RE: [ActiveDir] Microsoft Patch

2004-03-16 Thread Roger Seielstad



I'm running SUS 1.1 quite successfully for about 700 client machines (and servers). SUS 2, which is due in beta within the next 30 days or so, is going to add Office and a few other products for patching, which really is all that SUS is missing.

I prefer the SUS methodology of an agent on the client that pulls down the updates as they are available - we have a lot of highly mobile users so that really makes things work well for us. Things like HKNetCheck require the box be online when you push the patches, which doesn't work well in a lot of environments.

Roger
-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: Cariglia, Daniel [mailto:[EMAIL PROTECTED]
  Sent: Monday, March 15, 2004 4:43 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Microsoft Patch

  I am in the process of looking at alternatives to distribute/manage Microsoft patches. We have SUS running in a lab setup and it seems alright. My question is are there superior products out there that someone has used and can recommend that work well with AD? Running AD with an empty root and 2 child domains where the users reside, users are either Windows 2000 Pro or XP Pro. Any suggestions would be appreciated.

  Thank You,

  Dan


RE: [ActiveDir] Group Policy

2004-03-16 Thread joe
I'm one of those words :oP   Most days I feel if you chop down the
second phrase that would be the word. 

You know what is really funny though is one of our Exchange admins said your
second sentence to me the other day almost word for word  


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, March 16, 2004 12:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy

Heh

Darren, nothing surprises me out of joe anymore.  I'm not sure if he's a
genius or idiot savant.  Either way, I'm just glad that he seems to be on
our side

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, March 15, 2004 11:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy

Yea, that's the right way to do it Joe. 

Guy, I'm kinda surprised you actually saw that behavior. I was under the
impression that password complexity was one of those account policies that
was completely ignored by DCs unless it's linked to a domain policy.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 15, 2004 5:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy

I would think you could do this by simply linking another policy for the
member machines at a lower OU level that still encompasses all of those
machines. I know I did this for lockout policy once.  


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Monday, March 15, 2004 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy


Actually I did it once. This way you can enforce different password
complexity requirements for domain accounts vs. machine local accounts by
applying stricter password complexity to GPO that is linked to Domain
Controllers OU.

This is rather simple: in Default Domain Controller Security policy you
block inheritance and define different password length/complexity than in
default domain policy. Standalone computers will receive the security
settings from default domain policy and DC from its own.
Of course you must watch out for other settings defined in the default
domain GPO.

Never found any use for this, but it was one of those nice-to-know things.

Guy

--
Smith & Wesson - the original point and click interface

On Mon, 2004-03-15 at 07:56, joe wrote:
 Yes they do. The default domain policy is where your domain security 
 policy is located at.
 
 What implications are there for blocking it... I am not sure, never
tried...
 Let us know. :o)
 
 
 -
 http://www.joeware.net   (download joeware)
 http://www.cafeshops.com/joewarenet  (wear joeware)
  
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John 
 Shukovsky Jr
 Sent: Thursday, February 26, 2004 12:12 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Group Policy
 
 Do W2k domain controllers need to process default domain policy as 
 well as default dc policy?
 If so and the DC's OU is set to block default domain policy  what 
 implications will/can this have?
 
 thanks in advance.
 
 
 
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 

RE: [ActiveDir] Group Policy

2004-03-16 Thread joe
Sorry I was hopped up on headache medicine last night for the weather front
moving through here. Maybe I am incoherent.


Lockout policies, password policies, the restricted groups, that is all info
that is stored in and replicated through AD and GPO's both... 

Consider these attributes that replicate through AD processes but are set
through GPO which replicates on its own:

lockoutDuration
lockoutObservationWindow
lockoutThreshold 
maxPwdAge
minPwdAge
minPwdLength
pwdProperties
pwdHistoryLength

And then restricted groups obviously are simply modifying group membership
and that replicates as well.


So for example say you have a policy on one DC that sets a lockout
threshold of 5 bad and then that same policy hasn't replicated to another
DC properly and has a value of 15. The one DC will keep switching the value
in AD to 15 and the other will keep switching it to 5. Restricted groups you
would see the same behavior. Now if all DCs are properly processing all of
the same GPOs then I agree there shouldn't be an issue. The issues come in
when GPOs aren't consistent or people start doing funky linking/blocking for
DCs by putting them in different OUs and linking different policies to them
for some of these attribs. 

It has always bothered me that you can set something that replicates through
two different channels like that. In the early days I was actually
threatening to turn off FRS because I was having so many problems with it
due to this flipping as a policy change wouldn't make it around properly.
Microsoft PSS was all over me like YOU CAN'T SHUT IT OFF, Don't do it!!! It
is the number one issue I have had with AD in terms of having to get buddy
drops and apply hotfixes for through the years. It seems that as soon as we
went over about 50 domain controllers in a given domain FRS started to blow
on us. The one following that was LSASS leaks. 

I do have to say that both are MUCH more stable now than they were. I still
don't trust FRS though which is why every time I make any change in sysvol I
have to run a CRC checker program that checks CRCs of every SYSVOL on every
DC. 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
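What joe describes above (account-policy attributes that GPO writes but that also replicate through AD, and a CRC check of every DC's SYSVOL after a change) can be turned into two offline consistency checks. The following is an added example, not code from joe's post or from any Microsoft tool. The DC names, attribute values and the policy GUID placeholder are constructed; it uses SHA-256 rather than a CRC; and it assumes the attribute snapshots were already read from the domain naming context head of each DC and that each DC's SYSVOL tree is reachable as a local path.

```python
# Added example (not from joe's post or any Microsoft tool): offline versions of the two
# checks joe describes, account-policy attributes that disagree between DCs and SYSVOL
# content that differs between DCs (his "CRC checker", here with SHA-256). Every input
# below is constructed; in a real run the snapshots would come from an LDAP read of the
# domain NC head on each DC and the roots would be each DC's SYSVOL share.
import hashlib
import os
import tempfile
from collections import defaultdict

# The attributes joe lists: written by GPO, but stored on the domain head and
# replicated through AD replication as well.
ACCOUNT_POLICY_ATTRS = (
    "lockoutDuration", "lockoutObservationWindow", "lockoutThreshold",
    "maxPwdAge", "minPwdAge", "minPwdLength", "pwdProperties", "pwdHistoryLength",
)


def find_attribute_conflicts(snapshots):
    """snapshots: {DC name: {attribute: value}} as read from that DC.
    Returns {attribute: {value: [DCs reporting it]}} for each attribute on which
    the DCs disagree (a DC that lacks the attribute reports None, which counts
    as a disagreement). An empty dict means every DC agrees."""
    conflicts = {}
    for attr in ACCOUNT_POLICY_ATTRS:
        by_value = defaultdict(list)
        for dc in sorted(snapshots):
            by_value[snapshots[dc].get(attr)].append(dc)
        if len(by_value) > 1:
            conflicts[attr] = dict(by_value)
    return conflicts


def sysvol_digests(root):
    """Hash every file below root; returns {relative path: sha256 hex}."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def find_sysvol_conflicts(roots):
    """roots: {DC name: local path of that DC's SYSVOL copy}.
    Returns {relative path: {DC: digest or None}} for files that are missing on
    some DC or differ in content between DCs."""
    per_dc = {dc: sysvol_digests(path) for dc, path in roots.items()}
    every_file = set()
    for digests in per_dc.values():
        every_file.update(digests)
    conflicts = {}
    for rel in sorted(every_file):
        views = {dc: digests.get(rel) for dc, digests in per_dc.items()}
        if len(set(views.values())) > 1:
            conflicts[rel] = views
    return conflicts


# Constructed snapshots: DC2 still holds the stale lockout threshold (joe's 5 vs 15).
SAMPLE_SNAPSHOTS = {
    "DC1": {"lockoutThreshold": 5, "minPwdLength": 8, "pwdHistoryLength": 24},
    "DC2": {"lockoutThreshold": 15, "minPwdLength": 8, "pwdHistoryLength": 24},
    "DC3": {"lockoutThreshold": 5, "minPwdLength": 8, "pwdHistoryLength": 24},
}

# Constructed SYSVOL trees: a GptTmpl.inf that reached DC1 and DC3 but not DC2.
GPT_REL = ("Policies/{POLICY-GUID-PLACEHOLDER}/Machine/Microsoft/"
           "Windows NT/SecEdit/GptTmpl.inf")
NEW_INF = b"[System Access]\r\nLockoutBadCount = 5\r\n"
OLD_INF = b"[System Access]\r\nLockoutBadCount = 15\r\n"


def build_sample_sysvol(base):
    """Create three fake SYSVOL copies under base; returns {DC: root path}."""
    roots = {}
    for dc, inf in (("DC1", NEW_INF), ("DC2", OLD_INF), ("DC3", NEW_INF)):
        root = os.path.join(base, dc)
        path = os.path.join(root, *GPT_REL.split("/"))
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as fh:
            fh.write(inf)
        roots[dc] = root
    return roots


def demo():
    """Run both checks on the constructed data; returns (attribute, sysvol) findings."""
    with tempfile.TemporaryDirectory() as base:
        sysvol = find_sysvol_conflicts(build_sample_sysvol(base))
    return find_attribute_conflicts(SAMPLE_SNAPSHOTS), sysvol


if __name__ == "__main__":
    print(demo())
```

Run as a script it reports lockoutThreshold with DC1 and DC3 on one side and DC2 on the other, plus the GptTmpl.inf whose digest differs on DC2. On live data the DCs listed on the minority side of an attribute disagreement are the ones that will keep flipping the value in AD until their copy of the GPO matches, which is exactly the battle joe describes.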
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, March 16, 2004 12:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy

Joe-
Not sure what you mean by that first sentence??? Most or all of those
security settings aren't stored in AD so I'm surprised that they are seeing
version numbers craziness. I can understand the issue where you have
conflicting GPOs being delivered from both the domain and DC policies, but
in general, they should be processed one after the other during foreground
and background processing and the flipping behavior shouldn't be a huge
issue. Restricted Groups, however, is a dangerous business. Gotta keep that
out of the kids' hands :-)
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 15, 2004 5:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy

It is a bad thing when the policies don't match up for different DCs that
set AD attributes that replicate through AD replication. 

When I went back to where I am now the company that had been mismanaging in
my absence had somehow gotten the default DC policies and default domain
policies out of sync and you get battles in AD for the things that replicate
with the GPO and also through AD, such as lockout settings, restricted
groups, etc. You will see the values flipping back and forth as a DC
realizes it doesn't match the local policy and corrects it. You will see
your version numbers on those attributes really spike as well obviously. 

At one point we had a restricted group for administrators/domain admins and
the new admins we put in would get kicked out and replaced with the old
admins, wait a little while and then we were back. It ping ponged for a
couple of hours until I traced it all down to which DCs were out of sync and
got them corrected. 

They had also set the GPO to remove the builtin Admin ID from administrators
from one domain which was REALLY screwing up that domain and causing
resource errors like crazy on about 80% of the DCs of that domain. 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, March 15, 2004 11:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy

DCs get their Account Policy, and a couple of other security settings, from
any GPO linked to the domain, not necessarily just the Default Domain
Policy. If you have no domain-linked policy, then the DCs will just use the
local policy they have by default, out of the box. A quick test with my
VMWare-2003 DC shows this to 

[ActiveDir] Changing ACLs via VBscript

2004-03-16 Thread Michael B. Smith



I need to change 
both file ACLs and Exchange permissions within vbscript (for Windows 2000 and 
2003, and Exchange 2000 and 2003).

I know how to do 
everything I want manually, but the GUI is too slow and error prone for the 
volume I've got going on...

I've been unable to 
find a website that discusses doing this, or any online resources to really 
help.

Does anyone have any 
suggestions, either online or books?

Thanks.



RE: [ActiveDir] Changing ACLs via VBscript

2004-03-16 Thread Jimmy Andersson



Have you seen these?
http://msdn.microsoft.com/library/default.asp?url="">
http://www.microsoft.com/technet/community/scriptcenter/default.mspx

Regards,
/Jimmy
- Jimmy Andersson, Q Advice AB
Principal Advisor
Microsoft MVP - Directory Services
-- www.qadvice.com --



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 16, 2004 2:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Changing ACLs via VBscript

I need to change 
both file ACLs and Exchange permissions within vbscript (for Windows 2000 and 
2003, and Exchange 2000 and 2003).

I know how to do 
everything I want manually, but the GUI is too slow and error prone for the 
volume I've got going on...

I've been unable to 
find a website that discusses doing this, or any online resources to really 
help.

Does anyone have any 
suggestions, either online or books?

Thanks.



RE: [ActiveDir] Microsoft Patch

2004-03-16 Thread Philadelphia, Lynden - Revios Toronto
Where can I find out more information on SUS version 2?

Lynden


From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 8:02 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Microsoft Patch

I'm running SUS 1.1 quite successfully for about 700 client machines (and servers). SUS 2, which is due in beta within the next 30 days or so, is going to add Office and a few other products for patching, which really is all that SUS is missing.

I prefer the SUS methodology of an agent on the client that pulls down the updates as they are available - we have a lot of highly mobile users so that really makes things work well for us. Things like HKNetCheck require the box be online when you push the patches, which doesn't work well in a lot of environments.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Cariglia, Daniel [mailto:[EMAIL PROTECTED]
Sent: Monday, March 15, 2004 4:43 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Microsoft Patch

I am in the process of looking at alternatives to distribute/manage Microsoft patches. We have SUS running in a lab setup and it seems alright. My question is are there superior products out there that someone has used and can recommend that work well with AD? Running AD with an empty root and 2 child domains where the users reside, users are either Windows 2000 Pro or XP Pro. Any suggestions would be appreciated.

Thank You,

Dan

RE: [ActiveDir] Changing ACLs via VBscript

2004-03-16 Thread joe



First off let me start with a quick 
link...

http://msdn.microsoft.com/library/default.asp?url="">

This describes the main interface you will 
use...

Now that being said... You have to be careful with what you 
are saying when you say Exchange permissions. Do you mean overall mailbox 
permissions or do you mean folder roles. They are entirely different. For 
instance a mailbox permission would allow you to say log into the mailbox with a 
specific ID directly, say like admin access to someone else's mailbox. A folder 
role allows someone access (Editor/Owner/Reviewer/Etc) to specific folders 
within a mailbox. If you are doing your perm setting from the advanced exchange 
tab of DSA.MSC, that is mailbox perms. If doing it from within outlook, that is 
folder roles. 

Here is a little quick and dirty script I can post right 
now for enumerating a mailbox ACL (mailbox perms). I will see if I can post my 
script that does mailbox mods to allow someone else full mailbox access. However 
I will have to scrub some info out of it first. If you actually mean folder 
roles, let me know as I have some stuff for doing that as well. 





' Mailbox rights bits; the last five are the generic ADS_RIGHT_ENUM values named in the comments.
Const ACE_MB_FULL_ACCESS = &H1
Const ACE_MB_ASSOC_EXT_ACCT = &H4         ' This was from stucki and was 5, really should be 4
Const ACE_MB_DELETE_STORAGE = &H10000     ' ADS_RIGHT_DELETE
Const ACE_MB_READ_PERMISSIONS = &H20000   ' ADS_RIGHT_READ_CONTROL
Const ACE_MB_CHANGE_PERMISSIONS = &H40000 ' ADS_RIGHT_WRITE_DAC
Const ACE_MB_TAKE_OWNERSHIP = &H80000     ' ADS_RIGHT_WRITE_OWNER
Const ACE_MB_SYNCRONIZE = &H100000        ' ADS_RIGHT_SYNCHRONIZE

Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED = 1
Const ADS_ACETYPE_SYSTEM_AUDIT = 2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7
Const ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8

'Const ADS_ACEFLAG_INHERIT_ACE = 2 ' This one is wrong - from KB Q310866
' 2 (ADS_ACEFLAG_INHERIT_ACE) marks an ACE that child objects inherit; 16
' (ADS_ACEFLAG_INHERITED_ACE) marks an ACE that was itself inherited, which is what is tested below.
Const ADS_ACEFLAG_INHERIT_ACE = 16

userdn = WScript.Arguments.Item(0)

' Get directory user object.
Set objUser = GetObject("LDAP://" & userdn)

' Get the Mailbox security descriptor (SD).
Set oSecurityDescriptor = objUser.MailboxRights

' Extract the discretionary access control list (ACL) by using the IADsSecurityDescriptor
' interface.
Set dacl = oSecurityDescriptor.DiscretionaryAcl

'''
' The following block of code demonstrates how to read all the ACEs on a
' DACL for the Exchange 2000 mailbox.
''
WScript.Echo "Here are the existing ACEs in the mailbox's DACL:"

' Enumerate all the access control entries (ACEs) in the ACL using the IADsAccessControlList
' interface, therefore displaying the current mailbox rights.
WScript.Echo "Trustee, AccessMask, Access Desc, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
WScript.Echo "--- -- --- --- - -- ---"
WScript.Echo

For Each ace In dacl
    ' Decode the access mask bit by bit; whatever is left over was not recognised.
    accessstr = ""
    accessmask = ace.AccessMask
    leftoveram = accessmask
    If (accessmask And ACE_MB_FULL_ACCESS) = ACE_MB_FULL_ACCESS Then
        accessstr = accessstr & "FC;"
        leftoveram = leftoveram - ACE_MB_FULL_ACCESS
    End If
    If (accessmask And ACE_MB_ASSOC_EXT_ACCT) = ACE_MB_ASSOC_EXT_ACCT Then
        accessstr = accessstr & "ASSOC_EXT;"
        leftoveram = leftoveram - ACE_MB_ASSOC_EXT_ACCT
    End If
    If (accessmask And ACE_MB_DELETE_STORAGE) = ACE_MB_DELETE_STORAGE Then
        accessstr = accessstr & "DELETE_STORAGE;"
        leftoveram = leftoveram - ACE_MB_DELETE_STORAGE
    End If
    If (accessmask And ACE_MB_READ_PERMISSIONS) = ACE_MB_READ_PERMISSIONS Then
        accessstr = accessstr & "READ;"
        leftoveram = leftoveram - ACE_MB_READ_PERMISSIONS
    End If
    If (accessmask And ACE_MB_CHANGE_PERMISSIONS) = ACE_MB_CHANGE_PERMISSIONS Then
        accessstr = accessstr & "CHANGE;"
        leftoveram = leftoveram - ACE_MB_CHANGE_PERMISSIONS
    End If
    If (accessmask And ACE_MB_TAKE_OWNERSHIP) = ACE_MB_TAKE_OWNERSHIP Then
        accessstr = accessstr & "TAKE_OWNERSHIP;"
        leftoveram = leftoveram - ACE_MB_TAKE_OWNERSHIP
    End If
    If (accessmask And ACE_MB_SYNCRONIZE) = ACE_MB_SYNCRONIZE Then
        accessstr = accessstr & "SYNC;"
        leftoveram = leftoveram - ACE_MB_SYNCRONIZE
    End If

    acetypestr = ""
    acetype = ace.AceType
    Select Case acetype
        Case ADS_ACETYPE_ACCESS_ALLOWED
            acetypestr = "GRANT"
        Case ADS_ACETYPE_ACCESS_DENIED
            acetypestr = "DENY"
    End Select

    aceflagstr = "EXPLICIT"
    aceflags = ace.AceFlags
    If (aceflags And ADS_ACEFLAG_INHERIT_ACE) = ADS_ACEFLAG_INHERIT_ACE Then aceflagstr = "INHERITED"

    If leftoveram <> 0 Then WScript.Echo "--WARNING--- All ACE's not decoded on next line"
    ' Display all the properties of the ACEs by using the IADsAccessControlEntry interface.
    WScript.Echo ace.Trustee & ", " & accessmask & "/" & leftoveram & ", " & accessstr & "," & _
        acetype & " (" & acetypestr & "), " & aceflags & "(" & aceflagstr & "), " & _
        ace.Flags & ", " & ace.ObjectType & ", " & ace.InheritedObjectType
Next



-
http://www.joeware.net 
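As an added example that is not part of joe's post or of KB Q310866, the same mailbox-rights bits can be reviewed offline once the ACEs have been read out, which turns the listing into the question a reviewer actually asks: which trustees hold an explicit, non-inherited grant of full mailbox access, which are denied, and which ACEs carry bits the table does not know. The trustees and masks below are constructed; the bit values are the documented Exchange mailbox rights plus the ADS_RIGHT_ENUM values, and the 0x2 versus 0x10 inheritance flags are the two constants joe's comment contrasts.

```python
# Added example (not joe's script, not Microsoft code): offline review of an Exchange
# 2000/2003 mailbox DACL using the mailbox-rights bits joe's script decodes. The ACE
# list is constructed; in practice each entry would be one ACE of
# objUser.MailboxRights.DiscretionaryAcl (Trustee, AccessMask, AceType, AceFlags).

# Mailbox rights bits; the upper ones are the generic ADS_RIGHT_* values
# (DELETE 0x10000, READ_CONTROL 0x20000, WRITE_DAC 0x40000, WRITE_OWNER 0x80000,
# SYNCHRONIZE 0x100000).
MAILBOX_RIGHTS = {
    0x1: "FULL_MAILBOX_ACCESS",
    0x4: "ASSOCIATED_EXTERNAL_ACCOUNT",
    0x10000: "DELETE_MAILBOX_STORAGE",
    0x20000: "READ_PERMISSIONS",
    0x40000: "CHANGE_PERMISSIONS",
    0x80000: "TAKE_OWNERSHIP",
    0x100000: "SYNCHRONIZE",
}
ACE_ALLOWED, ACE_DENIED = 0, 1   # ADS_ACETYPE_ACCESS_ALLOWED / ADS_ACETYPE_ACCESS_DENIED
FLAG_INHERIT_ACE = 0x2           # ADS_ACEFLAG_INHERIT_ACE: children inherit this ACE
FLAG_INHERITED_ACE = 0x10        # ADS_ACEFLAG_INHERITED_ACE: this ACE was inherited (joe's 16)


def decode_mask(mask):
    """Return (right names in table order, leftover bits the table does not cover)."""
    names = [name for bit, name in MAILBOX_RIGHTS.items() if mask & bit == bit]
    leftover = mask
    for bit in MAILBOX_RIGHTS:
        leftover &= ~bit
    return names, leftover


def review_dacl(aces):
    """aces: list of dicts with trustee, mask, ace_type, ace_flags.
    Returns the summary a reviewer wants: explicit (non-inherited) grants of full
    mailbox access, deny entries, ACEs with undecoded bits, and a row per ACE."""
    summary = {"explicit_full_access": [], "denied": [], "undecoded": {}, "rows": []}
    for ace in aces:
        names, leftover = decode_mask(ace["mask"])
        inherited = bool(ace["ace_flags"] & FLAG_INHERITED_ACE)
        summary["rows"].append((ace["trustee"], ace["ace_type"], inherited, names))
        if leftover:
            summary["undecoded"][ace["trustee"]] = leftover
        if ace["ace_type"] == ACE_DENIED:
            summary["denied"].append(ace["trustee"])
        elif "FULL_MAILBOX_ACCESS" in names and not inherited:
            summary["explicit_full_access"].append(ace["trustee"])
    summary["explicit_full_access"].sort()
    summary["denied"].sort()
    return summary


# Constructed DACL for one mailbox (EXAMPLE is a placeholder domain, not a real one).
SAMPLE_DACL = [
    {"trustee": "NT AUTHORITY\\SELF", "mask": 0x1 | 0x4,
     "ace_type": ACE_ALLOWED, "ace_flags": 0},
    {"trustee": "EXAMPLE\\Exchange Domain Servers", "mask": 0x1 | 0x10000 | 0x20000,
     "ace_type": ACE_ALLOWED, "ace_flags": FLAG_INHERITED_ACE},
    {"trustee": "EXAMPLE\\helpdesk-temp", "mask": 0x1,
     "ace_type": ACE_ALLOWED, "ace_flags": 0},
    {"trustee": "EXAMPLE\\contractor", "mask": 0x1,
     "ace_type": ACE_DENIED, "ace_flags": 0},
    # 0x200 is not a known mailbox right: the leftover warning case in joe's script.
    {"trustee": "EXAMPLE\\legacy-app", "mask": 0x1 | 0x200,
     "ace_type": ACE_ALLOWED, "ace_flags": FLAG_INHERIT_ACE},
]


if __name__ == "__main__":
    result = review_dacl(SAMPLE_DACL)
    for row in result["rows"]:
        print(row)
    print("explicit full access:", result["explicit_full_access"])
    print("denied:", result["denied"])
    print("undecoded bits:", {k: hex(v) for k, v in result["undecoded"].items()})
```

SELF is expected in the explicit list for every mailbox; the entries worth a second look are the other explicit grants (here helpdesk-temp and legacy-app), since an inherited grant such as the Exchange Domain Servers entry is the store-wide default rather than a per-mailbox decision. Note that an ACE flagged only 0x2 is still explicit on this object; only 0x10 says it came from a parent.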

Re: [ActiveDir] AD SYSVOL folder

2004-03-16 Thread EN
Thanks for the response.
Well, since they can't be on a PC for more than 40 minutes (classes),
and I have the windows logoff screensaver set to 15 minutes of inactivity, I
doubt they would be able to keep the files open, but one never knows.
Thanks again,
Ernesto

- Original Message - 
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 15, 2004 4:28 PM
Subject: RE: [ActiveDir] AD SYSVOL folder


 they could analyse the policies, but that won't usually help them for an
 attack (I think). But they could also open the policy files and keep them
 open to hinder replication, which could bite you.

 -Original Message-
 From: EN [mailto:[EMAIL PROTECTED]
 Sent: Montag, 15. März 2004 22:56
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] AD SYSVOL folder

 I need to know a little something.
 I work in a High School, so AD is used here but not to the extent that many
 of you use it.
 I wish I had more programming experience but that's beside the point.

 Being a HS, we have tons of little ones that just love to try and hack a
 computer and such.
 Well, I'm a bit worried that because the SYSVOL is a share, although
 somewhat hidden, that these little tykes can get to, is there any real
 danger/complication that can arise by them being able to view the policies
 and other files in the sysvol folder?
 Other than hacking and gaining admin control of a PC, can they actually do
 anything with the info that is present in those folders?
 Thanks!!
 Ernesto



Re: [ActiveDir] Microsoft Patch

2004-03-16 Thread Robbie Foust
Well, SUS is also missing reporting and auditing, if I remember 
correctly...  I can't wait to see the new version though (anyone know 
the beta guest id?)

Several departments here use a product called Bigfix (www.bigfix.com) 
and it seems to work very well.  It's scalable and even integrates with 
AD. :)

- Robbie

Robbie Foust, IT Analyst
Systems and Core Services
Duke University


Roger Seielstad wrote:
I'm running SUS 1.1 quite successfully for about 700 client machines 
(and servers). SUS 2, which is due in beta within the next 30 days or 
so, is going to add Office and a few other products for patching, which 
really is all that SUS is missing.
 
I prefer the SUS methodology of an agent on the client that pulls down 
the updates as they are available - we have a lot of highly mobile users 
so that really makes things work well for us. Things like HKNetCheck 
require the box be online when you push the patches, which doesn't work 
well in a lot of environments.
 
Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
*From:* Cariglia, Daniel [mailto:[EMAIL PROTECTED]
*Sent:* Monday, March 15, 2004 4:43 PM
*To:* [EMAIL PROTECTED]
*Subject:* [ActiveDir] Microsoft Patch
I am in the process of looking at alternatives to distribute/manage
Microsoft patches.  We have SUS running in a lab setup and it seems
alright.  My question is are there superior products out there that
someone has used and can recommend that work well with AD?  Running
AD with an empty root and 2 child domains where the users reside,
users are either Windows 2000 Pro or XP Pro.  Any suggestions would
be appreciated.
Thank You,

 

 

*Dan *

 



RE: [ActiveDir] Changing ACLs via VBscript

2004-03-16 Thread Michael B. Smith



Oh yes, I know the script center well.

I don't see anything on there about ACE's or 
ACL's.

Thanks,
Michael


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Tuesday, March 16, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

Have you seen these?
http://msdn.microsoft.com/library/default.asp?url="">
http://www.microsoft.com/technet/community/scriptcenter/default.mspx

Regards,
/Jimmy
- Jimmy Andersson, Q Advice AB
Principal Advisor
Microsoft MVP - Directory Services
-- www.qadvice.com --



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 16, 2004 2:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Changing ACLs via VBscript

I need to change 
both file ACLs and Exchange permissions within vbscript (for Windows 2000 and 
2003, and Exchange 2000 and 2003).

I know how to do 
everything I want manually, but the GUI is too slow and error prone for the 
volume I've got going on...

I've been unable to 
find a website that discusses doing this, or any online resources to really 
help.

Does anyone have any 
suggestions, either online or books?

Thanks.



RE: [ActiveDir] Changing ACLs via VBscript

2004-03-16 Thread Michael B. Smith



Thanks for the link...

In regards to Exchange, I specifically want to be able 
to:

a) change the permissions on the "All Address Lists" 
object,
b) create a new address list,
c) change the default permissions on the new address 
list,
d) change the permissions on the "All Global Address Lists" 
object,
e) create a new GAL, and
f) change the default permissions on the new 
GAL

(b) and (e) aren't within the scope of this particular 
question. :-)

I've got (b) and (e) mapped out, but not written. If you have working code --- that would be great to know. :-)

I typically perform these actions from a mixture of ESM and ADSIedit (some of the permissions are not exposed within ESM).

A script to allow full mailbox access would be WONDERFUL. 
That's another thing I do manually.

Thanks very much,
Michael


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 16, 2004 9:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

First off let me start with a quick 
link...

http://msdn.microsoft.com/library/default.asp?url="">

This describes the main interface you will 
use...

Now that being said... You have to be careful with what you 
are saying when you say Exchange permissions. Do you mean overall mailbox 
permissions or do you mean folder roles. They are entirely different. For 
instance a mailbox permission would allow you to say log into the mailbox with a 
specific ID directly, say like admin access to someone else's mailbox. A folder 
role allows someone access (Editor/Owner/Reviewer/Etc) to specific folders 
within a mailbox. If you are doing your perm setting from the advanced exchange 
tab of DSA.MSC, that is mailbox perms. If doing it from within outlook, that is 
folder roles. 

Here is a little quick and dirty script I can post right 
now for enumerating a mailbox ACL (mailbox perms). I will see if I can post my 
script that does mailbox mods to allow someone else full mailbox access. However 
I will have to scrub some info out of it first. If you actually mean folder 
roles, let me know as I have some stuff for doing that as well. 





' Mailbox rights bits; the last five are the generic ADS_RIGHT_ENUM values named in the comments.
Const ACE_MB_FULL_ACCESS = &H1
Const ACE_MB_ASSOC_EXT_ACCT = &H4         ' This was from stucki and was 5, really should be 4
Const ACE_MB_DELETE_STORAGE = &H10000     ' ADS_RIGHT_DELETE
Const ACE_MB_READ_PERMISSIONS = &H20000   ' ADS_RIGHT_READ_CONTROL
Const ACE_MB_CHANGE_PERMISSIONS = &H40000 ' ADS_RIGHT_WRITE_DAC
Const ACE_MB_TAKE_OWNERSHIP = &H80000     ' ADS_RIGHT_WRITE_OWNER
Const ACE_MB_SYNCRONIZE = &H100000        ' ADS_RIGHT_SYNCHRONIZE

Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED = 1
Const ADS_ACETYPE_SYSTEM_AUDIT = 2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7
Const ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8

'Const ADS_ACEFLAG_INHERIT_ACE = 2 ' This one is wrong - from KB Q310866
' 2 (ADS_ACEFLAG_INHERIT_ACE) marks an ACE that child objects inherit; 16
' (ADS_ACEFLAG_INHERITED_ACE) marks an ACE that was itself inherited, which is what is tested below.
Const ADS_ACEFLAG_INHERIT_ACE = 16

userdn = WScript.Arguments.Item(0)

' Get directory user object.
Set objUser = GetObject("LDAP://" & userdn)

' Get the Mailbox security descriptor (SD).
Set oSecurityDescriptor = objUser.MailboxRights

' Extract the discretionary access control list (ACL) by using the IADsSecurityDescriptor
' interface.
Set dacl = oSecurityDescriptor.DiscretionaryAcl

'''
' The following block of code demonstrates how to read all the ACEs on a
' DACL for the Exchange 2000 mailbox.
''
WScript.Echo "Here are the existing ACEs in the mailbox's DACL:"

' Enumerate all the access control entries (ACEs) in the ACL using the IADsAccessControlList
' interface, therefore displaying the current mailbox rights.
WScript.Echo "Trustee, AccessMask, Access Desc, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
WScript.Echo "--- -- --- --- - -- ---"
WScript.Echo

For Each ace In dacl
    ' Decode the access mask bit by bit; whatever is left over was not recognised.
    accessstr = ""
    accessmask = ace.AccessMask
    leftoveram = accessmask
    If (accessmask And ACE_MB_FULL_ACCESS) = ACE_MB_FULL_ACCESS Then
        accessstr = accessstr & "FC;"
        leftoveram = leftoveram - ACE_MB_FULL_ACCESS
    End If
    If (accessmask And ACE_MB_ASSOC_EXT_ACCT) = ACE_MB_ASSOC_EXT_ACCT Then
        accessstr = accessstr & "ASSOC_EXT;"
        leftoveram = leftoveram - ACE_MB_ASSOC_EXT_ACCT
    End If
    If (accessmask And ACE_MB_DELETE_STORAGE) = ACE_MB_DELETE_STORAGE Then
        accessstr = accessstr & "DELETE_STORAGE;"
        leftoveram = leftoveram - ACE_MB_DELETE_STORAGE
    End If
    If (accessmask And ACE_MB_READ_PERMISSIONS) = ACE_MB_READ_PERMISSIONS Then
        accessstr = accessstr & "READ;"
        leftoveram = leftoveram - ACE_MB_READ_PERMISSIONS
    End If
    If (accessmask And ACE_MB_CHANGE_PERMISSIONS) = ACE_MB_CHANGE_PERMISSIONS Then
        accessstr = accessstr & "CHANGE;"
        leftoveram = leftoveram - ACE_MB_CHANGE_PERMISSIONS
    End If
    If (accessmask And ACE_MB_TAKE_OWNERSHIP) = ACE_MB_TAKE_OWNERSHIP Then
 

[ActiveDir] Time synchronization

2004-03-16 Thread Gayoso, Ray





We have 4 DC's in our root domain, all 2K3, with the PDC emulator set for external time synchronization and all others set for nt5ds.

What is your opinion on setting all 4 DCs to NTP and getting time from the same external source?
We are looking at redundancy for external time and not having to reconfigure the time source when the PDCE role is moved.

Recommendations?


Thanks







RE: [ActiveDir] Changing ACLs via VBscript

2004-03-16 Thread Coleman, Hunter



http://www.rallenhome.com/books/ad2e/code.html

Check the Chapter 23 scripts. They'll be a bit obtuse 
without the benefit of the explanations in the book, but that's a good reason to 
buy the book :-)

Hunter


From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 7:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

Oh yes, I know the script center well.

I don't see anything on there about ACE's or 
ACL's.

Thanks,
Michael


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Tuesday, March 16, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

Have you seen these?
http://msdn.microsoft.com/library/default.asp?url="">
http://www.microsoft.com/technet/community/scriptcenter/default.mspx

Regards,
/Jimmy
- Jimmy Andersson, Q Advice AB
Principal Advisor
Microsoft MVP - Directory Services
-- www.qadvice.com --



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 16, 2004 2:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Changing ACLs via VBscript

I need to change 
both file ACLs and Exchange permissions within vbscript (for Windows 2000 and 
2003, and Exchange 2000 and 2003).

I know how to do 
everything I want manually, but the GUI is too slow and error prone for the 
volume I've got going on...

I've been unable to 
find a website that discusses doing this, or any online resources to really 
help.

Does anyone have any 
suggestions, either online or books?

Thanks.



RE: [ActiveDir] Changing ACLs via VBscript

2004-03-16 Thread joe



Ok, those are AD permission changes, in the config 
container. You will be manipulating the actual AD sd, not any special exchange 
sd's, at least I am pretty sure, never dorked with them personally but play a 
guy on TV who does 

I will scrub the script for full mailbox access and 
post it. 

Also go back in time and look for a perl script I 
posted here for how to retrieve the binary values for ACLs. You can capture what 
an ACL looks like on an object you want to change, manually do one by hand your 
normal way, then recheck what the binary values are so you can script the 
change. It is how I tend to do it.

I will also look for some code that does generic AD 
changes so you can see that. It is really fairly easy once you know what values 
to stick in. 

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 16, 2004 9:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

Thanks for the link...

In regards to Exchange, I specifically want to be able 
to:

a) change the permissions on the "All Address Lists" 
object,
b) create a new address list,
c) change the default permissions on the new address 
list,
d) change the permissions on the "All Global Address Lists" 
object,
e) create a new GAL, and
f) change the default permissions on the new 
GAL

(b) and (e) aren't within the scope of this particular 
question. :-)

I've got (b) and (e) mapped out, but not written. 
If you have working code --- that would be great to know. 
:-)

I typically perform these actions from a mixture of 
ESM and ADSIedit (some of the permissions are not exposed within 
ESM).

A script to allow full mailbox access would be WONDERFUL. 
That's another thing I do manually.

Thanks very much,
Michael


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 16, 2004 9:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

First off let me start with a quick 
link...

http://msdn.microsoft.com/library/default.asp?url="">

This describes the main interface you will 
use...

Now that being said... You have to be careful with what you 
are saying when you say Exchange permissions. Do you mean overall mailbox 
permissions or do you mean folder roles? They are entirely different. For 
instance a mailbox permission would allow you to say log into the mailbox with a 
specific ID directly, say like admin access to someone else's mailbox. A folder 
role allows someone access (Editor/Owner/Reviewer/Etc) to specific folders 
within a mailbox. If you are doing your perm setting from the advanced exchange 
tab of DSA.MSC, that is mailbox perms. If doing it from within outlook, that is 
folder roles. 

Here is a little quick and dirty script I can post right 
now for enumerating a mailbox ACL (mailbox perms). I will see if I can post my 
script that does mailbox mods to allow someone else full mailbox access. However 
I will have to scrub some info out of it first. If you actually mean folder 
roles, let me know as I have some stuff for doing that as well. 





Option Explicit

' Mailbox rights bits found in the access mask of a mailbox ACE.
Const ACE_MB_FULL_ACCESS = &h1
Const ACE_MB_ASSOC_EXT_ACCT = &h4          ' This was from stucki and was 5, really should be 4
' The next five are restored to the standard ADS_RIGHT_* values named in the comments.
Const ACE_MB_DELETE_STORAGE = &h10000      ' ADS_RIGHT_DELETE
Const ACE_MB_READ_PERMISSIONS = &h20000    ' ADS_RIGHT_READ_CONTROL
Const ACE_MB_CHANGE_PERMISSIONS = &h40000  ' ADS_RIGHT_WRITE_DAC
Const ACE_MB_TAKE_OWNERSHIP = &h80000      ' ADS_RIGHT_WRITE_OWNER
Const ACE_MB_SYNCRONIZE = &h100000         ' ADS_RIGHT_SYNCHRONIZE

Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED = 1
Const ADS_ACETYPE_SYSTEM_AUDIT = 2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7
Const ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8

'Const ADS_ACEFLAG_INHERIT_ACE = 2 ' This one is wrong - from KB Q310866
Const ADS_ACEFLAG_INHERIT_ACE = 16 ' &h10 is the bit set on an ACE inherited from the parent (ADS_ACEFLAG_INHERITED_ACE)

Dim userdn, objUser, oSecurityDescriptor, dacl, ace

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript " & WScript.ScriptName & " <distinguishedName of the user>"
    WScript.Quit 1
End If
userdn = WScript.Arguments.Item(0)

' Get directory user object.
Set objUser = GetObject("LDAP://" & userdn)

' Get the Mailbox security descriptor (SD).
Set oSecurityDescriptor = objUser.MailboxRights

' Extract the discretionary access control list (ACL) by using the IADsSecurityDescriptor
' Interface
Set dacl = oSecurityDescriptor.DiscretionaryAcl

'
' The following block of code demonstrates how to read all the ACEs on a
' DACL for the Exchange 2000 mailbox.
'
WScript.Echo "Here are the existing ACEs in the mailbox's DACL:"

' Enumerate all the access control entries (ACEs) in the ACL using the IADsAccessControlList
' Interface, therefore, displaying the current mailbox rights.
WScript.Echo "Trustee, AccessMask, Access Desc, ACEType, ACEFlags, Flags, ObjectType"
' The posted copy was cut off after the line above; the loop that completes it is an editor's addition.
For Each ace In dacl
    WScript.Echo ace.Trustee & ", &h" & Hex(ace.AccessMask) & ", " & DescribeMask(ace.AccessMask) & ", " & _
        ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & ace.ObjectType
Next

' Turn the mailbox-rights bits of an access mask into their names.
Function DescribeMask(mask)
    Dim desc
    desc = ""
    If (mask And ACE_MB_FULL_ACCESS) <> 0 Then desc = desc & "FullMailboxAccess "
    If (mask And ACE_MB_ASSOC_EXT_ACCT) <> 0 Then desc = desc & "AssociatedExternalAccount "
    If (mask And ACE_MB_DELETE_STORAGE) <> 0 Then desc = desc & "DeleteMailboxStorage "
    If (mask And ACE_MB_READ_PERMISSIONS) <> 0 Then desc = desc & "ReadPermissions "
    If (mask And ACE_MB_CHANGE_PERMISSIONS) <> 0 Then desc = desc & "ChangePermissions "
    If (mask And ACE_MB_TAKE_OWNERSHIP) <> 0 Then desc = desc & "TakeOwnership "
    If (mask And ACE_MB_SYNCRONIZE) <> 0 Then desc = desc & "Synchronize "
    DescribeMask = Trim(desc)
End Function
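
The two things joe describes in this thread, reading each ACE of a mailbox DACL and diffing a captured ACL against a recapture taken after a manual change, as an added example in Python rather than VBScript (it is not code from the post or from joeware). It goes one step beyond the enumeration script: it sorts the ACEs into the order Windows evaluates them and computes a trustee's effective rights from them, which is the check to run before trusting a scripted change. The ACE records, the trustee names and the helper names (`Ace`, `effective_rights`, `diff_dacl`) are constructed for the example; a real run would read the ACEs through ADSI as the script above does.

```python
"""Mailbox-rights DACL helpers: decode an access mask, work out a trustee's
effective rights in canonical ACE order, and diff two DACL snapshots.
Added example: the ACE records below are constructed, not read from AD."""
from __future__ import annotations
from dataclasses import dataclass

# Mailbox-rights bits, the values joe's VBScript constants name.
ACE_MB_FULL_ACCESS = 0x1
ACE_MB_ASSOC_EXT_ACCT = 0x4
ACE_MB_DELETE_STORAGE = 0x10000      # ADS_RIGHT_DELETE
ACE_MB_READ_PERMISSIONS = 0x20000    # ADS_RIGHT_READ_CONTROL
ACE_MB_CHANGE_PERMISSIONS = 0x40000  # ADS_RIGHT_WRITE_DAC
ACE_MB_TAKE_OWNERSHIP = 0x80000      # ADS_RIGHT_WRITE_OWNER
ACE_MB_SYNCHRONIZE = 0x100000        # ADS_RIGHT_SYNCHRONIZE
RIGHT_NAMES = [
    (ACE_MB_FULL_ACCESS, "FullMailboxAccess"),
    (ACE_MB_ASSOC_EXT_ACCT, "AssociatedExternalAccount"),
    (ACE_MB_DELETE_STORAGE, "DeleteMailboxStorage"),
    (ACE_MB_READ_PERMISSIONS, "ReadPermissions"),
    (ACE_MB_CHANGE_PERMISSIONS, "ChangePermissions"),
    (ACE_MB_TAKE_OWNERSHIP, "TakeOwnership"),
    (ACE_MB_SYNCHRONIZE, "Synchronize"),
]
ADS_ACETYPE_ACCESS_ALLOWED = 0
ADS_ACETYPE_ACCESS_DENIED = 1
ADS_ACEFLAG_INHERITED_ACE = 0x10     # the 16 in joe's script: ACE came from the parent


@dataclass(frozen=True)
class Ace:
    """One DACL entry, the fields IADsAccessControlEntry exposes (hypothetical type)."""
    trustee: str                 # e.g. "CORP\\jdoe" (constructed names below)
    access_mask: int
    ace_type: int = ADS_ACETYPE_ACCESS_ALLOWED
    ace_flags: int = 0


def decode_mask(mask: int) -> list[str]:
    """Names of the mailbox rights set in mask; unrecognised bits kept as hex."""
    names = [name for bit, name in RIGHT_NAMES if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in RIGHT_NAMES)
    return names + ([f"0x{leftover:x}"] if leftover else [])


def canonical_order(dacl: list[Ace]) -> list[Ace]:
    """Order Windows evaluates: explicit deny, explicit allow, inherited deny,
    inherited allow. The sort is stable, so ties keep their original order."""
    return sorted(dacl, key=lambda a: (bool(a.ace_flags & ADS_ACEFLAG_INHERITED_ACE),
                                       a.ace_type != ADS_ACETYPE_ACCESS_DENIED))


def effective_rights(dacl: list[Ace], trustee: str, groups: set[str]) -> int:
    """Rights the trustee ends up with, directly or through its groups. Each
    bit is settled by the first ACE that mentions it in canonical order, so an
    explicit deny beats a later allow and an allow beats a later deny."""
    principals = {trustee} | set(groups)
    granted = denied = 0
    for ace in canonical_order(dacl):
        if ace.trustee not in principals:
            continue
        if ace.ace_type == ADS_ACETYPE_ACCESS_DENIED:
            denied |= ace.access_mask & ~granted
        elif ace.ace_type == ADS_ACETYPE_ACCESS_ALLOWED:
            granted |= ace.access_mask & ~denied
    return granted


def diff_dacl(before: list[Ace], after: list[Ace]) -> tuple[set[Ace], set[Ace]]:
    """The capture / change by hand / recapture method: (added, removed) ACEs
    between two snapshots, i.e. exactly what a script has to add or strip."""
    return set(after) - set(before), set(before) - set(after)


# Constructed sample DACL for one mailbox (not captured from a real server).
SAMPLE_DACL = [
    Ace("CORP\\Domain Admins", ACE_MB_FULL_ACCESS | ACE_MB_CHANGE_PERMISSIONS),
    Ace("CORP\\jdoe", ACE_MB_FULL_ACCESS, ADS_ACETYPE_ACCESS_DENIED),
    Ace("NT AUTHORITY\\SELF", ACE_MB_FULL_ACCESS | ACE_MB_READ_PERMISSIONS,
        ace_flags=ADS_ACEFLAG_INHERITED_ACE),
    Ace("Everyone", ACE_MB_READ_PERMISSIONS, ace_flags=ADS_ACEFLAG_INHERITED_ACE),
]

if __name__ == "__main__":
    for ace in canonical_order(SAMPLE_DACL):
        kind = "DENY " if ace.ace_type == ADS_ACETYPE_ACCESS_DENIED else "ALLOW"
        scope = "inherited" if ace.ace_flags & ADS_ACEFLAG_INHERITED_ACE else "explicit"
        print(f"{kind} {ace.trustee:22} {scope:9} {', '.join(decode_mask(ace.access_mask))}")
    rights = effective_rights(SAMPLE_DACL, "CORP\\jdoe", {"Everyone", "CORP\\Domain Admins"})
    print("effective for CORP\\jdoe:", decode_mask(rights))
```

The sample shows the case that trips people up when they script this: jdoe is a member of Domain Admins, which has full access, yet an explicit deny on jdoe wins for that bit, and the inherited read permission from Everyone still applies because no deny mentions it.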

RE: [ActiveDir] Time synchronization

2004-03-16 Thread joe



I generally recommend that any machine that can be the PDC 
for the forest root domain should be synced externally with all of them syncing 
to the same source. 

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gayoso, Ray
Sent: Tuesday, March 16, 2004 9:54 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Time synchronization

We have 4 DC's in our root domain...All 2K3. 
With the PDC emulator set for external time 
synchronization and all others set for nt5ds. 
What is your opinion on setting all 4 DCs to NTP and 
getting time from the same external source. We are looking at redundancy for 
external time and not having to reconfigure the time source when the PDCE role is moved.
Recommendations? 
Thanks 


RE: [ActiveDir] Microsoft Patch

2004-03-16 Thread Roger Seielstad



It's not really widely available to the best of my knowledge. As I said - it's 
scheduled to go beta soon, and I'd expect a mid summer general availability 
release. I'd watch this forum, and the SUS websites:
http://www.microsoft.com/windowsserversystem/sus/default.mspx
http://www.susserver.com

And SUSServer.com has a story here about it - http://forums.susserver.com/index.php?showtopic=1871



-- 
Roger D. Seielstad - 
MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 

  
  -Original Message-
  From: Philadelphia, Lynden - Revios Toronto [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, March 16, 2004 9:31 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Microsoft Patch
  
  Where can I find out more information on SUS version 2?
  
  
  
  Lynden 
  
  
  
  
  From: Roger Seielstad [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, March 16, 2004 8:02 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Microsoft Patch
  
  
  
  I'm running SUS 1.1 
  quite successfully for about 700 client machines (and servers). SUS 2, which 
  is due in beta within the next 30 days or so, is going to add Office and a few 
  other products for patching, which really is all that SUS is 
  missing.
  
  
  
  I prefer the SUS 
  methodology of an agent on the client that pulls down the updates as they are 
  available - we have a lot of highly mobile users so that really makes things 
  work well for us. Things like HKNetCheck require the box be online when you 
  push the patches, which doesn't work well in a lot of 
  environments.
  
  
  
  Roger
  
  -- 
  Roger D. Seielstad - 
  MTS MCSE MS-MVP Sr. Systems 
  Administrator Inovis 
  Inc. 
  
-Original Message-
From: Cariglia, Daniel [mailto:[EMAIL PROTECTED]
Sent: Monday, March 15, 2004 4:43 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Microsoft Patch

I am in the process of 
looking at alternatives to distribute/manage Microsoft patches. We 
have SUS running in a lab setup and it seems alright. My question is 
are there superior products out there that someone has used and can 
recommend that work well with AD? Running AD with an empty root and 2 
child domains where the users reside, users are either Windows 2000 Pro or 
XP Pro. Any suggestions would be 
appreciated.
 
Thank You,


Dan 




RE: [ActiveDir] Microsoft Patch

2004-03-16 Thread Roger Seielstad
Actually - there is some ability to do reporting, although we use a software
inventory and audit tool so reporting is less necessary for us - but it's
fairly inadequate, unless you really like digging through IIS logs for info.
Then again - you can do some pretty good reporting using the free log
parsers to generate reports.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Robbie Foust [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, March 16, 2004 9:42 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Microsoft Patch
 
 
 Well, SUS is also missing reporting and auditing, if I remember 
 correctly...  I can't wait to see the new version though (anyone know 
 the beta guest id?)
 
 Several departments here use a product called Bigfix (www.bigfix.com) 
 and it seems to work very well.  It's scalable and even integrates with 
 AD. :)
 
 - Robbie
 
 
 Robbie Foust, IT Analyst
 Systems and Core Services
 Duke University
 
 
 
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 


RE: [ActiveDir] Changing ACLs via VBscript

2004-03-16 Thread joe



You know, I think Robbie might have posted that perl script 
mentioned below on his site as well under the Cookbook scripts 
link.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 16, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

Ok, those are AD permission changes, in the config 
container. You will be manipulating the actual AD sd, not any special exchange 
sd's, at least I am pretty sure, never dorked with them personally but play a 
guy on TV who does 

I will scrub the script for full mailbox access and 
post it. 

Also go back in time and look for a perl script I 
posted here for how to retrieve the binary values for ACLs. You can capture what 
an ACL looks like on an object you want to change, manually do one by hand your 
normal way, then recheck what the binary values are so you can script the 
change. It is how I tend to do it.

I will also look for some code that does generic AD 
changes so you can see that. It is really fairly easy once you know what values 
to stick in. 

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)






RE: [ActiveDir] Microsoft Patch

2004-03-16 Thread Philadelphia, Lynden - Revios Toronto

On another note, what is a MS-MVP?

Lynden

From: Rod Trent [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Microsoft Patch

More public info will be forthcoming after this week's Microsoft Management Summit.


RE: [ActiveDir] Time synchronization

2004-03-16 Thread Philadelphia, Lynden - Revios Toronto

My suggestion is set your main DC to an external NTP source and the other DC's
to your main DC.

Lynden


From: Gayoso, Ray [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 9:54 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Time synchronization

We have 4 DC's in our root domain...All 2K3. With the PDC emulator set for
external time synchronization and all others set for nt5ds.

What is your opinion on setting all 4 DCs to NTP and getting time from the same
external source. We are looking at redundancy for external time and not having
to reconfigure the time source when the PDCE role is moved.

Recommendations?

Thanks


RE: [ActiveDir] AD SYSVOL folder

2004-03-16 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
you can always gain admin control over a client and then run a job or
service that keeps files open if you really want to ;-) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of EN
Sent: Tuesday, 16 March 2004 15:40
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD SYSVOL folder

Thanks for the response.
Well, since they can't be on a PC for more than 40 minutes (classes),
and I have the windows logoff screensaver set to 15 minutes of inactivity, I
doubt they would be able to keep the files open, but one never knows.
Thanks again,
Ernesto

- Original Message - 
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 15, 2004 4:28 PM
Subject: RE: [ActiveDir] AD SYSVOL folder


 they could analyse the policies, but that won't usually help them for an
 attack (I think). But they could also open the policy files and keep them
 open to hinder replication, which could bite you.

 -Original Message-
 From: EN [mailto:[EMAIL PROTECTED]
 Sent: Monday, 15 March 2004 22:56
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] AD SYSVOL folder

 I need to know a little something.
 I work in a High School, so AD is used here but not to the extent that many
 of you use it.
 I wish I had more programming experience but that's beside the point.

 Being a HS, we have tons of little ones that just love to try and hack a
 computer and such.
 Well, I'm a bit worried that because the SYSVOL is a share, although
 somewhat hidden, that these little tykes can get to, is there any real
 danger/complication that can arise by them being able to view the policies
 and other files in the sysvol folder?
 Other than hacking and gaining admin control of a PC, can they actually do
 anything with the info that is present in those folders?
 Thanks!!
 Ernesto





RE: [ActiveDir] Microsoft Patch

2004-03-16 Thread joe



Microsoft Most Valuable Professional. It is an award MS presents to folks for 
contributions to the community at large. It used to be primarily for newsgroup 
participation but has been branching out to listservs, web sites, and other 
significant contributions, etc.

Basically MS says, hey you are doing good things. Here are some nice little 
prizes keep up the good work. The prizes including a nice certificate suitable 
for framing; a summit in Redmond once a year for us to be brainwashed (err 
brainwash the execs heh), see the Dev guys; Source Code access to OS's (and 
trying for Exchange), and some other nice little things. Definitely doesn't 
work out to pay off in terms of money but if you are already helping people it 
is a nice add on. One other recent benefit I have noticed lately is companies 
asking if you are an MVP or specifically head hunting MVP's. Sort of like they 
used to do for MCSEs. 

The site with info is http://mvp.support.microsoft.com. 
You can click on the link mvp awards up by the MS logo to see a list of all of 
the MVP's for the various categories. 

This list is run by an MVP, several MVP's contribute 
heavily to the list...


 joe[1]



[1] Microsoft MVP Windows Server / Active Directory (with 
MVP minors in Security and AD Dev) - three years running. 

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Tuesday, March 16, 2004 10:31 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Microsoft Patch


On another note, what is a MS-MVP?



Lynden 






[ActiveDir] security event log audits

2004-03-16 Thread Creamer, Mark

Has anyone had success putting together something home-grown to centralize
security event logs into a sql database? If so, I wanted to get some tips on how
the tables should be set up - can all events that are captured in the security
log be placed in the same table, or do different events have their own structure
and would have to go into separate tables?

Also, I'm familiar with EventCombMT and eldump - are there any other tools I
should be considering to pull the data? I'm assuming I'll need to use something
like one of those to act as the middleware between the logs and the database.

Thanks

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
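
One way to lay out the tables Mark is asking about, as an added example in Python with SQLite (not code from the thread, and not the schema EventCombMT, eldump or MACS use). The answer it demonstrates: every security event shares the envelope the event log itself records (computer, record number, time, source, event id, audit type), so those go in one table, while the insertion strings that differ by event id go in a child name/value table, which avoids one table per event id without losing the per-event fields. It also goes a little beyond the question: a unique (computer, record number) key keeps a re-run collector from storing duplicates, and the final query is the cross-machine view a single log cannot give. The schema, function names and sample events are constructed for the example; a collector such as the tools Mark names would supply real records.

```python
"""One SQL layout for centralised Windows security-log events.
Added example: the schema, names and sample records are constructed; a
collector (EventCombMT, eldump or similar) would supply real records."""
from __future__ import annotations
import sqlite3

# Every event shares the envelope the event log records, so all of them fit
# one table. Only the insertion strings differ by event id, and those go in
# a child table keyed by event and position.
SCHEMA = """
CREATE TABLE events (
    event_pk   INTEGER PRIMARY KEY,
    computer   TEXT    NOT NULL,
    record_no  INTEGER NOT NULL,     -- record number in that computer's log
    logged_at  TEXT    NOT NULL,     -- ISO 8601, UTC
    source     TEXT    NOT NULL,
    event_id   INTEGER NOT NULL,
    event_type TEXT    NOT NULL,     -- 'Success Audit' / 'Failure Audit'
    category   TEXT,
    UNIQUE (computer, record_no)     -- re-running the collector adds nothing twice
);
CREATE TABLE event_data (
    event_pk   INTEGER NOT NULL REFERENCES events(event_pk),
    position   INTEGER NOT NULL,     -- order of the insertion string in the message
    name       TEXT    NOT NULL,     -- label from the event's message template
    value      TEXT,
    PRIMARY KEY (event_pk, position)
);
CREATE INDEX ix_events_id_time ON events (event_id, logged_at);
CREATE INDEX ix_event_data_name_value ON event_data (name, value);
"""

# Constructed sample records: the envelope plus the named insertion strings,
# which differ between a logon event (528/529) and an object-open event (560).
SAMPLE_EVENTS = [
    {"computer": "DC1", "record_no": 1001, "logged_at": "2004-03-16T13:40:01Z",
     "source": "Security", "event_id": 528, "event_type": "Success Audit",
     "category": "Logon/Logoff",
     "data": {"User Name": "jdoe", "Domain": "CORP", "Logon Type": "2",
              "Workstation Name": "WS17"}},
    {"computer": "DC1", "record_no": 1002, "logged_at": "2004-03-16T13:41:12Z",
     "source": "Security", "event_id": 529, "event_type": "Failure Audit",
     "category": "Logon/Logoff",
     "data": {"User Name": "administrator", "Domain": "CORP", "Logon Type": "3",
              "Workstation Name": "WS42"}},
    {"computer": "DC2", "record_no": 7, "logged_at": "2004-03-16T13:41:15Z",
     "source": "Security", "event_id": 529, "event_type": "Failure Audit",
     "category": "Logon/Logoff",
     "data": {"User Name": "administrator", "Domain": "CORP", "Logon Type": "3",
              "Workstation Name": "WS42"}},
    {"computer": "FS1", "record_no": 310, "logged_at": "2004-03-16T13:42:00Z",
     "source": "Security", "event_id": 560, "event_type": "Success Audit",
     "category": "Object Access",
     "data": {"Object Type": "File", "Object Name": "D:\\Payroll\\march.xls",
              "Primary User Name": "jdoe", "Accesses": "READ_CONTROL"}},
]


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Create the two tables in a fresh database (in memory by default)."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def load_events(conn: sqlite3.Connection, records) -> int:
    """Store records, skipping any (computer, record_no) already present.
    Returns the number actually inserted."""
    inserted = 0
    for r in records:
        seen = conn.execute("SELECT 1 FROM events WHERE computer = ? AND record_no = ?",
                            (r["computer"], r["record_no"])).fetchone()
        if seen:
            continue
        cur = conn.execute(
            "INSERT INTO events (computer, record_no, logged_at, source, event_id,"
            " event_type, category) VALUES (?, ?, ?, ?, ?, ?, ?)",
            (r["computer"], r["record_no"], r["logged_at"], r["source"],
             r["event_id"], r["event_type"], r.get("category")))
        conn.executemany(
            "INSERT INTO event_data (event_pk, position, name, value) VALUES (?, ?, ?, ?)",
            [(cur.lastrowid, pos, name, value)
             for pos, (name, value) in enumerate(r["data"].items())])
        inserted += 1
    conn.commit()
    return inserted


def failed_logons_by_account(conn: sqlite3.Connection) -> list[tuple[str, int]]:
    """Failed logons (event 529) per account across every collected computer:
    the cross-machine view a single machine's log cannot give."""
    rows = conn.execute("""
        SELECT d.value, COUNT(*) AS failures
        FROM events e JOIN event_data d ON d.event_pk = e.event_pk
        WHERE e.event_id = 529 AND d.name = 'User Name'
        GROUP BY d.value ORDER BY failures DESC, d.value""").fetchall()
    return [(account, n) for account, n in rows]


if __name__ == "__main__":
    db = open_store()
    print("inserted", load_events(db, SAMPLE_EVENTS), "events")
    for account, n in failed_logons_by_account(db):
        print(f"{account}: {n} failed logons")
```

Keeping the per-event fields as name/value rows means a new event id needs no schema change, at the cost of a join for every field-level query; the index on (name, value) is what keeps those joins cheap once the table grows.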










RE: [ActiveDir] security event log audits

2004-03-16 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)

MACS (MS Audit Collector System) will do all of that for you and likely much more 
efficiently than what you'd do yourself (and more secure as well) - should be 
released soon (I think with 2003 SP1)

/Guido


From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 16 March 2004 19:18
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security event log audits


Has anyone had success putting 
together something home-grown to centralize security event logs into a sql 
database? If so, I wanted to get some tips on how the tables should be set up - 
can all events that are captured in the security log be placed in the same 
table, or do different events have their own structure and would have to go into 
separate tables?

Also, I'm familiar with EventCombMT 
and eldump - are there any other tools I should be considering to pull the data? 
I'm assuming I'll need to use something like one of those to act as the 
middleware between the logs and the database.

Thanks...

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do



RE: [ActiveDir] security event log audits

2004-03-16 Thread Creamer, Mark

Ahhh, I forgot about that coming. Thanks Guido!

mc



-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 1:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits



MACS (MS Audit Collector System) will do all of that for you and likely much more
efficiently than what you'd do yourself (and more secure as well) - should be
released soon (I think with 2003 SP1)



/Guido



















RE: [ActiveDir] security event log audits

2004-03-16 Thread Celone, Mike



Will this work for Win2k servers also?

Mike


From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 1:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits

MACS (MS Audit Collector System) will do all of that for you and likely much more 
efficiently than what you'd do yourself (and more secure as well) - should be 
released soon (I think with 2003 SP1)

/Guido





RE: [ActiveDir] security event log audits

2004-03-16 Thread Lou Vega
Short answer: Yes 

More detailed info:
http://www.windowsboston.com/downloads/doc/MACS_beta_Overview.doc

Hope that helps :)

r/
Lou



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Tuesday, March 16, 2004 1:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] security event log audits

Will this work for Win2k servers also?
 
Mike




RE: [ActiveDir] Unable to modify GPO Policy

2004-03-16 Thread Darren Mar-Elia
That is weird. Might be time to do a sniffer trace. Also, check the
system event log on each of the machines that is having a problem and
make sure you're not getting any machine trust issues with the domain.
Also, double-check that DNS client config on the two problem machines is
correct. Could be a name resolution issue too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, March 16, 2004 8:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unable to modify GPO Policy

I have checked the security permissions, they appear to be correct (EA -
Full Control).  But, if permissions were the problem, then I would not
be able to manage the domain from the Parent DC.  It just does not work
from my desk nor logging into the child DC.  Could there be a
communication problem, operations master, etc.?  I'm guessing here...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, March 15, 2004 2:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unable to modify GPO Policy

Enterprise Admin should be able to do this. You might want to double
check the permissions on the GPO in the child domain you're trying to
edit. Make sure EAs really do have write perms on that GPO. You should
be able to view and change GPO perms by either looking at the Properties
on the GPO in the GPO editor (or dsa.msc) or by using the GPMC, which
has a nicer interface into GPO perms.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, March 15, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Unable to modify GPO Policy

Okay, here is an interesting one.  I am an enterprise admin trying to
modify a child domains domain policy.  If I open up an mmc console on
the parents DC, I have no problem.  If I open the mmc on either my
desktop or on the child's DC, it says that I do not have permission.
Why does one way work, but not the other?  And what permissions do I
have to change to have it work?

Thanks,
S



RE: [ActiveDir] security event log audits

2004-03-16 Thread stefano tufillaro
I wrote it four years ago.

A Windows NT service on every machine sends the information (every event log
section) to an ODBC-connected database
(Oracle, MS SQL Server, DB2, MySQL, etc.)

I also wrote the administrative client to set up, install, modify the
configuration and interrogate the database, produce reports (Crystal, HTML,
PDF, etc.) and also send scripts as well as programs to modify the system
from a remote location.


From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] security event log audits
Date: Tue, 16 Mar 2004 19:40:02 +0100

MACS (MS Audit Collector System) will do all of that for you, and likely much
more efficiently than you'd do it yourself (and more securely as well) -
should be released soon (I think with 2003 SP1)

/Guido



RE: [ActiveDir] Slightly OT: command line tips

2004-03-16 Thread Kevin Sullivan
I absolutely can't live without changing the visuals of the command
processor. Since you shared, here is one of my favorite command line tips for
w2k. Back in NT when typing out long command lines you could use the * for the
auto-complete character, so from a command prompt "cd c:\doc*" enter would
change the dir to "docs and settings" - great, but incredibly limited. In UNIX
I can use the Tab key to really quickly fly through long command lines etc., so
to change the NT/W2k default from the * to the Tab change
HKLM\Software\Microsoft\Command Processor\CompletionChar value from 40 (I think
that is the default) to 9 and restart the command processor. Remember speed
kills, oh yeah and *WARNING: Modifying the registry incorrectly will cause all
small furry creatures to spontaneously combust and other really, really bad
things will happen, so you all be careful out there!*

This is the default in 2k3 and XP.

I can't wait to see some other tips from people on this list.

Kevin


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, February 24, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Slightly OT: command line tips

I was doing some stuff in a command prompt, and was admiring the dnscmd
output, and it occurred to me one reason some people don't like doing things
at the command line... I got in the habit a while back of changing my command
prompt window properties to a nice looking font, navy text on white
background, 120 characters across and buffer of . The 120 characters across
really helps with the word wrap thing. Command line output ends up being nice
to read, as opposed to defaults which are pretty hard on the eyes :-)



Rich

Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst
Applebee's International, Inc.
913-967-2819











RE: [ActiveDir] Microsoft Patch

2004-03-16 Thread Rick Kingslan
Firstly, it won't be called SUS 2.0. It will 
apparently be called the very unfortunate name of WUS - Windows Update 
Services. Yes, jokes have started, and WUS is getting tripped and 
beat up by all the other software bullies.

However, there is destined to be, as I understand it, an 
Application Programming Interface for WUS (and, no - I'm not making this 
up...) So, now we have the WUS API

As I mentioned on another list, to my knowledge - this
is only served with Sushi..


Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Tuesday, March 16, 2004 8:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Microsoft Patch


More public info will be forthcoming after this week's 
Microsoft Management Summit.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Tuesday, March 16, 2004 9:31 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Microsoft Patch


Where can I find out more information on 
SUS version 2



Lynden 




From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 8:02 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Microsoft Patch



I'm running SUS 1.1 
quite successfully for about 700 client machines (and servers). SUS 2, which is 
due in beta within the next 30 days or so, is going to add Office and a few 
other products for patching, which really is all that SUS is 
missing.



I prefer the SUS 
methodology of an agent on the client that pulls down the updates as they are 
available - we have a lot of highly mobile users so that really makes things 
work well for us. Things like HKNetCheck require the box be online when you push 
the patches, which doesn't work well in a lot of 
environments.



Roger

-- 
Roger D. Seielstad - 
MTS MCSE MS-MVP Sr. Systems 
Administrator Inovis 
Inc. 

  -Original Message-
  From: Cariglia, Daniel [mailto:[EMAIL PROTECTED]
  Sent: Monday, March 15, 2004 4:43 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Microsoft Patch
  
  I am in the process of 
  looking at alternatives to distribute/manage Microsoft patches. We have 
  SUS running in a lab setup and it seems alright. My question is are 
  there superior products out there that someone has used and can recommend that 
  work well with AD? Running AD with an empty root and 2 child domains 
  where the users reside, users are either Windows 2000 Pro or XP Pro. Any 
  suggestions would be appreciated.
   
  Thank You,
  
  
  Dan 
  
  


RE: [ActiveDir] Microsoft Patch

2004-03-16 Thread Michael B. Smith
*cough*
*splutter*
HAHAHAHAHA.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Tuesday, March 16, 2004 9:06 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Microsoft Patch
  Firstly, it won't be called SUS 2.0. It will 
  apparently be called the very unfortunate name of WUS - Windows Update 
  Services. Yes, jokes have started, and WUS is getting tripped and 
  beat up by all the other software bullies.
  
  However, there is destined to be, as I understand it, an 
  Application Programming Interface for WUS (and, no - I'm not making this 
  up...) So, now we have the WUS API
  
  As I mentioned on another list, to my knowledge
  - this is only served with Sushi..
  
  
  Rick Kingslan  MCSE, MCSA, MCT, CISSP
  Microsoft MVP:
  Windows Server / Directory Services
  Windows Server / Rights Management
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  WebLog - www.msmvps.com/willhack4food
  
  


RE: [ActiveDir] Microsoft Patch

2004-03-16 Thread Charlie Kaiser
Does that mean it's going to be hot stuff?
;-)

Sorry... been a long day...


**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

However, there is destined to be, as I understand it, an Application
Programming Interface for WUS (and, no - I'm not making this up...)  So, now
we have the WUS API

As I mentioned on another list, to my knowledge - this is only served with
Sushi..

Rick Kingslan  MCSE, MCSA, MCT, CISSP


RE: [ActiveDir] Microsoft Patch

2004-03-16 Thread joe
Man I ignored that on the other list so you brought it here 
too 


ARRG.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, March 16, 2004 9:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Microsoft Patch


Firstly, it won't be called SUS 2.0. It will 
apparently be called the very unfortunate name of WUS - Windows Update 
Services. Yes, jokes have started, and WUS is getting tripped and 
beat up by all the other software bullies.

However, there is destined to be, as I understand it, an 
Application Programming Interface for WUS (and, no - I'm not making this 
up...) So, now we have the WUS API

As I mentioned on another list, to my knowledge - this
is only served with Sushi..


Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food



RE: [ActiveDir] Schema diff tool

2004-03-16 Thread joe



Here is something really Q-N-D for you Alan. Any chance to 
help out you intel guys I'm all there, I have intel all over my house. 
:o)

Basically you take adfind and you do a schema dump from 
both dc's you are concerned about...

adfind -h server1name -schema -f
"(objectcategory=attributeschema)(objectcategory=attributeschema)" > File1.txt

adfind -h server2name -schema -f
"(objectcategory=attributeschema)(objectcategory=attributeschema)" > File2.txt


Then take the quick and dirty perl script for normalizing 
schema dumps below and run it something like

schemanorm /in:file1.txt 
/out:file1.norm

schemanorm /in:file2.txt 
/out:file2.norm

If comparing two different schema from different forests 
(versus the schema on two DCs in the same forest) you also want the /diff switch 
so


schemanorm /in:file1.txt /out:file1.norm 
/diff

schemanorm /in:file2.txt /out:file2.norm 
/diff

Then use WINDIFF to compare the two norm files. 


That should do it for you. Let me know if it helps 
out.

 joe




__QUICK AND DIRTY PERL SCRIPT FOR NORMALIZING SCHEMA DUMPS__

#!/usr/bin/perl
# schemanorm - quick and dirty normaliser for adfind schema dumps.
# usage: schemanorm /in:file1.txt /out:file1.norm [/diff]
use strict;
use warnings;

my ($in, $out, $diffforest) = ('', '', 0);
for (@ARGV) {
    $in         = $1 if /\/in:(.+)/i;
    $out        = $1 if /\/out:(.+)/i;
    $diffforest = 1  if /\/diff/i;
}
print "DIFFERENT FORESTS\n" if $diffforest;

open(my $ifh, '<', $in)  or die "cannot read $in: $!";
open(my $ofh, '>', $out) or die "cannot write $out: $!";   # output must be opened for writing

my $currentdn = '';   # dn: line of the object being read
my $normcdn   = '';   # same dn with the domain part replaced by DOMAIN
my %info;             # attribute => value for the current object
my %hash;             # normalised dn => normalised attribute block

# Emit the attributes gathered for the current object, sorted by name,
# so that the two dumps line up regardless of attribute order.
sub flush_object {
    return if $currentdn eq '';
    my @i = map { "$_: $info{$_}" } sort keys %info;
    push @i, "\n";
    $hash{$normcdn} = join('', @i);
}

while (my $t = <$ifh>) {
    if ($t =~ /^dn:/) {
        flush_object();
        %info      = ();
        $currentdn = $t;
        print $currentdn;
        ($normcdn = $currentdn) =~ s/(dc=.+)/DOMAIN/i;
        next;
    }
    # adfind prefixes attribute lines with '>' (the character was lost in
    # the archived copy; restored here and stripped before matching names)
    next unless $t =~ /^>/;
    my @a = split(/:/, $t, 2);        # limit 2: keep colons inside values
    next unless defined $a[1];
    $a[0] =~ s/^>//;
    # replication metadata differs per DC even when the schema is identical
    next if $a[0] =~ /^uSNChanged/;
    next if $a[0] =~ /^uSNCreated/;
    next if $a[0] =~ /^whenChanged/;
    if ($a[0] =~ /^(distinguishedName|objectCategory)/i) {
        $a[1] =~ s/(dc=.+)/DOMAIN/i;
    }
    if ($diffforest) {
        # different forests never share these, so drop them too
        next if $a[0] =~ /^objectGUID/;
        next if $a[0] =~ /^whenCreated/;
    }
    $info{$a[0]} = $a[1];             # last value wins for multi-valued attributes
}
flush_object();

print "Writing...\n";
foreach my $w (sort keys %hash) {
    print $ofh $w;
    print $ofh $hash{$w};
}
close $ofh;





-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isham, Alan A
Sent: Tuesday, March 16, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Schema diff tool

Is anyone familiar with a directory tool ($$$ or freeware) that allows one to
compare directory schemas and identify changes at a metadata level? For
example,

schema1
  extAttrib1
    index = y
    gc enabled = y

schema2
  extAttrib1
    index = n
    gc enabled = y

schema diff tool finds there is a difference on extAttrib1 on the index value
because schema1 == y and schema2 == n

Thanks for your reply in advance!


  
  
Alan A Isham
Intel Corporation in USA-CA-Folsom
  




RE: [ActiveDir] Microsoft Patch

2004-03-16 Thread Rick Kingslan
Well, that remains to be seen.  I haven't had time to play with it yet, but
I'll comment here and there as I get a feel for what it does / can do / flat
doesn't deliver.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, March 16, 2004 8:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Microsoft Patch 

Does that mean it's going to be hot stuff?
;-)

Sorry... been a long day...


**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

However, there is destined to be, as I understand it, an Application
Programming Interface for WUS (and, no - I'm not making this up...)  So, now
we have the WUS API

As I mentioned on another list, to my knowledge - this is only served with
Sushi..

Rick Kingslan  MCSE, MCSA, MCT, CISSP


RE: [ActiveDir] Microsoft Patch

2004-03-16 Thread Rick Kingslan
Ahhh geez. Deal with it, Smart Ass. They like 
me here (I think). I'm not so sure on the other list. But then, 
I don't really care much. ;o)

I'm just irritated over the near-sighted and obviously lame 
thought process of the new Microsoft 'Marketing' genius. Rather than the 
slick marketing machine of a few years ago, I now get some yutz getting dunked 
with a water cooler by his office mates because he figured out how to do his job 
with Office 2003. Yawn.

Now, I'm getting bombarded by a name that is so bad (WUS) 
that it deserves the bad press it will get. SUS was not good. But, 
it wasn't obviously dumb. WUS is the latter - in spades. So, if I 
make fun of the name, I'm only like Leno and Kimmel - I'm only riding the crest 
while it's there

Regardless, I still like you, joe. 


;0P


Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 16, 2004 9:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Microsoft Patch


Man I ignored that on the other list so you brought it here 
too 


ARRG.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)







RE: [ActiveDir] Group Policy

2004-03-16 Thread Guy Teverovsky
Darren, now I am puzzled...
I would have sworn that what I have described once worked with W2K (if I
am not mistaken, it was SP1), but  

So I checked...

2 DCs in the test domain (W2K native): 
1 W2K3 (holds all FSMOs)
1 W2K SP4 (GC)

Test 1:
On W2K3:
1) Defined Default Domain Policy with 6 chars password length.
2) Defined Default DC Policy with 8 chars length.
3) ReACL-ed the Default Domain Policy and denied it to Enterprise Domain
Controllers
4) gpupdate + gpresult shows that default domain policy is not applied
at DCs.
5) Trying to set user's password to 6 chars works (just as you have
said) == Default DC password complexity settings are indeed ignored
6) Canceled the Deny for enterprise DCs on default domain policy +
gpupdate + gpresult
7) Default Domain Policy (6 chars) is enforced (meanwhile everything as
expected)

Test 2 (things stop making sense):
1) Default domain Policy is configured not to define password complexity
2) W2K3 local machine policy is set to 5 chars
3) W2K local machine policy set to 6 chars
4) sync the domain & gpupdate & secedit /refreshpolicy
5) on W2K setting 5 char password works (local policy set to 6)
6) on W2K3 5 char password works (local policy set to 5)
7) trying 4 chars fails on both DCs

Test 3 (the other way around):
1) Default domain Policy is configured not to define password complexity
2) W2K3 local machine policy is set to 6 chars
3) W2K local machine policy set to 5 chars
4) sync the domain & gpupdate & secedit /refreshpolicy
5) on W2K3 setting 5 char password fails (local policy set to 6)
6) on W2K 5 char password fails ! (local policy set to 5)
7) trying 4 chars fails on both DCs

Now I've been lurking this mail list for quite a while and been
listening to Joe :), so I fire up Network Monitor on W2K3 (local=6)
while trying to set 5 char password on W2K (local=5) and I see nothing,
except some LDAP chatter about cn=configuration,dc=domain,dc=com... and
yet the password reset to 5 chars fails.

What is going on here ??? What am I missing ?


Test 4 (back to reality):
1) set default domain policy to 6 chars + sync the DCs + check that GPO
setting have replicated)
2) gpupdate  secedit /refreshpolicy 
3) local policies are overridden as expected and 6 char passwords are
enforced

Guy

On Tue, 2004-03-16 at 07:08, Darren Mar-Elia wrote:
 Yea, that's the right way to do it Joe. 
 
 Guy, I'm kinda surprised you actually saw that behavior. I was under the
 impression that password complexity was one of those account policies
 that was completely ignored by DCs unless its linked to a domain policy.
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Monday, March 15, 2004 5:03 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Group Policy
 
 I would think you could do this by simply linking another policy for the
 member machines at a lower OU level that still encompasses all of those
 machines. I know I did this for lockout policy once.  
 
 
 -
 http://www.joeware.net   (download joeware)
 http://www.cafeshops.com/joewarenet  (wear joeware)
  
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
 Sent: Monday, March 15, 2004 3:22 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Group Policy
 
 
 Actually I did it once. This way you can enforce different password
 complexity requirements for domain accounts vs. machine local accounts
 by applying stricter password complexity to GPO that is linked to Domain
 Controllers OU.
 
 This is rather simple: in Default Domain Controller Security policy you
 block inheritance and define different password length/complexity than
 in default domain policy. Standalone computers will receive the security
 settings from default domain policy and DC from its own.
 Of course you must watch out for other settings defined in the default
 domain GPO.
 
 Never found any use for this, but it was one of those nice-to-know
 things.
 
 Guy
 
 --
 Smith & Wesson - the original point and click interface
 
 On Mon, 2004-03-15 at 07:56, joe wrote:
  Yes they do. The default domain policy is where your domain security 
  policy is located at.
  
  What implications are there for blocking it... I am not sure, never
 tried...
  Let us know. :o)
  
  
  -
  http://www.joeware.net   (download joeware)
  http://www.cafeshops.com/joewarenet  (wear joeware)
   
  
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John 
  Shukovsky Jr
  Sent: Thursday, February 26, 2004 12:12 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Group Policy
  
  Do W2k domain controllers need to process default domain policy as 
  well as default dc policy?
  If so and the DC's OU is set to block default domain policy  what 
  implications will/can this have?
  
  thanks in advance.
  
  
  