RE: [ActiveDir] Storage of AD passwords???
LOL. :o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Sunday, May 02, 2004 9:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Storage of AD passwords???

Yeah I know, I should have included a goofy emoticon to indicate a playful jab. I've yet to find one that looks like me though $-)

On May 2, 2004, at 11:04 AM, joe wrote:

I don't disagree with inetOrgPerson or even its use of it. I do strongly disagree with vendors requiring you to change your environment to use it for their applications. If you started with inetOrgPerson I would be just as against vendors forcing you to change to use user objects.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Friday, April 30, 2004 4:09 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Storage of AD passwords???

The AD attribute for a user object password is unicodePwd. If you use the inetOrgPerson object (which Joe strongly disagrees with) that is available in Windows Server 2003, the password will be concurrently stored in the userPassword and unicodePwd attributes. The values of these attributes are typically not visible from any of the various and sundry administrative tools.

Windows 2000 uses the RC4-HMAC 128 bit cipher as the default Kerberos encryption type. This was due to export restrictions of DES that were in place at the time of the Windows 2000 release. Msft did add support for DES prior to the win2k release. Any user in an AD domain that has changed his/her password will have both RC4 and DES keys associated with his/her account.

On Apr 29, 2004, at 9:33 AM, Douglas M. Long wrote:

I have been looking for how Active Directory stores passwords, and have had no luck. Does anyone know what format the password is stored in (eg crypt, md5)? Also, what is the password attribute (is it userPassword)?
TYIA

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Kerberos Info
Yep, I agree. 'Tis why I included their myths link. =)

We (and when I say we I mean our UNIX folks, not me) have been working on Kerberos integration with AD for a couple of years now. Massive issues with cross realm (cross domain) and service location and some small issues with keytab generation. Also now with Windows 2003, HPUX can't use the keytabs because they use the weakest form of encryption I guess which MS disabled in K3. It's all fun.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Welborn
Sent: Sunday, May 02, 2004 8:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos Info

Joe,

If you are interested in true *nix integration with Active Directory, check out a company named Vintela. They have a great solution but you will pay for it.

Mike W.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 02, 2004 6:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Kerberos Info

In line with an earlier post where I said that LDAP isn't for authentication, Kerberos is. Here are some Kerberos links for folks. The last one is from a vendor who sells a product to help but it is interesting reading due to them pointing out some of the shortcomings of some of the *nix solutions to integrate into the Windows world. Good things to know BEFORE you dive into trying to do it.

http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp
http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx
http://www.vintela.com/support/docs/vas/2.4/VAS_Myths.pdf

joe
RE: [ActiveDir] Why doesn't Rick post much anymore?
I spent over an hour in a bedroom on the top floor of the Westin with Missy... I will never be the same.

Interestingly, she tells a slightly different story. You did leave after around an hour, and quite satisfied. However, you never left the bathroom. And, you were alone. Small, quiet white boy... Oh, my goodness.

joe (who will be wearing a disguise next year...)

Oh, yeah - I'm QUITE sure of that... ;op

Rick Kingslan
MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 02, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Why doesn't Rick post much anymore?

Actually I was wearing 7 stilettos the whole time but in reality, Rick is considerably taller than I am. As you found, I am just a small quiet coy simple white boy from the midwest. My issue is the company that I keep. :o)

I spent over an hour in a bedroom on the top floor of the Westin with Missy... I will never be the same. :o)

joe (who will be wearing a disguise next year...)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, April 26, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Why doesn't Rick post much anymore?

Actually, the real trick is that at 4'7", he's the shortest of the four of us, and he knows he doesn't want to be on our bad side at next year's summit!

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Sunday, April 25, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Why doesn't Rick post much anymore?

Some of you long timers on this list know that I've been a long time poster here. And, some might ask the question, Gee... Why doesn't Rick post anymore? Interesting question, simple answer.

Joe, Al, Roger - You guys are big mouths and no one can get a word in edge-wise.

Now, you all know the truth.

Oh, and for those of you that know me, I'm totally kidding these three. Finally meeting all three at the MVP Summit this year was great. I am honored to know you guys, and learn much from you daily.

Now, SHUT UP ALREADY!!! ;op

Rick Kingslan
MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
RE: [ActiveDir] SCECLI 1202 Events
Thanks for that, Joe. Rick has an attention problem. I can't take responsibility or be accountable for my actions, like most of my fellow citizens in the US. That would be un-American - and eventually bankrupt the glut of lawyers in the States, and would have a devastating impact on our economy.

So, I'm sorry that it took Joe so long to pick up on the fact that I was not answering your posts timely. It's clearly his fault for not being more attentive. ;o)

Rick Kingslan
MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 02, 2004 9:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SCECLI 1202 Events

Try grepping (findstr'ing) the INF files in your sysvol structure for power users or the SID S-1-5-32-547.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, April 26, 2004 6:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SCECLI 1202 Events

Hi Rick,

I can't find any entry for power users in domain controller policy. Is there any way we can trace this out and solve the issue? I have used ADSIEDIT yesterday to delete old objects. Actually, I had a DC which crashed so I installed this new one and then seized the roles (PDC, RID) and done the meta cleanup + adsiedit.

TIA,
Athif

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Sunday, 25 April 2004 8:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SCECLI 1202 Events

True - but, if the user doesn't exist, it SHOULDN'T be listed at all. Best practice dictates removing all rights to defined users that don't need them and undefined users that don't exist. In this case, Power User doesn't exist, and therefore any place that the user is defined, the user should be removed.

Rick Kingslan
MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, April 25, 2004 12:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SCECLI 1202 Events

Even easier, just scroll through the log and see what policy/right/whatever it's trying to apply with Power Users.

--Brian

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Sun 4/25/2004 9:40 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] SCECLI 1202 Events

Power Users do not exist on DCs. Go to the Default Domain Controller Policy and look through all of the User Rights and remove any entries for the Power User principal. You should also be receiving event 1000's, also - yes?

Rick Kingslan
MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, April 25, 2004 8:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SCECLI 1202 Events

Hello everybody,

I am getting this event very frequently. Event id 1202 "Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done."

KB Article http://support.microsoft.com/default.aspx?scid=kb;en-us;324383 gives a good explanation to this and with this I could trace that there is a problem with the power users account. When I give this command:

1. C:\>FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

---------- C:\WINNT\SECURITY\LOGS\WINLOGON.LOG
Cannot find Power Users.
Cannot find Power Users.
Cannot find Power Users.

2. C:\>FIND /I "power users" %SYSTEMROOT%\Security\templates\policies\gpt*.*

---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT0.DOM
---------- C:\WINNT\SECURITY\TEMPLATES\POLICIES\GPT1.INF

3. C:\>FIND /I "[Mapping]" %SYSTEMROOT%\Security\Logs\winlogon.log

---------- C:\WINNT\SECURITY\LOGS\WINLOGON.LOG
[Mapping] gpt0.dom = Default Domain Policy
[Mapping] gpt1.inf = Default Domain Policy
[Mapping] gpt0.dom = Default Domain Policy
[Mapping] gpt1.inf = Default Domain Policy
[Mapping] gpt0.dom = Default Domain Policy
[Mapping] gpt1.inf = Default Domain Policy
[Mapping] gpt0.dom = Default Domain Policy
[Mapping] gpt1.inf = Default Domain Policy

Here, the machine is an additional domain
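Joe's suggestion (grep the INF files for "Power Users" or the SID S-1-5-32-547) can be scripted. The scanner below is an added example, not code from the thread or from Microsoft: it parses a security template, reports every user right or restricted-group key that still names the alias, and can walk a policies directory. The template it runs on is constructed; the domain SID in it is a placeholder.

```python
"""Scan security-template INF files for references to the Power Users alias.

Event 1202 with 0x534 means a principal named in a template could not be
mapped to a SID on the machine applying it. Power Users (well-known alias
SID S-1-5-32-547) does not exist on a domain controller, so a Domain
Controllers policy template that still names it raises exactly that
warning. This added example (not from the thread) finds such references
so they can be removed from the policy.
"""
from pathlib import Path

# Power Users, by the name older templates use and by its well-known SID.
POWER_USERS_TOKENS = ("power users", "s-1-5-32-547")

# Constructed sample in the layout of the gpt*.inf files under
# %SYSTEMROOT%\Security\templates\policies; the S-1-5-21 SID is a placeholder.
SAMPLE_TEMPLATE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-551
SeInteractiveLogonRight = Power Users,*S-1-5-32-544
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-222222222-333333333-500
[Version]
signature="$CHICAGO$"
Revision=1
"""


def read_template(path):
    """Templates written by secedit are usually UTF-16 with a BOM; older
    ones are ANSI. Decode accordingly so the SID strings survive intact."""
    raw = Path(path).read_bytes()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def find_unmappable_principals(inf_text, tokens=POWER_USERS_TOKENS):
    """Return (section, key, token) for every key or value naming one of
    `tokens`. [Group Membership] keys embed the SID in the key itself, so
    keys are checked as well as the comma-separated values."""
    hits, section = [], None
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        for candidate in [key] + [v.strip() for v in value.split(",")]:
            if candidate and any(t in candidate.lower() for t in tokens):
                hits.append((section, key, candidate))
    return hits


def scan_templates(root):
    """Walk a sysvol or policies directory and report hits per INF file."""
    report = {}
    for inf in sorted(Path(root).rglob("*.inf")):
        hits = find_unmappable_principals(read_template(inf))
        if hits:
            report[str(inf)] = hits
    return report


def rights_to_clean(hits):
    """Collapse hits into the (section, key) pairs an admin has to edit."""
    return sorted({(section, key) for section, key, _ in hits})


if __name__ == "__main__":
    for section, key, token in find_unmappable_principals(SAMPLE_TEMPLATE):
        print(f"[{section}] {key}: remove {token}")
```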
FW: [ActiveDir] Replication issues
reposting this again, as I still can't see it on the list...

From: Grillenmeier, Guido
Sent: Saturday, 1 May 2004 10:20
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Replication issues

As Joe already wrote, there is a difference between "out of band" and "urgent" replication.

Any DC that you use to set a PW for a user also applies this change "out of band" to the PDCE of the domain = this is NOT urgent replication. It is referred to as immediate replication, although it should simply be called "updatePDC", since this is what it's doing. It's not relying on AD replication at all - instead a direct RPC to the PDCE is made to apply the change at this end = this is totally independent of your site-replication schedules = however, the PDCE needs to be reachable from the DC that performs the PW change.

Additionally, the PW will be replicated urgently to DCs within the same site of the DC where the PW was updated - and yes, this does NOT replicate across site boundaries.

However, when a user logs onto any DC in the domain that hasn't replicated the PW change (i.e. still has the old value), prior to denying logon and increasing the lockout counter, the DC will contact the PDCE and validate if the PW is not correct after all (if it is, I believe it's updated immediately on the DC itself as well - but I'm not sure on this).

Also, any DC where an account gets LOCKED OUT due to too many logon retries by the user and thus reaching the AccountLockout policy will behave the same way as when setting a PW = the PDCE will also be updated immediately out-of-band via an RPC call.

So what's the problem? Well, when you UNLOCK an account, this WON'T be updated on the PDCE via immediate replication and neither will the local DC of the user check the PDCE if the account is locked out or not.

So the real problem is NOT that the PW change doesn't get back to the user's DC = the problem is that the ACCOUNT LOCKOUT status (i.e. setting the user object's lockoutTime=0) does NOT behave the same way at every change (only replicates immediately when value is not equal to 0). Even though the PW change on any DC would work just fine to allow a user to log back onto the domain from any other DC, when an account is LOCKED, this will prevent him from doing so successfully - so this is the reason why you'd want to perform the account UNLOCK on the DC that's "local" to the user account and most often this task is combined with resetting a user's password.

A better solution

You'll have a much better life if you simply do not configure an Account Lockout policy = what does it gain you? It is actually more of a security risk than help for IT = you want to ensure that hackers can't attempt too many retries at cracking a user's password, so you set the account lockout to 5-10 retries. Usually you don't set up the account lockout policy to tease your own users - do you really care if they need to try 50 times until they get it right? Or before they call the helpdesk and admit they've forgotten their PW? Usually not.

However, setting the account lockout threshold this low is the best way for a hacker to plan a DOS attack against your domain, once he has a list of accounts = he'll just continuously try bogus logons and thus lock out all of your accounts! Believe me, you'll have a hell of a lifetime trying to unlock them in a timely manner... (yes, you can use Joe's account unlock tool - but remember you'll have to wait until all of these unlocks replicate to the DCs used by the users).

So you can actually INCREASE the security of your infrastructure by either disabling the Account Lockout policy or at least by setting it to a rather high value (min. 15 - 50 attempts) = a hacker will still not be able to guess the password with these few attempts, but your users will usually call the helpdesk BEFORE they lock out their own accounts - and a PW change on ANY DC is now fully sufficient to get the user back to work.

Using this approach (setting account lockout to a higher value), I have reduced helpdesk calls rgd. locked out accounts by 90% for many customers - and we have combined this with increased monitoring of the eventlogs to detect PW-guessing attempts from hackers, something that you should do anyways.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Friday, 30 April 2004 07:34
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication issues

The password will get replicated "out of band" [1] back to the PDC on a password change. See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx, specifically check the piece on "immediate replication".

I missed this. Let's hope I don't get smacked too hard for it. But, are you saying password
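The asymmetry Guido describes (password change and lockout reach the PDCE out of band, an unlock does not) is easier to see in a small simulation. The model below is an added example, a constructed toy and not Active Directory code or anything from the thread; the DC names, sites and the user are made up, and the one point Guido left open (whether the DC that chained to the PDCE updates its own password copy) is modelled as "it does not".

```python
"""Toy model of the password / lockout replication behaviour Guido describes.

Constructed simulation for this thread, not Active Directory code. Rules
modelled: a password set on any DC is pushed to the PDC emulator (PDCE) out of
band and replicated urgently inside that site; a DC seeing a wrong password
asks the PDCE before rejecting it; a lockout (lockoutTime != 0) is pushed the
same way; an unlock (lockoutTime = 0) only moves with scheduled replication.
Assumption: the chaining DC does not update its own copy of the password.
"""


class Account:
    def __init__(self, password):
        # replicated attributes: name -> (value, version stamp); badPwdCount is per DC
        self.attrs = {"password": (password, 0), "lockoutTime": (0, 0)}
        self.bad_count = 0


class DC:
    def __init__(self, name, site):
        self.name, self.site, self.accounts = name, site, {}


class Domain:
    def __init__(self, lockout_threshold):
        self.dcs, self.pdce, self.clock = {}, None, 0
        self.threshold = lockout_threshold  # 0 = no Account Lockout policy

    def add_dc(self, name, site, pdce=False):
        self.dcs[name] = DC(name, site)
        if pdce:
            self.pdce = self.dcs[name]

    def create_user(self, user, password):
        for dc in self.dcs.values():  # initial replication assumed complete
            dc.accounts[user] = Account(password)

    def _write(self, dc, user, name, value):  # originating write, new version stamp
        self.clock += 1
        dc.accounts[user].attrs[name] = (value, self.clock)

    def _push(self, src, user, name):  # out-of-band RPC to the PDCE + urgent in-site copy
        for dc in self.dcs.values():
            if dc is not src and (dc is self.pdce or dc.site == src.site):
                dc.accounts[user].attrs[name] = src.accounts[user].attrs[name]

    def set_password(self, dc_name, user, new_password):
        dc = self.dcs[dc_name]
        self._write(dc, user, "password", new_password)
        self._push(dc, user, "password")  # "updatePDC" plus same-site urgent replication

    def unlock(self, dc_name, user):
        dc = self.dcs[dc_name]
        self._write(dc, user, "lockoutTime", 0)  # nothing pushed: waits for the schedule
        dc.accounts[user].bad_count = 0

    def logon(self, dc_name, user, password):
        dc = self.dcs[dc_name]
        acct = dc.accounts[user]
        if acct.attrs["lockoutTime"][0] != 0:
            return "LOCKED"  # the DC does not ask the PDCE about lockout state
        if acct.attrs["password"][0] == password:
            acct.bad_count = 0
            return "OK"
        if self.pdce.accounts[user].attrs["password"][0] == password:
            return "OK"      # stale local copy; the PDCE vouches for the new password
        acct.bad_count += 1
        if self.threshold and acct.bad_count >= self.threshold:
            self._write(dc, user, "lockoutTime", self.clock + 1)  # any non-zero value
            self._push(dc, user, "lockoutTime")
            return "LOCKED"
        return "BAD_PASSWORD"

    def scheduled_replication(self):  # inter-site: newest version of each attribute wins
        for user in self.pdce.accounts:
            for name in ("password", "lockoutTime"):
                newest = max((d.accounts[user].attrs[name] for d in self.dcs.values()),
                             key=lambda v: v[1])
                for dc in self.dcs.values():
                    dc.accounts[user].attrs[name] = newest


def helpdesk_scenario(lockout_threshold, unlock_on_users_dc):
    """Branch user guesses wrong, helpdesk (other site) resets and unlocks; returns
    the user's logon result at the branch DC before and after scheduled replication."""
    dom = Domain(lockout_threshold)
    dom.add_dc("HQ-DC1", "HQ", pdce=True)
    dom.add_dc("BRANCH-DC1", "Branch")      # the user's local DC
    dom.add_dc("HELPDESK-DC1", "Helpdesk")  # where the helpdesk works
    dom.create_user("alice", "Winter2004")
    for _ in range(5):
        dom.logon("BRANCH-DC1", "alice", "wrong-guess")
    dom.set_password("HELPDESK-DC1", "alice", "Spring2004")
    dom.unlock("BRANCH-DC1" if unlock_on_users_dc else "HELPDESK-DC1", "alice")
    before = dom.logon("BRANCH-DC1", "alice", "Spring2004")
    dom.scheduled_replication()
    after = dom.logon("BRANCH-DC1", "alice", "Spring2004")
    return before, after
```

With a threshold of 5, the password reset done at the helpdesk site works immediately, but the unlock done there leaves the user locked at the branch DC until scheduled replication; unlocking on the branch DC, or running without a lockout policy, lets the user in at once.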
RE: [ActiveDir] help querying for groups
Thanks Joe. I do use adfind a lot for ad hoc stuff, but I haven't figured out how to use it within scripts yet. The ADO query I'm setting up is part one of a two-part script. Ultimately, what I want to do is find all the RPT* groups, and then place the members of each of them into a spreadsheet, like

Group    Members
RPT001   Joe
RPT002   Guido
RPT002   Robbie

As always, you guys have given me a lot to build upon. Thanks!

mc

-----Original Message-----
From: joe [mailto:listmail@joeware.net]
Sent: Sunday, May 02, 2004 10:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] help querying for groups

Hey Mark,

I am not an ADO fan but it appears you are missing the attributes you want returned in your execute...

BTW, this will get you ALL groups named RPT* in the domain, it won't just get Global Groups. If you want global groups only, you need to add something to your filter...

All Global Groups: (groupType=grouptype:1.2.840.113556.1.4.803:=2)
All Global DLs: (groupType=2)
All Global Security groups: (groupType=-2147483646)

See http://msdn.microsoft.com/library/default.asp?url= for the group type enumeration...

Of course you could always do something like:

adfind -bit -b <domain DN> -f "(&(objectcategory=group)(groupType=grouptype:AND:=2)(name=RPT*))"

or if you just want DNs you could do

adfind -bit -b <domain DN> -f "(&(objectcategory=group)(groupType=grouptype:AND:=2)(name=RPT*))" -dn

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, April 30, 2004 4:31 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] help querying for groups

Hi, can someone help me troubleshoot this script? I'm trying to return all of the global groups in the domain whose name starts with RPT. All I'm getting is the error: Provider: Unspecified error

strBase = "<LDAP://dc=my,dc=domain,dc=com>;"
strFilter = "(&(objectCategory=group)(name=RPT*));"
strScope = "Subtree"

Set objConn = CreateObject("ADODB.Connection")
objConn.Open "Provider=ADsDSOObject"
Set objRS = objConn.Execute(strBase & strFilter & strScope)

objRS.MoveFirst
While Not objRS.EOF
    WScript.Echo objRS.Fields(0).Value
    objRS.MoveNext
Wend

I'm trying to do this by altering one of the recipes in Robbie Allen's book. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
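The three groupType filters Joe lists match different sets of groups, and the difference is clearest when they are evaluated side by side. The code below is an added example, not from the thread and not adfind's or ADO's code: a small LDAP filter matcher (AND/OR/NOT, equality, trailing-* prefix match and the 1.2.840.113556.1.4.803 bitwise-AND rule) run over constructed group entries, producing the Group/Members rows Mark described. The groupType flag values are the real ones; every group and member name is made up.

```python
"""Evaluate groupType filters against constructed group objects.

Added example for this thread, not code from the list or from adfind. AD
stores groupType as a signed 32-bit value: scope bits 0x2 (global), 0x4
(domain local), 0x8 (universal), plus 0x80000000 for security-enabled, so
-2147483646 is 0x80000002, a global security group. (groupType=2) matches
only global distribution groups; the bitwise-AND matching rule matches
every group whose scope bit is set regardless of the security flag.
"""

BIT_AND_RULE = "1.2.840.113556.1.4.803"
BIT_OR_RULE = "1.2.840.113556.1.4.804"
GROUP_SCOPES = {0x2: "global", 0x4: "domain local", 0x8: "universal"}
SECURITY_ENABLED = 0x80000000

# Constructed directory contents (keys are lower-cased attribute names).
ENTRIES = [
    {"objectcategory": "group", "name": "RPT001", "grouptype": -2147483646, "member": ["Joe"]},
    {"objectcategory": "group", "name": "RPT002", "grouptype": 2, "member": ["Guido", "Robbie"]},
    {"objectcategory": "group", "name": "RPT003", "grouptype": -2147483644, "member": ["Mark"]},
    {"objectcategory": "group", "name": "RPT004", "grouptype": -2147483640, "member": ["Brian"]},
    {"objectcategory": "group", "name": "SALES", "grouptype": -2147483646, "member": ["Rick"]},
    {"objectcategory": "person", "name": "RPT-owner", "grouptype": None, "member": []},
]


def describe_group_type(value):
    """Decode a groupType value, e.g. -2147483646 -> 'global security'."""
    bits = value & 0xFFFFFFFF
    scope = next((n for b, n in GROUP_SCOPES.items() if bits & b), "unknown")
    return f"{scope} {'security' if bits & SECURITY_ENABLED else 'distribution'}"


def parse_filter(text):
    """Parse a filter such as (&(objectCategory=group)(groupType:<rule>:=2))."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            pos += 1  # closing ')'
            return (op, children)
        end = text.index(")", pos)  # values with escaped ')' are not supported
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        rule = None
        if ":" in attr:  # extensible match: attr:<matching rule OID>:=value
            attr, rule = attr.split(":")[:2]
        return ("=", attr.strip().lower(), rule, value)

    result = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return result


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    actual = entry.get(attr)
    if actual is None:
        return False
    for v in actual if isinstance(actual, list) else [actual]:
        if rule in (BIT_AND_RULE, BIT_OR_RULE):
            mask, have = int(value) & 0xFFFFFFFF, int(v) & 0xFFFFFFFF
            ok = (have & mask) == mask if rule == BIT_AND_RULE else bool(have & mask)
        elif value.endswith("*"):
            ok = str(v).lower().startswith(value[:-1].lower())
        else:
            ok = str(v).lower() == value.lower()
        if ok:
            return True
    return False


def find_groups(filter_text, entries=ENTRIES):
    node = parse_filter(filter_text)
    return sorted(e["name"] for e in entries if matches(node, e))


def members_table(filter_text, entries=ENTRIES):
    """Rows of (group, member) in the shape of Mark's spreadsheet."""
    node = parse_filter(filter_text)
    return [(e["name"], m) for e in entries if matches(node, e) for m in e["member"]]
```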
RE: [ActiveDir] User to InetOrgPerson Class
Actually, close. Apparently, a base install of Linux doesn't include things like ping, traceroute, ssh, nor much else in the way of basic tools.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 02, 2004 11:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

Driver error. Recompile kernel. snicker

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, April 22, 2004 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

Um, yeah. That's right. If I wasn't spending all day yesterday trying to fix a Linux box, I would have definitely written the same thing.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 22, 2004 9:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

Roger, you are just mad because you were typing up the same note and I typed it and sent it out faster...

Oh well, I have to get back to unburying myself. Just came in to spot check to see what you all were saying behind my back... I should be back hard core in a week or two. In the meanwhile I am digging out of email and work issues and also during an EMC issue I was looking at I think I figured out something else cool to put into adfind... We shall see.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, April 22, 2004 9:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

Please - we're trying to not encourage him... ;)

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Jerry Welch [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 22, 2004 9:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

GO JOE !!

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-5 GMT)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 22, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User to InetOrgPerson Class

We aren't even considering converting or making our 200k+ user objects inetOrgPerson objects. We have had no requirement to do so, and if someone came forth with one at this point we would ask why their product wasn't written to be flexible enough to account for the de facto most popular LDAP server out there. LDAP is a pretty flexible system, yet you get vendors coming along hard coding dependencies in on their own and trying to make the directories fit their apps; this is obviously not correct.

Vendors (including Microsoft) take note: if you are using LDAP for anything, make your required attributes/objects mappable. Saying someone has to have an attribute with a certain name or an object with a certain name or class is not flexible and you can do better. LDAP is extensible and people do do things sometimes before vendors write code to do the same things. Most vendors aren't coming up with cool new things no one else ever thought up, they are just polishing, implementing, and trying to sell the solutions as ready made.

I, for instance, may have at some point put UIDs into an attribute called BobToy. Does it make sense? Maybe not to you; maybe to me it makes all the sense in the world. You coming in saying I have to use something else means I have to change all of my stuff, repopulate the fields, possibly schema extend for you, probably do syncing (or rewriting) from now on because I am probably already using that attribute - how rude and pretentious of you as a vendor.

Ditto for objectclassing for what objects I want to use for various things. Again, LDAP is extensible, AD very easily so. Schemas are easy to modify and have data populated. As a vendor, don't sit back and think you are the only one that needs to use certain data and that it wouldn't be there already unless your app was there. From the start define the data that you need but don't assume the data isn't there in an attribute already. Actually assume it is and you just have to use it. Then once you have accomplished that by making your app flexible in how it
RE: [ActiveDir] [OT] SCECLI 1202 Events
I apologize profusely. I will try to do better. My mind has been focused on looking for career opportunities of late.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, May 03, 2004 8:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SCECLI 1202 Events
RE: [ActiveDir] [OT] Replication issues
LOL... three times I have seen it...

Hey Guido, maybe Tony just kicked you off the list, but didn't do it the usual way; he chopped off what you see versus what you post so you don't notice he booted you. You should have heard Tony at the summit anyway... The whole time... "Yeah that Guido is too good to hang out with us... Man is he stuck up... Someone give me another Pabst Blue Ribbon, I'm thirsty." [1]

Personally I think Tony didn't like your accent Guido... what was that accent, like Egyptian or Spanish or something? =)

I would say look at the archive but it is a ways behind now.

[1] This is of course fictitious. Tony picked the best wines at dinner I have had in a long time. Who knew wine could cost more than $4.99USD a bottle.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, May 03, 2004 8:17 AM
To: [EMAIL PROTECTED]
Subject: FW: [ActiveDir] Replication issues
RE: [ActiveDir] [OT] Why doesn't Rick post much anymore?
Nope nope nope. There were several people around us, we most definitely weren't alone. It was interesting because everyone that came into the bedroom gasped and commented on the tremendous view. (Notice how the English 'you' can be singular or plural, quite unlike Latin which would have been very specific... Amo, Amas, Amat, Amamus, Amatis, Amant - Rick I suggest you post in Lingua Latina for clarity in the future).

Yes. Disguise for next year. I think I will be disguised as Brian Desmond. Rick you can play my proud father. =) Sorry had to pull Brian into it. He is too intelligent for how young he is. Poor kid will have to deal with being a millionaire by the time he is 23. I feel sorry for him.

Amo Te Rick.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, May 03, 2004 8:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Why doesn't Rick post much anymore?

> I spent over an hour in a bedroom on the top floor of the Westin with Missy... I will never be the same.

Interestingly, she tells a slightly different story. You did leave after around an hour, and quite satisfied. However, you never left the bathroom. And, you were alone.

> Small, quiet white boy...

Oh, my goodness.

> joe (who will be wearing a disguise next year...)

Oh, yeah - I'm QUITE sure of that... ;op

Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert, Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 02, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Why doesn't Rick post much anymore?

Actually I was wearing 7 stilettos the whole time but in reality, Rick is considerably taller than I am. As you found, I am just a small quiet coy simple white boy from the midwest. My issue is the company that I keep. :o)

I spent over an hour in a bedroom on the top floor of the Westin with Missy... I will never be the same. :o)

joe (who will be wearing a disguise next year...)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, April 26, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Why doesn't Rick post much anymore?

Actually, the real trick is that at 4'7, he's the shortest of the four of us, and he knows he doesn't want to be on our bad side at next year's summit!

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Sunday, April 25, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Why doesn't Rick post much anymore?

Some of you long timers on this list know that I've been a long time poster here. And, some might ask the question, "Gee... Why doesn't Rick post anymore?". Interesting question, simple answer. Joe, Al, Roger... You guys are big mouths and no one can get a word in edge-wise. Now, you all know the truth.

Oh, and for those of you that know me, I'm totally kidding these three. Finally meeting all three at the MVP Summit this year was great. I am honored to know you guys, and learn much from you daily. Now, SHUT UP ALREADY!!!

;op

Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert, Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] [OT] Replication issues
talk about feeling stupid ;-) I really didn't see my own post but saw others coming in and after I've been rather busy in the past few weeks I wanted to make sure this one got through so you know I'm still alive ;-))

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 3 May 2004 15:59
To: [EMAIL PROTECTED]
Cc: Grillenmeier, Guido
Subject: RE: [ActiveDir] [OT] Replication issues
RE: [ActiveDir] Anyone experienced this? Volume dissapears after DCPromo?
Wow thanks Joe. In fact the disks on this test system were IDE (and over 137GB). Interestingly enough, even though this is supposed to affect the system as a whole (both drives are identical), it only affected the D: volume I had set as the storage for the NTDS logs. Once I had used NTDSUtil to reassign the path for my logs, everything came back up again, but I decided that install was unreliable for testing and blew it away to install Windows 2003 Enterprise which seems to be working quite nicely, large drives and all (though this time not in a DC capacity). Either way, thanks for the article, I certainly learned something new today!

r/ Lou

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 02, 2004 9:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone experienced this? Volume dissapears after DCPromo?

You don't specify whether your disks are IDE or not but I will assume yes, so you may want to take a peek at http://support.microsoft.com/default.aspx?scid=kb;EN-US;305098

Basically it could be a possible LBA issue. I have seen this on XP personally and luckily one of my good friends had already encountered it and given me a heads up.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Wednesday, April 07, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Anyone experienced this? Volume dissapears after DCPromo?

I'm curious if anyone else out there has experienced this. I have a Windows 2000 Advanced Server updated with SP4 and all the latest patches, etc. I ran DCPromo to add it to an existing domain. Prior to the DCPromo I had two volumes, C and D, each at 189 GB (it's a server I'm building for testing). Both volumes were formatted NTFS, though there weren't but a few BKF files of this server on the D volume.

Immediately after my DCPromo I rebooted and got the following error message:

lsass.exe - System Error : Security Accounts Manager initialization failed because of the following error: Directory Service cannot start. Error Status: 0xc2e1. Please click OK to shutdown this system and reboot into Directory Services Restore Mode, check the event log for more detailed information.

Fortunately for me a Google search turned up the following KB article (http://support.microsoft.com/default.aspx?scid=kb;EN-US;258007) and I was able to go into DS Restore mode, and using NTDSUTIL SET PATH change the path of my NTDS Log files (so my emergency of a failed DCPromo is solved! Whooo hoo!!!). Here's the kicker: the reason for the error and the failure was because now the D volume is unrecognized. Windows reports it as "Unformatted, do you want to format now?" and when you try it fails. Is there a limit to the size of a volume that AD recognizes? The original cause of the error is because when I was running the DCPromo and it asked where I wanted to put the DB and Log files, I picked C:\winnt\ntds for the DB and D:\winnt\ntds for the Log files, then for some reason D became unrecognized after the Promo was finished. Anyone else seen this?

r/ Lou
RE: [ActiveDir] help querying for groups
You can use dsquery group /?. A tool from Resource Kit W2K3.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Friday, April 30, 2004 6:58 PM
To: [EMAIL PROTECTED]
Subject: AW: [ActiveDir] help querying for groups

Hi Mark,

first thing which comes to my eyes is that the base is not started and ended with "<" and ">", but the whole query including base, filter and scope is. So what I'd try is modifying the line beginning with strBase to

    strBase = "<LDAP://dc=my,dc=domain,dc=com>;"

and the line starting with Set objRS to

    Set objRS = objConn.Execute(strBase & strFilter & strScope)

HTH,
Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, 30 April 2004 22:31
To: [EMAIL PROTECTED]
Subject: [ActiveDir] help querying for groups

Hi, can someone help me troubleshoot this script? I'm trying to return all of the global groups in the domain whose name starts with RPT. All I'm getting is the error: Provider: Unspecified error

    strBase = "LDAP://dc=my,dc=domain,dc=com;"
    strFilter = "(&(objectCategory=group)(name=RPT*));"
    strScope = "Subtree"
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Open "Provider=ADsDSOObject"
    Set objRS = objConn.Execute(strBase & strFilter & strScope)
    objRS.MoveFirst
    While Not objRS.EOF
        WScript.Echo objRS.Fields(0).Value
        objRS.MoveNext
    Wend

I'm trying to do this by altering one of the recipes in Robbie Allen's book. Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
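The ADsDSOObject provider that Mark's script uses takes its command text as four semicolon-separated parts, `<LDAP://base>;(filter);attributes;scope`, and "Provider: Unspecified error" is what it returns when that string is malformed. Ulf's diagnosis (base DN not wrapped in angle brackets) is one such malformation; the posted script also has only three parts, with no attribute list. The following is an added example, not code from the thread or from Robbie Allen's book: a small Python builder and checker for that command format, written in Python so it can be exercised offline, plus RFC 4515 escaping for the name prefix so a caller-supplied value such as `RPT` cannot change the structure of the filter. The base DN, prefix and attribute names are constructed sample values.

```python
"""Build and sanity-check an ADO/ADsDSOObject LDAP command string (added example)."""
from typing import List

# RFC 4515 escapes for characters that are significant inside a filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

_SCOPES = ("base", "onelevel", "subtree")


def escape_filter_value(value: str) -> str:
    """Escape a literal value so it cannot inject extra filter terms."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_ado_query(base_dn: str, ldap_filter: str, attrs: List[str],
                    scope: str = "subtree") -> str:
    """Assemble the four ';'-separated parts the ADsDSOObject provider expects."""
    if scope.lower() not in _SCOPES:
        raise ValueError(f"unknown scope: {scope!r}")
    if not attrs:
        raise ValueError("attribute list must not be empty")
    return f"<LDAP://{base_dn}>;{ldap_filter};{','.join(attrs)};{scope}"


def group_prefix_query(base_dn: str, prefix: str) -> str:
    """The query the thread was after: groups whose name starts with `prefix`.

    The trailing '*' is added here, after escaping, so only it acts as a wildcard.
    """
    ldap_filter = f"(&(objectCategory=group)(name={escape_filter_value(prefix)}*))"
    return build_ado_query(base_dn, ldap_filter, ["name", "distinguishedName"])


def check_ado_query(command_text: str) -> List[str]:
    """Return the problems found in an ADO LDAP command string (empty list if OK)."""
    problems: List[str] = []
    parts = command_text.split(";")
    if len(parts) != 4:
        problems.append(
            f"expected 4 ';'-separated parts (base;filter;attributes;scope), found {len(parts)}")
    base = parts[0]
    if not (base.startswith("<LDAP://") and base.endswith(">")):
        problems.append("base DN must be enclosed in angle brackets: <LDAP://...>")
    if len(parts) >= 2 and not (parts[1].startswith("(") and parts[1].endswith(")")):
        problems.append("filter must be a parenthesised LDAP filter")
    if len(parts) == 4 and parts[3].lower() not in _SCOPES:
        problems.append(f"unknown scope: {parts[3]!r}")
    return problems


# Mark's original three variables, concatenated exactly as his script did.
POSTED_QUERY = "LDAP://dc=my,dc=domain,dc=com;" + "(&(objectCategory=group)(name=RPT*));" + "Subtree"

if __name__ == "__main__":
    for problem in check_ado_query(POSTED_QUERY):
        print("posted script:", problem)
    print("corrected:", group_prefix_query("dc=my,dc=domain,dc=com", "RPT"))
```

The checker reports both defects of the posted string (three parts instead of four, and the unbracketed base), while the query produced by `group_prefix_query` passes cleanly. The escaping matters whenever the prefix comes from user input: without it, a value like `RPT*)(cn=` would be spliced straight into the filter.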
[ActiveDir] DDNS Registration Problem
Hello All,

I have this problem with a handful of machines, they refuse to dynamically register in the AD DNS. The machines were registering at one point in time, but at some point they stopped doing so. I stumbled upon this because I was working on one of these machines and when I would try to contact it by name I would actually get a different machine. What had happened is the old DNS records were still there and it had not updated itself when it got a different IP address from the DHCP server. I have since deleted the old DNS entries and when I try to force DNS registration nothing happens, and I get zero errors in the event logs. The reverse records are registering properly, when I do ping -a I get the correct name. When I do an NSlookup I get host not found. The DHCP and DNS services on the client are all running fine. The domain is Win2k SP4 and the clients are WinXP SP1, I have about 6000 clients that have no issues and these 20 machines which are having problems. The only other thing that I found out of norm on these machines is that RRAS had been started. I have since stopped and disabled that with no change.

Any help is appreciated.

Thanks,
-Tim
RE: [ActiveDir] DDNS Registration Problem
When you say no error, are you seeing any errors on the DNS servers? Have you checked the routing tables on these machines? Have you checked to see what is bound to the nic(s) to see if RRAS is getting in the way?

Al

From: Wright, T. MR NSSB [mailto:[EMAIL PROTECTED]
Sent: Monday, May 03, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DDNS Registration Problem
RE: [ActiveDir] Active Directory and Other LDAP Integration
Joe - I certainly agree that LDAP is not a great mechanism for authentication, for the same reasons. It is, however, available, and meets an immediate need (beats having a separate identity store in each app server). Getting everyone to speak Kerberos is not a small task. Having a single domain allows us to get away with it (using LDAP for authentication) without hitting some of the issues you mentioned.

Re Websphere, they have indeed improved in some respects, but not in others. They still insist on entering a single LDAP host instead of discovering one, but they do look at a user object's memberOf attribute now to find out which groups they belong to, and they do recursively look at the memberOf attributes of those groups until they are empty, so nested groups 'work'. There's actually an option in the security config that lets you select which directory type you're using, and one of the selections is AD. When you select it, appropriate filters are used for finding users, groups, group membership, etc. Since they have some clue about AD, seems to me it shouldn't be that hard to add the ability to discover DCs, or at the very least, to allow me to give it a static list of DCs so it can fail over if one goes away. That goes for lots of other so-called 'directory aware' products.

BEA WebLogic server still searches for all groups that include user X in their membership list, though. This would not be workable at all, except for the fact that our administrative model is very centralized, and we're able to keep all the applicable groups in the same OU so we can scope those searches down to there.

We do keep the app servers and the DCs they use in the same data center, so the number of people who can access those network switches is relatively small. Still, I'd be a lot more comfortable with Kerberos. I'm intrigued by some stuff I've read about J2EE components you can buy that handle Kerberos, but have not had a chance to do any investigation.

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 02, 2004 8:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory and Other LDAP Integration

I want to say a couple of things on this point, however first off, we use cn=sAMAccountName.

1. LDAP is not a good authentication mechanism. Especially how most companies seem to do it with their products, i.e. simple LDAP binds. This is not in any way shape or form secure. Use Kerberos; Kerberos is an authentication protocol, LDAP is a directory access protocol. You can secure LDAP by using SSL or IPSec but vendors should just bite the bullet and do it securely in the first place. Why should their customers take the performance hit of SSL and IPSec because vendors don't want to do the right thing because it is hard. I am currently working on a little joeware tool that will expose how bad this is a little easier. It will sit and pick off LDAP Simple Binds and show the userid and password quickly and easily with no network monitoring experience or knowledge needed.

2. I have had a run-in with WebSphere in my distant past. They may be better now but there were quite a few issues. The IBM guys really had no understanding of AD at all.

First, they liked to hard code servers in versus use the ever present dynamic method of finding AD resources. AD is built in such a way that you don't need dependence on individual servers. It is a great system, the vendors should figure out how to use it (including MS... Cough RUS, cough ADC).

Second, obviously clear text words streaming across the network. Anyone who has done a network trace and seen these probably didn't stop laughing in less than 5 minutes. If you have major acceptance of some app in your company that uses clear text passwords, anyone with access to the network that the authenticating system or the DC doing the authentication is on can have a vast majority of the passwords of the users in a very quick and easy fashion. Note, even the janitor who cleans the data center or closet that you keep your DC or Websphere server in has access, he just buys a $10 shared hub and hooks it up between the server and the switch. Heck, I am reviewing a security book right now where the guy is talking about people picking signals right out of the air off of ethernet cables...

Third, they came to us and told us our AD servers weren't working correctly because the tests they did were going way slower than they did in the lab... The lab had 12 groups and 5 users... Production had that beat thousands of times over. They were doing some very crappy LDAP calls. The group membership search involved searching for all groups where the DN of the user was in the member attribute. Take a domain with lots of groups and that is a bit slow, take a multi-domain forest and it is either not done at all or extremely painful. All of your groups that are used by websphere should be in a single domain.
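Joe's first point is that an LDAP simple bind puts the bind DN and password on the wire as plain BER-encoded octet strings, so anyone on the path can read them unless TLS or IPsec wraps the connection. The following is an added example, not joe's tool and not from the thread: the minimal BER decoding needed to read an LDAPv3 BindRequest and classify it, so that a passive monitor (or a pre-deployment check of an application's traffic) can report "simple bind carrying a password on port 389" without ever logging the secret itself. It reports only that a password is present and its length; the same code recognises SASL binds (such as the GSSAPI/Kerberos bind a domain-joined client uses) and anonymous binds, which carry no reusable credential. The sample packets, bind DN and password are constructed in the file with the included encoder.

```python
"""Classify LDAP BindRequests to spot cleartext simple binds (added example)."""
from typing import Dict, Tuple

# BER tags used by an LDAPMessage that carries a BindRequest (RFC 4511).
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice simple [0], primitive
TAG_AUTH_SASL = 0xA3      # AuthenticationChoice sasl [3], constructed


def _encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _encode_length(len(payload)) + payload


def _decode_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def encode_bind_request(message_id: int, name: str, password: bytes = b"",
                        sasl_mechanism: str = "") -> bytes:
    """Build LDAPMessage{BindRequest}; used here only to construct sample traffic."""
    if sasl_mechanism:
        auth = _tlv(TAG_AUTH_SASL, _tlv(TAG_OCTET_STRING, sasl_mechanism.encode()))
    else:
        auth = _tlv(TAG_AUTH_SIMPLE, password)
    bind = _tlv(TAG_BIND_REQUEST,
                _tlv(TAG_INTEGER, bytes([3])) +           # version 3
                _tlv(TAG_OCTET_STRING, name.encode()) +   # bind DN
                auth)
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([message_id])) + bind)


def parse_bind_request(packet: bytes) -> Dict[str, object]:
    """Decode a BindRequest and describe its authentication choice.

    The password bytes are never returned, only whether one is present and how long it is.
    """
    tag, msg, _ = _decode_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _decode_tlv(msg, 0)
    tag, op, _ = _decode_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, pos = _decode_tlv(op, 0)
    _, name, pos = _decode_tlv(op, pos)
    auth_tag, auth, _ = _decode_tlv(op, pos)
    info: Dict[str, object] = {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode(errors="replace"),
    }
    if auth_tag == TAG_AUTH_SIMPLE:
        info["auth"] = "simple"
        info["password_len"] = len(auth)
        # A non-empty simple password is a reusable credential in the clear
        # unless the connection is wrapped in TLS or IPsec.
        info["cleartext_credential"] = len(auth) > 0
    elif auth_tag == TAG_AUTH_SASL:
        _, mech, _ = _decode_tlv(auth, 0)
        info["auth"] = "sasl/" + mech.decode(errors="replace")
        info["cleartext_credential"] = False
    else:
        info["auth"] = f"unknown(0x{auth_tag:02x})"
        info["cleartext_credential"] = False
    return info


# Constructed samples: a simple bind with a password (what joe describes),
# an anonymous simple bind, and a SASL GSSAPI bind as a domain member would send.
SAMPLE_SIMPLE = encode_bind_request(1, "cn=svc-web,ou=Service,dc=my,dc=domain,dc=com", b"Summer2004!")
SAMPLE_ANON = encode_bind_request(2, "")
SAMPLE_GSSAPI = encode_bind_request(3, "", sasl_mechanism="GSSAPI")
```

Feeding the first sample through `parse_bind_request` yields `auth == "simple"` with `cleartext_credential` true and `password_len == 11`; the other two are not flagged. The same classification is what you would want an IDS rule or a pre-production review to apply to an application server's traffic before trusting its "directory integration".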
RE: [ActiveDir] DDNS Registration Problem
It sounds like those machines with the RRAS started are registering the wrong address. This can happen with multi-homed devices under RRAS. There is an MS fix for only registering a particular interface. I ran into this with some DCs (yes, that was fun). I can search for the KB numbers if this sounds like it would help.

nme

From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, May 03, 2004 8:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DDNS Registration Problem
[ActiveDir] HELP I just deleted an OU
How can I get the OU with all objects restored immediately?
RE: [ActiveDir] HELP I just deleted an OU
Unplug a DC before it replicates

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grantham, Caron
Sent: Monday, May 03, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP I just deleted an OU

How can I get the OU with all objects restored immediately?
RE: [ActiveDir] HELP I just deleted an OU
It's not that simple. To perform an authoritative restore of an OU full of users, here's a rough step by step:

1) System state restore of a DC; mark OU full of users authoritative (IE mark the subtree authoritative)
2) Boot DC on to private network
3) Disable inbound replication on the DC (repadmin can do this for you)
4) Put DC back on to production network; let users replicate out
5) Identify groups that the users affected are a member of
6) Boot DC in to DS restore mode; mark affected groups from step 5 as authoritative
7) Boot DC back to normal mode
8) Enable inbound replication

The other option is to repopulate the groups with the affected users rather than marking the groups authoritative. This approach is particularly advantageous if you have groups that span the domain boundary. If you want to repopulate the groups rather than restore them send me a note offline and I can help you with that.

The same procedure would be followed for computers should the computer accounts be members of groups above and beyond their primary group membership. If they are just in the primary group they just need to restore the computer account. Group restores don't need anything like this either (except for nested group memberships).

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grantham, Caron
Sent: Monday, May 03, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP I just deleted an OU

How can I get the OU with all objects restored immediately?
RE: [ActiveDir] HELP I just deleted an OU
Microsoft Knowledge Base Article - 241594

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grantham, Caron
Sent: Monday, May 03, 2004 1:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP I just deleted an OU

How can I get the OU with all objects restored immediately?
RE: [ActiveDir] HELP I just deleted an OU
You might try the restore subtree using NTDSUtil: http://support.microsoft.com/default.aspx?scid=kb;en-us;241594#3

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grantham, Caron
Sent: Monday, May 03, 2004 1:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP I just deleted an OU

How can I get the OU with all objects restored immediately?
RE: [ActiveDir] HELP I just deleted an OU
Too late for that

Caron Grantham
Systems Engineer, ITS Dept
[EMAIL PROTECTED]
312-742-2731

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Monday, May 03, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP I just deleted an OU

Unplug a DC before it replicates
RE: [ActiveDir] HELP I just deleted an OU
I forgot to mention that I'm working in Server 2003. Does this KBA apply?

Caron Grantham
Systems Engineer, ITS Dept
[EMAIL PROTECTED]
312-742-2731

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Monday, May 03, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP I just deleted an OU

You might try the restore subtree using NTDSUtil: http://support.microsoft.com/default.aspx?scid=kb;en-us;241594#3
RE: [ActiveDir] HELP I just deleted an OU
Here is a better KB to be reading. This one is more recent and better discusses the issues in question:

840001 How to restore deleted user accounts and their group memberships in
http://support.microsoft.com/?id=840001

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grantham, Caron
Sent: Monday, May 03, 2004 12:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP I just deleted an OU

I forgot to mention that I'm working in Server 2003. Does this KBA apply?
RE: [ActiveDir] DDNS Registration Problem
Al,

No errors in the event logs on the DNS server either. I did take a look at the routing tables and everything appears to be normal; I have no problem getting from the client to the DNS server and back on port 53. The only thing bound to the NICs is MS File & Print Sharing and the Client for MS Networks. I am really confused since the reverse records seem to be registering without any problems.

-Tim

From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, May 03, 2004 11:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DDNS Registration Problem

When you say no error, are you seeing any errors on the DNS servers? Have you checked the routing tables on these machines? Have you checked to see what is bound to the NIC(s) to see if RRAS is getting in the way?

Al

From: Wright, T. MR NSSB [mailto:[EMAIL PROTECTED]
Sent: Monday, May 03, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DDNS Registration Problem

Hello All,

I have this problem with a handful of machines: they refuse to dynamically register in the AD DNS. The machines were registering at one point in time, but at some point they stopped doing so. I stumbled upon this because I was working on one of these machines and when I would try to contact it by name I would actually get a different machine. What had happened is the old DNS records were still there and it had not updated itself when it got a different IP address from the DHCP server. I have since deleted the old DNS entries and when I try to force DNS registration nothing happens, and I get zero errors in the event logs. The reverse records are registering properly; when I do ping -a I get the correct name. When I do an nslookup I get host not found. The DHCP and DNS services on the client are all running fine. The domain is Win2k SP4 and the clients are WinXP SP1. I have about 6000 clients that have no issues and these 20 machines which are having problems.

The only other thing that I found out of the norm on these machines is that RRAS had been started. I have since stopped and disabled that with no change. Any help is appreciated.

Thanks,
-Tim
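The registration checks Tim and Al go through above, as an added example that is not part of the thread: it runs on the affected client and on the DNS server and walks the same questions (is the adapter allowed to register, what does the DNS client log after a forced registration, does the forward record differ from the reverse one, does the zone accept dynamic updates). The cmdlets are the DnsClient/DnsServer modules of Windows 8/Server 2012 and later, so on the Windows XP clients in the thread only ipconfig /registerdns and nslookup apply. Client name WS-020, zone example.com and server DNS01 are placeholders.

```powershell
# Added example (not from the thread): diagnose a client that will not
# register its A record in AD-integrated DNS.
# Placeholders (assumed): client WS-020, zone example.com, DNS server DNS01.
$Client = 'WS-020'
$Zone   = 'example.com'
$Dns    = 'DNS01'

# 1. Is the adapter allowed to register at all? RegisterThisConnectionsAddress
#    is the 'Register this connection's addresses in DNS' checkbox.
Get-DnsClient |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix,
                  RegisterThisConnectionsAddress, UseSuffixWhenRegistering

# 2. Force a registration attempt, then read what the DNS client logged.
#    A silent failure (Tim's "nothing happens") usually still leaves an
#    event from the DNS client provider in the System log.
ipconfig /registerdns
Get-WinEvent -LogName System -MaxEvents 200 |
    Where-Object { $_.ProviderName -like '*DNS*Client*' } |
    Select-Object TimeCreated, Id, Message

# 3. Ask the DNS server directly for the forward (A) and reverse (PTR)
#    records. Tim's symptom is PTR present, A missing.
$Ip = Get-NetIPAddress -AddressFamily IPv4 |
      Where-Object PrefixOrigin -eq 'Dhcp' |
      Select-Object -First 1 -ExpandProperty IPAddress
Resolve-DnsName -Name "$Client.$Zone" -Server $Dns -Type A   -ErrorAction Continue
Resolve-DnsName -Name $Ip             -Server $Dns -Type PTR -ErrorAction Continue

# 4. On the DNS server: does the zone accept dynamic (secure) updates, and is
#    the stale record really gone? A leftover record owned by another
#    computer account blocks a secure update from this client.
Get-DnsServerZone -Name $Zone |
    Select-Object ZoneName, DynamicUpdate, IsDsIntegrated
Get-DnsServerResourceRecord -ZoneName $Zone -Name $Client -RRType A `
    -ErrorAction SilentlyContinue
```

Step 4 is the one worth doing first when a machine has changed IP address: with secure dynamic update, a stale A record that belongs to a different computer account cannot be overwritten by the new owner, and the client-side failure is quiet.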
RE: [ActiveDir] HELP I just deleted an OU
Yes, the basic restores in 2003 work the same way as in 2000; however, depending on your forest functional level and the number of domains in your environment you'll have additional tasks.

IF you run at Win2003 forest functional level AND IF this is NOT a forest that was upgraded from Win2000 AND IF you only have a single domain, THEN you don't need to do anything else: using a system state backup and running NTDSUTIL / authoritative restore / restore subtree <DN of deleted OU> will recover everything, including the links of users in the OU to the groups they belonged to. IF your deleted OU contained both users and groups, then you should do another authoritative restore on the same DC for the same subtree (without the system state backup).

There is quite a bit more to do in a multi-domain environment or in a Win2000 domain/forest, including a Win2003 domain/forest upgraded from Win2000. Steve already pointed those issues out in his post. But I hope this situation doesn't apply to you.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grantham, Caron
Sent: Monday, 3 May 2004 19:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP I just deleted an OU

I forgot to mention that I'm working in Server 2003. Does this KBA apply?

Caron Grantham
Systems Engineer, ITS Dept
[EMAIL PROTECTED]
312-742-2731
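The ntdsutil subtree restore that Lou and Guido describe, as an added example that is not part of the thread. It assumes the DC has already been booted into Directory Services Restore Mode and the system state has been restored from a backup taken before the deletion; the OU DN OU=Sales,DC=example,DC=com is a placeholder. The ntdsutil and dsquery lines work unchanged at a cmd prompt on Windows Server 2003 (where there is no PowerShell); only the variable is PowerShell.

```powershell
# Added example (not from the thread): mark a deleted OU subtree authoritative
# after a system state restore, then confirm it came back.
# Placeholder (assumed): the deleted OU's distinguished name.
$SubtreeDN = 'OU=Sales,DC=example,DC=com'

# 1. In Directory Services Restore Mode, after restoring system state.
#    ntdsutil takes its menu commands as arguments, so this equals typing
#      ntdsutil: authoritative restore
#      authoritative restore: restore subtree OU=Sales,DC=example,DC=com
#    It raises the version numbers of every object under the OU so that the
#    restored copies win replication against the tombstones on other DCs.
ntdsutil "authoritative restore" "restore subtree $SubtreeDN" quit quit

# 2. Reboot normally and let this DC replicate outbound before anyone
#    touches the OU on another DC.
# Restart-Computer

# 3. After replication, list everything under the OU (dsquery ships in the
#    Server 2003 admin tools). An empty result means the restore was marked
#    on an object that was not in the restored database.
dsquery * $SubtreeDN -scope subtree -attr distinguishedName objectClass

# 4. Spot-check one user's group links survived, per Guido's caveat about
#    OUs holding both users and groups (placeholder user DN).
dsget user "CN=Jane Doe,$SubtreeDN" -memberof
```

If step 4 comes back with missing group memberships, that is the multi-domain or upgraded-forest case Guido and KB 840001 describe, and the extra steps from that article (the second subtree restore or the LDF-based link repair) still apply; nothing in this block substitutes for them.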
[ActiveDir] Active Directory/DNS weirdness
Okay, this is something that I've filed in the "I'll live with it" column for a while:

Windows 2000 Active Directory domain. Still supporting NT4 clients. Using BIND DNS that does -not- have dynamic updates enabled: whenever I create a DC, I am required to manually upload the netlogon.dns into the zone file. (This is usually a one-time upload, since it's done manually.)

Whenever I reboot the PDC Emulator, my NT4 clients start throwing the following error:

System can not log you on to the domain because the system's computer account in its primary domain is missing or the password on that account is incorrect...

Or,

System Error 1789 has occurred. The trust relationship between this workstation and the primary domain failed.

2000/XP boxen keep chugging merrily along; this behaviour only happens on NT. The MS KB answer is to drop the machine from the domain and re-add it. (Every NT workstation? Every time I reboot the server? Are you serious? Besides... I tried that and it doesn't work.)

The workaround that I've found is to compact the AD database after I reboot the controller. It's a workaround only, and doesn't solve the underlying problem that it just plain shouldn't be happening.

Another piece to the anecdote: I had formerly housed the PDC Emulator on a remote subnet, in a different building from my clients. When this was the case, said error would start throwing itself every few days even -without- me rebooting the PDC Emulator. I had to build a DC, install it locally and transfer the PDC FSMO role to get any sleep at all!

Laura

*waves at Roger Tony*

***
Laura E. Hunter
MCSE, MCT, MVP - Windows Networking

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Win2k SP4
Russ,

MS04-001 (Q835732): Windows2000-KB835732-x86-ENU.EXE
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Sasser worm...
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html

James

From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Saturday, 1 May 2004 6:11 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Win2k SP4

OK, I finally broke down and upgraded the rest of our Win2k DCs to SP4. Are there any important post-SP4 hotfixes I should be aware of that apply to AD?
RE: [ActiveDir] HELP I just deleted an OU
Thanks for the pointer Eric - this article was long overdue, but at least it's available now and it contains most of the information required to be prepared for a successful recovery.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, 3 May 2004 21:12
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP I just deleted an OU

Here is a better KB to be reading. This one is more recent and better discusses the issues in question:

840001 How to restore deleted user accounts and their group memberships in
http://support.microsoft.com/?id=840001

~Eric
RE: [ActiveDir] Active Directory/DNS weirdness
Hey Laura...

Two things come to mind here. First, do the NT4 clients have the DSClient installed, and if so, does it make a difference? Second, are you still running WINS in the environment? What it sounds like is that you're having a LOT of NetBIOS name resolution issues. Remember pre-Win2k, you pretty much had to have WINS, and it's an absolute requirement for multi-segment LANs and WANs.

When the clients stop being able to log in, have you run NLTest or NetDom to verify the secure channel? I'd be interested in seeing the output of that.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Hunter, Laura E. [mailto:[EMAIL PROTECTED]
Sent: Monday, May 03, 2004 3:36 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Active Directory/DNS weirdness
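The secure-channel verification Roger asks for, as an added example that is not part of the thread. It assumes a domain called EXAMPLE, an affected workstation NT4WS01 and a DC named DC01 as placeholders; nltest and netdom are the Resource Kit / Support Tools utilities of that era, and Test-ComputerSecureChannel is the later PowerShell equivalent for Windows 7/2008 R2 and newer clients (it does not exist on NT4). Output such as "The secure channel is working" versus ERROR_NO_TRUST_SAM_ACCOUNT (1787) or ERROR_TRUSTED_RELATIONSHIP_FAILURE (1789) is what distinguishes a missing computer account from a password mismatch.

```powershell
# Added example (not from the thread): verify and, if needed, re-establish a
# workstation's secure channel to its domain.
# Placeholders (assumed): domain EXAMPLE, workstation NT4WS01, DC DC01.
$Domain   = 'EXAMPLE'
$Computer = 'NT4WS01'
$Dc       = 'DC01'

# Which DC this machine locates for the domain; NetBIOS vs DNS resolution
# problems show up here first (no DC found, or the wrong site's DC).
nltest /dsgetdc:$Domain

# State of the existing secure channel: which DC it is bound to and whether
# the last Netlogon call on it succeeded. Run on the affected workstation.
nltest /sc_query:$Domain

# Re-validate the channel against the DC. A 1789 here is the same failure
# Laura sees at logon, now reproducible on demand after the PDC reboot.
nltest /sc_verify:$Domain

# The same check from a management host, against a remote machine.
netdom verify $Computer /domain:$Domain

# If verify fails, reset the channel to a specific DC. This re-negotiates the
# channel with the existing machine password; it is the step that makes
# "drop and re-add the machine" unnecessary when the account still exists.
# netdom reset $Computer /domain:$Domain /server:$Dc

# Windows 7 / Server 2008 R2 and later clients: cmdlet form of the same test.
# -Repair resets the computer account password on both the client and the DC.
# Test-ComputerSecureChannel -Server $Dc -Verbose
# Test-ComputerSecureChannel -Repair -Credential (Get-Credential) -Verbose
```

Run the query before the reboot of the PDC Emulator and again right after it: if the bound DC changes to one whose copy of the computer account password lags behind, the 1789 errors line up with replication of the machine account password change rather than with anything in DNS.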