO, so the box was not
supposed to crash. 
And how would you explain the working replication (with full security
logs) till the box is rebooted manually and only then enters the
"crashed" state ?

We indeed have a policy for keeping 3 months of security logs and
meanwhile it takes between one to two weeks to fill the logs, but this
is a new forest and users keep arriving, so eventually we will need to
implement a more serious approach.

Guy

On Mon, 2004-08-23 at 23:37, Mulnick, Al wrote:
>  http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deploy
> guide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/de
> ployguide/en-us/46686.asp?frame=true
> 
> This link is the documented behavior.  Sounds like that is what you're
> getting. I think there may be some misnaming involved in that it should
> actually restart if it says "crashondump" but whatever. 
> 
> As for your situation, I know in some environments, 128mb wouldn't last two
> hours.  A process to collect the data at the end of the day would be too
> late.  That's what makes me suggest other methods. IMHO, there's a balance
> between collecting the data and self-configured denial of service. The key
> is to figure out how important that logging data is.  If it's important,
> such as in regulatory environments, then that indicates you really should
> have a process of collecting that data whenever it's written to the logs or
> very soon after.  If for security reasons, you have to stop service if
> unable to log security events, then so be it.  Just make sure you never run
> into that situation, right?  If you have that requirement, but don't prevent
> your systems from ever running into that situation, then it is by default
> acceptable to have occasional DoS events.  
> 
> Your system did crash when it was full.  Normal operations failed to
> continue and the LSA stopped for that particular DC.  It's a testament to
> your architecture if the users never noticed :)
> 
> Al
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Monday, August 23, 2004 4:24 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] By design or configurable ?
> 
> 
> Interesting...
> 
> I have "Audit: Shutdown system immediately if unable to log security audits"
> set to disabled and security log size configured to 128Mb (DCs
> GPO)
> 
> We are keeping 3 months back of security logs, hence the GPO is configured
> not to override the security logs. DCs have a scheduled task that pops up
> once a day and archives/clears the security logs - not the state of the art
> solution, but does the work without purchasing any additional software. I
> would love to give MOM a try, but we already have OpenView in place, so I'll
> be checking with OvO people if the security logs can be handled by OvO.
> 
> So in this configuration, if booted with full security logs, I experience
> the same behavior as CrashOnAuditFail set to 2 (box in crashed mode) -
> verified that by adding peer DC to builtin Administrators group and the
> replication resumed.
> 
> Am I missing something or is this not the desired behavior when the DC is
> configured not to crash on audit ?
> 
> Thanks,
> Guy
> 
> 
> On Mon, 2004-08-23 at 16:10, Mulnick, Al wrote:
> > I suppose in theory, setting it to crash on full is also a security 
> > risk since it could be used to cause a denial of service.
> > 
> > I'd guess that if you have something that siphons off the logs on 
> > submit event, then it could be a workable solution.  I'd have to say 
> > I'm not impressed with a lot of the tools currently out there that do 
> > this due to the overhead they place on the machine, but it could be 
> > done.  MOM Server is a good way to get this done IIRC.
> > 
> > I'm guessing that's what you had in mind, Rick?  Something that clears 
> > it as it is written, vs a timed deal?
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
> > Sent: Monday, August 23, 2004 9:02 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] By design or configurable ?
> > 
> > I have had the same problem, but setting the logs to overwrite is bad 
> > system administration. If a person attempts to break passwords, they can 
> > just flood the server with requests and eventually the log will clear.
> > The best solution is to have the logs cleared by a script or third 
> > party utility to clear and archive the 

RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Guy Teverovsky

I was too lazy to tell the long story that made me speculate about TGTs,
so I'll try to explain the reason for asking:

We have 2 W2K3 forests with Kerberos transitive trust.

Forest corp.com has 3 child domains respectively:
emea.company.com
amer.company.com
ap.company.com

Second forest (ad.devision.company.com) has no children.
We have users migrating from NT domains to one of the corp AD child
domains (emea\amer\ap).

After the migration, when users logon to XP computers in
ad.division.company.com domain with EMEA\username cached credentials and
then reconnect to the network, sometimes (after they work for a while)
they get a popup in system tray saying something like "XP needs your
credentials". 

Usually this would be caused by changing the user password from another
machine or account lockout replicated from another DC, but in our case
this is the only machine the user logs on to and there are no account
lockouts.
When the same user logs on with UPN ([EMAIL PROTECTED]), we have
not yet seen this to repeat itself.
So I was wondering whether UPN logons enable caching of TGTs and
sAMAccountName logons are different in some way from UPN logons.

Hope I managed to be clear enough ;)

Cheers,
Guy


> I don't know if the kerberos ticket is cached or not.  (I suspect not.)
> When a machine reconnects to the network and you attempt to access a
> network resource, the resource will ask for your ticket.  If you don't
> have one, or if it is out of date, the client will request a new
> kerberos ticket and then be authenticated to the resource.
> 
> Denny
>  
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> > Teverovsky
> > Sent: Friday, August 20, 2004 8:48 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] By design or configurable ?
> > 
> > 
> > In my environment, when W2K3 DC boots with security logs full, the
> > replication from that DC stops till the security log is 
> > cleared and the
> > box is rebooted. 
> > The interesting thing is that after the security logs become 
> > full (while
> > the box is online) the replication continues to work till the box is
> > rebooted with full log.
> > 
> > So the question is whether this can be prevented (we do have a routine
> > which takes care of security logs archiving, but it failed on 
> > one of the
> > DCs and I would like to prevent the replication from breaking again).
> > 
> > And another OT question:
> > When logging on to XP with cached credentials, is the Kerberos ticket
> > cached too ? And if yes, what happens when the ticket expires and the
> > box is reconnected to the network: will it seamlessly try to renew the
> > ticket ?
> > 
> > Thanks,
> > Guy
> > 
> > -- 
> > Smith & Wesson - the original point and click interface
> > 
-- 
Smith & Wesson - the original point and click interface



RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Guy Teverovsky

Interesting...

I have "Audit: Shutdown system immediately if unable to log security
audits" set to disabled and security log size configured to 128Mb (DCs
GPO)

We are keeping 3 months back of security logs, hence the GPO is
configured not to override the security logs. DCs have a scheduled task
that pops up once a day and archives/clears the security logs - not the
state of the art solution, but does the work without purchasing any
additional software. I would love to give MOM a try, but we already have
OpenView in place, so I'll be checking with OvO people if the security
logs can be handled by OvO.

So in this configuration, if booted with full security logs, I
experience the same behavior as CrashOnAuditFail set to 2 (box in
crashed mode) - verified that by adding peer DC to builtin
Administrators group and the replication resumed.

Am I missing something or is this not the desired behavior when the DC
is configured not to crash on audit ?

Thanks,
Guy


On Mon, 2004-08-23 at 16:10, Mulnick, Al wrote:
> I suppose in theory, setting it to crash on full is also a security risk
> since it could be used to cause a denial of service.  
> 
> I'd guess that if you have something that siphons off the logs on submit
> event, then it could be a workable solution.  I'd have to say I'm not
> impressed with a lot of the tools currently out there that do this due to
> the overhead they place on the machine, but it could be done.  MOM Server is
> a good way to get this done IIRC.
> 
> I'm guessing that's what you had in mind, Rick?  Something that clears it as
> it is written, vs a timed deal? 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
> Sent: Monday, August 23, 2004 9:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] By design or configurable ?
> 
> I have had the same problem, but setting the logs to overwrite is bad system
> administration. If a person attempts to break passwords, they can just flood
> the server with requests and eventually the log will clear.
> The best solution is to have the logs cleared by a script or third party
> utility to clear and archive the logs every night.
> 
> 
> 
> Rick Gasper
> Manager, Network Services
> King's College
> 133 N. River St
> Wilkes-Barre PA  18711
> PH: 570-208-5845
> Fax: 570-208-6072
> Cell: 570-760-0335
> [EMAIL PROTECTED]
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
> Sent: Monday, August 23, 2004 6:48 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] By design or configurable ?
> 
> Guy,
> 
> One way to avoid the problems of a full security log is to set the logs to
> overwrite as needed.  You can set this via group policy.
> 
> I don't know if the kerberos ticket is cached or not.  (I suspect not.) When
> a machine reconnects to the network and you attempt to access a network
> resource, the resource will ask for your ticket.  If you don't have one, or
> if it is out of date, the client will request a new kerberos ticket and then
> be authenticated to the resource.
> 
> Denny
>  
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> > Teverovsky
> > Sent: Friday, August 20, 2004 8:48 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] By design or configurable ?
> > 
> > 
> > In my environment, when W2K3 DC boots with security logs full, the 
> > replication from that DC stops till the security log is cleared and 
> > the box is rebooted.
> > The interesting thing is that after the security logs become full 
> > (while the box is online) the replication continues to work till the 
> > box is rebooted with full log.
> > 
> > So the question is whether this can be prevented (we do have a routine 
> > which takes care of security logs archiving, but it failed on one of 
> > the DCs and I would like to prevent the replication from breaking 
> > again).
> > 
> > And another OT question:
> > When logging on to XP with cached credentials, is the Kerberos ticket 
> > cached too ? And if yes, what happens when the ticket expires and the 
> > box is reconnected to the network: will it seamlessly try to renew the 
> > ticket ?
> > 
> > Thanks,
> > Guy
> > 
> > --
> > Smith & Wesson - the original point and click interface
> > 
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ: http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] By design or configurable ?

2004-08-20 Thread Guy Teverovsky

In my environment, when W2K3 DC boots with security logs full, the
replication from that DC stops till the security log is cleared and the
box is rebooted. 
The interesting thing is that after the security logs become full (while
the box is online) the replication continues to work till the box is
rebooted with full log.

So the question is whether this can be prevented (we do have a routine
which takes care of security logs archiving, but it failed on one of the
DCs and I would like to prevent the replication from breaking again).

And another OT question:
When logging on to XP with cached credentials, is the Kerberos ticket
cached too ? And if yes, what happens when the ticket expires and the
box is reconnected to the network: will it seamlessly try to renew the
ticket?

Thanks,
Guy

-- 
Smith & Wesson - the original point and click interface



RE: [ActiveDir] Anonymous bind (here we go again)

2004-08-13 Thread Guy Teverovsky
Thank you all for your replies. 

Unfortunately our BIND does not accept dynamic updates. Digging some
more I have found the following article about third party certs on DC:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
Indeed not for the faint of heart, though doable.

I'll catch a chat with our BIND guru and see where we go from here.

Thanks for the ideas.

Guy

On Fri, 2004-08-13 at 16:26, Mulnick, Al wrote:
> Personally, I prefer the latter FWIW.  Have the workstations update their
> own data in the BIND zone. It would be no more (or less) secure than if you
> pulled that data from Active Directory really, just more IP addrs to watch.
> 
> Otherwise, I think the certs on the DC's are the wrong path to go down.  But
> if you must, there is some docs out there about putting certs on DC's
> without installing PKI into the forest.  It's not for the faint of heart
> from what I remember.  It's handled for you with certificate services if you
> install it into the forest.  If you don't, why not stand up a standalone CA
> and generate your certs that way?  Not a great long term solution, but
> that's why I don't favor it.
> 
> If you stood a server up in the forest and used it to grab the records and
> do the conversion, you have no more error probability than if you have the
> BIND server fetch the data itself that I can see.  That's just a customized
> solution is all. 
> 
> Just a few thoughts.  
> 
> Al 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, August 12, 2004 11:09 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous bind (here we go again)
> 
> I like the idea of having some Windows machine that is part of the domain
> run a task as the system or network service account and grab the info and
> jam it into your BIND setup. Do you allow unsecured dynamic updates? If so
> you should be able to pretty easily do this with perl, adfind, and
> nsupdate without changing your AD security or trying to cobble certs
> together on the DC.  
> 
> Another possible solution is to take the workstations that are the issue
> themselves and have them run a script to update the foreign DNS. This
> assumes again open dynamic updates. 
> 
>   joe
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Thursday, August 12, 2004 7:52 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous bind (here we go again)
> 
> I have thought about that, but if you think about it, it only reverts the
> problem: now I need to either install some software on the DC to ensure
> secure connection/authentication with BIND box or do it in 3
> steps:
> - get the data from AD and dump it into a flat file.
> - transfer the file to BIND machine
> - parse the file on BIND box
> 
> Both approaches are rather cumbersome and error prone.
> I tend to prefer installing third party certificate on the DC.
> On this note, can anyone give me a hint how to generate CSR if I do not have
> IIS installed ? Is there any command line tool for that maybe ?
> 
> I tried scripting it
> (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/htm
> l/certenrollment.asp), but it looks like I am doing something wrong: the CA
> has no problem signing the CSRs generated by IIS, but would not sign mine
> (script generated) 
> 
> Thanks,
> Guy
> 
> On Thu, 2004-08-12 at 10:26, Bernard, Aric wrote:
> > OK, understood.  While the original idea does accomplish the desired 
> > outcome, I think there are still other alternatives.
> > 
> > For example, why not create a script that runs based on a schedule on 
> > a machine that is a member of the forest, runs in or uses the proper 
> > security context to access the desired information in the OUs, writes 
> > that information into the zone files on the BIND server, and then 
> > completes the appropriate action to ensure that the data is available 
> > in BIND DNS (i.e. restarting the DNS daemon)?
> > 
> > With this example, you do not need to modify the security around AD.  
> > If for some reason you can not perform the desired BIND tasks 
> > remotely, you can transfer a file containing the data to an 
> > appropriate location and allow a scheduled script on the BIND server 
> > to perform the import, etc.
> > 
> > - Aric
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> > Teverovsky
> > Sent: Wednesday, August 11, 2004 10:11 P

RE: [ActiveDir] Anonymous bind (here we go again)

2004-08-12 Thread Guy Teverovsky
I have thought about that, but if you think about it, it only reverts
the problem: now I need to either install some software on the DC to
ensure secure connection/authentication with BIND box or do it in 3
steps:
- get the data from AD and dump it into a flat file.
- transfer the file to BIND machine
- parse the file on BIND box

Both approaches are rather cumbersome and error prone.
I tend to prefer installing third party certificate on the DC.
On this note, can anyone give me a hint how to generate CSR if I do not
have IIS installed ? Is there any command line tool for that maybe ?

I tried scripting it
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/certenrollment.asp),
 but it looks like I am doing something wrong: the CA has no problem signing the CSRs 
generated by IIS, but would not sign mine (script generated) 

Thanks,
Guy

On Thu, 2004-08-12 at 10:26, Bernard, Aric wrote:
> OK, understood.  While the original idea does accomplish the desired
> outcome, I think there are still other alternatives.  
> 
> For example, why not create a script that runs based on a schedule on a
> machine that is a member of the forest, runs in or uses the proper
> security context to access the desired information in the OUs, writes
> that information into the zone files on the BIND server, and then
> completes the appropriate action to ensure that the data is available in
> BIND DNS (i.e. restarting the DNS daemon)?
> 
> With this example, you do not need to modify the security around AD.  If
> for some reason you can not perform the desired BIND tasks remotely, you
> can transfer a file containing the data to an appropriate location and
> allow a scheduled script on the BIND server to perform the import, etc.
> 
> - Aric
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Wednesday, August 11, 2004 10:11 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous bind (here we go again)
> 
> Well, I know where the hosts should be in AD, but those hosts can
> change. The idea is that if host resides in one of the OUs in question,
> it gets to get CNAME in company.com, but the hosts can come and go, so I
> do not know what records should get CNAMEs without looking in the OUs.
> 
> Guy
> 
> On Thu, 2004-08-12 at 03:48, Bernard, Aric wrote:
> > Since you must already know what records you want to transform into
> > CNAME records in the BIND environment, why not build your scripts on
> > the linux system to query the AD hosted DNS servers and then create the
> > CNAME records based on this DNS query instead of an LDAP query?
> > 
> > - Aric
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> > Sent: Wednesday, August 11, 2004 2:34 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Anonymous bind (here we go again)
> > 
> > 
> > 
> > We have W2K3 AD (FFL/DFL 2003) configured as ad.company.com
> > There is a subset of workstations (located in pre-configured OUs) that
> > need to be resolvable using the "company.com" suffix (company.com zone
> > is managed by BIND, while ad.company.com is managed by MS DNS).
> > 
> > One of the ideas was to run (from Linux) LDAP queries against AD for
> > the machines in question, query the MS DNS for the registration and build
> > CNAME entries for BIND based on the query.
> > 
> > Caveat: our AD is configured with "LDAP signing requirement:
> > Negotiate", which means that any attempt for simple bind will be forced to use
> > SSL/TLS (and we do not run CA or have certs installed on DCs) and
> > otherwise will fail. 
> > 
> > From here two options have been proposed:
> > 
> > 1) flip the 7th bit of dsHeuristics to allow anon access and grant
> > anonymous access to the required attributes (dnsHostName)
> > cons: this exposed the AD to potential DoS of LDAP service by
> > anonymous (am I right here ?)
> > 
> > 2) install 3rd party certs on DCs and have scripts use embedded
> > service account for LDAP binds/queries.
> > cons/pros: I have no experience with 3rd party certs on DCs. Are there
> > any caveats or gotchas here ? Is it possible/reasonable ?
> > cons/pros: I have no experience with 3rd party certs on DCs. Are there
> > any caveats or gotchas here ? Is it possible/reasonable ?
> > 
> > In any case, nothing that is not already exposed by DNS is going to be
> > exposed.
> > 
> > If you can think of any other way of achieving the desired result
> > (up-to-date mapping from client.ad.company.com to client.company.com
> > using CNAMEs), I would be happy to hear. Zone transfers are out of the
> > question - we do not want all the hosts from AD DNS, only the certain
> > subset of them.
> > 
> > Thanks,
> > Guy
-- 
Smith & Wesson - the original point and click interface



RE: [ActiveDir] Anonymous bind (here we go again)

2004-08-11 Thread Guy Teverovsky
The company.com suffix for clients is something we would like to get rid
of in the ( not so close) future. This is only needed to support
the legacy habits till the transition from NT to W2K3 is completed and
users are comfortable with the new namespace. At least during the
transition period we need to have the machines in question in both
zones.  

Guy

On Thu, 2004-08-12 at 00:38, joe wrote:
> Why not just have the workstations in the company.com suffix? Is there a
> requirement for them to be in the ad.company.com zone?
> 
>   joe
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Wednesday, August 11, 2004 5:34 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Anonymous bind (here we go again)
> 
> 
> 
> We have W2K3 AD (FFL/DFL 2003) configured as ad.company.com There is a
> subset of workstations (located in pre-configured OUs) that need to be
> resolvable using the "company.com" suffix (company.com zone is managed by
> BIND, while ad.company.com is managed by MS DNS).
> 
> One of the ideas was to run (from Linux) LDAP queries against AD for the
> machines in question, query the MS DNS for the registration and build CNAME
> entries for BIND based on the query.
> 
> Caveat: our AD is configured with "LDAP signing requirement: Negotiate",
> which means that any attempt for simple bind will be forced to use SSL/TLS
> (and we do not run CA or have certs installed on DCs) and otherwise will
> fail. 
> 
> From here two options have been proposed:
> 
> 1) flip the 7th bit of dsHeuristics to allow anon access and grant anonymous
> access to the required attributes (dnsHostName)
> cons: this exposed the AD to potential DoS of LDAP service by anonymous (am
> I right here ?)
> 
> 2) install 3rd party certs on DCs and have scripts use embedded service
> account for LDAP binds/queries.
> cons/pros: I have no experience with 3rd party certs on DCs. Are there any
> caveats or gotchas here ? Is it possible/reasonable ?
> 
> In any case, nothing that is not already exposed by DNS is going to be
> exposed.
> 
> If you can think of any other way of achieving the desired result
> (up-to-date mapping from client.ad.company.com to client.company.com using
> CNAMEs), I would be happy to hear. Zone transfers are out of the question -
> we do not want all the hosts from AD DNS, only the certain subset of them.
> 
> Thanks,
> Guy
> --
> Smith & Wesson - the original point and click interface
> 
-- 
Smith & Wesson - the original point and click interface



[ActiveDir] Anonymous bind (here we go again)

2004-08-11 Thread Guy Teverovsky


We have W2K3 AD (FFL/DFL 2003) configured as ad.company.com
There is a subset of workstations (located in pre-configured OUs) that
need to be resolvable using the "company.com" suffix (company.com zone
is managed by BIND, while ad.company.com is managed by MS DNS).

One of the ideas was to run (from Linux) LDAP queries against AD for the
machines in question, query the MS DNS for the registration and build
CNAME entries for BIND based on the query.

Caveat: our AD is configured with "LDAP signing requirement: Negotiate",
which means that any attempt for simple bind will be forced to use
SSL/TLS (and we do not run CA or have certs installed on DCs) and
otherwise will fail. 

From here two options have been proposed:

1) flip the 7th bit of dsHeuristics to allow anon access and grant
anonymous access to the required attributes (dnsHostName)
cons: this exposed the AD to potential DoS of LDAP service by anonymous
(am I right here ?)

2) install 3rd party certs on DCs and have scripts use embedded service
account for LDAP binds/queries.
cons/pros: I have no experience with 3rd party certs on DCs. Are there
any caveats or gotchas here ? Is it possible/reasonable ?

In any case, nothing that is not already exposed by DNS is going to be
exposed.

If you can think of any other way of achieving the desired result
(up-to-date mapping from client.ad.company.com to client.company.com
using CNAMEs), I would be happy to hear. Zone transfers are out of the
question - we do not want all the hosts from AD DNS, only the certain
subset of them.

Thanks,
Guy
-- 
Smith & Wesson - the original point and click interface
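
As an added example, not code from this thread or from any of its posters, here is the flat-file step discussed above (AD dump in, nsupdate batch out) for the mapping client.ad.company.com -> client.company.com via CNAMEs. The dump format, the OU list, the zone names, the TTL and the dict of CNAMEs already present in the legacy zone are all assumptions for illustration; the batch is meant to be fed to `nsupdate -k <tsig keyfile>`, so the BIND zone only has to accept TSIG-signed updates rather than the open dynamic updates the thread asks about.

```python
import re

# Constructed sample of a flat-file export of computer objects from AD
# (distinguishedName <TAB> dnsHostName).  Not real data.
SAMPLE_DUMP = """\
CN=LAB01,OU=Lab,OU=Workstations,DC=ad,DC=company,DC=com\tlab01.ad.company.com
CN=LAB02,OU=Lab,OU=Workstations,DC=ad,DC=company,DC=com\tLAB02.ad.company.com
CN=FILESRV,OU=Servers,DC=ad,DC=company,DC=com\tfilesrv.ad.company.com
CN=ODD,OU=Lab,OU=Workstations,DC=ad,DC=company,DC=com\todd.other.example
CN=BAD,OU=Lab,OU=Workstations,DC=ad,DC=company,DC=com\tbad host.ad.company.com
CN=NOHOST,OU=Lab,OU=Workstations,DC=ad,DC=company,DC=com\t
"""

# Assumed settings for the illustration (not from the thread).
AD_ZONE = "ad.company.com"       # zone served by MS DNS
LEGACY_ZONE = "company.com"      # zone served by BIND
WATCHED_OUS = ["OU=Lab,OU=Workstations,DC=ad,DC=company,DC=com"]
TTL = 3600

# One DNS label (RFC 1035 rules).  The directory content is input we do not
# fully control, so anything that is not a plain label is refused instead
# of being written into the nsupdate batch.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def parse_dump(text):
    """Yield (distinguishedName, dnsHostName) pairs from the flat file.
    Lines without exactly two fields, or with an empty field, are skipped."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 2:
            continue
        dn, host = parts[0].strip(), parts[1].strip().lower()
        if dn and host:
            yield dn, host


def in_watched_ou(dn, watched_ous):
    """True if the object sits under one of the OUs (directly or nested).
    Plain suffix match on the DN; escaped commas in RDNs are not handled."""
    dn_l = dn.lower()
    return any(dn_l.endswith("," + ou.lower()) for ou in watched_ous)


def short_name(host, ad_zone):
    """Return the host label if dnsHostName is inside ad_zone and is a valid
    label, otherwise None (the host gets no alias)."""
    suffix = "." + ad_zone.lower()
    if not host.endswith(suffix):
        return None
    label = host[:-len(suffix)]
    return label if LABEL_RE.match(label) else None


def desired_cnames(dump_text, watched_ous, ad_zone):
    """Map legacy label -> FQDN in the AD zone, for hosts in the watched OUs."""
    wanted = {}
    for dn, host in parse_dump(dump_text):
        if not in_watched_ou(dn, watched_ous):
            continue
        label = short_name(host, ad_zone)
        if label is not None:
            wanted[label] = host
    return wanted


def build_nsupdate(wanted, current, legacy_zone, ttl):
    """Return nsupdate commands that turn `current` (label -> target, the
    CNAMEs already in the legacy zone) into `wanted`.  Labels no longer
    wanted are deleted, so a host that leaves the OU loses its alias."""
    lines = ["zone %s" % legacy_zone]
    for label in sorted(set(current) - set(wanted)):
        lines.append("update delete %s.%s. CNAME" % (label, legacy_zone))
    for label, target in sorted(wanted.items()):
        if current.get(label) == target:
            continue  # already correct, nothing to send
        lines.append("update delete %s.%s. CNAME" % (label, legacy_zone))
        lines.append("update add %s.%s. %d CNAME %s."
                     % (label, legacy_zone, ttl, target))
    lines.append("send")
    return lines


if __name__ == "__main__":
    # Constructed state of the legacy zone: lab01 is already correct,
    # "gone" belongs to a host that has since left the OU.
    current = {"lab01": "lab01.ad.company.com", "gone": "gone.ad.company.com"}
    wanted = desired_cnames(SAMPLE_DUMP, WATCHED_OUS, AD_ZONE)
    # Feed the output to: nsupdate -k /path/to/tsig.key batch.txt
    print("\n".join(build_nsupdate(wanted, current, LEGACY_ZONE, TTL)))
```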



RE: [ActiveDir] Anonymous bind

2004-05-28 Thread Guy Teverovsky
I have gone over the Vintela white paper you posted a link to some time
ago. Looks very promising.
But give the Open Source folks some time... go figure, maybe they will
come up with something even better :oP

Guy

On Fri, 2004-05-28 at 01:28, joe wrote:
> Nothing free. :oP
> 
> However Vintela and other companies are working on making this A LOT easier
> for a price. I expect in another year or so *nix machines will hardly be any
> more hassle to manage in an Enterprise than Windows machines. 
> 
> I doubt anyone will do something in this arena for free. It isn't exactly
> the kind of thing the Open Source people really care to do, I don't think.
> More of a corporate thing and I don't visualize any company going through
> writing this up for themselves and then giving it away. 
> 
>   joe
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Tuesday, May 25, 2004 7:23 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous bind
> 
> LDAP with SSL/TLS is way better than NIS.
> 
> As for environment, it's two W2K3 forests with Kerberos forest trust.
> Forest A has several child domains and holds user accounts.
> Forest B is where my hosts are (We are relatively small organization in the
> enterprise, but we are R&D and want to have control at least over the
> hosts).
> 
> So users can come from any child domain of forest A and logon to hosts in
> forest B. Now Linux does not play well, when the host is in one realm, and
> users are from several other realms... The only workaround is to map uid to
> Kerb principal in the LDAP. Modifying the A forest schema (user accounts) is
> not an option, and it's quite reasonable considering the small size of our
> division.
> 
> So here I am, stuck with LDAP authentication ...
> If you have any better idea, I am all ears ;)
> 
> Guy
> 
> On Mon, 2004-05-24 at 16:25, Mulnick, Al wrote:
> > Just for curiosity...
> > 
> > You don't want to use NIS because it's less secure, yet you are going 
> > to use LDAP for authentication?  Isn't that a counter?
> > 
> > Can you give an overview of your topology and what you're wanting to 
> > accomplish in the end?  I think we tried to help with the original 
> > post without all of the topology information.
> > 
> > Sounds like an interesting problem though...
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> > Teverovsky
> > Sent: Friday, May 21, 2004 7:01 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Anonymous bind
> > 
> > If you excuse me, I will break the inline pattern ;). It got too
> > unreadable.
> > 
> > I have seen the interoperability doc. I have also read the whole doc 
> > mentioned in the post. It's a very good reference, but is lacking any 
> > description of Kerberos deployments in multi-realm environments.
> > Personally I had to choose LDAP authentication instead of Kerberos 
> > because my hosts are in one forest, while user accounts are from a 
> > child domain of another forest. If someone is aware of a workaround 
> > for that, monthly beer supply is on me ;)
> > 
> > SFU is nice, but it tries to emulate NIS and with all due respect to 
> > NIS, its time is gone. There are just too many security issues with NIS.
> > 
> > As for having more than one directory, see my reply to joe. I wish I 
> > could put it all in one place, but it's not always possible.
> > 
> > Guy
> > 
> > On Thu, 2004-05-20 at 03:15, Eric Fleischman wrote:
> > > A few bits more.
> > > 
> > > [Guy] I know that I am speculating here but all I wanted to do is to 
> > > point the finger to the interoperability issue. Setting up a 
> > > heterogeneous environment is a pain. Putting *nix clients (or
> > > services) into the AD mix is not easy. One would blame the marketing 
> > > attitude, the other would blame the maturity level of the other OSes.
> > > The truth, I believe, is somewhere in between. So here we go:
> > > 
> > > [EFLEIS] - Have you seen the whole paper we wrote on Kerb interop? 
> > > And just about anything around SFU (which might I point out again 
> > > won best app at Linux world)? 
> > > I think we've done a great job of interop. Can we do better? Always! 
> > > And we continue to work on it. 
> > > But we're doing a *lot* in this space.
> > > We have doc's out th

RE: [ActiveDir] DC not replicating out

2004-05-28 Thread Guy Teverovsky

The error was Access Denied... My colleague has found a workaround for
the replication issue by adding the accounts of the DCs that were trying
to pull to Builtin\Administrators group. After that the replication
started to flow. More investigation showed that the DC was rejecting any
connection of accounts that are not members of Administrators group as a
result of local security settings corruption.

It looks like WMI db corruption was not along there.
Restoring the local security settings solved the issue.  


Guy

On Fri, 2004-05-28 at 01:53, joe wrote:
> I doubt the GPO is it, could be wrong, but doubt it. However what did you
> change in the GPO?
> 
> What does repadmin /showreps say on the DC trying to pull?
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Wednesday, May 26, 2004 11:40 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DC not replicating out
> 
> Both come up clean, despite the fact that the A record for the DC initially
> didn't have the BAD_DC$ account in the ACL and the owner was SYSTEM instead
> of BAD_DC$. I adjusted that manually and the change replicated to all DCs.
> Still the netdiag and dcdiag do not show any DNS related problems - only FRS
> and AD outbound replication is failing. All other tests are fine.
> 
> Other DCs that participate in the replication with bad DC come up with KCC
> errors (eventid 1311: there is insufficient site connectivity,
> blabla...) - it's the only DC at site.  
> 
> It looks almost like island DNS, but it's W2K3 and that should not happen.
> 
> Guy
> 
> On Wed, 2004-05-26 at 17:50, Mulnick, Al wrote:
> > Would be relatively easy to check DNS.  DCDIAG and NETDIAG would be 
> > two tools to use to check to see that all is well from the bad dc and 
> > good dc perspectives. I'd say go the easy part first.
> > 
> > Invalid Checksum?  Hmmm...  Anything in the security logs that gives 
> > an indication?
> > 
> > Al
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> > Teverovsky
> > Sent: Tuesday, May 25, 2004 6:02 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] DC not replicating out
> > 
> > 
> > I am banging my head against the wall the whole day.
> > 
> > In pilot environment we applied a GPO to replace the Default DC GPO.
> > Apparently one of the DCs had some issues when the GPO was applied.
> > The result was: the inbound replication on the DC works, but no other 
> > DC can pull from the sick one.
> > Closer examination showed total WMI repository corruption. I have 
> > rebuilt it and it looks that WMI is back (not sure it's related, but 
> > worth mentioning)
> > 
> > Since then, the new GPO has been unlinked and replaced with default 
> > (and as the inbound replication on the DC in question is working, it 
> > has replicated to it). But that has not resolved the issue.
> > 
> > From faulty DC issued:
> > repadmin /replicate good_dc bad_dc cn=configuration,dc=compay,dc=com 
> > /force
> > 
> > Traced the session with network monitor from the good DC...
> > What I see is:
> > - LDAP bind
> > - some searches performed and answered correctly
> > - MSRPC session initiated
> > - RPC request from good DC, RPC response from bad DC
> > - RPC bind request from good DC and RPC Bind Ack from bad DC
> > - again RPC request from good DC, RPC response from bad DC
> > - again RPC bind request from good DC and RPC Bind Nack from bad DC 
> > with Provider Reject Reason: "Invalid checksum"
> > 
> > I was about to blame the DNS till I got this "Invalid checksum" in the 
> > trace...
> > 
> > Now the question is: am I complicating the whole thing and should look 
> > closer into DNS or this is something else ?
> > 
> > Thanks,
> > Guy
> > 
> > 
> 



RE: [ActiveDir] DC not replicating out

2004-05-26 Thread Guy Teverovsky
Both come up clean, despite the fact that the A record for the DC
initially didn't have the BAD_DC$ account in the ACL and the owner was
SYSTEM instead of BAD_DC$. I adjusted that manually and the change
replicated to all DCs. Still the netdiag and dcdiag do not show any DNS
related problems - only FRS and AD outbound replication is failing. All
other tests are fine.

Other DCs that participate in the replication with bad DC come up with
KCC errors (eventid 1311: there is insufficient site connectivity,
blabla...) - it's the only DC at site.  

It looks almost like island DNS, but it's W2K3 and that should not
happen.

Guy

On Wed, 2004-05-26 at 17:50, Mulnick, Al wrote:
> Would be relatively easy to check DNS.  DCDIAG and NETDIAG would be two
> tools to use to check to see that all is well from the bad dc and good dc
> perspectives. I'd say go the easy part first.
> 
> Invalid Checksum?  Hmmm...  Anything in the security logs that gives an
> indication?
> 
> Al 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Tuesday, May 25, 2004 6:02 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] DC not replicating out
> 
> 
> I am banging my head against the wall the whole day.
> 
> In pilot environment we applied a GPO to replace the Default DC GPO.
> Apparently one of the DCs had some issues when the GPO was applied.
> The result was: the inbound replication on the DC works, but no other DC can
> pull from the sick one.
> Closer examination showed total WMI repository corruption. I have rebuilt it
> and it looks that WMI is back (not sure it's related, but worth mentioning)
> 
> Since then, the new GPO has been unlinked and replaced with default (and as
> the inbound replication on the DC in question is working, it has replicated
> to it). But that has not resolved the issue.
> 
> From faulty DC issued:
> repadmin /replicate good_dc bad_dc cn=configuration,dc=compay,dc=com /force
> 
> Traced the session with network monitor from the good DC...
> What I see is:
> - LDAP bind
> - some searches performed and answered correctly
> - MSRPC session initiated
> - RPC request from good DC, RPC response from bad DC
> - RPC bind request from good DC and RPC Bind Ack from bad DC
> - again RPC request from good DC, RPC response from bad DC
> - again RPC bind request from good DC and RPC Bind Nack from bad DC with
> Provider Reject Reason: "Invalid checksum"
> 
> I was about to blame the DNS till I got this "Invalid checksum" in the
> trace...
> 
> Now the question is: am I complicating the whole thing and should look
> closer into DNS or this is something else ?
> 
> Thanks,
> Guy
> 
> 



RE: [ActiveDir] Anonymous bind

2004-05-25 Thread Guy Teverovsky
LDAP with SSL/TLS is way better than NIS.

As for environment, it's two W2K3 forests with Kerberos forest trust.
Forest A has several child domains and holds user accounts.
Forest B is where my hosts are (We are relatively small organization in
the enterprise, but we are R&D and want to have control at least over
the hosts).

So users can come from any child domain of forest A and logon to hosts
in forest B. Now Linux does not play well, when the host is in one
realm, and users are from several other realms... The only workaround is
to map uid to Kerb principal in the LDAP. Modifying the A forest schema
(user accounts) is not an option, and it's quite reasonable considering
the small size of our division.

So here I am, stuck with LDAP authentication ...
If you have any better idea, I am all ears ;)

Guy

On Mon, 2004-05-24 at 16:25, Mulnick, Al wrote:
> > Just for curiosity...
> 
> You don't want to use NIS because it's less secure, yet you are going to use
> LDAP for authentication?  Isn't that a counter?
> 
> Can you give an overview of your topology and what you're wanting to
> accomplish in the end?  I think we tried to help with the original post
> without all of the topology information.  
> 
> Sounds like an interesting problem though...
>  
> 
> -Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Friday, May 21, 2004 7:01 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous bind
> 
> If you excuse me, I will break the inline pattern ;). It got too unreadable.
> 
> I have seen the interoperability doc. I have also read the whole doc
> mentioned in the post. It's a very good reference, but is lacking any
> description of Kerberos deployments in multi-realm environments.
> Personally I had to choose LDAP authentication instead of Kerberos because
> my hosts are in one forest, while user accounts are from a child domain of
> another forest. If someone is aware of a workaround for that, monthly beer
> supply is on me ;)
> 
> SFU is nice, but it tries to emulate NIS and with all due respect to NIS,
> its time is gone. There are just too many security issues with NIS.
> 
> As for having more than one directory, see my reply to joe. I wish I could
> put it all in one place, but it's not always possible.
> 
> Guy
> 
> On Thu, 2004-05-20 at 03:15, Eric Fleischman wrote:
> > A few bits more.
> > 
> > [Guy] I know that I am speculating here but all I wanted to do is to 
> > point the finger to the interoperability issue. Setting up a 
> > heterogeneous environment is a pain. Putting *nix clients (or 
> > services) into the AD mix is not easy. One would blame the marketing 
> > attitude, the other would blame the maturity level of the other OSes. 
> > The truth, I believe, is somewhere in between. So here we go:
> > 
> > [EFLEIS] - Have you seen the whole paper we wrote on Kerb interop? 
> > And just about anything around SFU (which might I point out again won best
> > app at Linux world)? 
> > I think we've done a great job of interop. Can we do better? Always! And
> > we continue to work on it. 
> > But we're doing a *lot* in this space.
> > We have doc's out there that go down to even walk you through how to set
> > up the pam modules! 
> > We have a lot out there. Here's one of my fav docs, but there are
> > others; this is from a post to this very DL: 
> > http://www.mail-archive.com/[EMAIL PROTECTED]/msg13880.html
> > 
> > 
> > 1) You are right. Nobody mentioned schema extensions, but the truth is 
> > that if you are considering the integration of open source services, 
> > you probably do have some Linux boxes around. NIS sucks big time. NIS+ 
> > is a pain to configure and both do not give you SSO. AD is great, but 
> > does not have out-of-the-box capabilities to absorb non-MS clients. So 
> > what is left for those that can not afford VAS ? Either tweak the 
> > schema (Linux client will have hard time without posixAccount and 
> > posixGroup
> > objectClasses) or have a cut down functionality (sendmail LDAP mail 
> > routing is great, but I would not extend the AD's schema just to make 
> > sendmail happy). And if you are still short on the $$$, you are 
> > starting to improvise (talking about OpenLDAP...). SMBs are somewhat 
> > neglected in this area.
> > 
> > 2) Small *heterogeneous* environments. If all you have is Windows, 
> > there is no reason to bring in more overhead. Long live and prosper AD !
> > 
> > 3) 
> > a) Linux clients logons require uid, uidNumber, gidNumber and et

[ActiveDir] DC not replicating out

2004-05-25 Thread Guy Teverovsky

I am banging my head against the wall the whole day.

In pilot environment we applied a GPO to replace the Default DC GPO.
Apparently one of the DCs had some issues when the GPO was applied.
The result was: the inbound replication on the DC works, but no other DC
can pull from the sick one.
Closer examination showed total WMI repository corruption. I have
rebuilt it and it looks that WMI is back (not sure it's related, but
worth mentioning)

Since then, the new GPO has been unlinked and replaced with default (and
as the inbound replication on the DC in question is working, it has
replicated to it). But that has not resolved the issue.

>From faulty DC issued:
repadmin /replicate good_dc bad_dc cn=configuration,dc=compay,dc=com
/force

Traced the session with network monitor from the good DC...
What I see is:
- LDAP bind
- some searches performed and answered correctly 
- MSRPC session initiated
- RPC request from good DC, RPC response from bad DC 
- RPC bind request from good DC and RPC Bind Ack from bad DC
- again RPC request from good DC, RPC response from bad DC
- again RPC bind request from good DC and RPC Bind Nack from bad DC with
Provider Reject Reason: "Invalid checksum"

I was about to blame the DNS till I got this "Invalid checksum" in the
trace...

Now the question is: am I complicating the whole thing and should look
closer into DNS or this is something else ?

Thanks,
Guy


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Domain Controller Security...

2004-05-24 Thread Guy Teverovsky
You can restrict access to Task Scheduler using GPO (Admin
Templates\Windows Components\Task Scheduler) and by changing permissions
on %SYSTEMROOT%\Tasks folder, but there are other ways around.

BTW, I remember reading somewhere that "at" command uses old style API
which is not enforced by GPO, and therefore the only way around is to
change the ACL on Tasks folder. Anyone remembers the details ?

Guy

On Mon, 2004-05-24 at 14:44, Roger Seielstad wrote:
> The problem, as you're most likely aware, is that server admins have
> access to the Task Scheduler, which means they can kick things off as
> LocalSystem, which means the DC is then 0wn3d.(owned)
> 
> Not sure what I'd do in your shoes. I'm fortunate enough to have really
> good IT folk in my remote locations with DCs. I'm also fortunate enough
> to be 6'5" tall, built like an NFL lineman, and have an expense account
> with which I can purchase plane tickets to their location to engage in
> what my ex-Army junior admin refers to as "wall to wall counseling."
> 
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -Original Message-
> > From: Chris Lynch [mailto:[EMAIL PROTECTED] 
> > Sent: Friday, May 21, 2004 5:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Domain Controller Security...
> > 
> >  
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> > 
> > I know.  I agree that this isn't good security practice.  I wouldn't
> > recommend this as well.  But, for the lack of space in most locations
> > (and we are only talking about 4 locations), we would just like to
> > give the local tech access to that DC only and no other DC in the
> > domain.  I can restrict them to log onto that DC local to them only
> > (via GPO).  I might just give them Server Operators rights, restrict
> > them to log onto that DC only, and call it a day.
> > 
> > Thanks,
> > 
> > Chris 
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > > Roger Seielstad
> > > Sent: Friday, May 21, 2004 10:19 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Domain Controller Security...
> > > 
> > > True... I musta read half the question (again).
> > > 
> > > 
> > > --
> > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > Sr. Systems Administrator
> > > Inovis Inc.
> > >  
> > > 
> > > > -Original Message-
> > > > From: joe [mailto:[EMAIL PROTECTED]
> > > > Sent: Friday, May 21, 2004 12:41 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] Domain Controller Security...
> > > > 
> > > > I am not sure that fits his requirements for this one...
> > > > 
> > > > Sounds like he is file sharing from the DC (not something I 
> > > personally
> > > > recommend) and obviously it would be a bit much to dcpromo down
> > > > and  back up to add a new share.
> > > > 
> > > >   joe
> > > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > > > Seielstad
> > > > Sent: Friday, May 21, 2004 11:54 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] Domain Controller Security...
> > > > 
> > > > I like Joe Richard's option - DCPromo it out, let the tech 
> > > work on it, 
> > > > and DCPromo it back in
> > > > 
> > > > 
> > > > --
> > > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > > Sr. Systems Administrator
> > > > Inovis Inc.
> > > >  
> > > > 
> > > > > -Original Message-
> > > > > From: Chris Lynch [mailto:[EMAIL PROTECTED]
> > > > > Sent: Friday, May 21, 2004 11:27 AM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: [ActiveDir] Domain Controller Security...
> > > > > 
> > > > >  
> > > > > -BEGIN PGP SIGNED MESSAGE-
> > > > > Hash: SHA1
> > > > > 
> > > > > I'm wondering if anyone has accomplished the following:
> > > > > 
> > > > > Provided different security policies to multiple DC's
> > > > within the same
> > > > > domain, but different OU's for field techs to manage
> > > > resources on just
> > > > > that DC without giving Server Operators rights.
> > > > > 
> > > > > I have almost all of the requirements resolved, except the
> > > > ability to
> > > > > create shares.  I have modified the security on the 
> > > > > HKLM\System\CurrentControlSet\Services\LanManserver and 
> > > > > HKLM\System\ControlSet001\Services\LanManserver with no success.
> > > > > Every document I have read about where the shares 
> > definitions are 
> > > > > stored are located in these two reg keys.
> > > > > 
> > > > > I know the simple way would be to deploy another server to that 
> > > > > location and give them local Administrator rights.  But, 
> > > management 
> > > > > doesn't want to do this.
> > > > > 
> > > > > Thanks for any input,
> > > > > 
> > > > > Chri

RE: [ActiveDir] Anonymous bind

2004-05-21 Thread Guy Teverovsky
 sounds nice at first, till you hit the non-RFC compliance barrier of
> uid attribute in SFU and realize that NIS is by no means not a secure
> environment)
> [EFLEIS] - Yup, SFU can do this. Schema extension required of course, but
> painless (if memory serves me correctly, no PAS extensions there).
>  
>   b) a lot of *nix services can be easily managed through LDAP
> backend, though the interoperability issues with AD force the creation of
> another directory. I totally agree with you here - it IS overhead, but if I
> extend the schema with app-specific *nix extensions I put myself in danger
> of that specific extension colliding with future (no offense) MS insights :)
> and I do not want mangled attributes in AD.
> 
> [EFLEIS] - So we think it is easier to sync over a subset of data to the
> other directory, extend there and populate there? Rather than just putting
> it all in the main directory? I'm sorry, I just disagree. :)
> 
>   c) I am writing these lines right after bachelor's party of one of
> my friends, so my apologies for not coming up with more. Promise to be back
> to my senses tomorrow.  
> 
> [EFLEIS] - Hehe, I can't help you here. :)
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Wednesday, May 19, 2004 7:01 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous bind
> 
> Inline is fine by me ;)
> 
> Cheers,
> Guy
> 
> [snip]
> > [EFLEIS] - So you don't like anonymous access on AD because it is hard?
> It's two steps: one to allow the bind, one to give access to the
> resources. It's like a light switch + a dimmer. Turn it on, then tell me how
> much you want. Click in, then turn the knob. I actually like it this
> way: now you can wholesale turn the whole thing off with one flip of a
> flag in dsHeuristics and not have to touch your ACLs until later when you
> see fit to do so.
> > Or is there more to what you're trying to say here that I'm missing?
> [Guy] As I have already said, this is something I was not aware of.
> Thanks for pointing that out.
> btw, KB 326690 still mentions 7th bit.
>   
> [snip]
> > [EFLEIS] - Wow, many corrections to be made here:
> > 1) I don't recall seeing any mention in this thread of a schema extension,
> only change in ACLs to facilitate a client. There's been no discussion here
> about schema extensions, but if I'm missing the point where there was please
> point it out ot me.
> > 2) What I found interesting is that you said you like this for small
> enterprises and a single directory for large. Many customers would argue
> that the ideal is the other way around, since the small shop has fewer
> resources to invest in settting up and maintaining the sync mechanisms.
> While I wish everyone had a single directory, if forced to pick a group of
> people to sync, I'd rather it be the big guys than the little ones.
> > 3) You said many advantages, but only cited:
> > a) same OpenLDAP for Linux client logs - same as what? I'm not sure
> I follow. It sounds like the Linux client config would be the same.
> > Where are the others I missed?
> [Guy] I know that I am speculating here but all I wanted to do is to point
> the finger to the interoperability issue. Setting up a heterogeneous
> environment is a pain. Putting *nix clients (or services) into the AD mix is
> not easy. One would blame the marketing attitude, the other would blame the
> maturity level of the other OSes. The truth, I believe, is somewhere in
> between. So here we go:
> 1) You are right. Nobody mentioned schema extensions, but the truth is that
> if you are considering the integration of open source services, you probably
> do have some Linux boxes around. NIS sucks big time. NIS+ is a pain to
> configure and both do not give you SSO. AD is great, but does not have
> out-of-the-box capabilities to absorb non-MS clients. So what is left for
> those that can not afford VAS ? Either tweak the schema (Linux client will
> have hard time without posixAccount and posixGroup
> objectClasses) or have a cut down functionality (sendmail LDAP mail routing
> is great, but I would not extend the AD's schema just to make sendmail
> happy). And if you are still short on the $$$, you are starting to improvise
> (talking about OpenLDAP...). SMBs are somewhat neglected in this area.
> 
> 2) Small *heterogeneous* environments. If all you have is Windows, there is
> no reason to bring in more overhead. Long live and prosper AD !
> 
> 3) 
>   a) Linux clients logons require uid, uidNumber, gidNumber and etc...
> (SFU sounds nice at first, till

RE: [ActiveDir] Anonymous bind

2004-05-21 Thread Guy Teverovsky
If you excuse me, I will break the inline pattern ;). It got too
unreadable.

I have seen the interoperability doc. I have also read the whole doc
mentioned in the post. It's a very good reference, but is lacking any
description of Kerberos deployments in multi-realm environments.
Personally I had to choose LDAP authentication instead of Kerberos
because my hosts are in one forest, while user accounts are from a child
domain of another forest. If someone is aware of a workaround for that,
monthly beer supply is on me ;)

SFU is nice, but it tries to emulate NIS and with all due respect to NIS,
its time is gone. There are just too many security issues with NIS.

As for having more than one directory, see my reply to joe. I wish I
could put it all in one place, but it's not always possible.

Guy

On Thu, 2004-05-20 at 03:15, Eric Fleischman wrote:
> A few bits more.
> 
> [Guy] I know that I am speculating here but all I wanted to do is to
> point the finger to the interoperability issue. Setting up a
> heterogeneous environment is a pain. Putting *nix clients (or services)
> into the AD mix is not easy. One would blame the marketing attitude, the
> other would blame the maturity level of the other OSes. The truth, I
> believe, is somewhere in between. So here we go:
> 
> [EFLEIS] - Have you seen the whole paper we wrote on Kerb interop? 
> And just about anything around SFU (which might I point out again won best app at 
> Linux world)? 
> I think we've done a great job of interop. Can we do better? Always! And we continue 
> to work on it. 
> But we're doing a *lot* in this space.
> We have doc's out there that go down to even walk you through how to set up the pam 
> modules! 
> We have a lot out there. Here's one of my fav docs, but there are others
> this is from a post to this very DL: http://www.mail-archive.com/[EMAIL 
> PROTECTED]/msg13880.html
> 
> 
> 1) You are right. Nobody mentioned schema extensions, but the truth is
> that if you are considering the integration of open source services, you
> probably do have some Linux boxes around. NIS sucks big time. NIS+ is a
> pain to configure and both do not give you SSO. AD is great, but does
> not have out-of-the-box capabilities to absorb non-MS clients. So what
> is left for those that can not afford VAS ? Either tweak the schema
> (Linux client will have hard time without posixAccount and posixGroup
> objectClasses) or have a cut down functionality (sendmail LDAP mail
> routing is great, but I would not extend the AD's schema just to make
> sendmail happy). And if you are still short on the $$$, you are starting
> to improvise (talking about OpenLDAP...). SMBs are somewhat neglected in
> this area.
> 
> 2) Small *heterogeneous* environments. If all you have is Windows, there
> is no reason to bring in more overhead. Long live and prosper AD !
> 
> 3) 
>   a) Linux clients logons require uid, uidNumber, gidNumber and etc...
> (SFU sounds nice at first, till you hit the non-RFC compliance barrier
> of uid attribute in SFU and realize that NIS is by no means not a secure
> environment) 
> [EFLEIS] - Yup, SFU can do this. Schema extension required of course, but painless 
> (if memory serves me correctly, no PAS extensions there).
>  
>   b) a lot of *nix services can be easily managed through LDAP backend,
> though the interoperability issues with AD force the creation of another
> directory. I totally agree with you here - it IS overhead, but if I
> extend the schema with app-specific *nix extensions I put myself in
> danger of that specific extension colliding with future (no offense) MS
> insights :) and I do not want mangled attributes in AD.
> 
> [EFLEIS] - So we think it is easier to sync over a subset of data to the other 
> directory, extend there and populate there? Rather than just putting it all in the 
> main directory? I'm sorry, I just disagree. :)
> 
>   c) I am writing these lines right after bachelor's party of one of my
> friends, so my apologies for not coming up with more. Promise to be back
> to my senses tomorrow.  
> 
> [EFLEIS] - Hehe, I can't help you here. :)
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Wednesday, May 19, 2004 7:01 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous bind
> 
> Inline is fine by me ;)
> 
> Cheers,
> Guy
> 
> [snip]
> > [EFLEIS] - So you don't like anonymous access on AD because it is hard? It's two 
> > steps: one to allow the bind, one to give access to the resources. It's like a 
> > light switch + a dimmer. Turn it on, then tell me how much you want. Click in, 

RE: [ActiveDir] Anonymous bind

2004-05-21 Thread Guy Teverovsky
You are of course right about LDAP being primary a directory and not
authentication protocol, but Linux's support for multiple Kerberos
realms is not good enough and it is what I have in my environment (two
W2K3 forests with cross forest Kerberos trust). I would prefer using
Kerberos for authentication, but there are cases when the overhead and
complication of Kerberos for Linux client authentication is not worth
it, as compared to LDAP authentication.

As for open source LDAP synchronization tool: I am not aware of one.
This is something I would really love to put my hands on.  Commercial
solutions exist, but not always you have the bucks for it.

Guy  

On Thu, 2004-05-20 at 00:13, joe wrote:
> Why use LDAP for Linux client authentication instead of Kerberos? I am
> seriously asking. I don't know why someone would avoid an authentication
> protocol for authentication and instead would use a directory protocol for
> authentication. Especially when you have to go through an extra step then to
> secure the communication. I don't really even like that people do it for
> apps but if you have one application running on one server handling multiple
> users, I can see the draw of LDAP Auth. 
> 
> I am not a huge fan of multiple directories that you have to keep synced.
> The larger the environment more likely the better chance it is something
> that would have to be done. The smaller the environment the less things you
> want to have to deal with as they are less likely to have the people to
> manage the syncing plus more than likely it means yet another piece of
> software to do the syncing though I could be completely wrong and there is a
> beautiful open source free directory syncer out there somewhere. 
> 
>   joe
> 
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Wednesday, May 19, 2004 2:26 PM
> To: [EMAIL PROTECTED]
> Cc: ADS Customer Feedback
> Subject: RE: [ActiveDir] Anonymous bind
> 
> Eric,
> 
> It looks like I was not clear enough. See my comments below.
> 
> And as others have already stated, the solution should be in the app's code.
> The problem is that it's not always that easy to change the code even if
> it's open source.
> 
> Guy
> 
> On Wed, 2004-05-19 at 14:50, Eric Fleischman wrote:
> > I'm going to respectfully disagree with the approach being taken here.
> > It is, IMHO, misguided.
> > 
> >  
> > 
> > What has been described as a security hole (opening your AD for a 
> > subset of operations being allowed by ANONYMOUS) has somehow been 
> > justified in the OpenLDAP world. Make no mistake about it: anonymous 
> > is anonymous on any platform. Allowing ANONYMOUS to read from one 
> > directory vs. another is the same threat. Why they are being viewed is 
> > a mystery to me.
> My point was that you are only syncing with OpenLDAP the
> uid<->sAMAccountName(or upn) and user's Kerberos principal.
> ACL-ing OpenLDAP to allow read access by attribute is one-liner.
> 
> > 
> >  
> > 
> > That said, from an order of complexity perspective, a sync solution 
> > will be substantially harder to set up and maintain over the long 
> > haul.
> Indeed. But it gives several advantages, like using the same OpenLDAP for
> Linux clients logons, without tweaking AD's schema by installing SFU (which
> is rather dumb and not flexible enough to my taste). What I described might
> be a good solution for a small heterogeneous network. In larger scale, I
> would not be even considering deploying an application which by default does
> anonymous binds. 
> > 
> > If this were my project, I would do the following:
> > 
> > 1)   Flip 7th bit of dsHeuristics to 2, enabling the ability to
> > have anonymous binds to the DS (part one of the solution)
> > 
> > 2)   We need to now ACL things to ANONYMOUS has access to the data
> > required. Fundamentally, there are two approaches:
> > 
> > a.   Target the objects that your auth client will be searching
> > (perhaps a single subtree under an OU) and grant ANONYMOUS the minimum 
> > required perms for it. My bet is that just read to a subset of 
> > attributes is sufficient.
> only 2 attributes are needed. The equivalent of uid (sAMAccountName or upn
> ?) and userPassword. 
> > 
> > b.   You can try to flip the reg value "EveryoneIncludesAnonymous"
> > to 1 on a single DC and see if that satisfies your needs. 
> > NOTE: this approach, if it works, is particularly advantageous as it 
> > is localized to a single DC, IE only a subset of DCs would have 
> > increased abi

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Guy Teverovsky
oops...
Damn habit of hitting Reply to All acquired at another dist list.

Sorry again,
Guy 

On Wed, 2004-05-19 at 21:26, Guy Teverovsky wrote:
> Eric,
> 
> It looks like I was not clear enough. See my comments below.
> 
> And as others have already stated, the solution should be in the app's
> code. The problem is that it's not always that easy to change the code
> even if it's open source.
> 
> Guy
> 
> On Wed, 2004-05-19 at 14:50, Eric Fleischman wrote:
> > I'm going to respectfully disagree with the approach being taken here.
> > It is, IMHO, misguided.
> > 
> >  
> > 
> > What has been described as a security hole (opening your AD for a
> > subset of operations being allowed by ANONYMOUS) has somehow been
> > justified in the OpenLDAP world. Make no mistake about it: anonymous
> > is anonymous on any platform. Allowing ANONYMOUS to read from one
> > directory vs. another is the same threat. Why they are being viewed is
> > a mystery to me.
> My point was that you are only syncing with OpenLDAP the
> uid<->sAMAccountName(or upn) and user's Kerberos principal.
> ACL-ing OpenLDAP to allow read access by attribute is one-liner.
> 
> > 
> >  
> > 
> > That said, from an order of complexity perspective, a sync solution
> > will be substantially harder to set up and maintain over the long
> > haul.
> Indeed. But it gives several advantages, like using the same OpenLDAP
> for Linux clients logons, without tweaking AD's schema by installing SFU
> (which is rather dumb and not flexible enough to my taste). What I
> described might be a good solution for a small heterogeneous network. In
> larger scale, I would not be even considering deploying an application
> which by default does anonymous binds. 
> > 
> > If this were my project, I would do the following:
> > 
> > 1)   Flip 7th bit of dsHeuristics to 2, enabling the ability to
> > have anonymous binds to the DS (part one of the solution)
> > 
> > 2)   We need to now ACL things to ANONYMOUS has access to the data
> > required. Fundamentally, there are two approaches:
> > 
> > a.   Target the objects that your auth client will be searching
> > (perhaps a single subtree under an OU) and grant ANONYMOUS the minimum
> > required perms for it. My bet is that just read to a subset of
> > attributes is sufficient.
> only 2 attributes are needed. The equivalent of uid (sAMAccountName or
> upn ?) and userPassword. 
> > 
> > b.   You can try to flip the reg value "EveryoneIncludesAnonymous"
> > to 1 on a single DC and see if that satisfies your needs. 
> > NOTE: this approach, if it works, is particularly advantageous as it
> > is localized to a single DC, IE only a subset of DCs would have
> > increased abilities for ANONYMOUS.
> > 
> >  
> > 
> > Many comments Guy made confuse me, especially this one:
> > 
> > > You will definitely not want that in production
> > 
> > So you want to have a second directory with ANONYMOUS able to read it,
> > but not a single one? How is OpenLDAP with ANONYMOUS somehow different
> > than AD with ANONYMOUS reads enabled? I fail to see the difference
> > here. If your difference was the localization problem, my
> > EveryoneIncludesAnonymous solution might do that for you a bit more
> > gracefully.
> I was not aware of that approach and I stand corrected. Obviously there
> is a good reason I am subscribed to this list - I learn something new
> every day. Thanks guys !
> > 
> >  
> > 
> > I don't recall all of the ACLs that Everyone has in 2k03 out of the
> > box, but if there is a problem there send me a trace of a failure and
> > I can show you what need change to make it work. I bet it is small
> > though.
> > 
> >  
> > 
> > ~Eric
> > 
> >  
> > 
> >  
> > 
> >
> > __
> > 
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Aitzol
> > Naberan Burgaña
> > Sent: Wednesday, May 19, 2004 1:47 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] Anonymous bind
> > 
> > 
> >  
> > 
> > OK, I will try the second approach. 
> > So I have to copy (sync) all the AD data into my local openLDAP???
> > creating a local schema with the user info???
> > --
> > 
> > Aitzol Naberan Burgaña
> > CodeSyntax
> > [EMAIL PROTECTED]
> > www.codesyntax.com
> > Tel: 943  82 17 80
> >

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Guy Teverovsky
Eric,

It looks like I was not clear enough. See my comments below.

And as others have already stated, the solution should be in the app's
code. The problem is that it's not always that easy to change the code
even if it's open source.

Guy

On Wed, 2004-05-19 at 14:50, Eric Fleischman wrote:
> I'm going to respectfully disagree with the approach being taken here.
> It is, IMHO, misguided.
> 
>  
> 
> What has been described as a security hole (opening your AD for a
> subset of operations being allowed by ANONYMOUS) has somehow been
> justified in the OpenLDAP world. Make no mistake about it: anonymous
> is anonymous on any platform. Allowing ANONYMOUS to read from one
> directory vs. another is the same threat. Why they are being viewed is
> a mystery to me.
My point was that you are only syncing with OpenLDAP the
uid<->sAMAccountName(or upn) and user's Kerberos principal.
ACL-ing OpenLDAP to allow read access by attribute is one-liner.

> 
>  
> 
> That said, from an order of complexity perspective, a sync solution
> will be substantially harder to set up and maintain over the long
> haul.
Indeed. But it gives several advantages, like using the same OpenLDAP
for Linux clients logons, without tweaking AD's schema by installing SFU
(which is rather dumb and not flexible enough to my taste). What I
described might be a good solution for a small heterogeneous network. In
larger scale, I would not be even considering deploying an application
which by default does anonymous binds. 
> 
> If this were my project, I would do the following:
> 
> 1)   Flip 7th bit of dsHeuristics to 2, enabling the ability to
> have anonymous binds to the DS (part one of the solution)
> 
> 2)   We need to now ACL things to ANONYMOUS has access to the data
> required. Fundamentally, there are two approaches:
> 
> a.   Target the objects that your auth client will be searching
> (perhaps a single subtree under an OU) and grant ANONYMOUS the minimum
> required perms for it. My bet is that just read to a subset of
> attributes is sufficient.
only 2 attributes are needed. The equivalent of uid (sAMAccountName or
upn ?) and userPassword. 
> 
> b.   You can try to flip the reg value "EveryoneIncludesAnonymous"
> to 1 on a single DC and see if that satisfies your needs. 
> NOTE: this approach, if it works, is particularly advantageous as it
> is localized to a single DC, IE only a subset of DCs would have
> increased abilities for ANONYMOUS.
> 
>  
> 
> Many comments Guy made confuse me, especially this one:
> 
> > You will definitely not want that in production
> 
> So you want to have a second directory with ANONYMOUS able to read it,
> but not a single one? How is OpenLDAP with ANONYMOUS somehow different
> than AD with ANONYMOUS reads enabled? I fail to see the difference
> here. If your difference was the localization problem, my
> EveryoneIncludesAnonymous solution might do that for you a bit more
> gracefully.
I was not aware of that approach and I stand corrected. Obviously there
is a good reason I am subscribed to this list - I learn something new
every day. Thanks guys !
> 
>  
> 
> I don't recall all of the ACLs that Everyone has in 2k03 out of the
> box, but if there is a problem there send me a trace of a failure and
> I can show you what need change to make it work. I bet it is small
> though.
> 
>  
> 
> ~Eric
> 
>  
> 
>  
> 
>
> __
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Aitzol
> Naberan Burgaña
> Sent: Wednesday, May 19, 2004 1:47 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Anonymous bind
> 
> 
>  
> 
> OK, I will try the second approach. 
> So I have to copy (sync) all the AD data into my local openLDAP???
> creating a local schema with the user info???
> --
> 
> Aitzol Naberan Burgaña
> CodeSyntax
> [EMAIL PROTECTED]
> www.codesyntax.com
> Tel: 943  82 17 80
> 
> 
> 
> Guy Teverovsky(e)k dio: 
> 
> There are several solutions to that:
>  
> 1) Grant Everyone read permissions (this object and all child objects)
> to the domain object. The drawbacks are obvious: you are opening a HUGE
> security hole. You will definitely not want that in production.
>  
> 2) Setup OpenLDAP and sync the needed attributes from AD. From what I
> can find ( http://docs.opengroupware.org/Members/sim/ldap-notes/view ),
> you will need to use top, account and simpleSecurityObject
> objectClasses. 
> userPassword attribute can be a pointer to the user's Kerberos principal
> in AD Kerberos realm in the following form:
> userPassword
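Eric's step 1 above ("flip 7th bit of dsHeuristics to 2") is a positional-string edit on the forest's Directory Service object, and it is easy to get wrong by hand. The following is an added example, not code from this thread or from Microsoft: it computes the new dsHeuristics value, preserves flags already set, honours the rule that every tenth character must carry the digit of its tens place, and emits the LDIF a practitioner would feed to ldifde or ldapmodify. The configuration naming context is an assumed placeholder.

```python
"""Added example (not code from the thread): compute the dsHeuristics value
that enables anonymous LDAP operations (7th character -> '2').

dsHeuristics lives on
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root>.
Two rules matter when editing it by hand:
  * characters are 1-based and a shorter string is padded with '0';
  * every 10th character (positions 10, 20, 30, ...) must hold the digit of
    its position divided by ten ('1', '2', '3', ...) or the DS rejects it.
"""

CONFIG_NC = "CN=Configuration,DC=example,DC=com"  # assumption: forest root DN
DS_OBJECT = f"CN=Directory Service,CN=Windows NT,CN=Services,{CONFIG_NC}"
ANON_OPS_POSITION = 7      # fLDAPBlockAnonOps character, 1-based
ANON_OPS_ALLOWED = "2"     # '2' permits anonymous operations; '0'/absent blocks them


def _tens_marker(position: int) -> str:
    """Digit the DS requires at positions 10, 20, 30, ... ('1', '2', '3', ...)."""
    return str(position // 10)


def validate_ds_heuristics(value: str) -> None:
    """Raise ValueError if any mandatory tens-position marker is wrong."""
    for pos in range(10, len(value) + 1, 10):
        if value[pos - 1] != _tens_marker(pos):
            raise ValueError(
                f"position {pos} must be {_tens_marker(pos)!r}, got {value[pos - 1]!r}")


def set_heuristic(current: str, position: int, flag: str) -> str:
    """Return `current` with 1-based character `position` set to `flag`,
    padding with '0' and inserting the mandatory tens markers as needed."""
    if position < 1 or position % 10 == 0:
        raise ValueError("positions 10, 20, ... are reserved markers, not flags")
    if len(flag) != 1:
        raise ValueError("a heuristic flag is a single character")
    chars = list(current or "")
    while len(chars) < position:
        next_pos = len(chars) + 1
        chars.append(_tens_marker(next_pos) if next_pos % 10 == 0 else "0")
    chars[position - 1] = flag
    new_value = "".join(chars)
    validate_ds_heuristics(new_value)   # catches a pre-existing bad value too
    return new_value


def enable_anonymous_ldap(current: str) -> str:
    """Step 1 of the thread: 7th character -> '2'."""
    return set_heuristic(current, ANON_OPS_POSITION, ANON_OPS_ALLOWED)


def disable_anonymous_ldap(current: str) -> str:
    """The one-flag rollback: 7th character back to '0'."""
    return set_heuristic(current, ANON_OPS_POSITION, "0")


def anonymous_ldap_enabled(current: str) -> bool:
    return (len(current) >= ANON_OPS_POSITION
            and current[ANON_OPS_POSITION - 1] == ANON_OPS_ALLOWED)


def modify_ldif(current: str) -> str:
    """LDIF for `ldifde -i` / `ldapmodify` applying the change on the DS object."""
    return "\n".join([
        f"dn: {DS_OBJECT}",
        "changetype: modify",
        "replace: dsHeuristics",
        f"dsHeuristics: {enable_anonymous_ldap(current)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    print(modify_ldif(""))      # fresh forest: value becomes 0000002
    print(modify_ldif("001"))   # existing flags are kept: 0010002
```

Read the current value first (ldifde -d on the DS object, or ADSI Edit) and pass it in; overwriting with a bare "0000002" would silently clear any other heuristic already set in the forest. The ACL work of Eric's step 2 is still required afterwards; this only unblocks the bind.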

Re: [ActiveDir] Anonymous bind

2004-05-18 Thread Guy Teverovsky
There are several solutions to that:

1) Grant Everyone read permissions (this object and all child objects)
to the domain object. The drawbacks are obvious: you are opening a HUGE
security hole. You will definitely not want that in production.

2) Setup OpenLDAP and sync the needed attributes from AD. From what I
can find ( http://docs.opengroupware.org/Members/sim/ldap-notes/view ),
you will need to use top, account and simpleSecurityObject
objectClasses. 
userPassword attribute can be a pointer to the user's Kerberos principal
in AD Kerberos realm in the following form:
userPassword: [EMAIL PROTECTED]
In that way you can allow anonymous searches in OpenLDAP while exposing
the bare minimum data and yet authenticate the users through LDAP.
What happens in such a configuration is something like this:

1) OpenGroupware binds anonymously to OpenLDAP and performs the search
for user object.
2) After the user object is found, OpenGroupware tries to bind as user
to OpenLDAP (you should configure SSL/TLS if you do not want the
passwords to travel in clear text)
3) OpenLDAP proxies the authentication request and passes it to AD's
Kerberos.
4) AD's KDC verifies the user/password and returns OK to OpenLDAP.
5) OpenLDAP lets the user bind to OpenLDAP and user is authenticated.

As you can figure out, this approach greatly depends on the size of
your AD (I have tested this at a small size network when implementing
single sign-on for Linux clients. Have no idea how it will behave, if at
all, with larger than single site implementation).

Have a look at the following link for a HOWTO I used:
http://www.arayan.com/da/yazi/OpenAFS_Kerberos_5.html

Again, I have not tested it with OG and the mentioned above
objectClasses (I needed top, person and posixAccount), but I guess this
should work the same. 

Guy 

On Tue, 2004-05-18 at 17:17, Aitzol Naberan Burgaña wrote:
> It's not so easy to rewrite the source code; I will need to spend a lot of
> time to understand the source and to change it. But I think that I
> have to do it, and change the bind method (I think it will work...).
> 
> OpenGroupware is for unix systems, you can learn more in
> www.opengroupware.org
> 
> Thanks
> --
> Aitzol Naberan Burgaña
> CodeSyntax
> [EMAIL PROTECTED]
> www.codesyntax.com
> Tel: 943  82 17 80
> 
> 
> > joe wrote: 
> > Ah. Interesting, so it sounds like they want to compare the hashes
> > instead of actually use the authentication of the system. Well since
> > it is OpenSource, that should be easy to rewrite and correct huh.
> > :o)
> >  
> > You can open up the anonymous search but if they need to see the
> > password, you are dead in the water right there. You either can't
> > use AD, can't use that product, or you need to modify the
> > authentication routines. 
> >  
> > I have never heard of that product, is it *nix only or do they have
> > Win32 ports?
> >  
> >joe
> >  
> >  
> > 
> > 
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Aitzol
> > Naberan Burgaña
> > Sent: Tuesday, May 18, 2004 9:21 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] Anonymous bind
> > 
> > 
> > I'm trying to authenticate OpenGroupware (open source groupware
> > suite) against Active Directory. The problem is that OpenGroupware's
> > authentication method is a little bit curious:  It tries to do an
> > anonymous bind to the ldap server before it will try to bind as the
> > user name supplied at the login prompt.  Active Directory will allow
> > an anonymous bind, so that part is successful, but it does not allow
> > an anonymous search. I'm not sure where authentication fails,
> > because I have read that OpenGroupware searches for a password and when
> > it doesn't find it, it fails.
> > 
> > --
> > Aitzol Naberan Burgaña
> > CodeSyntax
> > [EMAIL PROTECTED]
> > www.codesyntax.com
> > Tel: 943  82 17 80
> > 
> > 
> > joe wrote: 
> > > Correct.
> > >  
> > > Aitzol, what problem are you trying to solve?
> > >  
> > >   joe
> > > 
> > > __
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Brent
> > > Westmoreland
> > > Sent: Tuesday, May 18, 2004 8:41 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] Anonymous bind
> > > 
> > > 
> > > I know that the unicodePwd attributes can never be read by way of
> > > ldap, you will probably find that this is true for userPassword
> > > also.
> > > 
> > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;269190
> > > 
> > > 
> > > On May 18, 2004, at 6:29 AM, Aitzol Naberan Burgaña wrote:
> > > 
> > > Hi all
> > > 
> > > How can I grant "read" access to userPassword attribute?
> > > 
> > > 
> > > Thanks
> > > 
> > > -- 
> > > Aitzol Naberan Burgaña
> > > CodeSyntax
> > > [EMAIL PROTECTED]
> > > www.codesyntax.com
> > > T
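To make the search-then-bind sequence from Guy's reply concrete, here is an added client-side test script (not from the thread and not OpenGroupware's code). It performs step 1 (anonymous bind and search for the user entry) and step 2 (simple bind as the found DN) against any LDAP server, so an admin can verify that the anonymous search returns only the attributes the OpenLDAP ACL allows and that the user bind works only after StartTLS. Steps 3 to 5 (OpenLDAP passing the credentials to AD's KDC) are server-side OpenLDAP configuration and are not shown. The host name ldap.example.com, the search base and the login name are placeholders.

```powershell
# Added example: reproduce the anonymous-search-then-user-bind flow described
# in the thread against an LDAP server. Placeholders: server, base DN, login.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server = 'ldap.example.com'              # placeholder LDAP host (OpenLDAP front end)
$BaseDn = 'ou=people,dc=example,dc=com'   # placeholder search base
$Login  = 'jdoe'                          # login name typed at the application prompt

function Find-UserDn {
    param([string]$Server, [string]$BaseDn, [string]$Login)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # Step 1: anonymous bind, then search for the user object. Only the
    # attributes the server's ACL exposes to anonymous come back.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.Bind()
    # Escape RFC 4515 metacharacters so the typed login cannot alter the filter
    $safe   = $Login.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req    = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, "(uid=$safe)", $scope, [string[]]@('uid'))
    $resp   = $conn.SendRequest($req)
    $conn.Dispose()
    if ($resp.Entries.Count -ne 1) {
        throw "Expected exactly one entry for '$Login', got $($resp.Entries.Count)"
    }
    return $resp.Entries[0].DistinguishedName
}

function Test-UserBind {
    param([string]$Server, [string]$UserDn, [System.Security.SecureString]$Password)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # Step 2: StartTLS first so the simple bind does not send the password in clear
    $conn.SessionOptions.StartTransportLayerSecurity($null)
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($UserDn, $Password)
    try {
        # Steps 3-5 happen on the server: OpenLDAP verifies the password
        # against AD's KDC and only then accepts the bind.
        $conn.Bind()
        return $true
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Warning "Bind as $UserDn failed: $($_.Exception.Message)"
        return $false
    }
    finally { $conn.Dispose() }
}

$dn = Find-UserDn -Server $Server -BaseDn $BaseDn -Login $Login
$pw = Read-Host -Prompt "Password for $dn" -AsSecureString
Test-UserBind -Server $Server -UserDn $dn -Password $pw
```

Running Find-UserDn with a wider attribute list (or `$null` for all) is a quick way to audit exactly what an anonymous client can read, which is the "bare minimum data" the reply aims for. If the server only offers LDAPS on 636, replace the StartTLS call with `$conn.SessionOptions.SecureSocketLayer = $true` and port 636.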

Re: [ActiveDir] Default printer logon script OT

2004-04-20 Thread Guy Teverovsky
Printers are user specific.
The script needs to run in user context.

Guy

On Tue, 2004-04-20 at 23:19, Kern, Tom wrote:
> Sorry for the off topic. 
> I'm running a VBscript to set the default printer to always be the same printer on a 
> workstation( we have a legacy Paradox dos app and it always prints to the default 
> printer) regardless of the user.
> When I run it from the current session, it works fine.
> However, when I put it into a local policy machine startup script, it can't find the 
> printer. I'm guessing the printers don't get loaded at the computer account logon 
> phase.
> Any way to automatically set a specific printer as default no matter who logs onto a 
> machine?
> thanks
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
-- 
Smith & Wesson - the original point and click interface



[ActiveDir] Effective permission

2004-04-19 Thread Guy Teverovsky
I will try to make the long story short:

2 W2K3 forests with transitive forest trust (abc.com and xyz.com)
xyz.com is "resource forest"
abc.com is "user accounts forest" (child.abc.com is a child domain)

I logged on to forest xyz.com DC with account from child domain of
forest abc.com ([EMAIL PROTECTED]) which is a member of local
Administrators group in xyz.com domain

I created a new GPO and edited the GP object's ACL:
- domain local group "XYZ\NewGPOOwner" contains a domain global group
from the child domain of the other forest: CHILD\xyzGPOOwners
- Account I am logged on with is a member of CHILD\xyzGPOOwners which
makes me also a member of ABC\NewGPOOwners
- Added a domain local group "XYZ\NewGPOOwners" with Full permissions
except "Apply Group Policy" (this makes it Read/Write and Create/Delete
child objects)
- Removed myself from the ACL
- Changed the owner of the object to "XYZ\NewGPOOwners" domain local
group.

Now the funny part:
All permissions behave as expected: I can modify the GPO, change
permissions, change owner, etc... 
BUT if I go to Effective permissions tab and select my
[EMAIL PROTECTED] account, it shows me that I have read only
permissions (just like Authenticated Users).

If I select CHILD\xyzGPOOwners group from account forest (member of
XYZ\NewGPOOwner group), the UI shows that the group has no permissions.

If I select XYZ\NewGPOOwner group, I get the correct permissions.

A little bit confusing and quite inconsistent I would say...

To me it looks like security principals are not processed correctly by
UI, but the OS enforces the correct permissions.
From what I understand, this behavior is similar to partial SID
filtering: the SIDs of user groups from another forest are not
enumerated by UI (despite the fact that the OS enumerates the group
membership correctly)

Any ideas ? 


Thanks,
Guy
-- 
Smith & Wesson - the original point and click interface

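One way to see the permissions the OS actually enforces in a case like this, as an added example that is not part of the post: list the ACEs on the GPO's AD object and mark those whose trustee SID is present in the current logon token. The token carries the fully expanded group list, including resource-forest domain local groups that nest global groups from the trusted forest, which is what access checks use; a tool that re-resolves membership by name can show less than that. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that it runs as the account under test; the GPO name is a placeholder.

```powershell
# Added example: compare the ACL on a GPO's AD object with the SIDs in the
# current logon token (the list the OS evaluates for access checks).
Import-Module ActiveDirectory
Import-Module GroupPolicy

# rightsGuid of the Apply-Group-Policy extended right, to label those ACEs
$ApplyGroupPolicyGuid = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Get-TokenEffectiveAces {
    param([string]$GpoName)
    $gpoDn = (Get-GPO -Name $GpoName).Path            # cn={guid},cn=policies,cn=system,DC=...
    $acl   = Get-Acl -Path "AD:\$gpoDn"

    # Token SIDs: the user plus every group the logon session was built with,
    # across forest trusts (same list 'whoami /groups' prints)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    foreach ($ace in $acl.Access) {
        # Translate the trustee to a SID; principals from the other forest may
        # already be shown as a raw SID, so fall back to the string itself
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }
        [pscustomobject]@{
            Trustee     = $ace.IdentityReference.Value
            InMyToken   = ($sids -contains $sid)
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            ApplyGP     = ($ace.ObjectType -eq $ApplyGroupPolicyGuid)
            Inheritance = $ace.InheritanceType
        }
    }
}

Get-TokenEffectiveAces -GpoName 'NewGPO' |
    Sort-Object InMyToken -Descending |
    Format-Table -AutoSize
```

Rows with InMyToken set to True are the ACEs that apply to the session, regardless of what a UI derives from group membership. Because the token is built at logon, a membership change in the other forest shows up only after logging on again.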


RE: [ActiveDir] Wlan & AD Security

2004-04-13 Thread Guy Teverovsky
I would say that the link below gives a pretty good reason for not
plugging APs into internal LAN:
http://www.cisco.com/en/US/products/products_security_advisory09186a00802119c8.shtml

Guy

On Tue, 2004-04-13 at 18:12, Mulnick, Al wrote:
> That's a pretty valid argument to put any access to your network into an
> untrusted network segment, isn't it?  Remote access, wired access (what
> about vendors that jack-in?)etc. 
> 
> There's some talk about using the reskit stuff to quarantine the network
> access.  Some of the AP providers offer this type of usage as well.  One of
> the better ways to accomplish authorized access only is to use strong
> authentication.  WEP isn't it.  Cracking WEP is published and pretty quick.
> MAC layer isn't all that great either since you can spoof the MAC address to
> gain access. Certificates are nice, except that some of your downlevel and
> handheld devices won't like it.  
> 
> 
> I'd say this is a pretty valid argument to rethink security (for many
> companies) from a "keep out the bad guys and we'll be fine" mentality to a
> "let's figure out what we need to protect on our network and add security to
> those parts to protect from outside the firewall as well as the inside of
> the firewall" mentality.  When you can sip coffee or favorite hot beverage
> of choice downstairs and wander a company's network two floors above or
> across the street, the possibilities are limitless.  
> 
> I favor the certificate method and VPN for wireless access, but that only
> addresses part of the issue IMHO.
> 
> Al  
> 
> 
> 
>  
> 
> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 13, 2004 12:13 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Wlan & AD Security
> 
> Chris,
> 
> We sometimes become off-topic city.  No worries there
> 
> This is an interesting topic, and one that I will fall clearly on one side
> of it because of my experiences at my company.
> 
>  Treat your access points like untrusted computers in the public
> DMZ. 
> 
> There is really no way that one should treat an access point in any other
> way.  Given that the signals coming into an AP cannot truly be verified,
> then one must add extra methods to ensure security.  The way that I prefer
> to see this accomplished is by placing the AP's into an untrusted area of the
> network, applying a 128-bit WEP key, then using some added methods
> consistent with 802.1x.  This can either be PEAP (using RADIUS / IAS),
> Cisco's LEAP, or other secure methods for providing strong authentication.
> Obviously, stronger the better, and two-factor (RSA fob, smart card, what
> have you) is magnitudes better than a single factor authN.
> 
> I'm still fighting to get my APs at work in the DMZ.  They are, at present,
> on our internal network.  They are PEAP protected, but somehow I'm just not
> all that heartened by the simple addition of PEAP to untrusted devices.
> 
> Rick Kingslan  MCSE, MCSA, MCT, CISSP
> Microsoft MVP:
> Windows Server / Directory Services
> Windows Server / Rights Management
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
> WebLog - www.msmvps.com/willhack4food
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chris Blair
> Sent: Monday, April 12, 2004 8:47 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Wlan & AD Security
> 
> This maybe slightly Off Topic, Sorry. I am looking to deploy wireless access
> points for our users to access our AD. I am currently reading the white
> paper from Microsoft named "Enterprise Deployment of Secure 802.11 Networks
> Using Microsoft Windows". Has anyone else implemented this? I have also read
> about putting the AP's outside of the network and using VPN to access any AD
> related resources. Sounds easier, but is it as secure? Does anyone else have
> any other solutions?




RE: [ActiveDir] Group Policy

2004-03-16 Thread Guy Teverovsky
Darren, now I am puzzled...
I would have sworn that what I have described once worked with W2K (if I
am not mistaken, it was SP1), but  

So I checked...

2 DCs in the test domain (W2K native): 
1 W2K3 (holds all FSMOs)
1 W2K SP4 (GC)

Test 1:
On W2K3:
1) Defined Default Domain Policy with 6 chars password length.
2) Defined Default DC Policy with 8 chars length.
3) ReACL-ed the Default Domain Policy and denied it to Enterprise Domain
Controllers
4) gpupdate + gpresult shows that default domain policy is not applied
at DCs.
5) Trying to set user's password to 6 chars works (just as you have
said) ==> Default DC password complexity settings are indeed ignored
6) Canceled the Deny for enterprise DCs on default domain policy +
gpupdate + gpresult
7) Default Domain Policy (6 chars) is enforced (meanwhile everything as
expected)

Test 2 (things stop making sense):
1) Default domain Policy is configured not to define password complexity
2) W2K3 local machine policy is set to 5 chars
3) W2K local machine policy set to 6 chars
4) sync the domain && gpupdate && secedit /refreshpolicy
5) on W2K setting 5 char password works (local policy set to 6)
6) on W2K3 5 char password works (local policy set to 5)
7) trying 4 chars fails on both DCs

Test 3 (the other way around):
1) Default domain Policy is configured not to define password complexity
2) W2K3 local machine policy is set to 6 chars
3) W2K local machine policy set to 5 chars
4) sync the domain && gpupdate && secedit /refreshpolicy
5) on W2K3 setting 5 char password fails (local policy set to 6)
6) on W2K 5 char password fails ! (local policy set to 5)
7) trying 4 chars fails on both DCs

Now I've been lurking this mail list for quite a while and been
listening to Joe :), so I fire up Network Monitor on W2K3 (local=6)
while trying to set 5 char password on W2K (local=5) and I see nothing,
except some LDAP chatter about cn=configuration,dc=domain,dc=com... and
yet the password reset to 5 chars fails.

What is going on here ??? What am I missing ?


Test 4 (back to reality):
1) set default domain policy to 6 chars + sync the DCs + check that GPO
setting have replicated)
2) gpupdate && secedit /refreshpolicy 
3) local policies are overridden as expected and 6 char passwords are
enforced

Guy

On Tue, 2004-03-16 at 07:08, Darren Mar-Elia wrote:
> Yea, that's the right way to do it Joe. 
> 
> Guy, I'm kinda surprised you actually saw that behavior. I was under the
> impression that password complexity was one of those account policies
> that was completely ignored by DCs unless its linked to a domain policy.
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Monday, March 15, 2004 5:03 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Group Policy
> 
> I would think you could do this by simply linking another policy for the
> member machines at a lower OU level that still encompasses all of those
> machines. I know I did this for lockout policy once.  
> 
> 
> -
> http://www.joeware.net   (download joeware)
> http://www.cafeshops.com/joewarenet  (wear joeware)
>  
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Monday, March 15, 2004 3:22 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Group Policy
> 
> 
> Actually I did it once. This way you can enforce different password
> complexity requirements for domain accounts vs. machine local accounts
> by applying stricter password complexity to GPO that is linked to Domain
> Controllers OU.
> 
> This is rather simple: in Default Domain Controller Security policy you
> block inheritance and define different password length/complexity than
> in default domain policy. Standalone computers will receive the security
> settings from default domain policy and DC from its own.
> Of course you must watch out for other settings defined in the default
> domain GPO.
> 
> Never found any use for this, but it was one of those nice-to-know
> things.
> 
> Guy
> 
> --
> Smith & Wesson - the original point and click interface
> 
> On Mon, 2004-03-15 at 07:56, joe wrote:
> > Yes they do. The default domain policy is where your domain security 
> > policy is located at.
> > 
> > What implications are there for blocking it... I am not sure, never
> tried...
> > Let us know. :o)
> > 
> > 
> > -
> > http://www.joeware.net   (download joeware)
> > http://www.cafeshops.com/joewarenet  (wear joeware)
> >  
> > 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of John 
> > Shukovsky Jr
>
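A check that helps with tests like the ones above, added here and not from the thread: read the password policy values DCs enforce for domain accounts straight from where they live. The Account Policies of the GPO linked to the domain are written into attributes on the domain NC head (minPwdLength, pwdHistoryLength, maxPwdAge, pwdProperties, ...), and those attributes are what Get-ADDefaultDomainPasswordPolicy reports; a DC's local policy or a GPO linked to the Domain Controllers OU does not write them. Comparing the domain head with what `net accounts` prints on the DC shows whether the "6 chars enforced" state of Test 4 is really the domain setting. It assumes the RSAT ActiveDirectory module and an English-locale `net accounts` output.

```powershell
# Added example: show the domain-head attributes behind the enforced password
# policy next to what the local SAM on this machine reports.
Import-Module ActiveDirectory

function Get-EnforcedPasswordPolicy {
    $domain = Get-ADDomain
    # Raw attributes on the domain NC head (what DCs enforce for domain accounts)
    $head = Get-ADObject -Identity $domain.DistinguishedName `
        -Properties minPwdLength, pwdHistoryLength, maxPwdAge, minPwdAge, pwdProperties, lockoutThreshold
    # The same data through the friendlier cmdlet
    $pol  = Get-ADDefaultDomainPasswordPolicy
    # What this machine's SAM reports (run on a DC to compare)
    $local = net accounts | Where-Object { $_ -match 'Minimum password length' }

    # maxPwdAge is stored as a negative count of 100ns ticks; Int64.MinValue means "never"
    $age = [int64]$head.maxPwdAge
    $maxAgeDays = if ($age -eq [int64]::MinValue) { 'never' }
                  else { [TimeSpan]::FromTicks(-$age).TotalDays }

    [pscustomobject]@{
        DomainHead_minPwdLength  = $head.minPwdLength
        DomainHead_pwdHistory    = $head.pwdHistoryLength
        DomainHead_maxPwdAgeDays = $maxAgeDays
        DomainHead_pwdProperties = $head.pwdProperties     # bit 0 set = complexity required
        Cmdlet_MinPasswordLength = $pol.MinPasswordLength
        Cmdlet_ComplexityEnabled = $pol.ComplexityEnabled
        LocalNetAccounts         = (($local -replace '\s+', ' ') -join '; ').Trim()
    }
}

Get-EnforcedPasswordPolicy | Format-List
```

If the domain-head value and the `net accounts` line on a DC disagree, the GPO has not yet applied or replicated to that DC; on a member server `net accounts` describes the local SAM policy only, which is the split the thread is after.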

RE: [ActiveDir] Group Policy

2004-03-15 Thread Guy Teverovsky

Actually I did it once. This way you can enforce different password
complexity requirements for domain accounts vs. machine local accounts
by applying stricter password complexity to GPO that is linked to Domain
Controllers OU.

This is rather simple: in Default Domain Controller Security policy you
block inheritance and define different password length/complexity than
in default domain policy. Standalone computers will receive the security
settings from default domain policy and DC from its own.
Of course you must watch out for other settings defined in the default
domain GPO.

Never found any use for this, but it was one of those nice-to-know
things.

Guy

-- 
Smith & Wesson - the original point and click interface

On Mon, 2004-03-15 at 07:56, joe wrote:
> Yes they do. The default domain policy is where your domain security policy
> is located at.
> 
> What implications are there for blocking it... I am not sure, never tried...
> Let us know. :o) 
> 
> 
> -
> http://www.joeware.net   (download joeware)
> http://www.cafeshops.com/joewarenet  (wear joeware)
>  
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Shukovsky Jr
> Sent: Thursday, February 26, 2004 12:12 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Group Policy
> 
> Do W2k domain controllers need to process default domain policy as well as
> default dc policy?
> If so and the DC's OU is set to block default domain policy  what
> implications will/can this have?
> 
> thanks in advance.
> 
> 
> 
> This E-mail, including any attachments, may be intended solely for the
> personal and confidential use of the sender and recipient (s) named above.
> This message may include advisory, consultative and/or deliberative material
> and, as such, would be privileged and confidential and not a public
> document. Any Information in this e-mail identifying a client of the
> department of Human Services is confidential. If you have received this
> e-mail in error, you must not review, transmit, convert to hard copy, copy,
> use or disseminate this e-mail or any attachments to it and you must delete
> this message. You are requested to notify the sender by return e-mail.
> 



RE: [ActiveDir] Local Admin to Domain Admin escalation

2004-03-09 Thread Guy Teverovsky
Joe & Guido, thanks for clearing this up. 
I was helping out someone and came up with the solution described below
and when it worked I was totally sure I was missing something.

I know that the topic is rather controversial and I am sorry for blowing
the whistle, but I just had to know it for sure.

Thanks again,
Guy

On Tue, 2004-03-09 at 08:43, joe wrote:
> I agree with Guido. Its all about physical security. 
> 
> Consider if they fixed that little loophole... What would you do? You
> obviously have done this enough you have worked up a nice little process.
> You have probably described a method that 10% or better of the people on the
> list read and said, no kidding and another 10% said don't say it out loud, I
> don't want that fixed as it saves my butt all of the time. 
> 
> The only realistic fix from MS would be to make it so it isn't possible to
> get into the box even if you have physical access and could do the
> screensaver, at, service, gina, you name it, hack.  
> 
> Its like why don't they take away the whole creator/owner loophole on
> ACLs Because the second they do someone is going to start screaming they
> can't get at their stuff when they or someone else screwed up.
> 
> Personally I am all for tough love and security, you screwed up and can't
> get in, rebuild. You screwed up and locked yourself out of a file or
> directory object, tough love. 
> 
> I have DCs all over the world and this is one thing that I don't even start
> to take the time to worry about because I have zero control over how
> physical security will in the end really be handled and zero compensating
> controls I can feasibly put into place to prevent anything bad if someone
> got the idea they wanted to do something bad. 
> 
> 
> 
> -
> http://www.joeware.net   (download joeware)
> http://www.cafeshops.com/joewarenet  (wear joeware)
>  
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
> (HP-Germany,ex1)
> Sent: Friday, February 27, 2004 3:33 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Local Admin to Domain Admin escalation
> 
> no need to install a new service at all => scheduling an "at" command in
> DSRM mode to execute the right script is sufficient, as the task scheduler
> is configured to run as Local System.
> 
> And even though I agree that it would be nice to see new services being
> pre-configured to be run with the Local Service account an admin can change
> it to run as local system anyways.  Also, how is Windows supposed to know,
> if the service doesn't require network access and should thus use the
> Network Service instead...
> 
> In summary: the default install account of a service should be the least of
> your worries. Better to concentrate on physically securing the DC.
> 
> 
> /Guido
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Friday, 27 February 2004 17:56
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Local Admin to Domain Admin escalation
> 
> Hi all,
> 
> Recently I have been playing around with an idea of how do you deal with a
> situation when you must have a Domain Admin access to AD but do not have
> Domain Admin password (this can happen in small outsourced companies or when
> the only Domain Admin is suddenly unavailable).
> 
> 
> In W2K this was easy. You use one of those tools that reset the
> Administrator's password in local SAM, boot in DS Restore Mode, copy cmd.exe
> over logon.scr, reboot, wait and get a shell running in Local System
> context. As this is a DC and LSA has enough privileges to reset Domain Admin
> password, you are all set.
> 
> In W2K3 this behavior has been changed. The screensaver runs in Local
> Service account context and has no access to AD. This sounds nice and dandy,
> BUT if I boot into DS Restore Mode, install a service (using resource kit
> utilities) that will spawn a shell, which will run a script, which will
> reset Domain Admin password, I still get access to the AD (tested
> successfully at home).
> 
> The problem I see here is the fact that in DS Restore Mode (actually it does
> not really matter in which mode), when you install a new service, it will
> run by default in LSA context.
> 
> I know that you will all say: "physical access = Domain Admin" and will be
> right, but what bothers me more is the fact that local account has a way to
> escalate its rights by taking advantage of the fact that new services
> default to run under Local System account.
> 
> Your thoughts ?
> 
> Guy
> 
> --
> Smit

[ActiveDir] Local Admin to Domain Admin escalation

2004-02-27 Thread Guy Teverovsky
Hi all,

Recently I have been playing around with an idea of how do you deal with
a situation when you must have a Domain Admin access to AD but do not
have Domain Admin password (this can happen in small outsourced
companies or when the only Domain Admin is suddenly unavailable).


In W2K this was easy. You use one of those tools that reset the
Administrator's password in local SAM, boot in DS Restore Mode, copy
cmd.exe over logon.scr, reboot, wait and get a shell running in Local
System context. As this is a DC and LSA has enough privileges to reset
Domain Admin password, you are all set.

In W2K3 this behavior has been changed. The screensaver runs in Local
Service account context and has no access to AD. This sounds nice and
dandy, BUT if I boot into DS Restore Mode, install a service (using
resource kit utilities) that will spawn a shell, which will run a
script, which will reset Domain Admin password, I still get access to
the AD (tested successfully at home).

The problem I see here is the fact that in DS Restore Mode (actually it
does not really matter in which mode), when you install a new service,
it will run by default in LSA context.

I know that you will all say: "physical access = Domain Admin" and will
be right, but what bothers me more is the fact that local account has a
way to escalate its rights by taking advantage of the fact that new
services default to run under Local System account.

Your thoughts ?

Guy

-- 
Smith & Wesson - the original point and click interface

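From the defender's side of this post and the replies to it earlier on this page (joe's and Guido's point that new services and "at" jobs default to Local System), here is an added monitoring check that is not part of the thread: it inventories the services on a DC that run as LocalSystem and lists recent service installations from the System log (Service Control Manager Event ID 7045), flagging those registered under the LocalSystem account. It assumes a DC running Windows Server 2008 or later, where 7045 exists; on the Windows 2000/2003 systems discussed, Get-WmiObject Win32_Service gives the inventory part. The 30-day look-back is an assumed value.

```powershell
# Added example: inventory LocalSystem services and recent service installs
# (Event ID 7045) on a domain controller, for monitoring rather than repair.
$Days = 30   # assumed look-back window

function Get-LocalSystemServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, DisplayName, State, StartMode, PathName |
        Sort-Object Name
}

function Get-RecentServiceInstalls {
    param([int]$Days = 30)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # 7045 "A service was installed in the system" carries, in order:
        # ServiceName, ImagePath, ServiceType, StartType, AccountName
        $p = $e.Properties
        [pscustomobject]@{
            Time         = $e.TimeCreated
            ServiceName  = $p[0].Value
            ImagePath    = $p[1].Value
            StartType    = $p[3].Value
            Account      = $p[4].Value
            RunsAsSystem = ($p[4].Value -eq 'LocalSystem')
        }
    }
}

# Baseline: every service that already runs as LocalSystem
Get-LocalSystemServices | Format-Table -AutoSize

# Change detection: services installed recently that run as LocalSystem
Get-RecentServiceInstalls -Days $Days |
    Where-Object { $_.RunsAsSystem } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Keeping a signed-off baseline from Get-LocalSystemServices and diffing it after each maintenance window catches additions that 7045 alone would miss if the log has wrapped; forwarding 7045 from DCs to a central collector is the usual way to make this an alert rather than a manual check.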


RE: [ActiveDir] DCPromo

2004-02-14 Thread Guy Teverovsky

The machine in question was the first DC in site C (which was already 
pre-configured in Sites and Services). The dcpromo.log confirms that it
properly recognized its site.

I saw the LDAP session to PDCE (site A) when initiating the dcpromo by
running netstat (a saw a new LDAP session). The replication was
performed from a DC in site B (Infrastructure Master).
dcpromo.log and dcpromogui.log do not show initial query to PDCE.
All the machines are W2K3. Domain and forest functional levels are 2003.
What is interesting is that the DC the replication was performed from is
actually much closer from the network and latency point of view. It
would be pretty smart of W2K3 to replicate from the nearest partner...

Guy

On Sat, 2004-02-14 at 04:37, joe wrote:
> What site was the machine that was being promoted to in?
> 
> I would expect it was in site B. The change should be done on the machine
> that it did its initial replication with. How do you know that it did that
> replication with the PDC? Is this info from the dcpromo log?
> 
>   joe
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Friday, February 13, 2004 10:29 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] DCPromo
> 
> 
> Yesterday, while dcpromoing a machine (which was already domain member), I
> have noticed that while the LDAP session was initiated against PDCE in site
> A, the computer account move to "Domain Controllers" OU was performed on a
> DC in site B. Although after the replication everything was nice and dandy,
> any insight on at which DC the changes should take place during the
> dcpromo process is more than welcome.
> 
> Thanks,
> Guy
> 
> - - -
> Smith & Wesson - the original point and click interface
> 
-- 
- - - 
Smith & Wesson - the original point and click interface



[ActiveDir] DCPromo

2004-02-13 Thread Guy Teverovsky

Yesterday, while dcpromoing a machine (which was already domain member),
I have noticed that while the LDAP session was initiated against PDCE in
site A, the computer account move to "Domain Controllers" OU was
performed on a DC in site B. Although after the replication everything
was nice and dandy, any insight on at which DC the changes should
take place during the dcpromo process is more than welcome.

Thanks,
Guy

- - - 
Smith & Wesson - the original point and click interface



Re: RE: [ActiveDir] Integrate Linux with AD

2004-02-06 Thread Guy Teverovsky

You might also want to look at the following solution:
http://laaad.sourceforge.net/en/index.html

The idea behind the project is to apply SFU schema extensions, and
making the clients authenticate using LDAP/SSL instead of NIS as opposed
to vanilla SFU.
If you want, you can also make clients authenticate against AD's
Kerberos realm.

Actually the problem is not authentication, but having a single store
for user account properties in AD (Posix account properties in the case
of Linux/Unix) and that is what SFU schema extensions do in this case.

Guy

On Sat, 2004-02-07 at 02:27, [EMAIL PROTECTED] wrote:
> Jennifer,
> 
> The first solution that was presented to you by Tom [AD4Unix] is a solution that 
> we've implemented in the past.  It uses the schema extensions from SFU, and it's a 
> fairly easy to manage and easy to install solution.  Not lots of bells and whistles, 
> and does require that all of your systems are a part of NIS - which can be 
> arbitrarily defined.  IOW, it doesn't have to be an official and stringent NIS, 
> just something for AD to know who is and who isn't playing in your ballpark.
> 
> As to SFU 3.5, I believe that Rod Trent or Jackson suggested it, and you can 
> certainly use it to great advantage as well.  The VAS solution is a fantastic 
> product, but many folks are put off by the cost.  It all depends on how 'seamless' 
> you want the solution, obviously offset by the 'pocket book' factor.
> 
> Good luck!
> 
> Rick Kingslan
> Microsoft MVP - Active Directory
> 
> > 
> > From: "Jennifer Fountain" <[EMAIL PROTECTED]>
> > Date: 2004/02/06 Fri PM 05:11:49 EST
> > To: <[EMAIL PROTECTED]>
> > Subject: RE: [ActiveDir] Integrate Linux with AD
> > 
> > > 
> > > Hot off the press.
> > > 
> > > Solution Guide for Windows Security and Directory Services 
> > > for UNIX Using Active Directory and Kerberos for 
> > > authentication and identity store in a heterogeneous UNIX and 
> > > Windows IT environment.
> > > 
> > > http://www.microsoft.com/downloads/details.aspx?FamilyId=144F7
> > > B82-65CF-4105-
> > > B60C-44515299797D&displaylang=en
> > > 
> > 
> > Could I use Services for Unix? Would that work instead of buying VAS?
> > 
> > Jennifer
> > 
> 
-- 



RE: [ActiveDir] forcing a logoff

2004-01-20 Thread Guy Teverovsky
You can try the following shell command:
RunDll32.exe Shell32.dll,SHExitWindowsEx 0x1

http://www.borncity.com/WSHBazaar/WSHExitWin3.htm for details.

Guy

On Tue, 2004-01-20 at 21:41, Creamer, Mark wrote:
> I noticed that there is a WMI core install for Win9x and I installed it on my test
> Win95 machine. However, I can't get the WMI script to reboot that machine. Is it
> possible that even though WMI core is installed, it doesn't give me access to all
> of the features I'd have on a Win2K machine?
> 
> The error I receive on the script is:
> Microsoft VBScript runtime error: The remote server machine does not exist or is
> unavailable: 'GetObject'
> 
> Thanks,
> Mark Creamer
> 
> 


RE: [ActiveDir] Backups

2004-01-14 Thread Guy Teverovsky
And if you mention Linux, you can go a little further and get your own
rescue CD with a nice set of tools for imaging and basic disaster
recovery:
http://www.t4k.org/~ebcd/
Can image even over the network. 

Guy

On Wed, 2004-01-14 at 22:16, Ken Cornetet wrote:
> If you feel comfortable with Linux, you could build a bootable floppy or
> CDROM with firewire support. Then, backing up your internal disk to the
> firewire disk is as simple as "dd if=/dev/hda of=/dev/hdb" (assuming
> internal disk is hda and firewire is hdb).
> 
> The disadvantage of this is that you have to do the backup "offline",
> but of course DriveImage and the like require that too.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jake Connor
> Sent: Wednesday, January 14, 2004 2:23 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Backups
> 
> 
> No they are too cheap to buy a few hard drives and a raid card :-\
> 
> I'll look into Ghost and pcInspector. Do you know if Drive Image by 
> Symantec will work on Win2k server or just workstations?
> 
> 
> 
> On Jan 14, 2004, at 11:09 AM, Mark Nold wrote:
> 
> > They would spring for Ghost or pcInspector or the like, but not 80
> > bucks
> > for a 120G IDE drive that you could slap in there to mirror?
> >
> > Do you have any "dead" pc's lying around that you can grab the IDE
> > drive
> > from?  Not the best I know, but seems like it would be better than
> > re-imaging your drive after every change you made in AD to keep your
> > "backup" fresh.
> >
> > My 2cents anyway
> >
> > -Original Message-
> > From: Jake Connor [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, January 14, 2004 11:03 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] Backups
> >
> > Because it's a small company and I have recommended it a hundred times
> 
> > but in a nutshell, they are too cheap even though we have experienced 
> > a server crash which took about almost a week to restore everything 
> > (which costs more for paying me) and they don't realize a RAID will 
> > solve about almost everything and cheaper.
> >
> >
> > On Jan 14, 2004, at 10:25 AM, Coleman, Hunter wrote:
> >
> >> If you're concerned about the hard drive failing, why not just set up
> > a
> >> RAID1 (mirror) configuration? Cost would be low, and you won't have 
> >> to
> >
> >> worry
> >> about creating disk images and swapping hard drives around.
> >>
> >> Hunter
> >>
> >> -Original Message-
> >> From: Jake Connor [mailto:[EMAIL PROTECTED]
> >> Sent: Wednesday, January 14, 2004 11:00 AM
> >> To: [EMAIL PROTECTED]
> >> Subject: Re: [ActiveDir] Backups
> >>
> >> First of all, thank you for the information :-)
> >>
> >> I would like to make a complete hard drive backup onto the firewire 
> >> drive (like a complete image) so that if the one on my system crashed
> 
> >> then I
> >
> >> can
> >> just get the hard drive on the fire wire cable and put it into the 
> >> IDE ribbons.
> >>
> >> I probably should have mentioned that what I am using is just a fire 
> >> wire cable that lets you connect any type of IDE drive to it.
> >>
> >> So with pcinspector, would it be able to make a complete copy of the 
> >> hard drive (with all the partitions, bootup stuff, etc) to another 
> >> hard drive and
> >> have that hard drive be exactly the same as the hard drive in the
> >> system so
> >> in the event of a crash I can just swap the hard drive, start up the
> >> system,
> >> and everything is back to normal with all my Active Directory users,
> >> etc?
> >>
> >> Thanks once again in advance.
> >>
> >> Jake
> >>
> >>
> >>
> >> On Jan 14, 2004, at 4:25 AM, GRILLENMEIER,GUIDO (HP-Germany,ex1)
> > wrote:
> >>
> >>> using a FW drive, you may run into issues with available drivers to 
> >>> allow you to copy the data without first re-installing an OS on the 
> >>> box. There
> >>> are some cool free-utilities (such as a disk-cloner) that you may
> > want
> >>> to look at - but I have no idea if they support drives connected via
> >>> FW:
> >>> http://www.pcinspector.de/file_recovery/uk/welcome.htm
> >>>
> >>> so in worst case, you'd have to restore the OS onto the new 
> >>> harddrive (default install - incl. the FW driver, if this is not in 
> >>> the
> > default)
> >>> and then restore your backup afterwards onto this new drive.
> >>>
> >>> Otherwise you may prefer using a backup on tape after all, for which
> 
> >>> you can get routines to completely restore a server from bare-metal 
> >>> fully automated.
> >>>
> >>> /Guido
> >>>
> >>> -Original Message-
> >>> From: [EMAIL PROTECTED]
> >>> [mailto:[EMAIL PROTECTED] On Behalf Of Jake Connor
> >>> Sent: Mittwoch, 14. Januar 2004 00:04
> >>> To: [EMAIL PROTECTED]
> >>> Subject: [ActiveDir] Backups
> >>>
> >>> I have a schedule backup that just copies everything on my hard 
> >>> drive to a drive on my firewire drive.
> >>>
> >>> If my active hard drive crashes, how do I restore it with the data 
> >>> on my firewire drive s

Re: [ActiveDir] Remotely Boot into DS Restore Mode?

2004-01-13 Thread Guy Teverovsky
Use /SAFEBOOT:DSREPAIR /SOS switches in boot.ini:
http://support.microsoft.com/?kbid=256588

Guy

On Wed, 2004-01-14 at 03:26, David Adner wrote:
> Without using a lights-out type adapter or something else that will allow 
> me to remotely view the bootup process, is there a way to reboot a server 
> and have it automatically enter DS Restore Mode?
> 
> TIA
> 


RE: [ActiveDir] Finding the time of last update of SRV record

2003-12-25 Thread Guy Teverovsky
Joe, I'm puzzled. Should I be looking under
CN=MicrosoftDNS,CN=System,DC=foobar,DC=com in the Domain naming context?
Because I can only see there the child sub-domains (like
child.foobar.com), but not the _msdcs.foobar.com, _sites.foobar.com, etc
- zones which are AD integrated too.
The interesting thing is that not all AD integrated sub-domains show in
there (a.foobar.com, b.foobar.com are there but c and d are not). Should
I be worried ? (It is a pilot domain after all)

Thanks,
Guy

On Thu, 2003-12-25 at 23:10, Joe wrote:
> If you are using AD Integrated Windows DNS you should be able to find the
> actual AD object associated with the record and look at the whenchanged
> attribute with any LDAP tool or the objects metadata via repadmin.
> 
>joe
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
> Sent: Wednesday, December 24, 2003 6:29 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Finding the time of last update of SRV record
> 
> 
> Hello all,
> 
> I am looking for a way to get the time of last successful SRV record update.
> 
> We are having a DNS related replication problem and I basically want to
> check when a specific SRV record has been last updated at a given DNS
> server.
> 
> And another related question: from what I understand, the default frequency
> of DNS records re-registration at W2K Server is one hour by default and can
> be controlled by DefaultRegistrationRefreshInterval registry key under
> HKLM\System\CurrentControlSet\Services\Tcpip\Parameters. 
> Does the same apply to W2K3 ? (The W2K3 registry reference does not mention
> the key). 
> Has anyone stumbled into a situation when he had to change the default
> settings ?
> 
> Thanks and happy holidays,
> Guy   
> 


RE: [ActiveDir] Finding the time of last update of SRV record

2003-12-25 Thread Guy Teverovsky
Thanks Marcus,

The dwTimeStamp attribute is also accessible by checking
"View-->Advanced" in the DNS snap-in.
The thing is that the timestamp is not the precise time the RR has been
refreshed - the hour is rounded (i.e.: an update performed at 15:17
12/25/2003 is rounded to 15:00 12/25/2003).

The command line returns the same...

Thanks,
Guy

On Wed, 2003-12-24 at 22:01, marcus wrote:
> I got this tidbit from Robbie ... I suppose you could point it at the SRV
> record in question:
> 
> There are a couple of ways you can get it.  If you are a command line
> hacker, you could use this:
>   dnscmd . /enumrecords rallencorp.com foobar /detail | findstr
> dwTimeStamp
> 
> If you are looking to do it via VBScript or Perl, then you'll want to look
> at the MicrosoftDNS_ResourceRecord WMI class.  It has a Timestamp
> property:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dns/microsoftdns_resourcerecord.asp
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
> Sent: Wednesday, December 24, 2003 6:29 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Finding the time of last update of SRV record
> 
> 
> Hello all,
> 
> I am looking for a way to get the time of last successful SRV record update.
> 
> We are having a DNS related replication problem and I basically want to
> check when a specific SRV record has been last updated at a given DNS
> server.
> 
> And another related question: from what I understand, the default frequency
> of DNS records re-registration at W2K Server is one hour by default and can
> be controlled by DefaultRegistrationRefreshInterval registry key under
> HKLM\System\CurrentControlSet\Services\Tcpip\Parameters. 
> Does the same apply to W2K3 ? (The W2K3 registry reference does not mention
> the key). 
> Has anyone stumbled into a situation when he had to change the default
> settings ?
> 
> Thanks and happy holidays,
> Guy   
> 
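The hour-granular dwTimeStamp discussed in this thread, as an added example that is not part of the original messages: a Python script that parses a constructed approximation of the `dnscmd /enumrecords ... /detail` listing, converts each dwTimeStamp (a count of whole hours since 1601-01-01 UTC, which is why the refresh time appears rounded down to the hour) to a UTC time, and flags records that have not been refreshed within a chosen window. The listing layout, zone and host names are assumptions, not real tool output.

```python
from datetime import datetime, timedelta, timezone

# Windows DNS aging stamps (dwTimeStamp) count whole hours since
# 1601-01-01 00:00 UTC, so a refresh at 15:17 is stored and shown as 15:00.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def hours_to_iso(hours):
    """dwTimeStamp (hours since 1601 UTC) -> 'YYYY-MM-DDTHH:MMZ'; 0 means a static record."""
    if hours == 0:
        return "static"
    return (WINDOWS_EPOCH + timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%MZ")


def iso_to_hours(iso):
    """Inverse: the hour counter DNS would store for a 'YYYY-MM-DDTHH:MMZ' time (minutes truncated)."""
    when = datetime.strptime(iso, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)
    return int((when - WINDOWS_EPOCH).total_seconds() // 3600)


# Constructed approximation of a `dnscmd . /enumrecords foobar.com _ldap._tcp.dc._msdcs /detail`
# listing: only the "key = value" field names matter; the layout is an assumption.
SAMPLE_OUTPUT = """\
Returned records:
  Record:
    Name = _ldap._tcp.dc._msdcs
    Type = 33
    TTL = 600
    dwTimeStamp = 3532455
    Data = 0 100 389 dc1.foobar.com.
  Record:
    Name = _ldap._tcp.dc._msdcs
    Type = 33
    TTL = 600
    dwTimeStamp = 0
    Data = 0 100 389 dc2.foobar.com.
"""


def parse_records(text):
    """Split the /detail listing into one dict of fields per 'Record:' block."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Record:":
            current = {}
            records.append(current)
        elif current is not None and "=" in stripped:
            key, _, value = stripped.partition("=")
            current[key.strip()] = value.strip()
    return records


def refresh_report(text, now_iso, stale_after_hours):
    """Return (data, last refresh, is_stale) per record; static records never go stale."""
    now_hours = iso_to_hours(now_iso)
    report = []
    for rec in parse_records(text):
        stamp = int(rec.get("dwTimeStamp", "0"))
        stale = stamp != 0 and (now_hours - stamp) > stale_after_hours
        report.append((rec.get("Data", ""), hours_to_iso(stamp), stale))
    return report


if __name__ == "__main__":
    for data, refreshed, stale in refresh_report(SAMPLE_OUTPUT, "2003-12-26T15:17Z", 24):
        print(f"{data:28} refreshed {refreshed:18} {'STALE' if stale else 'ok'}")
```

A dwTimeStamp of 0 marks a static (non-aging) record, so it is reported as such rather than as infinitely stale.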


Re: [ActiveDir] Backup Problem: Data Protector 5.10

2003-12-10 Thread Guy Teverovsky

Michael,

I have DP 5.1 setup with local system account on a member server. Guess
it should work the same on a DC. 

P.S.: Looks like I should look at the change log more frequently :-)   

Cheers,
Guy

On Wed, 2003-12-10 at 22:39, Donovan, Michael wrote:
> Hi-
>  
> I have a DC locally attached to a DLT Tape device running with Data
> Protector 5.1. When I boot into DS Restore Mode, the Cell Manager Service
> won't start, even though it's configured to use the local Administrator
> account. However, I can directly log into the machine as local
> Administrator.
>  
> Has anyone seen this behavior before? Should DC's not be backup servers
> as well? I have found no documentation in the Data Protector manuals, or
> from MS that DC's can not be backup servers, so I'm terribly confused at
> this point.
> 
> Any help would be greatly appreciated.
> 
> Thanks!
> 
> Michael Donovan
> [EMAIL PROTECTED]
> (617)551-7644(voice)


RE: [ActiveDir] GPO change management

2003-12-09 Thread Guy Teverovsky
Thanks Matty,

I have looked at the code and although I possess no knowledge of .NET,
the logic is very clear. I am more in the direction of change tracking
and that can be easily done by combining sample GPMC scripts with some
logic from the C# wrapper class. 

Fancy interface is not an issue here: we have a rather small group of
people who will be managing the Group Policies and they are not scared
of CLI. 

Thanks,
Guy 

On Tue, 2003-12-09 at 16:29, Holland Matthew BC GB wrote:
> Hi Guy,
> 
> You can have a look on the http://www.activedir.org site.  The Group Policy
> FAQ you will probably help you find some of the answers you are looking for.
> 
> I have to agree with your point on the 3rd party tools, GPMC will pretty
> much do everything you need, especially if you are prepared to automate some
> of these tasks using scripts.  We actually use web based management for most
> of the GPO operations, for this we created a .NET GPMC Class.  If you are
> interested in this you can download the code from http://www.activedir.org
> downloads.
> 
> Cheers, 
> 
> Matty
> 
> 
> -Original Message-
> From: Guy Teverovsky [mailto:[EMAIL PROTECTED] 
> Sent: 06 December 2003 04:03
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] GPO change management
> 
> Hi all,
> 
> My organization is currently running a W2K3 pilot and I have been
> assigned the task of defining GPO change management, backup and restore
> procedures.
> 
> I have divided this into 3 sub-categories:
> 1) Procedures for tasks related to changes in the Group Policies
> (testing new GPOs, archiving, establishing new baseline, backup, etc..)
> 2) Documentation of changes
> 3) GPO management tools.
> 
> Now, as I was used to W2K environment, I started by looking into third
> party tools: FAZAM 2000, Directory Administrator by Small Wonders and
> ActiveRoles by Quest without totally being aware of the existence of
> GPMC. I have dedicated some time to investigating this tool and
> meanwhile have not noticed any features I might benefit from by buying
> third party software. Except GPO merging, restoring GPO links, exporting
> GPO to a database, comparing GPOs and some other minor features, it
> seems that a bunch of automated scripts can do a pretty good job. 
> Any insights on this ? Am I missing something here ?
> 
> Second question: has anybody encountered GPO change management best
> practices anywhere ? I do not mind reinventing the wheel, but additional
> insights are always welcome.
> 
> Thanks in advance,
> Guy 


[ActiveDir] GPO change management

2003-12-05 Thread Guy Teverovsky
Hi all,

My organization is currently running a W2K3 pilot and I have been
assigned the task of defining GPO change management, backup and restore
procedures.

I have divided this into 3 sub-categories:
1) Procedures for tasks related to changes in the Group Policies
(testing new GPOs, archiving, establishing new baseline, backup, etc..)
2) Documentation of changes
3) GPO management tools.

Now, as I was used to W2K environment, I started by looking into third
party tools: FAZAM 2000, Directory Administrator by Small Wonders and
ActiveRoles by Quest without totally being aware of the existence of
GPMC. I have dedicated some time to investigating this tool and
meanwhile have not noticed any features I might benefit from by buying
third party software. Except GPO merging, restoring GPO links, exporting
GPO to a database, comparing GPOs and some other minor features, it
seems that a bunch of automated scripts can do a pretty good job. 
Any insights on this ? Am I missing something here ?

Second question: has anybody encountered GPO change management best
practices anywhere ? I do not mind reinventing the wheel, but additional
insights are always welcome.

Thanks in advance,
Guy 