Re: [ActiveDir] TCP Port Blocking

2004-05-13 Thread Brent Westmoreland
Instead of blocking ports, we opted to delegate creatorOwner group policy permissions to our NOC, and enabled GPOs to keep application executables from running...

for example under 

UserConfiguration/Admin Templates/System/"Don't run specified windows applications"

The sasser variants would be 

napatch.exe
avserve.exe
avserve2.exe
lsasss.exe

We then linked this policy just under the default domain policy.  This made sense for us because the NOC was already watching for AV defs and is there all the time.  So when a new variant springs up with a new executable we just instructed them to add the executable name to the list.  It would be great if there was an API into GPO objects so that I could have provided them a perl or vb script to do it without giving up the entire GPMC, but MS hasn't provided one to manage individual policy settings.  Hint, hint, Eric... 

^Insert distorted emoticon here

On May 13, 2004, at 4:14 PM, Mike Hogenauer wrote:

Sorry for the newbie sounding question.

  

How can I use Group Policy to block certain ports in all workstation in a certain OU? Ex: for the SASSER virus it’s recommended to block TCP 5554 9996. I have remote users that I wanted apply a GP to that will block these ports.

  

Thanks

  

Mike

 

Mike Hogenauer

[EMAIL PROTECTED]

Rendition Networks, Inc.

10735 Willows Rd  NE, Suite 150

Redmond, WA  98052

425.636.2115 | Fax: 425.497.1149
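Added example, not part of Brent's message or the original thread: the scripted interface to the "Don't run specified Windows applications" setting that Brent was missing in 2004 exists in the GroupPolicy module (Windows Server 2008 R2 / RSAT and later). The cmdlets below write the same registry values the Administrative Template writes. The GPO name, the link target and the group name in the usage note are assumptions; the executable names are the ones Brent lists.

```powershell
# Added example (not from the original thread): populate the User Configuration
# "Don't run specified Windows applications" setting in a GPO from a script.
# Uses the GroupPolicy module cmdlets (Windows Server 2008 R2 / RSAT and later),
# which write the same registry values the Administrative Template writes.
# GPO name and link target are assumptions; the executable names are from the thread.
Import-Module GroupPolicy

$GpoName    = 'Block Worm Executables'                # assumed GPO display name
$LinkTarget = 'DC=corp,DC=example,DC=com'             # assumed; domain root, like Brent's link
$Blocked    = @('napatch.exe', 'avserve.exe', 'avserve2.exe', 'lsasss.exe')

# Registry locations the policy maps to: a DWORD switch on the Explorer policies key
# and one string value per blocked file name ("1", "2", ...) under DisallowRun.
$ExplorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey     = "$ExplorerKey\DisallowRun"

function Add-DisallowRunEntry {
    param(
        [Parameter(Mandatory)][string]$Name,          # GPO display name
        [Parameter(Mandatory)][string[]]$Executables  # bare file names, e.g. avserve.exe
    )
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name | Out-Null
    }
    # Enabling the policy: DisallowRun = 1 under the Explorer policies key.
    Set-GPRegistryValue -Name $Name -Key $ExplorerKey -ValueName 'DisallowRun' `
        -Type DWord -Value 1 | Out-Null

    # Read the current list so re-running for a new variant appends instead of duplicating.
    $existing = @()
    try {
        $existing = @((Get-GPRegistryValue -Name $Name -Key $ListKey -ErrorAction Stop).Value)
    } catch { }   # subkey does not exist yet on the first run

    $index = $existing.Count
    foreach ($exe in $Executables) {
        if ($existing -contains $exe) { continue }
        $index++
        Set-GPRegistryValue -Name $Name -Key $ListKey -ValueName "$index" `
            -Type String -Value $exe | Out-Null
    }
    # Return the resulting list so the caller can see what is now blocked.
    @((Get-GPRegistryValue -Name $Name -Key $ListKey).Value)
}

Add-DisallowRunEntry -Name $GpoName -Executables $Blocked

# Link once; a second New-GPLink for the same target errors, hence the check.
if (-not ((Get-GPInheritance -Target $LinkTarget).GpoLinks | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $LinkTarget | Out-Null
}
```

Two things to keep in mind when using this the way Brent did. First, DisallowRun is enforced by Explorer for programs the logged-on user starts through the shell, and it matches on file name only: a renamed copy runs, and a process started by a service or by an exploit's shell (which is how Sasser's own payload was launched, through LSASS) never passes through this check, so it is a speed bump for user-launched droppers rather than the control that stops the worm. Second, the delegation Brent describes can be scoped to this one GPO with Set-GPPermission -Name $GpoName -TargetName 'NOC Operators' -TargetType Group -PermissionLevel GpoEdit (group name assumed), which lets the NOC maintain the list without rights over any other policy.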

 


RE: [ActiveDir] TCP Port Blocking

2004-05-13 Thread Fuller, Stuart



This is something that is probably better handled by an 
Intrusion Detection system that can detect Sasser traffic and take action 
against the remote computer if found.  If you had your VPN or remote user 
access point(s) behind a firewall, you could use the firewall to block the 
ports.  That way you are not relying on the computers to be members of your 
domain AND to be able to get/read the GP across what may be a slow 
link.
 
VPN in Windows 2003 has the "ability" to force VPN users to 
run a custom script against the remote workstation before it is allowed on the 
inside network.  See "Network Access Quarantine Control in Windows Server 
2003" - http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
 
My take is that you are trying to protect your network from 
Sasser or "worm du jour" and I don't think port blocking by GP is the 
appropriate hammer.  Look to an IDS, firewall, or other solutions instead 
of port blocking by GP.  What happens if next time you need to block port 
135-9, 389, or 80??
 
-Stuart


From: Lee, Wook [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 13, 2004 4:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] TCP Port Blocking


The problem with trying to 
patch remote systems via GP is that simple things like ICMP blocking can prevent 
GP from applying. And it only works for W2K and XP clients that are members of 
the forest. It's not uncommon for remote users to be on systems that are just 
workgroup members.
 
Wook


From: Roger Seielstad
Sent: Thu 5/13/2004 1:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] TCP Port Blocking

I've not done it directly, but it's possible to use IPSec 
policies to block specific ports, which would do exactly what you're trying to 
do.
 
Roger
-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator, Inovis Inc. 

 

  
  


RE: [ActiveDir] OT: Research Question

2004-05-13 Thread Thommes, Michael M.
, especially the part about the trout stream!  8-P
 
Mike Thommes

-Original Message- 
From: Fuller, Stuart [mailto:[EMAIL PROTECTED] 
Sent: Thu 5/13/2004 6:37 PM 
To: '[EMAIL PROTECTED]' 
Cc: 
Subject: RE: [ActiveDir] OT: Research Question


My $0.02
 
1. Salary
 
2. Environment - I live in semi-rural Montana and that is a bonus.  I drive 10 
miles to work and it takes 13 minutes.  Also in 15 minutes I can be fishing in a blue 
ribbon trout stream or skiing at our local area.
 
3. Management - The pointy hair boss factor and politics is high around here 
but my immediate sups shield me fairly well and are good to work for.
 
4. "Cool Toys" - In my position I get to play with a lot of new technology 
that actually solves problems.  (e.g. ESX Server, AD, Windows 2003, MOM, etc...)
 
5. Coworkers
 
-Stuart
 
  _  

From: joe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 1:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question


Hmm 
 
Salary (being paid is a way of being told job well done)
Coworkers (getting paid a lot doesn't help much if you have sucky co-workers)
Management (Bad management can make no amount of money enough after a while)
Influence (hard to state this one, basically having input into what is being 
done and knowing it will be considered)
 
  joe
 


  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
DL.ActiveDirectory
Sent: Thursday, May 13, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question



Yes, but having live data from people I 'know' (so to speak) makes this a much 
more personal assignment, and one that I am more likely to get a good grade on since I 
have a kindred feeling for the research data.

I am using ALL the answers I get, as each one adds a little more to the overall 
picture. Plus, this isn't the only list this got posted on. ;)

 

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 12:44 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

 

lol. 

 

Mitch, you probably want to >insert favorite search engine< for surveys.  
Places like Monster.com, Yahoo.com, Dice.com, etc all keep that kind of information as 
well for marketing purposes.  They may share. I'm sure the bureau of labor and 
statistics would keep such information as well.  Not to mention psychological 
websites, those related to workplace issues (OSHA?) and industry magazines that also 
conduct such salary and well-being surveys.

 

Happy hunting.

 

Al

 


  _  


From: Zach Huseby [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

 

 

 


  _  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I would appreciate any feedback 
I can get on the following question:

As an IT professional, what factors in your employment make a difference to 
you?  Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,

Mitch

Noob college student

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Research Question

2004-05-13 Thread Fuller, Stuart



My $0.02
 
1. Salary
 
2. Environment - I live in semi-rural Montana and that is a 
bonus.  I drive 10 miles to work and it takes 13 minutes.  Also in 15 
minutes I can be fishing in a blue ribbon trout stream or skiing at our local 
area.
 
3. Management - The pointy hair boss factor and politics is 
high around here but my immediate sups shield me fairly well and are good to 
work for.
 
4. 
"Cool Toys" - In my position I get to play with a lot of new technology that 
actually solves problems.  (e.g. ESX Server, AD, Windows 2003, MOM, 
etc...)
 
5. 
Coworkers
 
-Stuart
 




RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

2004-05-13 Thread kris . gersbach



This should be what you want...
http://msdn.microsoft.com/library/default.asp?url="">


From: AD [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 13, 2004 5:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

The problem with name resolution is the fact that you 
have to HARD Code your server names. That is what I am trying to stay away 
from.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Thursday, May 13, 2004 4:42 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Huh?  Wouldn't the name resolution calls work 
better then?
http://msdn.microsoft.com/library/default.asp?url="">
 
 
 
 
Al
 
 
 
 


From: AD [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 13, 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.


Believe it or not Mike I gave 
that idea a lot of thought. NSLookup -t NS DomainName.com. But I would have to 
create a shell object, capture the output to a file and then parse it. Not 
the cleanest solution.
 
I was hoping to find an object that will 
kinda do it all.


From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Thu 5/13/2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Couldn't you just query DNS (ie, nslookup aa.bb.cc) and look at the IPs returned?

Mike Thommes

-Original Message-
From: AD [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 13, 2004 8:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Hey Guys,

I am looking for a vb script or vb.net code that would return domain controllers (names or ip addresses) of a specific domain name on a workstation that is NOT member of the domain.

When you add a computer to a domain (right click "my computer", properties, Computer Name, Change) you specify a domain name. When you click on ok it will ask you for a username and password right? When you click "ok" the computer must talk with a domain controller to add your computer to the domain right? I basically need that functionality.

Thank you in advance.

Yves St-Cyr
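Added example, not part of the thread above: what Yves asked for, a list of a domain's DCs from a workstation that is not a member and without hard-coding server names. A joining client does exactly this: it asks DNS for the _ldap._tcp.dc._msdcs.<domain> SRV records that every DC registers, then talks LDAP to one of them. The domain name is an assumption; Resolve-DnsName needs Windows 8 / Server 2012 or later, and the rootDSE check uses ADSI, which is present on any Windows box.

```powershell
# Added example (not from the original thread): find the domain controllers of a
# domain from a non-member workstation without hard-coding server names. Discovery
# is the same SRV lookup a joining client performs; the second function confirms
# each answer actually speaks LDAP for the expected domain, since DNS answers alone
# are unauthenticated. The domain name is an assumption.
param([string]$DomainName = 'corp.example.com')

function Get-DomainControllerBySrv {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Site          # optional AD site name to list only that site's DCs
    )
    $query = if ($Site) { "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }
             else       { "_ldap._tcp.dc._msdcs.$Domain" }
    # The answer section carries the SRV records; the additional section usually
    # carries the A/AAAA records for each target host.
    $records = Resolve-DnsName -Name $query -Type SRV -ErrorAction Stop
    $srv = $records | Where-Object { $_.Type -eq 'SRV' }
    # Clients try the lowest priority first and spread by weight among equals.
    foreach ($r in ($srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true })) {
        $addr = $records | Where-Object { ($_.Type -eq 'A' -or $_.Type -eq 'AAAA') -and $_.Name -eq $r.NameTarget }
        [pscustomobject]@{
            Host     = $r.NameTarget
            Port     = $r.Port
            Priority = $r.Priority
            Weight   = $r.Weight
            IP       = ($addr.IPAddress -join ', ')
        }
    }
}

function Test-DomainControllerLdap {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 389)
    # rootDSE is readable anonymously, so this works before any credentials are
    # supplied. It confirms the host answers LDAP for the expected naming context
    # rather than being a stale SRV record or something else squatting on the name.
    $root = [ADSI]"LDAP://${HostName}:${Port}/RootDSE"
    [pscustomobject]@{
        Host         = $HostName
        DnsHostName  = [string]$root.dnsHostName
        DefaultNC    = [string]$root.defaultNamingContext
        IsGC         = ([string]$root.isGlobalCatalogReady) -eq 'TRUE'
        Synchronized = ([string]$root.isSynchronized) -eq 'TRUE'
    }
}

$dcs = Get-DomainControllerBySrv -Domain $DomainName
$dcs | Format-Table -AutoSize
$dcs | ForEach-Object { Test-DomainControllerLdap -HostName $_.Host -Port $_.Port } | Format-Table -AutoSize
```

On older systems the same lookup is nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com, and nltest /dsgetdc:corp.example.com works from a non-member as long as the name resolves. For the VB.NET code Yves was after, System.DirectoryServices.ActiveDirectory.Domain.GetDomain with a DirectoryContext of type Domain that carries the join credentials exposes the same set through its DomainControllers property, so no server name has to be embedded in the program.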


RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

2004-05-13 Thread AD



The problem with name resolution is the fact that you 
have to HARD Code your server names. That is what I am trying to stay away 
from.




RE: [ActiveDir] HELP ! - password policy changing on replication

2004-05-13 Thread Fugleberg, David A
Further info - I found a posting by Joe that describes a similar issue - by looking at 
repadmin /showmeta on a DC where the policy is wrong, I can see the version of the 
'wrong' attributes (like MaxPwdAge) is very high (>60) with today's date and recent 
time, while the others are at 1 with the date/time of when we installed AD over 3 yrs 
ago.  Clearly something is causing this to change on a DC someplace.  I hoped the 
"Originating DSA" would tell me where the problem lies, but each time this flip-flops 
I see a different DC in that field.  

I need to know what to look for to figure out a) which DC is originating the problem 
and b) where the problem is.  I suspect something related to our domain policy is 
corrupted on some DC, causing it to set itself to default values at its policy 
refresh, and this is replicating.  Then when other DCs refresh their policy properly, 
they get the correct settings.  Can anybody help ?  We're working our way to the right 
folks at MS PSS at this point...
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Fugleberg, David
A
Sent: Thursday, May 13, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP ! - password policy changing on replication


We're experiencing a problem which I'm sure I've seen documented before...just can't 
remember where.

Symptom is that people are having passwords expire prematurely - suddenly they're 
prompted for id/password when trying to access a resource, and if they log out/in they 
are told their password has expired.  If, on the other hand, they just wait a bit 
instead of logging out/in, things work in a few minutes.  It bounces back and forth 
every five minutes or so.  Our Max password age is 90.  When the user is OK, the time 
until expiration (as we calculate it based on PwdLastSet and Max Password Age) is what 
we expect.  When the user is having problems, it appears it expired at 42 days.

I recall something about password policy being set incorrectly so it flip-flops 
between 90 and 42 days.  Can anybody tell me what that was all about ???

Dave 
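Added example, not part of Dave's messages: a check for the symptom he describes. "Maximum password age" in the Default Domain Policy is written to the maxPwdAge attribute on the domain head, stored as a negative count of 100-nanosecond intervals, and 42 days is the out-of-box default for that setting. The script asks every DC for its own copy of the attribute (not the copy on whichever DC happens to be nearest), converts it to days, and shows the replication metadata so the originating DC and version of the last write are visible per replica. The ActiveDirectory module is assumed; the sample values at the bottom are constructed to show the 90/42 flip and let the comparison logic run offline.

```powershell
# Added example (not from the original thread): compare the domain head's maxPwdAge
# on every DC, convert it to days, and show per-replica replication metadata so the
# DC originating the unwanted write stands out. Requires the ActiveDirectory module.
# The sample hashtable at the bottom is constructed data, not output from a real forest.
Import-Module ActiveDirectory

function ConvertTo-Days {
    param([Parameter(Mandatory)][long]$MaxPwdAge)
    # maxPwdAge is a negative count of 100-nanosecond intervals;
    # 864,000,000,000 intervals = 1 day. [long]::MinValue means "never expires".
    if ($MaxPwdAge -eq [long]::MinValue) { return [double]::PositiveInfinity }
    [math]::Round((-$MaxPwdAge) / 864000000000.0, 2)
}

function Get-MaxPwdAgePerDc {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain)) {
        # Bind to each DC directly so a divergent replica is seen as that DC holds it.
        $head = Get-ADObject -Identity $domainDn -Server $dc.HostName -Properties maxPwdAge
        $meta = Get-ADReplicationAttributeMetadata -Object $domainDn -Server $dc.HostName -Properties maxPwdAge
        [pscustomobject]@{
            DC          = $dc.HostName
            Days        = ConvertTo-Days $head.maxPwdAge
            Version     = $meta.Version
            LastChange  = $meta.LastOriginatingChangeTime
            Originating = $meta.LastOriginatingChangeDirectoryServerIdentity
        }
    }
}

function Find-Divergence {
    # Given DC -> raw maxPwdAge samples, return the DCs that disagree with the majority.
    param([Parameter(Mandatory)][hashtable]$Samples)
    $groups   = $Samples.GetEnumerator() | Group-Object Value | Sort-Object Count -Descending
    $majority = [long]$groups[0].Name
    $Samples.GetEnumerator() | Where-Object { $_.Value -ne $majority } | ForEach-Object {
        [pscustomobject]@{
            DC           = $_.Key
            Days         = ConvertTo-Days $_.Value
            ExpectedDays = ConvertTo-Days $majority
        }
    }
}

# Constructed sample: three DCs at the configured 90 days, one fallen back to the 42-day default.
$sample = @{
    'dc1.corp.example.com' = -77760000000000   # 90 days
    'dc2.corp.example.com' = -77760000000000
    'dc3.corp.example.com' = -77760000000000
    'dc4.corp.example.com' = -36288000000000   # 42 days
}
Find-Divergence -Samples $sample | Format-Table -AutoSize

# Live run against the real domain (uncomment on a domain-joined admin workstation):
# Get-MaxPwdAgePerDc | Sort-Object LastChange -Descending | Format-Table -AutoSize
```

Get-ADReplicationAttributeMetadata reports the same Version and Originating DSA that repadmin /showobjmeta <dc> <domainDN> prints, which is what Dave was reading. The DC named as Originating on the row with the highest Version is the one to inspect: compare MaximumPasswordAge in its SYSVOL copy of the Default Domain Policy's GptTmpl.inf with the other DCs' copies, and look at its Application log for SceCli and Userenv errors at the LastChange timestamps.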


RE: [ActiveDir] TCP Port Blocking

2004-05-13 Thread Lee, Wook



The problem with trying to patch remote systems via GP is that simple things like ICMP blocking can prevent GP from applying. And it only works for W2K and XP clients that are members of the forest. It's not uncommon for remote users to be on systems that are just workgroup members.
 
Wook


From: Roger Seielstad
Sent: Thu 5/13/2004 1:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] TCP Port Blocking

I've not done it directly, but it's possible to use IPSec policies to block specific ports, which would do exactly what you're trying to do.
 
Roger
-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator, Inovis Inc. 
 



From: Mike Hogenauer [mailto:[EMAIL PROTECTED] Sent: Thursday, May 13, 2004 4:14 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] TCP Port Blocking


Sorry for the newbie sounding question. 
 
How can I use Group Policy to block certain ports in all workstation in a certain OU? Ex: for the SASSER virus it’s recommended to block TCP 5554 9996. I have remote users that I wanted apply a GP to that will block these ports. 
 
Thanks 
 
Mike
 
Mike Hogenauer
blocked::mailto:[EMAIL PROTECTED]
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2115 | Fax: 425.497.1149
 


RE: [ActiveDir] A root dc question

2004-05-13 Thread Fuller, Stuart
Tom,

For more information about the issue of non-trusted Domain Admins in a
forest see the AD Design Considerations for Delegation of Administration in
Active Directory white paper -
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx.  That lists some of the risks that Joe and
others have mentioned without going into specific methods.  It also has a
great non-technical explanation of the risks that can be shown to the
pointy haired boss types.  Another good source of information is the AD
security white paper -
http://www.microsoft.com/windowsserver2003/techinfo/overview/adsecurity.mspx

The most basic answer to your original DR question is, yes, you have to have
the root DC admins involved with any DR.  Since your background is in
Novell, I would compare just restoring a child domain to trying to restore
only a child partition/replica in the NDS without restoring the root
partition/replica.  

I also totally agree with Joe on the limited enterprise admins and domain
admins.  This is the model we are using and it has been very successful for
a three domain forest with 11,000 users.  In fact if I had to do it over
again I would go with a single domain. 

I doubt that you are going to be able to convince the Enterprise Admins to
give you the same rights just for DR.  A better scenario is to push the
concept of "Forest Recovery" instead of "Domain Recovery" for the type of DR
you are talking about.  Your management then may be able to involve the
other bits of the company instead of having just one entity trying to do DR.

HTH,
-Stuart

 

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 2:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Understood, but I think we're not seeing the trees for the forest here :)

As I said earlier, I don't want a "how to" for AD hacking.
Actually, I only wanted to know how dependent a child domain was on the root
DC, which you've more than answered and I thank you all.
Now I guess what I'm asking is just a good reference, not so I can figure
out how to compromise a forest, but to understand how the AD internals work
on a non-hand-holding level so I can know, among many other things, how such
a thing could happen.
Not how to do it. 
And, joe, if the 2 books you mentioned are the best start, then that's great
and thanks.
I know how tricky it is to answer some questions where the answer might
prove dangerous or annoying at best, so I'm not asking for it. And I
apologize for making you guys talk in circles.
I guess the real answer is, "If you gotta ask, you don't know."
My apologies to Louis Armstrong.

Thanks again.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 3:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


There are multiple vectors which one could utilize. Discussing any of them
probably isn't good because we don't have methods to protect against them
except to limit who gets access to what in the first place and even that is
not a guarantee, just puts that much more burden on the person trying to do
damage. Ditto for various simple (and complex) D.O.S. techniques. I know of
some real doozies but you won't catch me uttering them anywhere near a
public forum and usually not even in private except with a very small closed
set of people who I am positive have my back and would treat the info the
same. The info isn't NDA but it actually isn't something I want people
knowing about simply from the point of safety of me, myself, and my butt.
This is one of the few things I am not all about being upfront and talkative
about. If I saw an easy way for MS to correct the shortcomings I would
probably spout until they did, I unfortunately do not so will remain mum
except that it is possible and people should be careful on who they make
domain admins or give local logon rights on a DC to. Once more...
Domains are not security boundaries.

If your enterprise admins do not feel they could be compromised, not many
words you can use to convince them otherwise, they would have to see it or
finally "see the light". I doubt proving the fact to them will get you
enterprise admin, most likely it would get domain admin as well as any local
logon rights to a DC removed from you. You could possibly, depending on your
org, talk them into letting you have your own forest. That may even be
tough.

You can't fully protect a DC or a domain. However you should handle the easy
ones like being very tight on who can log on or control services on a DC and
who the admins are. The goal is to make it as difficult as possible to
someone trying to do you harm while still maintaining needed functionality.
There are some things that you have to make a very hard call on, be insecure
or not allow someone functionality they think they need. I've had lots of
people tell me they needed to be admins on domains, my secu

RE: [ActiveDir] FW: Passwords

2004-05-13 Thread Brian Desmond

I have this problem at home. I don't know why, I just remember it started when I collapsed my home AD to one DC. 

 



--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org

v: 773.534.0034 x135
f: 773.534.0035

From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 13, 2004 12:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Passwords



 

Anyone have any ideas why this happens?

 

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

 

 

-Original Message-
From: Levine, Jeffrey 
Sent: Thursday, May 13, 2004 12:10 PM
To: Salandra, Justin A.
Cc: Bruno, Thomas
Subject: Passwords

 



Justin,

Several employees are getting normal messages to change their passwords, and they proceed to do so.  The following day they are asked once again to change their password.  Any reason?  Should they ignore it?  Please advise.



Jeffrey D. Levine
Accountant
Carmel Richmond Healthcare & Rehabilitation Center
88 Old Town Road
Staten Island, NY 10304
Phone: (718) 668-8541
Fax: (718) 980-6815
[EMAIL PROTECTED]

 

This message is a private communication.  If you are not the intended recipient, please do not read, copy, or use it and do not disclose it to others.  Please notify the sender of the delivery error by replying to this message, and then delete it from your system.  Thank you.


RE: [ActiveDir] A root dc question

2004-05-13 Thread Brian Desmond
Never liked cats much - what fun are they? At least a dog will play with
you. I nearly whacked one with a paint roller whilst painting the front
porch a couple of years ago. The school drama department took it upon
themselves to paint a very nice recital hall (not auditorium/theater) which
had white walls and a gloss varnish floor black. Since they destroyed the
space, I'm trying to start a movement whereby anyone who does a show in the
space is required to paint something on the walls.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
 
v: 773.534.0034 x135
f: 773.534.0035
 
 
-Original Message-
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

I think he was apologizing for working on Novell... :oP 

Personally I am sitting here posting because I am waiting for a second coat
of paint to dry. Before I take off some masking tape and put my furniture
back in place. And I must tell you, it is a joy to paint with white paint
when you have a curious black cat. I have little white cat footprints across
my kitchen floor now and a cat that is no longer all black. Ever see a black
cat with a white nose and white pads, pretty funny. She sneezed paint all
over my leg too.

As for the learning part, yes learn away. That is why some of us give very
long winded drawn out responses in the first place. A lot of these questions
could be answered with Yes,no,maybe, don't be stupid, or go hire someone who
knows but the goal is to increase the knowledge base around Windows AD so
that it gets run properly and less is ascertained to be Magic. A lot of
people think I give long responses because I like to talk (or write).
Actually it is because I like to hear others learn. The more everyone learns
about this stuff, the better for all of us as we will all be watching out
for the same things and beating vendors into doing things right. I actually
had a recent near experience with a vendor that had previously encountered
some knowledgeable AD guys at Cisco. When our people encountered them, it
was like, wow, your stuff actually looks good! Saved some time and
headaches. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 13, 2004 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Finally, I want to apologize again. I came from a Novell environment and
inherited my current AD set up and I'm afraid I'm using you as a learning
tool to get deeper into AD internals and I want to apologize for wasting
your time. I've read Robbie Allen's Active Directory and most of the
Distributed Systems Guide of the Windows 2k resource kit and both while
excellent don't seem to answer all my questions esp. things like this post.
Perhaps you could just recommend a book or site?
Thanks for your time, everyone.

I'm not sure why you're apologizing for wanting to learn. I don't think
anyone who actively participates on this mailing list is here just to shoot
the breeze & dick around, but rather to learn and share knowledge. So, I say
fire away, I'll certainly jump in on a thread if it's something I know
about...

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
 
v: 773.534.0034 x135
f: 773.534.0035
 
 
-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

1. I'm not really interested in hacking my AD, so I'm not asking for that
bit of info. I just wonder why it exists and I'm sure googling it will turn
up a lot of "how to's", which makes me wonder why MS doesn't have a fix for
it?

2. So aside from politics or the inability of corps to collapse their NT
domain structure into OUs, you're saying there really is no reason for
multiple domains at all (or maybe to limit rep traffic of the domain naming
context across the forest?)?

3. Unfortunately our root domain is in Maryland and we are in New York, so
we can't really be sitting next to each other.


Finally, I want to apologize again. I came from a Novell environment and
inherited my current AD set up and I'm afraid I'm using you as a learning
tool to get deeper into AD internals and I want to apologize for wasting
your time. I've read Robbie Allen's Active Directory and most of the
Distributed Systems Guide of the Windows 2k resource kit and both while
excellent don't seem to answer all my questions esp. things like this post.
Perhaps you could just recommend a book or site?
Thanks for your time, everyone.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Anyone with rights to get to mess with any domain controller in a forest can
compromise the forest, again a domain is not a security boundary. Someone
may not have the knowled

[ActiveDir] HELP ! - password policy changing on replication

2004-05-13 Thread Fugleberg, David A
We're experiencing a problem which I'm sure I've seen documented before...just can't 
remember where.

Symptom is that people are having passwords expire prematurely - suddenly they're 
prompted for id/password when trying to access a resource, and if they log out/in they 
are told their password has expired.  If, on the other hand, they just wait a bit 
instead of logging out/in, things work in a few minutes.  It bounces back and forth 
every five minutes or so.  Our Max password age is 90.  When the user is OK, the time 
until expiration (as we calculate it based on PwdLastSet and Max Password Age) is what 
we expect.  When the user is having problems, it appears it expired at 42 days.

I recall something about password policy being set incorrectly so it flip-flops 
between 90 and 42 days.  Can anybody tell me what that was all about ???

Dave 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
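
The calculation Dave describes (pwdLastSet plus Max Password Age), as an added example that is not part of his post: it reads both values from every DC in the domain rather than from whichever DC answers first, so a DC that is enforcing a different maxPwdAge (42 days is the out-of-the-box default; 90 is the intended value) shows up next to the expiry date it would produce. It needs the ActiveDirectory module; the account name passed in is the only assumption.

```powershell
# Added example, not code from the thread. Needs the ActiveDirectory module; the
# account name is the only assumption.
param(
    [Parameter(Mandatory)][string]$SamAccountName   # e.g. 'jdoe' (assumed)
)
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$dcs      = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    try {
        # maxPwdAge lives on the domain head as a NEGATIVE count of 100-ns ticks;
        # pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC), 0 = must change.
        $head = Get-ADObject -Server $dc -Identity $domainDn -Properties maxPwdAge -ErrorAction Stop
        $user = Get-ADUser   -Server $dc -Identity $SamAccountName `
                             -Properties pwdLastSet, PasswordNeverExpires -ErrorAction Stop
    } catch {
        Write-Warning "${dc}: $($_.Exception.Message)"
        continue
    }

    $rawAge = [int64]$head.maxPwdAge
    # Int64.MinValue encodes 'passwords never expire' at the domain level; negating it
    # would overflow, so treat it as zero.
    $maxAge = if ($rawAge -eq [int64]::MinValue) { [TimeSpan]::Zero } else { [TimeSpan]::FromTicks(-$rawAge) }

    $lastSet = $null
    if ([int64]$user.pwdLastSet -gt 0) { $lastSet = [DateTime]::FromFileTimeUtc([int64]$user.pwdLastSet) }

    $expires = $null
    if ($lastSet -and $maxAge -gt [TimeSpan]::Zero -and -not $user.PasswordNeverExpires) {
        $expires = $lastSet + $maxAge
    }
    $daysLeft = if ($expires) { [math]::Round(($expires - [DateTime]::UtcNow).TotalDays, 1) } else { 'n/a' }

    [pscustomobject]@{
        DC            = $dc
        MaxPwdAgeDays = [math]::Round($maxAge.TotalDays, 1)
        PwdLastSetUtc = $lastSet
        ExpiresUtc    = $expires
        DaysRemaining = $daysLeft
    }
}
```

Run it while a user is in the "bad" state. If one DC reports 42 where the others report 90, that DC is applying a different policy; the password policy for domain accounts is only taken from GPOs linked at the domain level, so compare what gpresult shows on that DC against the domain-linked policy rather than looking at the DC's OU.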


RE: [ActiveDir] TCP Port Blocking

2004-05-13 Thread Roger Seielstad



I've not done it directly, but it's possible to use IPSec
policies to block specific ports, which would do exactly what you're trying to
do.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  From: Mike Hogenauer [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 13, 2004 4:14 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] TCP Port Blocking

  Sorry for the newbie sounding question.

  How can I use Group Policy to block certain ports in all workstations in a certain OU?
  Ex: for the SASSER virus it's recommended to block TCP 5554 9996. I have
  remote users that I wanted to apply a GP to that will block these ports.

  Thanks

  Mike

  Mike Hogenauer
  [EMAIL PROTECTED]
  Rendition Networks, Inc.
  10735 Willows Rd NE, Suite 150
  Redmond, WA 98052
  425.636.2115 | Fax: 425.497.1149
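
Roger's IPsec approach, worked as an added example that is not part of his post or Mike's: a local IPsec policy built with the netsh ipsec static context that shipped with XP and 2003, dropping inbound TCP 5554 and 9996 (the ports from Mike's question). The policy, filter-list, action and rule names are assumptions.

```powershell
# Added example, not code from the thread. Builds and assigns a local IPsec policy
# that drops inbound TCP 5554 and 9996. Names are assumptions; ports are Mike's.
$policy     = 'Block Sasser ports'
$filterList = 'Sasser TCP ports'
$action     = 'Drop inbound'
$rule       = 'Drop Sasser ports'
$ports      = 5554, 9996

netsh ipsec static add policy name="$policy" description="Drop inbound TCP 5554 and 9996" | Out-Null
netsh ipsec static add filterlist name="$filterList" | Out-Null
foreach ($p in $ports) {
    # srcaddr=any dstaddr=me: any remote host to this machine on port $p.
    # mirrored=no keeps the filter inbound only; the default (mirrored=yes) would also
    # match traffic this machine sends from that source port.
    netsh ipsec static add filter filterlist="$filterList" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=$p mirrored=no | Out-Null
}
netsh ipsec static add filteraction name="$action" action=block | Out-Null
netsh ipsec static add rule name="$rule" policy="$policy" filterlist="$filterList" filteraction="$action" | Out-Null

# Assign it. Only one IPsec policy is active at a time, and a policy assigned through
# a domain GPO takes precedence over this local one.
netsh ipsec static set policy name="$policy" assign=y

# Check what is actually in force on this machine.
netsh ipsec static show policy name="$policy" level=verbose
```

To push this to an OU, the same policy is created under Computer Configuration > Windows Settings > Security Settings > IP Security Policies in a GPO linked to that OU, which is what Mike was asking for; on Vista and later the equivalent inbound block is a single New-NetFirewallRule -Direction Inbound -Protocol TCP -LocalPort 5554,9996 -Action Block. Be clear about what the filter does: 5554 and 9996 are the FTP server and remote shell Sasser opens on a host it has already infected, and new victims fetch the worm body from that FTP port, so the filter cuts those backdoors and the spread from that host. The infection itself arrives over TCP 445 through the LSASS flaw fixed by MS04-011, so patching is still the fix.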
   


RE: [ActiveDir] OT: Research Question

2004-05-13 Thread Lou Vega
"programmers *and* it professionals" - so... us
programmers are not it professionals? ;-)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

No, it's quite alright. One of the assignments I had this week was 'ask programmers and
it professionals what factors in business are most important to them and
why.' So I went and asked all the ones I knew. I'm using all the
answers to formulate the results for class.

 

Mitch


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 2:34 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

Maybe I've misunderstood the question.  You're asking for an answer to the
question?


From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Yes, but having live data from people I 'know' (so to speak) makes this a much more
personal assignment, and one that I am more likely to get a good grade on since
I have a kindred feeling for the research data.

I am using ALL the answers I get, as each one adds a little more to the overall
picture. Plus, this isn't the only list this got posted on. ;)

 

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 12:44 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

lol.

Mitch, you probably want to >insert favorite search engine< for surveys.
Places like Monster.com, Yahoo.com, Dice.com, etc. all keep that kind of
information as well for marketing purposes.  They may share. I'm sure the
bureau of labor and statistics would keep such information as well.  Not
to mention psychological websites, those related to workplace issues (OSHA?)
and industry magazines that also conduct such salary and well-being surveys.

Happy hunting.

 

Al


From: Zach Huseby [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

As an IT professional, what factors in your employment make a difference to you?  Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,

Mitch

Noob college student


RE: [ActiveDir] OT: Research Question

2004-05-13 Thread Mulnick, Al
Title: OT: Research Question



I'm somewhat idealistic as well.  I only want what 
most people want which is to feel needed and important.  Good bosses tend 
to figure that out and that no amount of money is worth being treated 
badly.  Sadly, most bosses aren't that way now are they?  

 
As Joe mentions, salary is the greens fee.  Without 
it, there's no way you can sustain a high level of output for a decent length of 
time, mostly because other influences such as family life will create pressures 
to change.  Great for consulting, but not so much for long term 
employees.  Seems that many feel like they get what they pay for, so it 
matters to have a decent pay scale for the area and expertise you work 
in.
 
Environment is important.  Nobody is going to 
continually beat themselves up to go to work in a bad environment (people, 
surroundings, etc) when there are options.  I've found that if the greens 
fee isn't paid properly, then the environment tolerance is very low. It's not to 
say that working for less to be a part of a great environment where you feel 
you're needed isn't going to happen and cause less stress, but it's infrequently 
found.
 
I'm not sure it's important to have influence so much as it 
is to feel as if you're important and that you're being heard.  More 
importantly that you're providing a needed function.  Similar reasons are 
noted or people that join the peace corps or other charity organization.  
There's reward for input and you feel important.  
 
 
All of that said, I'd say that good pay is lower on 
the scale.  It's not important, it's expected.  A fulfilling work 
experience and feeling of contribution are important and higher on the scale for 
long term jobs.  That often encompasses challenge, input, influence, and 
generally feeling like you're contributing to the success of the 
organization.  We all know that there are at least 6 right answers to any 
given situation.  We at least want to feel like we contributed one of 
them.
 
 
Note that it's also expected that they treat your family 
well.  Work-life balance is also important whether you have a family or are 
single and would like to have some sort of companionship other than a pet rock 
and a computer.
 
-ajm


From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Hmm

Salary (being paid is a way of being told job well done)
Coworkers (getting paid a lot doesn't help much if you have sucky co-workers)
Management (Bad management can make no amount of money enough after a while)
Influence (hard to state this one, basically having input into what is being done and knowing it will be considered)

  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Yes, but having live data from people I 'know' (so to speak) makes this a much more personal
assignment, and one that I am more likely to get a good grade on since I have a
kindred feeling for the research data.
I am using ALL the answers I get, as each one adds a little more to the overall picture. Plus,
this isn't the only list this got posted on. ;)

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 12:44 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

lol.

Mitch, you probably want to >insert favorite search engine< for surveys.  Places
like Monster.com, Yahoo.com, Dice.com, etc. all keep that kind of information as
well for marketing purposes.  They may share. I'm sure the bureau of labor
and statistics would keep such information as well.  Not to mention
psychological websites, those related to workplace issues (OSHA?) and industry
magazines that also conduct such salary and well-being surveys.

Happy hunting.

Al


From: Zach Huseby [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,
I am doing research for a college project, and I would appreciate any feedback I can get on the following question:
As an IT professional, what factors in your employment make a difference to you?  Why?
I really appreciate the time you take to give me some insight into your world.
Thank you,
Mitch
Noob college student


RE: [ActiveDir] A root dc question

2004-05-13 Thread Roger Seielstad
Global Catalogs are global catalogs. Period. There is no real distinction
between domains when it comes to Global Catalogs. Here's why...

GC's are read only, but only through "normal" (i.e. user) interaction.
Something has to be able to write to the GC on every DC in a forest, and
that something is the System account. By launching a process as System
(which anyone with admin privs to ANY DC in ANY domain could do), you can
modify the contents of a Universal Group (which exists in the GC). So,
you're not elevating privs in the root. You're using existing privileges to
inject an account into a Uni Group, to own the world.

We realize you're not trying to hack AD. We're trying to explain to you what
the reality is vs. what the documentation says happens.

The books that Joe mentioned (both by Robbie Allen, I believe) are well
worth your time and money. I also think that the Microsoft "Building
Enterprise Active Directory Services: Notes from the Field" book might be
worth it. There are some sections written there that compare concepts
between AD and NDS, which might help you make that transition.

Links to most of the books recommended here over time are available here:
http://www.wiredeuclid.com/modules.php?op=modload&name=books&file=index&req=
view_subcat&sid=7 (link may wrap - this will take you there as well:
http://tinyurl.com/28j9n)

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: Kern, Tom [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, May 13, 2004 1:59 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> you mean writing oneself into a GC in the root domain? its my 
> understanding that GC's have a subset of all AD, but only 
> have a read-only version of the domain partition they are not 
> a member of. so i couldn't just write myself into a GC in my 
> domain for a uni group from another domain, no?
> as stated earlier, i don't want to "hack" my AD forest so 
> please don't divulge any info you feel is compromising to AD 
> security. I just want to be clear on and learn some AD 
> internals i can't really seem to find in any book. i guess 
> this is one of them, so if you can clarify without giving 
> away a hack or hole, that would be great (if that's at all possible).
> thanks
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 1:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> 
> Basically, it's because the GC (which is the same on all 
> domain controllers
> within a forest) is writable on every domain, anyone with 
> Domain Admin privs
> can write themselves into Universal Groups - one of which is 
> Enterprise
> Admins - through a relatively trivial process (there are 
> scripts available
> on the Internet, I believe).
> 
> Last I checked, that means the child domain admin now has 
> what amounts to
> local admin rights on every DC in every domain in the forest. In other
> words, they now 0wn your forest.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -Original Message-
> > From: Kern, Tom [mailto:[EMAIL PROTECTED] 
> > Sent: Thursday, May 13, 2004 10:20 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] A root dc question
> > 
> > how would one force an escalation of privileges? is this just 
> > taking advantage of a security hole in AD? or is this 
> > standard ability? a backdoor to prevent a lockout, like the 
> > ability to change a domain admin pw if you're physically at 
> > the machine with a linux boot disk?
> > and if it's a flaw, why hasn't it been fixed by MS?
> > 
> > -Original Message-
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 13, 2004 9:41 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] A root dc question
> > 
> > 
> > You'd be very, very wrong. Through *standard* practices, 
> > you're correct.
> > However, you have sufficient rights to force an escalation 
> > of privileges
> > and insert your account into the Enterprise Admins group
> > 
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >  
> > 
> > > -Original Message-
> > > From: Kern, Tom [mailto:[EMAIL PROTECTED] 
> > > Sent: Thursday, May 13, 2004 9:16 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] A root dc question
> > > 
> > > 1. what do you mean by "an admin in any domain has the power 
> > > of being an Entrprise admin"? i, being a domain admin of a 
> > > child domain, do not have the power to put myself into the 
> > > Enterprise admins group. A domain or enterprise admin in the 
> > > root domain  would have to do that for me.
> > >  
> > > Also, as a domain ad
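
A check that follows from Roger's point, added here as an example and not part of his post: list everyone who administers any domain in the forest, since each of them can run code as System on a DC and therefore, as he describes, reach universal group membership from whatever domain they sit in. It needs the ActiveDirectory module and read access to each domain; forest and domain names are discovered from the forest itself, nothing else is assumed.

```powershell
# Added example, not code from the thread. Needs the ActiveDirectory module and read
# access to each domain; forest and domain names are discovered, nothing else is assumed.
Import-Module ActiveDirectory

$forest = Get-ADForest
$rows = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $sid    = $domain.DomainSID.Value
    $dc     = $domain.PDCEmulator

    # Looked up by well-known SID so renamed groups are still found:
    # <domain SID>-512 Domain Admins, S-1-5-32-544 the DCs' Administrators group.
    $groups = [ordered]@{
        'Domain Admins'  = "$sid-512"
        'Administrators' = 'S-1-5-32-544'
    }
    if ($domainName -eq $forest.RootDomain) {
        $groups['Enterprise Admins'] = "$sid-519"
        $groups['Schema Admins']     = "$sid-518"
    }

    foreach ($name in $groups.Keys) {
        try {
            # -Recursive expands nested groups; members from other domains come back as
            # foreign security principals, which is exactly the cross-domain reach to flag.
            $members = Get-ADGroupMember -Server $dc -Identity $groups[$name] -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "${domainName}: cannot expand $name ($($_.Exception.Message))"
            continue
        }
        foreach ($m in $members) {
            $foreign = $m.distinguishedName -notlike "*,$($domain.DistinguishedName)"
            [pscustomobject]@{
                Domain        = $domainName
                Group         = $name
                Member        = $m.distinguishedName
                Class         = $m.objectClass
                OutsideDomain = $foreign
            }
        }
    }
}

$rows | Sort-Object Domain, Group, Member | Format-Table -AutoSize
```

Treat the union of these lists, not just Enterprise Admins, as the forest's real administrator set, and extend it by hand with whoever holds "Allow log on locally" or service-control rights on DCs through the Default Domain Controllers Policy, which the script does not read.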

RE: [ActiveDir] Enumerating DCs from a workstation that is not me mber of domain.

2004-05-13 Thread Mulnick, Al
Title: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.



Huh?  Wouldn't the name resolution calls work better then?
http://msdn.microsoft.com/library/default.asp?url=""

Al


From: AD [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 3:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Believe it or not Mike I gave that idea a lot of thought. NSLookup -t NS DomainName.com. But I would have to
create a shell object, capture the output to a file and then parse it. Not
the cleanest solution.

I was hoping to find an object that will kinda do it all.


From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Thu 5/13/2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Couldn't you just query DNS (ie, nslookup aa.bb.cc) and look at the IPs returned?

Mike Thommes

-Original Message-
From: AD [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Hey Guys,

I am looking for a vb script or vb.net code that would return domain controllers (names or ip addresses) of a specific
domain name on a workstation that is NOT member of the domain.

When you add a computer to a domain (right click "my computer", properties, Computer
Name, Change) you specify a domain name. When you click on ok it will ask you
for a username and password right? When you click "ok" the computer must talk
with a domain controller to add your computer to the domain right? I basically
need that functionality.

Thank you in advance.

Yves St-Cyr

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Research Question

2004-05-13 Thread joe
Title: OT: Research Question



Damn, I want to wear a NASA hat.
 
:o)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Thursday, May 13, 2004 3:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

1) Pay is definitely nice.
2) I like the challenges involved with my job. (You want a 700 OU AD structure with
decentralized web based administration when?)
3) Lots of cool "toys" in the lab (blades, SANs, Coops, and a dual AMD 64bit processor test boxen with
green neon lights and a see-through case!)
4) I get to wear a hat (currently my MCSD one, but last week was my NASA one)
5) A lot of what I do is seen as PFM (and *sometimes* it's better left unexplained!)

Some things that stink
1) the lab has no windows - I've thought about a small web enabled video camera installed outside
the building so I can "surf" to see what it's like outside from my desktop or
the server racks.
2) The refrigerator does not automatically restock itself with Mt. Dew when it runs low.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Thursday, May 13, 2004 2:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

1. Pay
2. Benefits
3. Flexibility


From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Paydays?

Thank you,
Mitch Lawrence

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zach Huseby
Sent: Thursday, May 13, 2004 11:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,
I am doing research for a college project, and I would appreciate any feedback I can get on the following question:
As an IT professional, what factors in your employment make a difference to you?  Why?
I really appreciate the time you take to give me some insight into your world.
Thank you,
Mitch
Noob college student


RE: [ActiveDir] DNS issues?

2004-05-13 Thread Roger Seielstad



But you're missing my question - do the child domains know
about each other's zones, via either replication (i.e. secondarying the zones)
or a correct referral scheme?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  From: Todd L. Graham [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 13, 2004 12:51 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS issues?

  When I do an IP config I'm getting the correct IP addresses listed for the DNS servers.  DNS is
  set to have the child domains replicate with the root.

  Todd


  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
  Sent: Thursday, May 13, 2004 9:26 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS issues?

  When you say you're getting the "correct" DNS servers, what do you mean?

  Also, are you replicating DNS zones for the child domains between sites? It strikes
  me like what's really happening is that your child domains don't hold each
  other's DNS zones, so you can only see the local info.

  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.


From: Todd L. Graham [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:30 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS issues?

I have a problem with my DNS over the WAN and VPN.  Here is the
issue.  For some reason DNS will not resolve names over the WAN, or
VPN.  I can only connect to resources by IP address.  This problem
started when I upgraded my network in January.  We switched to a Cisco
IP phone system along with all Cisco gear (VPN concentrator, PIX firewall,
switches, routers... lots of money spent).  We also upgraded our network
at the same time from W2k to Server 2003.  We have a Point to Point T
between our sites and a T1 for internet access here.  We have about 30
people who VPN into the network on the VPN concentrator.  Our AD (I
actually run all IT for 3 companies, same owners) is one Root domain with 3
child domains, 1 for each company.  All common resources and user
accounts are in the root. Computer accounts and private resources are in
each child domain.  The child domains share nothing. Due to the phone
system we have several VLANs, one for voice, VPN, Guest, and computer
network.

When I am at the other location I can't browse the network, or attach to mapped
drives from my logon script (they don't even appear).  I can only
attach to resources if I create a new mapped drive by IP address.  When
I do an IP config I get all the right DNS servers listed.  I can only
ping them by IP address.  The same situation happens when I VPN from
home.  We had DNS only on the network.  My Cisco vendor told me
it's not their gear.  I added WINS to see if this would help... it did
not. Any suggestions on what I could have configured incorrectly?
Could it be the Cisco routers?

Thank you for the help!

Todd Graham
IT Manager
Urell Inc.
617-600-9355
[EMAIL PROTECTED]
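
Roger's question turned into a check, as an added example that is not part of his post or Todd's. For each DNS server in the forest (assumed here to be the DCs, which matches a setup where the zones replicate with AD; substitute your own server list otherwise) it reports whether the server hosts each domain's zone and how (primary, secondary, stub, conditional forwarder), and whether it can resolve that domain's DC locator record at all, which is what a working delegation or forwarder would give it even without the zone. It needs the ActiveDirectory and DnsServer modules.

```powershell
# Added example, not code from the thread. Assumes DNS runs on the DCs (swap in your own
# server list in $dnsServers if it does not); forest and domain names are discovered.
Import-Module ActiveDirectory
Import-Module DnsServer

$forest = Get-ADForest
# What every DNS server must be able to answer for: each domain's zone plus the
# forest-wide _msdcs zone (a separate zone on 2003-built forests; on forests upgraded
# from 2000 it may still sit inside the root zone, which the Resolves column covers).
$zones = @($forest.Domains) + "_msdcs.$($forest.RootDomain)"

$dnsServers = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d | ForEach-Object HostName
}

$report = foreach ($srv in ($dnsServers | Sort-Object -Unique)) {
    try {
        $hosted = Get-DnsServerZone -ComputerName $srv -ErrorAction Stop
    } catch {
        Write-Warning "${srv}: cannot list zones ($($_.Exception.Message))"
        continue
    }
    foreach ($z in $zones) {
        $zone  = $hosted | Where-Object ZoneName -eq $z
        # The DC locator record for the zone; it resolves only if this server hosts the
        # zone or has a working delegation, stub zone or conditional forwarder for it.
        $probe = if ($z -like '_msdcs.*') { "_ldap._tcp.dc.$z" } else { "_ldap._tcp.dc._msdcs.$z" }
        $answer = Resolve-DnsName -Server $srv -Name $probe -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object Type -eq 'SRV'
        $type  = if ($zone) { [string]$zone.ZoneType } else { '' }
        $scope = if ($zone -and $zone.IsDsIntegrated) { [string]$zone.ReplicationScope } else { '' }
        [pscustomobject]@{
            DnsServer = $srv
            Zone      = $z
            Hosted    = [bool]$zone
            ZoneType  = $type
            Scope     = $scope
            Resolves  = [bool]$answer
        }
    }
}

$report | Format-Table -AutoSize
```

Rows with Hosted false and Resolves false are the servers that cannot see that domain at all, which is the symptom Todd describes: either add the zone there (AD-integrated with forest-wide replication scope, a secondary, or a stub) or fix the delegation in the parent zone. Rows with Hosted true but Resolves false point at a zone that exists but is stale or not loading.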
 


RE: [ActiveDir] A root dc question

2004-05-13 Thread Kern, Tom
Understood, but I think we're not seeing the trees for the forest here :)

As I said earlier, I don't want a "how to" for AD hacking.
Actually, I only wanted to know how dependent a child domain was on the root DC, which
you've more than answered and I thank you all.
Now I guess what I'm asking is just a good reference, not so I can figure out how to
compromise a forest, but to understand how the AD internals work on a non-hand-holding
level so I can know, among many other things, how such a thing could happen.
Not how to do it.
And, joe, if the 2 books you mentioned are the best start, then that's great and thanks.
I know how tricky it is to answer some questions where the answer might prove
dangerous or annoying at best, so I'm not asking for it. And I apologize for making
you guys talk in circles.
I guess the real answer is, "If you gotta ask, you don't know"
My apologies to Louis Armstrong.

Thanks again.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 3:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


There are multiple vectors which one could utilize. Discussing any of them
probably isn't good because we don't have methods to protect against them
except to limit who gets access to what in the first place and even that is
not a guarantee, just puts that much more burden on the person trying to do
damage. Ditto for various simple (and complex) D.O.S. techniques. I know of
some real doozies but you won't catch me uttering them anywhere near a
public forum and usually not even in private except with a very small closed
set of people who I am positive have my back and would treat the info the
same. The info isn't NDA but it actually isn't something I want people
knowing about simply from the point of safety of me, myself, and my butt.
This is one of the few things I am not all about being upfront and talkative
about. If I saw an easy way for MS to correct the shortcomings I would
probably spout until they did, I unfortunately do not so will remain mum
except that it is possible and people should be careful on who they make
domain admins or give a local logon DC access rights to. Once more...
Domains are not security boundaries.

If your enterprise admins do not feel they could be compromised, not many
words you can use to convince them otherwise, they would have to see it or
finally "see the light". I doubt proving the fact to them will get you
enterprise admin, most likely it would get domain admin as well as any local
logon rights to a DC removed from you. You could possibly, depending on your
org, talk them into letting you have your own forest. That may even be
tough.

You can't fully protect a DC or a domain. However you should handle the easy
ones like being very tight on who can log on or control services on a DC and
who the admins are. The goal is to make it as difficult as possible to
someone trying to do you harm while still maintaining needed functionality.
There are some things that you have to make a very hard call on, be insecure
or not allow someone functionality they think they need. I've had lots of
people tell me they needed to be admins on domains, my security model has
never been one though that I think their functionality requires reducing
security. 

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

you mean writing oneself into a GC in the root domain? its my understanding
that GC's have a subset of all AD, but only have a read-only version of the
domain partition they are not a member of. so i couldn't just write myself
into a GC in my domain for a uni group from another domain, no?
as stated earlier, i don't want to "hack" my AD forest so please don't
divulge any info you feel is compromising to AD security. I just want to be
clear on and learn some AD internals i can't really seem to find in any
book. i guess this is one of them, so if you can clarify without giving away
a hack or hole, that would be great (if that's at all possible).
thanks

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 1:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Basically, it's because the GC (which is the same on all domain controllers
within a forest) is writable on every domain, anyone with Domain Admin privs
can write themselves into Universal Groups - one of which is Enterprise
Admins - through a relatively trivial process (there are scripts available
on the Internet, I believe).

Last I checked, that means the child domain admin now has what amounts to
local admin rights on every DC in every domain in the forest. In other
words, they now 0wn your forest.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis

RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

2004-05-13 Thread Lee, Wook
Title: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.



Sounds to me like you need to hardcode a domain account and password in an ADSI bind, then do a dsgetdc. Not sure whether you can do that in VB or VBscript, but I believe that's what the domain join and tools like nltest do. Now the scripting gurus can wade in.

Wook

"Once my Valentine,
  Her name escapes me like a
    Restore mode password."


From: AD
Sent: Thu 5/13/2004 12:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Believe it or not Mike I gave that idea a lot of thought. NSLookup -t NS DomainName.com. But I would have to create a shell object, capture the output to a file and then parse it. Not the cleanest solution.

I was hoping to find an object that will kinda do it all.


From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Thu 5/13/2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Couldn't you just query DNS (ie, nslookup aa.bb.cc) and look at the IPs returned?

Mike Thommes

-Original Message-
From: AD [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Hey Guys,

I am looking for a vb script or vb.net code that would return domain controllers (names or ip addresses) of a specific domain name on a workstation that is NOT member of the domain.

When you add a computer to a domain (right click "my computer", properties, Computer Name, Change) you specify a domain name. When you click on ok it will ask you for a username and password right? When you click "ok" the computer must talk with a domain controller to add your computer to the domain right? I basically need that functionality.

Thank you in advance.

Yves St-Cyr

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
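
What Mike Thommes and Al suggest, done as an added example that is neither the VBScript Yves asked for nor Wook's credentialed ADSI bind, and not code from the thread: from a machine that is not a member of the domain, read the SRV records every AD domain publishes in DNS, resolve the targets, and confirm each one is a live DC of that domain by reading its RootDSE, which LDAP serves without credentials. No account or password is needed. The domain name and the optional DNS server are assumptions.

```powershell
# Added example, not code from the thread. Assumptions: the domain name passed in and,
# optionally, a DNS server that hosts (or can forward to) the AD zone.
param(
    [Parameter(Mandatory)][string]$Domain,   # e.g. 'corp.example.com' (assumed)
    [string]$DnsServer                        # e.g. '10.0.0.5' (assumed, optional)
)

$dns = @{ DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
if ($DnsServer) { $dns.Server = $DnsServer }

# Every DC of the domain registers here. Variants: _gc._tcp.<forest root> for global
# catalogs, _ldap._tcp.<site>._sites.dc._msdcs.<domain> for the DCs of one AD site.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$srv = Resolve-DnsName @dns -Name $srvName -Type SRV | Where-Object Type -eq 'SRV'
if (-not $srv) {
    throw "No SRV records for $srvName; the resolver in use cannot see the AD zone for $Domain."
}

# Lower Priority is preferred; among equal priorities higher Weight is preferred.
foreach ($r in ($srv | Sort-Object Priority, @{ Expression = { -[int]$_.Weight } })) {
    $ips = Resolve-DnsName @dns -Name $r.NameTarget -Type A |
           Where-Object Type -eq 'A' | ForEach-Object IPAddress

    # RootDSE is readable without credentials and names the domain the DC serves,
    # which catches stale SRV records and DCs that are registered but down.
    $nc = 'unreachable'
    try {
        $root = [ADSI]"LDAP://$($r.NameTarget):$($r.Port)/RootDSE"
        $nc   = [string]$root.Properties['defaultNamingContext'].Value
    } catch { }

    [pscustomobject]@{
        DC       = $r.NameTarget
        IP       = ($ips -join ', ')
        Port     = $r.Port
        Priority = $r.Priority
        Weight   = $r.Weight
        DomainNC = $nc
    }
}
```

An NS query (the nslookup -t NS idea) returns the zone's name servers, which are only the DCs when DNS happens to run on them, so the _ldap._tcp.dc._msdcs record is the one to ask for. nltest /dsgetdc:<domain> performs the same lookup plus an LDAP ping and returns one DC, which is the DsGetDcName call Wook refers to; the script above simply shows all of them.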


RE: [ActiveDir] A root dc question

2004-05-13 Thread Kern, Tom
Understood, but I think we're not seeing the trees for the forest here :)

As I said earlier, I don't want a "how to" for AD hacking.
Actually, I only wanted to know how dependent a child domain was on the root dc, which 
you've more than answered and I thank you all.
Now i guess what i'm asking is just a good reference, not so i can figure out how to 
compromise a forest, but to understand how the AD internals work on a non-hand holding 
level so i can know among many other things, how such a thing could happen.
Not how to do it. 
and, joe, if the 2 books you mentioned are the best start, then thats great and thanks.
i know how tricky it is to answer some questions where the answer might prove 
dangerous or annoying at best, so i'm not asking for it. and i apologize for making 
you guys talk in circles.
i guess the real answer is, "If you gotta ask, you don't know"
my apologies to louis armstrong.

Thanks again.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 3:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


There are multiple vectors which one could utilize. Discussing any of them
probably isn't good because we don't have methods to protect against them
except to limit who gets access to what in the first place and even that is
not a guarantee, just puts that much more burden on the person trying to do
damage. Ditto for various simple (and complex) D.O.S. techniques. I know of
some real doozies but you won't catch me uttering them anywhere near a
public forum and usually not even in private except with a very small closed
set of people who I am positive have my back and would treat the info the
same. The info isn't NDA but it actually isn't something I want people
knowing about simply from the point of safety of me, myself, and my butt.
This is one of the few things I am not all about being upfront and talkative
about. If I saw an easy way for MS to correct the shortcomings I would
probably spout until they did, I unfortunately do not so will remain mum
except that it is possible and people should be careful on who they make
domain admins or give local logon access rights on a DC to. Once more...
Domains are not security boundaries.

If your enterprise admins do not feel they could be compromised, not many
words you can use to convince them otherwise, they would have to see it or
finally "see the light". I doubt proving the fact to them will get you
enterprise admin, most likely it would get domain admin as well as any local
logon rights to a DC removed from you. You could possibly, depending on your
org, talk them into letting you have your own forest. That may even be
tough.

You can't fully protect a DC or a domain. However you should handle the easy
ones like being very tight on who can log on or control services on a DC and
who the admins are. The goal is to make it as difficult as possible to
someone trying to do you harm while still maintaining needed functionality.
There are some things that you have to make a very hard call on, be insecure
or not allow someone functionality they think they need. I've had lots of
people tell me they needed to be admins on domains, my security model has
never been one though that I think their functionality requires reducing
security. 

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

You mean writing oneself into a GC in the root domain? It's my understanding
that GCs have a subset of all AD, but only have a read-only version of the
domain partition they are not a member of. So I couldn't just write myself
into a GC in my domain for a uni group from another domain, no?
As stated earlier, I don't want to "hack" my AD forest so please don't
divulge any info you feel is compromising to AD security. I just want to be
clear on and learn some AD internals I can't really seem to find in any
book. I guess this is one of them, so if you can clarify without giving away
a hack or hole, that would be great (if that's at all possible).
thanks

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 1:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Basically, it's because the GC (which is the same on all domain controllers
within a forest) is writable on every domain, anyone with Domain Admin privs
can write themselves into Universal Groups - one of which is Enterprise
Admins - through a relatively trivial process (there are scripts available
on the Internet, I believe).

Last I checked, that means the child domain admin now has what amounts to
local admin rights on every DC in every domain in the forest. In other
words, they now 0wn your forest.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis

RE: [ActiveDir] OT: Research Question

2004-05-13 Thread DL.ActiveDirectory

No, it's quite alright. One of the
assignments I had this week was "ask programmers and IT professionals
what factors in business are most important to them and why." So I went
and asked all the ones I knew. I'm using all the answers to formulate the
results for class.

Mitch

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 2:34 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

Maybe I've misunderstood the question.  You're asking for an answer to the question?

From: DL.ActiveDirectory
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Yes, but having live data
from people I 'know' (so to speak) makes this a much more personal assignment,
and one that I am more likely to get a good grade on since I have a kindred
feeling for the research data.

I am using ALL the
answers I get, as each one adds a little more to the over all picture. Plus,
this isn't the only list this got posted on. ;)

Mitch

-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 12:44 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

lol. 

Mitch,
you probably want to >insert favorite search engine< for surveys. 
Places like Monster.com, Yahoo.com, Dice.com, etc all keep that kind of
information as well for marketing purposes.  They may share. I'm sure the
bureau of labor and statistics would keep such information as well.  Not
to mention psychological websites, those related to workplace issues (OSHA?)
and industry magazines that also conduct such salary and well-being surveys.

Happy hunting.

Al

From: Zach Huseby
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I
would appreciate any feedback I can get on the following question:

As an IT professional, what factors
in your employment make
a difference to you?  Why?

I really appreciate the time you take to give me some
insight into your world.

Thank you,

Mitch

Noob college student


RE: [ActiveDir] FW: Passwords

2004-05-13 Thread Salandra, Justin A.

I have no errors on that DC, it is up and operational

-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 13, 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Passwords

Sounds to me like one of your FSMO roles is messed up. Is the DC that holds the PDC emulator
down, or messed up?

-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, May 13, 2004 1:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FW: Passwords

Anyone have any ideas why this happens?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: Levine, Jeffrey 
Sent: Thursday, May 13, 2004 12:10 PM
To: Salandra, Justin A.
Cc: Bruno, Thomas
Subject: Passwords

Justin,

Several employees are getting normal
messages to change their passwords, and they proceed to do so.  The
following day they are asked once again to change their password.  Any
reason?  Should they ignore it?  Please advise.

Jeffrey D. Levine 
Accountant
Carmel Richmond Healthcare & Rehabilitation Center
88 Old Town Road 
Staten Island, NY 10304 
Phone: (718) 668-8541 
Fax: (718) 980-6815 
[EMAIL PROTECTED]  

This message is a private communication.  If you
are not the intended recipient, please do not read, copy, or use it and do not
disclose it to others.  Please notify the sender of the delivery error by
replying to this message, and then delete it from your system.  Thank you.


[ActiveDir] TCP Port Blocking

2004-05-13 Thread Mike Hogenauer

Sorry for the newbie sounding question. 

How can I use
Group Policy to block certain ports in all workstation in a certain OU? Ex: for
the SASSER virus it’s recommended to block TCP 5554 9996. I have remote
users that I wanted apply a GP to that will block these ports. 

Thanks 

Mike

Mike Hogenauer
[EMAIL PROTECTED]
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052

425.636.2115
| Fax: 425.497.1149
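The question above asks for a Group Policy way to block the two Sasser ports. Below is an added example, not from the thread, of doing that with the Windows Firewall with Advanced Security cmdlets, which write rules straight into a domain GPO that is then linked to the workstation OU; the domain and GPO names are assumptions. Two caveats a practitioner would want alongside it: TCP 5554 and 9996 are the FTP and remote-shell listeners that Sasser opens on a host it has already infected, while the infection itself arrives over TCP 445 through the LSASS flaw fixed by MS04-011, so these rules limit further spread from an infected machine but do not replace the patch; and a rule stored in a GPO reaches a remote user's laptop only when that laptop can contact a domain controller to refresh policy.

```powershell
# Added example (not from the thread): create inbound block rules for the
# Sasser listener ports and store them in a domain GPO, so every computer in
# the OU the GPO is linked to picks them up at the next policy refresh.
# Requires the NetSecurity module (Windows 8 / Server 2012 and later) and
# edit rights on the GPO. Domain and GPO names below are hypothetical.
$Domain  = 'corp.example'
$GpoName = 'Workstation Firewall'

# Open the GPO's firewall policy store once. Rules are written into the
# session and committed with Save-NetGPO, which is one write to the DC
# instead of one per rule.
$session = Open-NetGPO -PolicyStore "$Domain\$GpoName"

$rules = @(
    @{ Name = 'Block Sasser FTP listener (TCP 5554)';   Port = 5554 },
    @{ Name = 'Block Sasser shell listener (TCP 9996)'; Port = 9996 }
)

foreach ($r in $rules) {
    # Block rules take precedence over allow rules in Windows Firewall, so
    # this holds even if some application has opened the port for itself.
    New-NetFirewallRule -GPOSession $session `
        -DisplayName $r.Name `
        -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort $r.Port `
        -Profile Any -Enabled True | Out-Null
}

Save-NetGPO -GPOSession $session

# Verify on a workstation after 'gpupdate /force': the rules should show up
# in the active store with PolicyStoreSourceType = GroupPolicy.
Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object { $_.DisplayName -like 'Block Sasser*' } |
    Select-Object DisplayName, Enabled, Action, PolicyStoreSourceType
```

The same rules can be created by hand under Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security in the GPO editor; the script form is easier to hand to an operations team that has to add a port quickly when a new variant appears.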

 








RE: [ActiveDir] OT: Research Question

2004-05-13 Thread Lou Vega

1) Pay is definitely nice.

2) I like the challenges involved with my
job. (You want a 700 OU AD structure with decentralized web based
administration when?)

3) Lots of cool “toys” in the
lab (blades, SANs, Coops, and a dual AMD 64bit processor test boxen with green
neon lights and a see-through case!)

4) I get to wear a hat (currently my MCSD
one, but last week was my NASA one)

5) A lot of what I do is seen as PFM (and *sometimes* it’s better left
unexplained!)

Some things that stink

1) the lab has no windows – I’ve
thought about a small web enabled video camera installed outside the building
so I can “surf” to see what it’s like outside from my desktop
or the server racks.

2) The refrigerator does not automatically
restock itself with Mt. Dew when it runs low.

-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Thursday, May 13, 2004 2:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

1. Pay
2. Benefits
3. Flexibility

From:
DL.ActiveDirectory [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Paydays?

Thank you, 
Mitch Lawrence 

-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zach Huseby
Sent: Thursday, May 13, 2004 11:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I
would appreciate any feedback I can get on the following question:

As an IT professional, what factors
in your employment make
a difference to you?  Why?

I really appreciate the time you take to give me some
insight into your world.

Thank you,

Mitch

Noob college student


RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

2004-05-13 Thread AD
Believe it or not Mike I gave that idea a lot of thought. NSLookup -t NS 
DomainName.com. But I would have to create a shell object, capture the output to a 
file and then parse it. Not the cleanest solution.

I was hoping to find an object that will kinda do it all.

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Thu 5/13/2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Couldn't you just query DNS (ie, nslookup aa.bb.cc) and look at the IPs returned?

Mike Thommes

-Original Message-
From: AD [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Hey Guys,

I am looking for a vb script or vb.net code that would return domain controllers 
(names or ip addresses) of a specific domain name on a workstation that is NOT member 
of the domain.

When you add a computer to a domain (right click "my computer", properties, Computer 
Name, Change) you specify a domain name. When you click on ok it will ask you for a 
username and password right? When you click "ok" the computer must talk with a domain 
controller to add your computer to the domain right? I basically need that 
functionality.

Thank you in advance.


Yves St-Cyr

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
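The poster wants a programmatic way, from a machine that is not a domain member, to find the domain controllers of a given domain, and the nslookup suggestion is close: the Windows DC locator itself asks DNS for the `_ldap._tcp.dc._msdcs.<domain>` SRV records, and a non-member host can do exactly that without credentials. The following is an added example, not from the thread, in PowerShell rather than the VBScript asked about; it also shows the .NET `System.DirectoryServices.ActiveDirectory` route, which VB.NET code can call as well. The domain name at the bottom is an assumption.

```powershell
# Added example (not from the thread). Lists the domain controllers of a
# domain from a machine that is NOT a member of it, the same way the Windows
# DC locator does: query DNS for the _ldap._tcp.dc._msdcs.<domain> SRV records.
# Only DNS reachability to the domain's name servers is needed; no credentials.
# Requires the DnsClient module (Windows 8 / Server 2012 and later).
# The domain name used in the call at the bottom is hypothetical.
function Get-DomainControllerFromDns {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Site,          # optional: only DCs registered for this AD site
        [switch] $GlobalCatalog  # look for _gc (port 3268) instead of _ldap (389)
    )
    $service = if ($GlobalCatalog) { '_gc' } else { '_ldap' }
    $name = if ($Site) { "$service._tcp.$Site._sites.dc._msdcs.$Domain" }
            else       { "$service._tcp.dc._msdcs.$Domain" }

    # One query; the answer usually carries the A/AAAA glue for each target too.
    $answer = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop

    $glue = @{}
    foreach ($rr in $answer | Where-Object { $_.Type -in 'A','AAAA' }) {
        $k = $rr.Name.ToLower()
        if (-not $glue.ContainsKey($k)) { $glue[$k] = @() }
        $glue[$k] += $rr.IPAddress
    }

    foreach ($srv in $answer | Where-Object { $_.Type -eq 'SRV' }) {
        $target = $srv.NameTarget
        $ips = $glue[$target.ToLower()]
        if (-not $ips) {
            # Glue was not returned: resolve the host name separately.
            $ips = (Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue).IPAddress
        }
        [pscustomobject]@{
            Host     = $target
            Port     = $srv.Port
            Priority = $srv.Priority   # clients prefer the lowest priority...
            Weight   = $srv.Weight     # ...and pick among equal priorities by weight
            IP       = @($ips) -join ','
        }
    }
}

# Second route, still from a non-member host: let .NET's own locator do the
# work. This is the System.DirectoryServices.ActiveDirectory API that VB.NET
# code can call too; it needs LDAP/RPC reachability and a set of credentials.
function Get-DomainControllerFromDirectory {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    Add-Type -AssemblyName System.DirectoryServices
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
        'Domain', $Domain, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $dom.DomainControllers | Select-Object Name, IPAddress, SiteName
}

Get-DomainControllerFromDns -Domain 'corp.example' |
    Sort-Object Priority, Weight | Format-Table -AutoSize
```

Querying the SRV records rather than the domain's A records matters because the A records for the domain name are registered by DCs too, but carry no port, priority or weight and do not distinguish global catalogs from plain DCs; the `_msdcs` subtree is what the join code in the dialog the poster describes actually uses.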



RE: [ActiveDir] OT: Research Question

2004-05-13 Thread joe

Hmm 

Salary (being paid is a way of being told job well done)
Coworkers (getting paid a lot doesn't help much if you have sucky co-workers)
Management (Bad management can make no amount of money enough after a while)
Influence (hard to state this one, basically having input into what is being done and knowing it will be considered)

  joe

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Yes, but having live data from people I ‘know’ (so to speak) makes this a much more personal 
assignment, and one that I am more likely to get a good grade on since I have a 
kindred feeling for the research data.

I am using ALL the answers I get, as each one adds a little more to the over all picture. Plus, 
this isn’t the only list this got posted on. ;)

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 12:44 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

lol. 

Mitch, you 
probably want to >insert favorite search engine< for surveys.  Places 
like Monster.com, Yahoo.com, Dice.com, etc all keep that kind of information as 
well for marketing purposes.  They may share. I'm sure the bureau of labor 
and statistics would keep such information as well.  Not to mention 
psychological websites, those related to workplace issues (OSHA?) and industry 
magazines that also conduct such salary and well-being 
surveys.

Happy hunting.

Al

From: Zach Huseby [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,
I am doing research for a college 
project, and I would appreciate any feedback I can get on the following 
question:
As an IT professional, what factors in your employment make a difference to you?  Why?
I really appreciate the time you take to give me some insight into your world.
Thank you,
Mitch
Noob college student


RE: [ActiveDir] OT: Research Question

2004-05-13 Thread Mulnick, Al

Maybe I've misunderstood the question.  You're asking for an answer to the question?

From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Yes, but having live data from people I 'know' (so to speak) makes this a much more personal 
assignment, and one that I am more likely to get a good grade on since I have a 
kindred feeling for the research data.

I am using ALL the answers I get, as each one adds a little more to the over all picture. Plus, 
this isn't the only list this got posted on. ;)

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 12:44 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

lol. 

Mitch, you 
probably want to >insert favorite search engine< for surveys.  Places 
like Monster.com, Yahoo.com, Dice.com, etc all keep that kind of information as 
well for marketing purposes.  They may share. I'm sure the bureau of labor 
and statistics would keep such information as well.  Not to mention 
psychological websites, those related to workplace issues (OSHA?) and industry 
magazines that also conduct such salary and well-being 
surveys.

Happy hunting.

Al

From: Zach Huseby [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,
I am doing research for a college 
project, and I would appreciate any feedback I can get on the following 
question:
As an IT professional, what factors in your employment make a difference to you?  Why?
I really appreciate the time you take to give me some insight into your world.
Thank you,
Mitch
Noob college student


RE: [ActiveDir] SMS 2003

2004-05-13 Thread Jones, Rick J.(Desktop Engineering)

I know the feeling, we have been tasked
with making sure we are only deploying to client levels that are within certain
specs.

We have developed scripting methods used
as a domain startup script to install the client only on systems that are W2K,
XP with CPU speed > 200 and Memory > 128 and HDD Space > 50MB.

I don’t know of any other way myself
to make SMS limit the install to our requirements without a scripted method of
some sort.  This is what we are doing.

Rick J. Jones
Desktop Engineering Resource Group
http://www.attwireless.com
Bothell 6
Cube 1151B
Phone:425-288-6240 

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Thursday, May 13, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SMS 2003

Here's a script to get the OS. It'll give you a start.

http://www.myitforum.com/articles/11/view.asp?id=7108

BTW: You could also utilize remote installation, which would auto-detect the OS.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Thursday, May 13, 2004 1:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SMS 2003

This means that I would have to take a group of computers and manually push the client.  I like setting up
automation, makes my job easier.

S 

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Thursday, May 13, 2004 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SMS 2003

Why not just use targeted Client Push?

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Thursday, May 13, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SMS 2003

Is anyone using SMS 2003 with an AD2003 domain?  I am trying to create a logon script to detect the client’s
OS and install the appropriate SMS Client.  I need some scripting help, if
someone would be willing.  It is not going extremely well. :-(

Thanks,
S
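Rick's approach at the top of this thread, a domain startup script that checks the machine against the OS, CPU, RAM and disk thresholds before it installs the client, is the kind of gate Steve is asking for. Here it is as an added example, not from the thread, written in PowerShell for a GPO computer startup script; the thresholds are parameters so the same script can gate any agent rollout. The installer share, its arguments and the log path are assumptions, while `CcmExec` is the real service name of the SMS Agent Host, which is what makes the script safe to leave linked to the OU.

```powershell
# Added example (not from the thread). A computer startup script, assigned via
# GPO, that installs the SMS/ConfigMgr client only when the machine meets the
# prerequisites from the thread (OS level, CPU speed, RAM, free disk). Runs as
# SYSTEM, so the share must grant Domain Computers read access. The share
# path, installer arguments and log path are hypothetical; 'CcmExec' is the
# SMS Agent Host service name.
param(
    [string] $Installer   = '\\sms01.corp.example\SMSClient\ccmsetup.exe',
    [string] $InstallArgs = '/mp:sms01.corp.example SMSSITECODE=AUTO',
    [string] $Log         = "$env:SystemRoot\Temp\client-prereq.log",
    [version]$MinOs       = '5.0',   # Windows 2000, as in the thread; raise for modern fleets
    [int]    $MinCpuMHz   = 200,
    [int]    $MinRamMB    = 128,
    [int]    $MinFreeMB   = 50
)

function Write-Log([string] $Message) {
    "$(Get-Date -Format s) $env:COMPUTERNAME $Message" | Add-Content -Path $Log
}

function Test-ClientPrerequisite {
    # Returns the list of failed checks; an empty list means install may proceed.
    $os   = Get-CimInstance Win32_OperatingSystem
    $cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    $failed = @()
    if ([version]$os.Version -lt $MinOs)   { $failed += "OS $($os.Version) < $MinOs" }
    if ($cpu.MaxClockSpeed -lt $MinCpuMHz) { $failed += "CPU $($cpu.MaxClockSpeed) MHz < $MinCpuMHz" }
    $ramMB = [math]::Floor($os.TotalVisibleMemorySize / 1KB)   # WMI reports KB
    if ($ramMB -lt $MinRamMB)              { $failed += "RAM $ramMB MB < $MinRamMB" }
    $freeMB = [math]::Floor($disk.FreeSpace / 1MB)             # bytes
    if ($freeMB -lt $MinFreeMB)            { $failed += "Free $freeMB MB < $MinFreeMB" }
    return $failed
}

# Idempotent: a machine that already runs the agent is left alone, so the
# script can stay linked to the OU and will only ever act on new machines.
if (Get-Service -Name CcmExec -ErrorAction SilentlyContinue) {
    Write-Log 'client already installed; nothing to do'
    return
}

$failed = Test-ClientPrerequisite
if ($failed.Count -gt 0) {
    # Below spec: record why, so the skipped machines can be reported on.
    Write-Log ('skipped: ' + ($failed -join '; '))
    return
}

Write-Log "installing from $Installer"
$p = Start-Process -FilePath $Installer -ArgumentList $InstallArgs -Wait -PassThru
Write-Log "installer exited with $($p.ExitCode)"
```

A startup script runs before any user logs on and under the machine account, which is why this belongs under Computer Configuration rather than in a logon script: the install needs administrative rights the logged-on user usually does not have, and the prerequisite log ends up on the machine regardless of who uses it.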










RE: [ActiveDir] A root dc question

2004-05-13 Thread joe
There are multiple vectors which one could utilize. Discussing any of them
probably isn't good because we don't have methods to protect against them
except to limit who gets access to what in the first place and even that is
not a guarantee, just puts that much more burden on the person trying to do
damage. Ditto for various simple (and complex) D.O.S. techniques. I know of
some real doozies but you won't catch me uttering them anywhere near a
public forum and usually not even in private except with a very small closed
set of people who I am positive have my back and would treat the info the
same. The info isn't NDA but it actually isn't something I want people
knowing about simply from the point of safety of me, myself, and my butt.
This is one of the few things I am not all about being upfront and talkative
about. If I saw an easy way for MS to correct the shortcomings I would
probably spout until they did, I unfortunately do not so will remain mum
except that it is possible and people should be careful on who they make
domain admins or give local logon access rights on a DC to. Once more...
Domains are not security boundaries.

If your enterprise admins do not feel they could be compromised, not many
words you can use to convince them otherwise, they would have to see it or
finally "see the light". I doubt proving the fact to them will get you
enterprise admin, most likely it would get domain admin as well as any local
logon rights to a DC removed from you. You could possibly, depending on your
org, talk them into letting you have your own forest. That may even be
tough.

You can't fully protect a DC or a domain. However you should handle the easy
ones like being very tight on who can log on or control services on a DC and
who the admins are. The goal is to make it as difficult as possible to
someone trying to do you harm while still maintaining needed functionality.
There are some things that you have to make a very hard call on, be insecure
or not allow someone functionality they think they need. I've had lots of
people tell me they needed to be admins on domains, my security model has
never been one though that I think their functionality requires reducing
security. 

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

You mean writing oneself into a GC in the root domain? It's my understanding
that GCs have a subset of all AD, but only have a read-only version of the
domain partition they are not a member of. So I couldn't just write myself
into a GC in my domain for a uni group from another domain, no?
As stated earlier, I don't want to "hack" my AD forest so please don't
divulge any info you feel is compromising to AD security. I just want to be
clear on and learn some AD internals I can't really seem to find in any
book. I guess this is one of them, so if you can clarify without giving away
a hack or hole, that would be great (if that's at all possible).
thanks

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 1:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Basically, it's because the GC (which is the same on all domain controllers
within a forest) is writable on every domain, anyone with Domain Admin privs
can write themselves into Universal Groups - one of which is Enterprise
Admins - through a relatively trivial process (there are scripts available
on the Internet, I believe).

Last I checked, that means the child domain admin now has what amounts to
local admin rights on every DC in every domain in the forest. In other
words, they now 0wn your forest.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: Kern, Tom [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 10:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> How would one force an escalation of privileges? Is this just taking 
> advantage of a security hole in AD? Or is this standard ability? A 
> backdoor to prevent a lockout, like the ability to change a domain 
> admin pw if you're physically at the machine with a Linux boot disk?
> And if it's a flaw, why hasn't it been fixed by MS?
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 9:41 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> 
> You'd be very, very wrong. Through *standard* practices, you're 
> correct.
> However, you have sufficient rights to force an escalation of 
> privileges and insert your account into the Enterprise Admins 
> group
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc
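joe's practical advice above is to be very tight on who the admins are and who can log on to a DC, because a domain admin anywhere in the forest is in effect a forest admin. The check that follows is an added example, not something from the thread or from any of its participants: it enumerates, for every domain in the forest and not only the root, the members of the groups that grant domain control, expands nested groups, flags members whose SID comes from another domain, and diffs the result against the previous run so that a new privileged principal shows up as a line to explain. It assumes the RSAT ActiveDirectory module and read access to each domain; the baseline file path is an assumption.

```powershell
# Added example (not from the thread). Because a domain admin in any domain
# can end up with forest-wide control, this audits the privileged groups in
# EVERY domain of the forest, expanding nested membership so a user buried
# several groups deep still shows up. Requires the RSAT ActiveDirectory module
# and read access to each domain; the baseline path is hypothetical.
Import-Module ActiveDirectory

# Look groups up by well-known RID so a renamed group is not missed.
$forestGroups = @{ 'Enterprise Admins' = 519; 'Schema Admins' = 518 }   # root domain only
$domainGroups = @{ 'Domain Admins' = 512; 'Administrators' = 544 }      # every domain

function Get-PrivilegedMember {
    param([string] $Domain, [hashtable] $Groups)
    $domSid = (Get-ADDomain -Server $Domain).DomainSID.Value
    foreach ($g in $Groups.GetEnumerator()) {
        # Administrators is a builtin alias (S-1-5-32-544); the rest are domain-relative.
        $sid = if ($g.Value -eq 544) { 'S-1-5-32-544' } else { "$domSid-$($g.Value)" }
        try {
            $members = Get-ADGroupMember -Identity $sid -Server $Domain -Recursive -ErrorAction Stop
        } catch {
            # -Recursive fails when a member comes from a trusted forest; fall
            # back to the raw member attribute so nothing is silently dropped.
            $members = (Get-ADGroup -Identity $sid -Server $Domain -Properties member).member |
                ForEach-Object { [pscustomobject]@{ SamAccountName = $_; objectClass = 'unresolved'; SID = $null } }
        }
        foreach ($m in $members) {
            $memberSid = if ($m.SID) { $m.SID.Value } else { '' }
            [pscustomobject]@{
                Domain      = $Domain
                Group       = $g.Key
                Member      = $m.SamAccountName
                MemberClass = $m.objectClass
                MemberSid   = $memberSid
                # A SID outside this domain (and not a builtin) is an admin grant from elsewhere.
                Foreign     = ($memberSid -ne '') -and -not $memberSid.StartsWith("$domSid-") -and
                              -not $memberSid.StartsWith('S-1-5-32-')
            }
        }
    }
}

$forest = Get-ADForest
$report = @(Get-PrivilegedMember -Domain $forest.RootDomain -Groups $forestGroups)
foreach ($d in $forest.Domains) {
    $report += Get-PrivilegedMember -Domain $d -Groups $domainGroups
}

$report | Sort-Object Domain, Group, Member | Format-Table -AutoSize

# Keep a baseline and diff against it on each run: a line present only on the
# right side ('=>') is a principal that gained privilege since the last run.
$baseline = 'C:\audit\privileged-members.csv'
if (Test-Path $baseline) {
    Compare-Object (Import-Csv $baseline) $report -Property Domain, Group, MemberSid |
        Where-Object SideIndicator -eq '=>' | Format-Table -AutoSize
}
$report | Export-Csv -NoTypeInformation -Path $baseline
```

Anything in the output that is not a user account (a computer, a service account, an unresolved DN from another forest) and anything flagged Foreign is worth an explicit justification; the root domain's Enterprise Admins appearing as a Foreign member of each child domain's Administrators group is expected, anything else usually is not.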

RE: [ActiveDir] FW: Passwords

2004-05-13 Thread Douglas M. Long

Sounds to me like one of your FSMO roles is messed up. Is the DC that holds 
the PDC emulator down, or messed up?


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
  Sent: Thursday, May 13, 2004 1:20 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] FW: Passwords
  
  Anyone have any ideas why this happens?
  
  Justin A. Salandra, MCSE
  Senior Network Engineer
  Catholic Healthcare System
  212.752.7300 - office
  917.455.0110 - cell
  [EMAIL PROTECTED]
   
   
  -Original Message-
  From: Levine, Jeffrey 
  Sent: Thursday, May 13, 2004 12:10 PM
  To: Salandra, Justin A.
  Cc: Bruno, Thomas
  Subject: Passwords
  
  Justin,
  
  Several employees are getting 
  normal messages to change their passwords, and they proceed to do so.  
  The following day they are asked once again to change their password.  
  Any reason?  Should they ignore it?  Please 
  advise.
  
  Jeffrey D. Levine 
  Accountant 
  Carmel Richmond Healthcare & Rehabilitation Center 
  88 Old Town Road 
  Staten Island, NY 10304 
  Phone: (718) 668-8541 
  Fax: (718) 980-6815 
  [EMAIL PROTECTED] 
   
   
  This message is a private 
  communication.  If you are not the intended recipient, please do not 
  read, copy, or use it and do not disclose it to others.  Please notify 
  the sender of the delivery error by replying to this message, and then delete 
  it from your system.  Thank you. 
  
   


RE: [ActiveDir] A root dc question

2004-05-13 Thread joe
That one is a little tougher but just by a couple of steps. :op
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 13, 2004 1:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] A root dc question

Heck, while you're at it, may as well mention that anyone with physical
access could gain admin rights, which can gain enterprise admin rights,
which Well, you get the idea.  :) 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 1:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Basically, it's because the GC (which is the same on all domain controllers
within a forest) is writable on every domain, anyone with Domain Admin privs
can write themselves into Universal Groups - one of which is Enterprise
Admins - through a relatively trivial process (there are scripts available
on the Internet, I believe).

Last I checked, that means the child domain admin now has what amounts to
local admin rights on every DC in every domain in the forest. In other
words, they now 0wn your forest.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: Kern, Tom [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 10:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> How would one force an escalation of privileges? Is this just taking 
> advantage of a security hole in AD? Or is this standard ability? A 
> backdoor to prevent a lockout, like the ability to change a domain 
> admin pw if you're physically at the machine with a Linux boot disk?
> And if it's a flaw, why hasn't it been fixed by MS?
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 9:41 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> 
> You'd be very, very wrong. Through *standard* practices, you're 
> correct.
> However, you have sufficient rights to force an escalation of 
> privileges and insert your account into the Enterprise Admins 
> group
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -Original Message-
> > From: Kern, Tom [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 13, 2004 9:16 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] A root dc question
> > 
> > 1. What do you mean by "an admin in any domain has the power of 
> > being an Enterprise admin"? I, being a domain admin of a child 
> > domain, do not have the power to put myself into the Enterprise 
> > admins group. A domain or enterprise admin in the root domain  would 
> > have to do that for me.
> >  
> > Also, as a domain admin in a child domain, I'm kinda limited to the 
> > damage I could do to the forest, no? I mean, I could screw up my 
> > domain royally, but I can't really do anything to screw up the 
> > forest (and completely hosing my domain would only cause replication 
> > errors generated in event logs and some repointing of exchange 
> > servers to different GCs). I can't modify the schema or install an 
> > app that does it for me. I can't link a wrong-headed GPO to a site 
> > or create one on the root or any other domain. I can't create a site 
> > or subnet.
> > And if I crashed and burned all my DCs, wouldn't AD remove them 
> > permanently after 60 days?
> > 
> > I'm sorry to belabour the point here and waste your time, but I 
> > really want to make a good case for our IT dept to have enterprise 
> > admin access and show why multiple separate domain admins for 
> > multiple domains is not a good idea. As well as further my knowledge 
> > of what can and can't be done and what can and can't be screwed up.
> > I'd like to convince everyone that playing nice is in our best 
> > interest.
> > Thanks, and again, I apologize for rehashing old posts.
> > 
> > -Original Message-
> > From: joe [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 13, 2004 8:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] A root dc question
> > 
> > 
> > Wow this is like déjà vu, I swear we went through this whole thought 
> > process a month or two ago on here
> > 
> > The quick summary (no I will not spout the whole thing, it should be 
> > in the
> > archives) of what I recall
> > 
> > 1. An admin in any domain has the power of being an
> Enterprise Admin,
> > domains ARE NOT security boundaries. Each child domain
> should not have
> > different admins because that can result in chaos and possible 
> > danger to the entire forest.
> > 
> > 2. You can not do DR testing with just a child domain. 
> > 
> > 3. Either your corp IT has to be involved with your DR testing or 
> > you should redesign into multiple forests.
> > 
> > 
> > 
> >  
> > 
> > -O

RE: [ActiveDir] A root dc question

2004-05-13 Thread Kern, Tom
You mean writing oneself into a GC in the root domain? It's my understanding that GCs 
have a subset of all AD, but only have a read-only version of the domain partition they 
are not a member of. So I couldn't just write myself into a GC in my domain for a uni 
group from another domain, no?
As stated earlier, I don't want to "hack" my AD forest so please don't divulge any 
info you feel is compromising to AD security. I just want to be clear on and learn some 
AD internals I can't really seem to find in any book. I guess this is one of them, so 
if you can clarify without giving away a hack or hole, that would be great (if that's at 
all possible).
Thanks

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 1:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Basically, it's because the GC (which is the same on all domain controllers
within a forest) is writable on every domain, anyone with Domain Admin privs
can write themselves into Universal Groups - one of which is Enterprise
Admins - through a relatively trivial process (there are scripts available
on the Internet, I believe).

Last I checked, that means the child domain admin now has what amounts to
local admin rights on every DC in every domain in the forest. In other
words, they now 0wn your forest.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: Kern, Tom [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, May 13, 2004 10:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> How would one force an escalation of privileges? Is this just 
> taking advantage of a security hole in AD? Or is this 
> standard ability? A backdoor to prevent a lockout, like the 
> ability to change a domain admin pw if you're physically at 
> the machine with a Linux boot disk?
> And if it's a flaw, why hasn't it been fixed by MS?
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 9:41 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> 
> You'd be very, very wrong. Through *standard* practices, 
> you're correct.
> However, you have sufficient rights to force an escalation 
> of privileges
> and insert your account into the Enterprise Admins group.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -Original Message-
> > From: Kern, Tom [mailto:[EMAIL PROTECTED] 
> > Sent: Thursday, May 13, 2004 9:16 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] A root dc question
> > 
> > 1. What do you mean by "an admin in any domain has the power 
> > of being an Enterprise admin"? I, being a domain admin of a 
> > child domain, do not have the power to put myself into the 
> > Enterprise Admins group. A domain or enterprise admin in the 
> > root domain would have to do that for me.
> >  
> > Also, as a domain admin in a child domain, I'm kinda limited 
> > to the damage I could do to the forest, no? I mean, I could 
> > screw up my domain royally, but I can't really do anything to 
> > screw up the forest (and completely hosing my domain would 
> > only cause replication errors generated in event logs and 
> > some repointing of Exchange servers to different GCs). I 
> > can't modify the schema or install an app that does it for 
> > me. I can't link a wrong-headed GPO to a site or create one 
> > on the root or any other domain. I can't create a site or subnet.
> > And if I crashed and burned all my DCs, wouldn't AD remove 
> > them permanently after 60 days?
> > 
> > I'm sorry to belabour the point here and waste your time, but 
> > I really want to make a good case for our IT dept to have 
> > enterprise admin access and show why multiple separate domain 
> > admins for multiple domains is not a good idea, as well as 
> > further my knowledge of what can and can't be done and what 
> > can and can't be screwed up.
> > I'd like to convince everyone that playing nice is in our 
> > best interest.
> > Thanks, and again, I apologize for rehashing old posts.
> > 
> > -Original Message-
> > From: joe [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 13, 2004 8:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] A root dc question
> > 
> > 
> > Wow this is like déjà vu, I swear we went through this whole 
> > thought process a month or two ago on here
> > 
> > The quick summary (no I will not spout the whole thing, it 
> > should be in the archives) of what I recall
> > 
> > 1. An admin in any domain has the power of being an Enterprise Admin,
> > domains ARE NOT security boundaries. Each child domain should not have
> > different admins because that can result in chaos and 
> > possible danger to the entire forest.

RE: [ActiveDir] OT: Research Question

2004-05-13 Thread Ellis, Debbie
Pay
Benefits
Flexibility

From: DL.ActiveDirectory [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

Paydays?

Thank you,
Mitch Lawrence

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zach Huseby
Sent: Thursday, May 13, 2004 11:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

As an IT professional, what factors in your employment make a difference to you?  Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,

Mitch

Noob college student








RE: [ActiveDir] OT: Research Question

2004-05-13 Thread DL.ActiveDirectory
Yes, but having live data from people I 'know' (so to speak) makes this a much more personal assignment, and one that I am more likely to get a good grade on since I have a kindred feeling for the research data.

I am using ALL the answers I get, as each one adds a little more to the overall picture. Plus, this isn't the only list this got posted on. ;)

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Thursday, May 13, 2004 12:44 PM
Posted To: ~AD Discussion~
Conversation: [ActiveDir] OT: Research Question
Subject: RE: [ActiveDir] OT: Research Question

lol.

Mitch, you probably want to >insert favorite search engine< for surveys.  Places like Monster.com, Yahoo.com, Dice.com, etc all keep that kind of information as well for marketing purposes.  They may share. I'm sure the bureau of labor and statistics would keep such information as well.  Not to mention psychological websites, those related to workplace issues (OSHA?) and industry magazines that also conduct such salary and well-being surveys.

Happy hunting.

Al

From: Zach Huseby [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

As an IT professional, what factors in your employment make a difference to you?  Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,

Mitch

Noob college student








RE: [ActiveDir] OT: Research Question

2004-05-13 Thread James_Day




The 7th and 22nd more or less, and the Quiznos they opened up right
downstairs saving me the 1 block walk to Subway.

James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]

From: "Patrick - IT Department" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 05/13/2004 01:48 PM AST
Please respond to ActiveDir
To: <[EMAIL PROTECTED]>
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] OT: Research Question

The 5th and the 20th for me and being the only guy in the IT dept.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Zach Huseby
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

As an IT professional, what factors in your employment make a difference to you?  Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,

Mitch

Noob college student

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Research Question

2004-05-13 Thread Creamer, Mark
Wook's haiku

 







 








RE: [ActiveDir] SMS 2003

2004-05-13 Thread Rod Trent



Here's a script to get the OS.  It'll give you a start.

http://www.myitforum.com/articles/11/view.asp?id=7108

BTW: You could also utilize remote installation, which would auto-detect the OS.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Thursday, May 13, 2004 1:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SMS 2003

This means that I would have to take a group of computers and manually push the client.  I like setting up automation, makes my job easier.

S

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Thursday, May 13, 2004 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SMS 2003

Why not just use targeted Client Push?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Thursday, May 13, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SMS 2003

Is anyone using SMS 2003 with an AD2003 domain?  I am trying to create a logon script to detect the client's OS and install the appropriate SMS Client.  I need some scripting help, if someone would be willing.  It is not going extremely well. :(

Thanks,
S


RE: [ActiveDir] SMS 2003

2004-05-13 Thread Rich Milburn








If you use ccmsetup in your script, it should automatically install the appropriate client for you, without you having to do anything fancy in your scripting.  That's the preferred way to install the client anyway if you want to do it from a login script... however we have good success with using client push, and have not had to resort to login scripts.  AD2003, SMS2003.

Rich

Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Thursday, May 13, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SMS 2003

This means that I would have to take a group of computers and manually push the client.  I like setting up automation, makes my job easier.

S

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Thursday, May 13, 2004 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SMS 2003

Why not just use targeted Client Push?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Thursday, May 13, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SMS 2003

Is anyone using SMS 2003 with an AD2003 domain?  I am trying to create a logon script to detect the client's OS and install the appropriate SMS Client.  I need some scripting help, if someone would be willing.  It is not going extremely well. :(

Thanks,
S









---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---  PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.


RE: [ActiveDir] DNS issues?

2004-05-13 Thread Mulnick, Al



DNS is set to replicate with the root?  Is it AD integrated?

What result do you get when you use NSLOOKUP from a child domain workstation?

What does your DNS hierarchy look like?  Is it standard parent/child?  etc. child_domain.root_domain.com or something else?

When you say you're replicating zones, are you transferring them both directions?

Lots of questions, but need more answers to figure this out better.

Al

From: Todd L. Graham [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 12:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS issues?

When I do an IP config I'm getting the correct IP addresses listed for the DNS servers.  DNS is set to have the child domains replicate with the root.

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, May 13, 2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS issues?

When you say you're getting the "correct" DNS servers, what do you mean?

Also, are you replicating DNS zones for the child domains between sites? It strikes me like what's really happening is that your child domains don't hold each other's DNS zones, so you can only see the local info.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Todd L. Graham [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:30 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS issues?

I have a problem with my DNS over the WAN and VPN.  Here is the issue.  For some reason DNS will not resolve names over the WAN, or VPN.  I can only connect to resources by IP address.  This problem started when I upgraded my network in January.  We switched to a Cisco IP phone system along with all Cisco gear (VPN concentrator, PIX firewall, switches, routers...lots of money spent).  We also upgraded our network at the same time from W2k to Server 2003.  We have a Point to Point T between our sites and a T1 for internet access here.  We have about 30 people who VPN into the network on the VPN concentrator.  Our AD (I actually run all IT for 3 companies, same owners) is one Root domain with 3 child domains, 1 for each company.  All common resources and user accounts are in the root. Computer accounts and private resources are in each child domain.  The child domains share nothing. Due to the phone system we have several VLANs: one for voice, VPN, Guest, and computer network.

When I am at the other location I can't browse the network, or attach to mapped drives from my logon script (they don't even appear).  I can only attach to resources if I create a new mapped drive by IP address.  When I do an IP config I get all the right DNS servers listed.  I can only ping them by IP address.  The same situation happens when I VPN from home.  We had DNS only on the network.  My Cisco vendor told me it's not their gear.  I added WINS to see if this would help...it did not. Any suggestions on what I could have configured incorrectly?  Could it be the Cisco routers?

Thank you for the help!

Todd Graham
IT Manager
Urell Inc.
617-600-9355
[EMAIL PROTECTED]
   


RE: [ActiveDir] OT: Research Question

2004-05-13 Thread DL.ActiveDirectory
Paydays?

Thank you,
Mitch Lawrence

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zach Huseby
Sent: Thursday, May 13, 2004 11:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

As an IT professional, what factors in your employment make a difference to you?  Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,

Mitch

Noob college student








RE: [ActiveDir] A root dc question

2004-05-13 Thread Mulnick, Al
Heck, while you're at it, may as well mention that anyone with physical
access could gain admin rights, which can gain enterprise admin rights,
which... Well, you get the idea.  :) 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 1:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Basically, it's because the GC (which is the same on all domain controllers
within a forest) is writable on every domain: anyone with Domain Admin privs
can write themselves into Universal Groups - one of which is Enterprise
Admins - through a relatively trivial process (there are scripts available
on the Internet, I believe).

Last I checked, that means the child domain admin now has what amounts to
local admin rights on every DC in every domain in the forest. In other
words, they now 0wn your forest.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: Kern, Tom [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 10:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> How would one force an escalation of privileges? Is this just taking 
> advantage of a security hole in AD? Or is this standard ability? A 
> backdoor to prevent a lockout, like the ability to change a domain 
> admin pw if you're physically at the machine with a Linux boot disk?
> And if it's a flaw, why hasn't it been fixed by MS?
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 9:41 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> 
> You'd be very, very wrong. Through *standard* practices, you're 
> correct.
> However, you have sufficient rights to force an escalation of 
> privileges and insert your account into the Enterprise Admins 
> group.
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -Original Message-
> > From: Kern, Tom [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 13, 2004 9:16 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] A root dc question
> > 
> > 1. What do you mean by "an admin in any domain has the power of 
> > being an Enterprise admin"? I, being a domain admin of a child 
> > domain, do not have the power to put myself into the Enterprise 
> > Admins group. A domain or enterprise admin in the root domain would 
> > have to do that for me.
> >  
> > Also, as a domain admin in a child domain, I'm kinda limited to the 
> > damage I could do to the forest, no? I mean, I could screw up my 
> > domain royally, but I can't really do anything to screw up the 
> > forest (and completely hosing my domain would only cause replication 
> > errors generated in event logs and some repointing of Exchange 
> > servers to different GCs). I can't modify the schema or install an 
> > app that does it for me. I can't link a wrong-headed GPO to a site 
> > or create one on the root or any other domain. I can't create a site 
> > or subnet.
> > And if I crashed and burned all my DCs, wouldn't AD remove them 
> > permanently after 60 days?
> > 
> > I'm sorry to belabour the point here and waste your time, but I 
> > really want to make a good case for our IT dept to have enterprise 
> > admin access and show why multiple separate domain admins for 
> > multiple domains is not a good idea, as well as further my knowledge 
> > of what can and can't be done and what can and can't be screwed up.
> > I'd like to convince everyone that playing nice is in our best 
> > interest.
> > Thanks, and again, I apologize for rehashing old posts.
> > 
> > -Original Message-
> > From: joe [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 13, 2004 8:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] A root dc question
> > 
> > 
> > Wow this is like déjà vu, I swear we went through this whole thought 
> > process a month or two ago on here
> > 
> > The quick summary (no I will not spout the whole thing, it should be 
> > in the archives) of what I recall
> > 
> > 1. An admin in any domain has the power of being an Enterprise Admin,
> > domains ARE NOT security boundaries. Each child domain should not have
> > different admins because that can result in chaos and possible 
> > danger to the entire forest.
> > 
> > 2. You can not do DR testing with just a child domain. 
> > 
> > 3. Either your corp IT has to be involved with your DR testing or 
> > you should redesign into multiple forests.
> > 
> > 
> > 
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> > Sent: Wednesday, May 12, 2004 4:37 PM
> > To: ActiveDir (E-mail)
> > Subject: [ActiveDir] A root dc question
> > 
> > My apologies if this seems basic and/or silly.
> >
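
The thread above keeps coming back to one defensive consequence: if a domain is not a security boundary, the forest owner has to know, at all times, who is effectively in Enterprise Admins and Schema Admins, including anyone who got there through a nested group that a child domain's admins control. The following is an added example, not code from the list or from any poster. It reads a constructed LDIF-style snapshot of each group's `member` attribute (the sort of thing an ldifde export or an LDAP search returns), flattens nested membership, and reports every effective member that is not on a hypothetical approved baseline, noting which intermediate group let them in and whether they come from another domain. All DNs, names and the APPROVED baseline are invented for the example.

```python
"""Audit who is effectively in the forest's privileged groups.

Added example, not code from the thread. Whatever the exact escalation
path, the thread's point stands: a domain is not a security boundary, so
the forest owner has to watch who ends up in Enterprise Admins and
Schema Admins, including members who get there indirectly through a
nested group, possibly one owned by a child domain's admins.

Input is a constructed LDIF-style snapshot of the `member` attribute of
each group. Every DN below is invented; APPROVED is a hypothetical
baseline an organisation would keep.
"""
from collections import deque

SNAPSHOT = """\
dn: CN=Enterprise Admins,CN=Users,DC=corp,DC=example
member: CN=Administrator,CN=Users,DC=corp,DC=example
member: CN=Forest Ops,OU=Groups,DC=corp,DC=example

dn: CN=Forest Ops,OU=Groups,DC=corp,DC=example
member: CN=alice,OU=Staff,DC=corp,DC=example
member: CN=Child Domain Admins,CN=Users,DC=child,DC=corp,DC=example

dn: CN=Child Domain Admins,CN=Users,DC=child,DC=corp,DC=example
member: CN=bob,OU=Staff,DC=child,DC=corp,DC=example
member: CN=Forest Ops,OU=Groups,DC=corp,DC=example

dn: CN=Schema Admins,CN=Users,DC=corp,DC=example
member: CN=Administrator,CN=Users,DC=corp,DC=example
"""

# Hypothetical baseline: the only principals allowed in each group.
APPROVED = {
    "CN=Enterprise Admins,CN=Users,DC=corp,DC=example": {
        "CN=Administrator,CN=Users,DC=corp,DC=example"},
    "CN=Schema Admins,CN=Users,DC=corp,DC=example": {
        "CN=Administrator,CN=Users,DC=corp,DC=example"},
}


def parse_ldif_members(text):
    """Map each group DN to its direct `member` DNs."""
    groups, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # a blank line ends an LDIF entry
            continue
        key, _, value = line.partition(": ")
        if key == "dn":
            current = value
            groups.setdefault(current, [])
        elif key == "member" and current is not None:
            groups[current].append(value)
    return groups


def effective_members(groups, group_dn):
    """Flatten nested membership.

    Returns (principals, via) where via[p] is the group that directly
    contains principal p. Breadth-first with a seen set, so the cycle
    Forest Ops <-> Child Domain Admins in the sample cannot loop.
    """
    seen, principals, via = set(), set(), {}
    queue = deque([group_dn])
    while queue:
        g = queue.popleft()
        for m in groups.get(g, []):
            if m in seen:
                continue
            seen.add(m)
            if m in groups:          # a nested group: descend into it
                queue.append(m)
            else:                    # a user/computer: an effective member
                principals.add(m)
                via[m] = g
    return principals, via


def domain_of(dn):
    """DNS-style domain name from the DC= components of a DN."""
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC="))


def audit(groups, approved):
    """Effective members not on the approved list, with how they got in."""
    findings = []
    for group_dn, allowed in approved.items():
        principals, via = effective_members(groups, group_dn)
        for p in sorted(principals - allowed):
            findings.append({
                "group": group_dn,
                "principal": p,
                "via": via[p],
                "cross_domain": domain_of(p) != domain_of(group_dn),
            })
    return findings


if __name__ == "__main__":
    for f in audit(parse_ldif_members(SNAPSHOT), APPROVED):
        flag = " (from another domain!)" if f["cross_domain"] else ""
        print(f"{f['group']}: unexpected {f['principal']} via {f['via']}{flag}")
```

Run against the sample it reports alice (pulled in through Forest Ops) and bob (pulled in through the child domain's own admins group, which is nested two levels down). Taking such a snapshot on a schedule and diffing it against the baseline is the cheap complement to alerting on the Security log events for universal group membership changes (event 660 on Windows 2000/2003, 4756 on later versions).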

RE: [ActiveDir] OT: Research Question

2004-05-13 Thread Mulnick, Al
lol.

Mitch, you probably want to >insert favorite search engine< for surveys.  Places like Monster.com, Yahoo.com, Dice.com, etc all keep that kind of information as well for marketing purposes.  They may share. I'm sure the bureau of labor and statistics would keep such information as well.  Not to mention psychological websites, those related to workplace issues (OSHA?) and industry magazines that also conduct such salary and well-being surveys.

Happy hunting.

Al

From: Zach Huseby [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

As an IT professional, what factors in your employment make a difference to you?  Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,

Mitch

Noob college student


[ActiveDir] any chance you can turn off read receipts?

2004-05-13 Thread Patrick - IT Department
It's getting annoying

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Elton Gouvêa Pimentel
Sent: Wednesday, May 12, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: RES: [ActiveDir] AD Replication

By using NTDSUTIL I wasn't capable of "seeing" the deleted servers. How should I proceed when using ADSI?

Thanks,

Elton Pimentel.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 12, 2004 11:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Replication

These might be those servers which you have removed for some reason or which are not existing now.
You can use ADSIEDIT or NTDSUTIL to delete these objects permanently and it's always recommended to delete Orphaned Objects.

Good Luck,
Athif

-Original Message-
From: Elton Gouvêa Pimentel [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 12 May 2004 5:48 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD Replication
Importance: High

After running the Status Report on one of my servers I have found the following error:

Directory Partition: DC=grupomagnesita

Partner Name: **DELETED SERVER #23
Partner GUID: D271B00C-3C58-41A7-89AA-8BDBE1CA5E3E
Last Attempted Replication: 5/12/2004 10:46:07 AM (local)
Last Successful Replication: 4/28/2004 5:08:13 PM (local)
Number of Failures:  330
Failure Reason Error Code:  8524
Failure Description: The DSA operation is unable to proceed because of a DNS lookup failure.
Synchronization Flags: DRS_WRIT_REP,DRS_INIT_SYNC,DRS_PER_SYNC
USN of Last Property Updated:  1844895
USN of Last Object Updated:  1844895
Transport:

I also did not like to have the following objects:

Directory Partition: DC=grupomagnesita

Partner Name: **DELETED SERVER #1
Partner GUID: 1E78703D-BB56-4B46-8543-E686A19C6256
USN:  2887160

Partner Name: **DELETED SERVER #2
Partner GUID: 1E8A9C55-D7CD-4165-B6F6-F4E64E275B3C
USN:  930034

Partner Name: **DELETED SERVER #3
Partner GUID: 208797D8-D997-4B0F-9A70-E512D4D21C32
USN:  1647173

Partner Name: **DELETED SERVER #4
Partner GUID: 247D5197-111A-4498-90DD-7A39F67EAE5C
USN:  375753

Does anybody have a clue how to sort this out?

Thanks,

Elton Pimentel.

-

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom/which they are addressed. If you have received this email in error please notify the system manager at the following email address: [EMAIL PROTECTED]. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Al Faisaliah Group. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. The sender therefore does not accept liability for any errors or omissions in the context of this message, which arise as a result of Internet transmission.  Finally, the recipient should check this email and any attachments for the presence of viruses. Al Faisaliah Group accepts no liability for any damage caused by any virus transmitted by this email.

-
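
The replication status report quoted in the thread above is the kind of output worth triaging automatically rather than by eye: the deleted partners, the 8524 DNS lookup failures and the age of the last successful replication each point to a different action. What follows is an added example, not code from the list or from any poster. It parses a report in the same layout as the one quoted (SAMPLE_REPORT is constructed; its GUIDs, USNs and dates are invented) and flags partners that have been deleted, that have not replicated inside the tombstone lifetime, or that fail with 8524. The tombstone lifetime is set to the 60 days mentioned earlier in the thread; later forests default to 180.

```python
"""Triage a replication status report of the kind quoted above.

Added example, not code from the thread. It reads the "Partner Name /
Partner GUID / Last Successful Replication / ..." blocks, then flags
partners that (a) have been deleted, (b) have not replicated successfully
within the tombstone lifetime, or (c) fail with error 8524, the DNS lookup
failure shown in the report. Partners in (a) or (b) are candidates for
metadata cleanup (ntdsutil, or removing the stale NTDS Settings object
with ADSIEDIT, as the reply advises) rather than for repair.

SAMPLE_REPORT is constructed in the same layout as the report in the
thread; its GUIDs, USNs and dates are invented.
"""
from datetime import datetime, timedelta

SAMPLE_REPORT = """\
Directory Partition: DC=example

Partner Name: **DELETED SERVER #23
Partner GUID: 00000000-0000-0000-0000-000000000023
Last Attempted Replication: 5/12/2004 10:46:07 AM (local)
Last Successful Replication: 4/28/2004 5:08:13 PM (local)
Number of Failures:  330
Failure Reason Error Code:  8524
Failure Description: The DSA operation is unable to proceed because of a DNS lookup failure.

Partner Name: DC02
Partner GUID: 00000000-0000-0000-0000-000000000002
Last Attempted Replication: 5/12/2004 10:46:07 AM (local)
Last Successful Replication: 5/12/2004 10:46:07 AM (local)
Number of Failures:  0

Partner Name: DC03
Partner GUID: 00000000-0000-0000-0000-000000000003
Last Attempted Replication: 5/12/2004 10:40:00 AM (local)
Last Successful Replication: 2/1/2004 9:00:00 AM (local)
Number of Failures:  1200
Failure Reason Error Code:  8524
"""

TOMBSTONE_LIFETIME = timedelta(days=60)   # the figure used in the thread
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"         # e.g. 5/12/2004 10:46:07 AM
ERR_DNS_LOOKUP_FAILURE = "8524"
REPORT_TIME = datetime(2004, 5, 13, 12, 0, 0)   # when the sample was read


def parse_report(text):
    """Split the report into one dict per 'Partner Name:' block."""
    partners, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")   # first colon only; times keep theirs
        key, value = key.strip(), value.strip()
        if key == "Partner Name":
            current = {"Partner Name": value}
            partners.append(current)
        elif current is not None:
            current[key] = value
    return partners


def parse_local_time(value):
    """'5/12/2004 10:46:07 AM (local)' -> datetime."""
    return datetime.strptime(value.replace("(local)", "").strip(), DATE_FMT)


def triage(partners, now):
    """Return [(name, guid, [reasons])] for partners that need attention."""
    findings = []
    for p in partners:
        reasons = []
        name = p["Partner Name"]
        if name.startswith("**DELETED"):
            reasons.append("partner object has been deleted")
        last_ok = p.get("Last Successful Replication")
        if last_ok:
            age = now - parse_local_time(last_ok)
            if age > TOMBSTONE_LIFETIME:
                reasons.append(f"no successful replication for {age.days} days "
                               f"(beyond tombstone lifetime)")
        failures = int(p.get("Number of Failures", "0"))
        if failures and p.get("Failure Reason Error Code") == ERR_DNS_LOOKUP_FAILURE:
            reasons.append(f"{failures} failures with 8524: "
                           f"partner name does not resolve in DNS")
        if reasons:
            findings.append((name, p.get("Partner GUID"), reasons))
    return findings


if __name__ == "__main__":
    for name, guid, reasons in triage(parse_report(SAMPLE_REPORT), REPORT_TIME):
        print(f"{name} ({guid}):")
        for r in reasons:
            print("  -", r)
```

On the sample, the deleted partner is flagged for deletion plus its DNS failures, DC03 for both its age and its DNS failures, and the healthy DC02 not at all. The GUID in each finding is the one to match against the NTDS Settings objects when doing the cleanup the reply recommends.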









RE: [ActiveDir] OT: Research Question

2004-05-13 Thread Patrick - IT Department
The 5th and the 20th for me and being the only guy in the IT dept.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zach Huseby
Sent: Thursday, May 13, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Research Question

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,

I am doing research for a college project, and I would appreciate any feedback I can get on the following question:

As an IT professional, what factors in your employment make a difference to you?  Why?

I really appreciate the time you take to give me some insight into your world.

Thank you,

Mitch

Noob college student








RE: [ActiveDir] [OT] Enumerating DCs from a workstation that is not member of domain.

2004-05-13 Thread Lee, Wook



Don't blame me. Guido's been twisting my arm for months to wade in on this list..

Wook

"If you think
  There's no forever,
    Add a class
  Or add an attr."

"Schema Change"

P.S. Crazy hat? What's wrong with my hat? It's a perfectly good hat. Wide brim keeps that sun off; side clips up when I feel like stylin'. Got it at Epcot Center in the Australia section. G'day, Mate ;-) ;-P

From: joe
Sent: Thu 5/13/2004 9:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Enumerating DCs from a workstation that is not member of domain.

Oh no, it's a rampant forest ranger with a penchant for haiku and burma-shave signs... Get him and his crazy hat

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, May 13, 2004 11:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Why wouldn't you just enumerate the domain A records from DNS? Normally, every domain controller registers its address as an A record using the domain name.

Wook Lee

"Once my Valentine,
Her name escapes me like a
Restore mode password."

From: Michael B. Smith
Sent: Thu 5/13/2004 8:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

See recipe 3.8 in "The Active Directory Cookbook" (rallenhome.com).

If you don't have name visibility, then it gets harder.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Thursday, May 13, 2004 9:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Hey Guys,

I am looking for a vb script or vb.net code that would return domain controllers (names or ip addresses) of a specific domain name on a workstation that is NOT member of the domain.

When you add a computer to a domain (right click "my computer", properties, Computer Name, Change) you specify a domain name. When you click on ok it will ask you for a username and password right? When you click "ok" the computer must talk with a domain controller to add your computer to the domain right? I basically need that functionality.

Thank you in advance.

Yves St-Cyr
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
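The lookup the join dialog in Yves's question performs is a DNS query, which is why Wook's DNS answer and Michael's "name visibility" remark are the whole story: a workstation that can resolve the domain's zone can find its DCs without being a member, and so can anyone else on the network, which makes the zone a reconnaissance surface as much as a join prerequisite. The following is an added example, not code from the list, the Cookbook recipe, or Windows itself. It is a stdlib-only Python client that builds the query for the `_ldap._tcp.dc._msdcs.<domain>` SRV records (the record set DC locator asks for; Wook's A records at the domain apex can be fetched the same way with QTYPE A), parses the reply including name compression, and orders the DCs by priority and weight. The domain `example.com`, the DC names and the resolver address are assumed; the reply used offline is constructed by `build_srv_response`.

```python
import socket
import struct

SRV, IN = 33, 1   # QTYPE SRV, QCLASS IN


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Standard query, recursion desired, one SRV question."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", SRV, IN)


def read_name(packet, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2             # the name ends after the first pointer
            offset = struct.unpack(">H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_srv_response(packet):
    """Return [(priority, weight, port, target)] in the order a client should try them."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x0200:
        raise ValueError("truncated; repeat the query over TCP")
    if flags & 0x000F:
        raise ValueError("RCODE %d (3 = the name does not exist)" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = read_name(packet, offset)
        offset += 4
    records = []
    for _ in range(an):
        _, offset = read_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == SRV and rclass == IN:
            prio, weight, port = struct.unpack(">HHH", packet[offset:offset + 6])
            target, _ = read_name(packet, offset + 6)
            records.append((prio, weight, port, target))
        offset += rdlen
    records.sort(key=lambda r: (r[0], -r[1]))   # lowest priority, then heaviest weight
    return records


def build_srv_response(query, records, ttl=600, rcode=0):
    """Constructed reply for offline testing: echoes the question, answers with SRV RRs."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(records), 0, 0)
    answers = b""
    for prio, weight, port, target in records:
        rdata = struct.pack(">HHH", prio, weight, port) + encode_name(target)
        # 0xC00C is a pointer to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack(">HHIH", SRV, IN, ttl, len(rdata)) + rdata
    return header + query[12:] + answers


def enumerate_dcs(domain, resolver, timeout=3.0):
    """Ask `resolver` for the domain's DC SRV records over UDP (this one needs the network)."""
    query = build_srv_query("_ldap._tcp.dc._msdcs." + domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_srv_response(data)


if __name__ == "__main__":
    # Offline round trip with an assumed domain; enumerate_dcs("example.com", "<dns server ip>") goes live.
    q = build_srv_query("_ldap._tcp.dc._msdcs.example.com")
    reply = build_srv_response(q, [(0, 100, 389, "dc1.example.com"), (10, 100, 389, "dc2.example.com")])
    for rec in parse_srv_response(reply):
        print(rec)
```

Two things worth keeping from this when doing it for real: an RCODE 3 reply means the resolver cannot see the `_msdcs` zone at all (Michael's "no name visibility" case), and a reply with the TC bit set means the domain has more DCs than fit in a 512-byte UDP answer, so the same query has to be repeated over TCP port 53.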



[ActiveDir] Verifying Site and Subnet Behavior one more time.

2004-05-13 Thread Myrick, Todd (NIH/CIT)
Let's say my organization has a Class B network.

129.169.0.0/16

So I create a subnet object for 129.169.0.0/16 and associate it with site A.

Then my organization starts to subnet the 129.169 network, and I now have a
network that needs its own site. So I create a subnet object 129.169.1.0/24
and assign it to site B.

Assuming a single domain model, and site links and bridges are established
to make hosts in either site able to authenticate and get directed to the
proper DCs.

A host on the 129.169.1 network will normally authenticate to DCs in Site
B.

And all other hosts on all other networks will normally authenticate to Site
A.

What I am trying to get at is: is it okay to have a subnet object for the
network ID, and then only require subnet objects for those subnets that need
to be isolated by sites?

Thanks,

Todd

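The behaviour Todd is asking about, as an added example that is not from the post or from AD's own code: AD maps a client to the site of the most specific subnet object that contains its address, so a /16 catch-all for the network ID plus carved-out /24s for the sites that need isolating behaves exactly as he describes. The table below is constructed from the post's two subnets; the site names SiteA and SiteB are assumed. The `strict=True` parse mirrors the way AD rejects a subnet object whose address has host bits set, and `unsited_hosts` covers the case the layout is meant to avoid: a client no subnet object covers gets no site-specific DC locator answer and shows up in the NETLOGON 5807 events on the DCs.

```python
import ipaddress

# Constructed subnet-object table modelled on the post: the whole Class B
# assigned to site A, one carved-out /24 assigned to site B.
SUBNET_OBJECTS = {
    "129.169.0.0/16": "SiteA",
    "129.169.1.0/24": "SiteB",
}


def build_site_table(subnet_objects):
    """Parse the subnet objects once, most specific prefix first.

    strict=True mirrors AD, which rejects a subnet object whose address has
    host bits set (129.169.1.5/24 is not a valid subnet object).
    """
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in subnet_objects.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_host(ip, table):
    """Longest-prefix match: the most specific subnet object containing ip wins."""
    addr = ipaddress.ip_address(ip)
    for network, site in table:
        if addr in network:
            return site
    return None          # no subnet object covers this host


def matching_subnets(ip, table):
    """Every subnet object containing ip, most specific first (index 0 wins)."""
    addr = ipaddress.ip_address(ip)
    return [(str(network), site) for network, site in table if addr in network]


def unsited_hosts(ips, table):
    """Hosts no subnet object covers; DCs log these (NETLOGON event 5807) and
    give them no site-specific DC locator answer."""
    return [ip for ip in ips if site_for_host(ip, table) is None]


if __name__ == "__main__":
    table = build_site_table(SUBNET_OBJECTS)
    for host in ("129.169.1.77", "129.169.2.5", "10.1.2.3"):
        print(host, "->", site_for_host(host, table), matching_subnets(host, table))
```

`matching_subnets` is the thing to run when a client lands in an unexpected site: it shows every subnet object the address falls under and which one won, which is usually enough to spot a stale or overly broad subnet object.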


RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

2004-05-13 Thread Myrick, Todd (NIH/CIT)

Okay, I will double check…

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Ok so you have the actual DN of the object in the GC and you went to look at that actual DN in the default context and it isn't there? I am simply asking because the ADC/Exchange can dork things around a bit and you may see one name and think you are looking at the right thing from the GAL yet the real object name is something different. The GAL is displaying (I believe) the displayName. You can easily have an object with the displayName of "Myrick, Todd (NIH/CIT)" yet have the username be something like TODDISCOOL.

I just wanted to be really sure before sending you down the lingering objects direction because that means other bad things like Al says, something isn't right, and this isn't your main problem, it is simply a symptom.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, May 13, 2004 9:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Joe, the account doesn't exist in the child domain, and I haven't found a reference to it in any domains.

The GC entry points to NTDS://IC.NIH.GOV/Users/ when I use the AD Search command. So the entry in the GCs thinks the account is located in the child domain where there is no account for that user any longer.

Any idea how to scrub the GCs? I have tried using LDP like the Q articles say, but it seems once a GC thinks an entry is in a specific location, it really has a hard time wanting to get rid of it.

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Todd, are you absolutely positive it doesn't exist in AD or maybe it simply isn't in the location you are expecting? The -1 issue is as Al indicated an ADC match issue. It sees something on the AD side and can't match it to the 5.5 side so it creates an object in 5.5. Then depending on how your ADC is configured it can pop something back on the AD side. Usually the ADC is configured to be able to create objects in certain OUs/containers that may be different from where you are used to looking.

I would also check multiple DCs in that child domain for the object. Most likely I would test every DC. Here is a little perl script that makes that fairly easy...

# ALLDC: run one command against every DC in a domain. The placeholder that
# marks where the DC name goes in $command was lost when this message was
# archived (most likely stripped as an HTML tag); <DC> is assumed here and is
# not from the original, and the same token is missing from the usage lines
# below.
$domain=shift;
$command=shift;

print "\nALLDC V01.00.00pl Joe Richards ([EMAIL PROTECTED]) November 2001\n\n";
if (!$domain or !$command)
 {
  print "USAGE: ALLDC domain command\n\n";
  exit;
 }

# nltest /dclist prints one line per DC with its site; keep the lines that
# name a DC, strip everything but the name, and uppercase it.
@output=`nltest /dclist:$domain 2>&1`;
@tmp=grep(/site/i,@output);
chomp @tmp;
map($_=~s/\s+([\w.]+).+/$1/,@tmp);
map($_=uc($_),@tmp);

print "Domain: $domain\n";
print "Command: $command\n";
$cnttot=0;
foreach $this (sort @tmp)
 {
  $cnttot++;
  print "  $this...\n";
  $tmpcmd=$command;
  $tmpcmd=~s/<DC>/$this/ig;   # substitute the current DC for the placeholder
  print "[$tmpcmd]\n";
  @output=`$tmpcmd 2>&1`;
  print "@output\n";
  print "x"x80,"\n\n";
 }
print "\n";
print "Total Domain Controllers: $cnttot\n";

 

Note that this is a very quick and dirty script, just intended to give some quick functionality to do something against all DCs in a domain.

Anyway, I would do something like

alldc domain.com "adfind -h  -default -f name=idname -dn"

If you need to put quotes in the command you want to run against every server then do it something like

alldc domain.com "adfind -h  -default -f \"name=idname\" -dn"

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, May 12, 2004 7:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

I tried what is described in the KB 314282 article, but only tried it on port 389 like the instructions said.

The problem I have is that the object and GUID no longer exist at all in the original child domain. So I am wondering, since it is all the GCs that have the lingering read-only object, should I run the clean-up process using LDP and the RemoveLingeringObjects option on the GCs on port 3268? I tried doing it on port 389, and it didn't work.

I will definitely post my results once I figure out how to do this.

Todd

From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 12, 2004 4:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Todd-

Not sure if this will work for you or not:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314282

There was a similar thread back in January or so; this is the tail end http://www.mail-archive.com/[EMAIL PROTECTED]/msg13088.html and you can do alternate searches to get the full

[ActiveDir] FW: Passwords

2004-05-13 Thread Salandra, Justin A.

Anyone have any ideas why this happens?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: Levine, Jeffrey
Sent: Thursday, May 13, 2004 12:10 PM
To: Salandra, Justin A.
Cc: Bruno, Thomas
Subject: Passwords

Justin,

Several employees are getting normal messages to change their passwords, and they proceed to do so. The following day they are asked once again to change their password. Any reason? Should they ignore it? Please advise.

Jeffrey D. Levine
Accountant
Carmel Richmond
Healthcare & Rehabilitation Center
88 Old Town Road
Staten Island, NY 10304
Phone: (718) 668-8541
Fax: (718) 980-6815
[EMAIL PROTECTED]

This message is a private communication. If you are not the intended recipient, please do not read, copy, or use it and do not disclose it to others. Please notify the sender of the delivery error by replying to this message, and then delete it from your system. Thank you.

RE: [ActiveDir] SMS 2003

2004-05-13 Thread Steve Shaff

This means that I would have to take a group of computers and manually push the client. I like setting up automation, makes my job easier.

S

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Thursday, May 13, 2004 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SMS 2003

Why not just use targeted Client Push?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Thursday, May 13, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SMS 2003

Is anyone using SMS 2003 with an AD2003 domain? I am trying to create a logon script to detect the client's OS and install the appropriate SMS Client. I need some scripting help, if someone would be willing. It is not going extremely well. :(

Thanks,
S

RE: [ActiveDir] AD Replication

2004-05-13 Thread Lou Vega

Thanks for that e-mail sig, I haven't laughed at a sig in a while :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, May 13, 2004 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Replication

How long have these things been around? Normally, AD will retain references to a deleted DSA for 0.5 X tombstone-expiry. If you really want to clean them up, then you'd need to use one of the expert switches in repadmin to tell the KCC to remove all of the connection objects and let it rebuild the connections. ADSS isn't going to expose the deleted DSA connections, so it won't really help.

Wook

"Once my Valentine,
  Her name escapes me like a
    Restore mode password."

RE: [ActiveDir] A root dc question

2004-05-13 Thread Roger Seielstad
Basically, it's because the GC (which is the same on all domain controllers
within a forest) is writable on every domain, anyone with Domain Admin privs
can write themselves into Universal Groups - one of which is Enterprise
Admins - through a relatively trivial process (there are scripts available
on the Internet, I believe).

Last I checked, that means the child domain admin now has what amounts to
local admin rights on every DC in every domain in the forest. In other
words, they now 0wn your forest.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: Kern, Tom [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, May 13, 2004 10:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> how would one force an escalation of privileges? is this just 
> taking advantage of a security hole in AD? or is this 
> standard ability? a backdoor to prevent a lockout, like the 
> ability to change a domain admin pw if you're physically at 
> the machine with a linux boot disk?
> and if its a flaw, why hasn't it been fixed by MS?
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 9:41 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> 
> You'd be very, very wrong. Through *standard* practices, 
> you're correct.
> However, you have sufficient rights to force an escalation 
> of privileges
> and insert your account into the Enterprise Admins group
> 
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -Original Message-
> > From: Kern, Tom [mailto:[EMAIL PROTECTED] 
> > Sent: Thursday, May 13, 2004 9:16 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] A root dc question
> > 
> > 1. what do you mean by "an admin in any domain has the power 
> > of being an Entrprise admin"? i, being a domain admin of a 
> > child domain, do not have the power to put myself into the 
> > Enterprise admins group. A domain or enterprise admin in the 
> > root domain  would have to do that for me.
> >  
> > Also, as a domain admin in a child domain, i'm kinda limited 
> > to the damage i could do to the forest, no?I mean, i could 
> > screw up my domain royally, but i can't really do anything to 
> > screw up the forest( and completly hosing my domain would 
> > only cause replication errors generated in event logs and 
> > some repointing of exchange servers to different GC's). i 
> > can't modify the schema or install an app that does it for 
> > me. i can't link a wrong headed GPO to a site or create one 
> > on the root or any other domain. i can't create a site or subnet.
> > And if a crashed and burned all my DC's wouldn't AD remove 
> > them permanently after 60 days?
> > 
> > I'm sorry to belabour the point here and waste your time, but 
> > i really want to make a good case for our IT dept to have 
> > enterprise admin access and show why multiple separate domain 
> > admins for multiple domains is not a good idea. as well as 
> > further my knowledge of what can and can't be done and what 
> > can and can't be screwed up.
> > i'd like to convince everyone that playing nice is in our 
> > best interest.
> > thanks, and again, i apologize for rehashing old posts.
> > 
> > -Original Message-
> > From: joe [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 13, 2004 8:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] A root dc question
> > 
> > 
> > Wow this is like déjà vu, I swear we went through this whole 
> > thought process
> > a month or two ago on here
> > 
> > The quick summary (no I will not spout the whole thing, it 
> > should be in the
> > archives) of what I recall
> > 
> > 1. An admin in any domain has the power of being an 
> Enterprise Admin,
> > domains ARE NOT security boundaries. Each child domain 
> should not have
> > different admins because that can result in chaos and 
> > possible danger to the
> > entire forest.
> > 
> > 2. You can not do DR testing with just a child domain. 
> > 
> > 3. Either your corp IT has to be involved with your DR 
> > testing or you should
> > redesign into multiple forests. 
> > 
> > 
> > 
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> > Sent: Wednesday, May 12, 2004 4:37 PM
> > To: ActiveDir (E-mail)
> > Subject: [ActiveDir] A root dc question
> > 
> > My apologies if this seems basic and/or silly.
> > 
> > 
> > Aside from creating new domains or modifying the schema, why 
> > would an admin
> > need access to the root dc of a forest(the schema, domain 
> > naming master)?
> > furthermore, why would an admin in a child domain need 
> > enterprise admin
> > privileges?
> > 
> > I only ask because we had issues with our test DR run where

RE: [ActiveDir] OT: Research Question

2004-05-13 Thread Zach Huseby

the 2nd and the 18th of each month.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DL.ActiveDirectory
Sent: Thursday, May 13, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Research Question

Hello,
I am doing research for a college project, and I would appreciate any feedback I can get on the following question:
As an IT professional, what factors in your employment make a difference to you? Why?
I really appreciate the time you take to give me some insight into your world.
Thank you,
Mitch
Noob college student



RE: [ActiveDir] [OT] Enumerating DCs from a workstation that is not member of domain.

2004-05-13 Thread joe

Oh no, it's a rampant forest ranger with a penchant for haiku and burma-shave signs... Get him and his crazy hat

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, May 13, 2004 11:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Why wouldn't you just enumerate the domain A records from DNS? Normally, every domain controller registers its address as an A record using the domain name.

Wook Lee

"Once my Valentine,
Her name escapes me like a
Restore mode password."

From: Michael B. Smith
Sent: Thu 5/13/2004 8:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

See recipe 3.8 in "The Active Directory Cookbook" (rallenhome.com).

If you don't have name visibility, then it gets harder.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Thursday, May 13, 2004 9:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

Hey Guys,

I am looking for a VB script or VB.NET code that would return domain controllers (names or IP addresses) of a specific domain name on a workstation that is NOT a member of the domain.

When you add a computer to a domain (right click "My Computer", Properties, Computer Name, Change) you specify a domain name. When you click OK it will ask you for a username and password, right? When you click "OK" the computer must talk with a domain controller to add your computer to the domain, right? I basically need that functionality.

Thank you in advance.

Yves St-Cyr

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] A root dc question

2004-05-13 Thread joe
I think he was apologizing for working on Novell... :oP 

Personally I am sitting here posting because I am waiting for a second coat
of paint to dry. Before I take off some masking tape and put my furniture
back in place. And I must tell you, it is a joy to paint with white paint
when you have a curious black cat. I have little white cat footprints across
my kitchen floor now and a cat that is no longer all black. Ever see a black
cat with a white nose and white pads, pretty funny. She sneezed paint all
over my leg too.

As for the learning part, yes learn away. That is why some of us give very
long winded drawn out responses in the first place. A lot of these questions
could be answered with Yes,no,maybe, don't be stupid, or go hire someone who
knows but the goal is to increase the knowledge base around Windows AD so
that it gets run properly and less is ascertained to be Magic. A lot of
people think I give long responses because I like to talk (or write).
Actually it is because I like to hear others learn. The more everyone learns
about this stuff, the better for all of us as we will all be watching out
for the same things and beating vendors into doing things right. I actually
had a recent near experience with a vendor that had previously encountered
some knowledgeable AD guys at Cisco. When our people encountered them, it
was like, wow, your stuff actually looks good! Saved some time and
headaches. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 13, 2004 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Finally, I want to apologize again. I came from a Novell environment and
inherited my current AD set up and I'm afraid I'm using you as a learning
tool to get deeper into AD internals and I want to apologize for wasting
your time. I've read Robbie Allen's Active Directory and most of the
Distributed Systems Guide of the Windows 2k resource kit and both while
excellent don't seem to answer all my questions esp. things like this post.
Perhaps you could just recommend a book or site?
thanks for your time, everyone.

I'm not sure why you're apologizing for wanting to learn. I don't think
anyone who actively participates on this mailing list is here just to shoot
the breeze & dick around, but rather to learn and share knowledge. So, I say
fire away, I'll certainly jump in on a thread if it's something I know
about...

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
 
v: 773.534.0034 x135
f: 773.534.0035
 
 
-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

1. I'm not really interested in hacking my AD, so I'm not asking for that
bit of info. I just wonder why it exists and I'm sure googling it will turn
up a lot of "how to's", which makes me wonder why MS doesn't have a fix for
it?

2. So aside from politics or the inability of corps to collapse their NT
domain structure into OUs, you're saying there really is no reason for
multiple domains at all (or maybe to limit rep traffic of the domain naming
context across the forest?)?

3. Unfortunately our root domain is in Maryland and we are in New York, so
we can't really be sitting next to each other.


Finally, I want to apologize again. I came from a Novell environment and
inherited my current AD set up and I'm afraid I'm using you as a learning
tool to get deeper into AD internals and I want to apologize for wasting
your time. I've read Robbie Allen's Active Directory and most of the
Distributed Systems Guide of the Windows 2k resource kit and both while
excellent don't seem to answer all my questions esp. things like this post.
Perhaps you could just recommend a book or site?
thanks for your time, everyone.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Anyone with rights to get to mess with any domain controller in a forest can
compromise the forest, again a domain is not a security boundary. Someone
may not have the knowledge which appears to be the case here (and I am not
going to give that knowledge out), but it is possible just the same. 

This falls in line with something I said earlier to another post... Just
because someone doesn't know how to get around certain security precautions
doesn't mean others don't. A domain controller is a very special device on a
network, if compromised, you could have a forest wide issue. 

The number of domain admins in a forest honestly should equal the number of
enterprise admins in the forest. That number should be small. Less than 10
at the largest. Less than 5 is much better. They should also all be under
the same management chain and even better sit within walking distance of
each other so everyone is on the same page.

I often hear that ca

RE: [ActiveDir] DNS issues?

2004-05-13 Thread Todd L. Graham

When I do an ipconfig I'm getting the correct IP addresses listed for the DNS servers. DNS is set to have the child domains replicate with the root.

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, May 13, 2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS issues?

When you say you're getting the "correct" DNS servers, what do you mean?

Also, are you replicating DNS zones for the child domains between sites? It strikes me like what's really happening is that your child domains don't hold each other's DNS zones, so you can only see the local info.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Todd L. Graham [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:30 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS issues?

I have a problem with my DNS over the WAN and VPN. Here is the issue. For some reason DNS will not resolve names over the WAN, or VPN. I can only connect to resources by IP address. This problem started when I upgraded my network in January. We switched to a Cisco IP phone system along with all Cisco gear (VPN concentrator, PIX firewall, switches, routers... lots of money spent). We also upgraded our network at the same time from W2k to Server 2003. We have a point-to-point T between our sites and a T1 for internet access here. We have about 30 people who VPN into the network on the VPN concentrator. Our AD (I actually run all IT for 3 companies, same owners) is one root domain with 3 child domains, 1 for each company. All common resources and user accounts are in the root. Computer accounts and private resources are in each child domain. The child domains share nothing. Due to the phone system we have several VLANs, one for voice, VPN, Guest, and computer network.

When I am at the other location I can't browse the network, or attach to mapped drives from my logon script (they don't even appear). I can only attach to resources if I create a new mapped drive by IP address. When I do an ipconfig I get all the right DNS servers listed. I can only ping them by IP address. The same situation happens when I VPN from home. We had DNS only on the network. My Cisco vendor told me it's not their gear. I added WINS to see if this would help... it did not. Any suggestions on what I could have configured incorrectly? Could it be the Cisco routers?

Thank you for the help!

Todd Graham
IT Manager
Urell Inc.
617-600-9355
[EMAIL PROTECTED]

[ActiveDir] SMS 2003

2004-05-13 Thread Steve Shaff

Is anyone using SMS 2003 with an AD2003 domain? I am trying to create a logon script to detect the client's OS and install the appropriate SMS Client. I need some scripting help, if someone would be willing. It is not going extremely well. :(

Thanks,
S

RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

2004-05-13 Thread Mulnick, Al

Eric, I think the first question he has is that he needs to know which port to query. To answer that, use the GC port. You want to query the domain GC that shows the object that should not be there. Especially since those are the only ones that show it.

Repadmin is not well doc'd in the website help files. Just filed a fix-it for the web site folks a few minutes ago.

Todd, I would further suggest investigating how you got in that situation in the first place if indeed that is the root issue. Having issues with replication can never be a good thing and may defeat the efforts you're expending to fix the problem.

Al

From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

I'm coming into this thread, but it sounds like you have objects in GC partitions on DCs outside of the domain in question which make reference to an object no longer existing in the domain NC in question. Further, I bet GCs in that domain do not have it, only GCs outside of that domain.
Correct?
In that case you have what is called a lingering object. There are some KBs on this. I can discuss approaches on this DL if people want to, but it is heavily documented in KB already. I would look at the lingering object KBs, then come back with questions or thoughts after you do. Probably will save everyone some time that way. :)

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, May 13, 2004 8:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Joe, the account doesn't exist in the child domain, and I haven't found a reference to it in any domains.

The GC entry points to NTDS://IC.NIH.GOV/Users/ when I use the AD Search command. So the entry in the GCs thinks the account is located in the child domain where there is no account for that user any longer.

Any idea how to scrub the GCs? I have tried using LDP like the Q articles say, but it seems once a GC thinks an entry is in a specific location, it really has a hard time wanting to get rid of it.

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Todd, are you absolutely positive it doesn't exist in AD or maybe it simply isn't in the location you are expecting? The -1 issue is as Al indicated an ADC match issue. It sees something on the AD side and can't match it to the 5.5 side so it creates an object in 5.5. Then depending on how your ADC is configured it can pop something back on the AD side. Usually the ADC is configured to be able to create objects in certain OUs/containers that may be different from where you are used to looking.

I would also check multiple DCs in that child domain for the object. Most likely I would test every DC. Here is a little perl script that makes that fairly easy...

# ALLDC: run one command against every DC in a domain. The placeholder that
# marks where the DC name goes in $command was lost when this message was
# archived (most likely stripped as an HTML tag); <DC> is assumed here and is
# not from the original, and the same token is missing from the usage lines
# below.
$domain=shift;
$command=shift;

print "\nALLDC V01.00.00pl Joe Richards ([EMAIL PROTECTED]) November 2001\n\n";
if (!$domain or !$command)
 {
  print "USAGE: ALLDC domain command\n\n";
  exit;
 }

# nltest /dclist prints one line per DC with its site; keep the lines that
# name a DC, strip everything but the name, and uppercase it.
@output=`nltest /dclist:$domain 2>&1`;
@tmp=grep(/site/i,@output);
chomp @tmp;
map($_=~s/\s+([\w.]+).+/$1/,@tmp);
map($_=uc($_),@tmp);

print "Domain: $domain\n";
print "Command: $command\n";
$cnttot=0;
foreach $this (sort @tmp)
 {
  $cnttot++;
  print "  $this...\n";
  $tmpcmd=$command;
  $tmpcmd=~s/<DC>/$this/ig;   # substitute the current DC for the placeholder
  print "[$tmpcmd]\n";
  @output=`$tmpcmd 2>&1`;
  print "@output\n";
  print "x"x80,"\n\n";
 }
print "\n";
print "Total Domain Controllers: $cnttot\n";
 
Note that this is a very quick and dirty script, just intended to give some quick functionality to do something against all DCs in a domain.

Anyway, I would do something like

alldc domain.com "adfind -h  -default -f name=idname -dn"

If you need to put quotes in the command you want to run against every server then do it something like

alldc domain.com "adfind -h  -default -f \"name=idname\" -dn"

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, May 12, 2004 7:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

I tried what is described in the KB 314282 article, but only tried it on port 389 like the instructions said.

The problem I have is that the object and GUID no longer exist at all in the original child domain. So I am wondering, since it is all the GCs that have the lingering read-only object, should I run the clean-up process using LDP and the RemoveLingeringObjects option on the GCs on port 3268? I tried doing it on port 389, and it didn't work.

I will definitely post my results once I figure out how to do this.

Todd

From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wedne

RE: [ActiveDir] A root dc question

2004-05-13 Thread joe
Any sufficiently advanced technology is indistinguishable from magic. 

  - Arthur C. Clarke


Magic: an illusory feat; considered magical by naive observers

  - Princeton.edu WordNet 2.0


Magic: adj. 1. As yet unexplained, or too complicated to explain; compare
{automagically} and (Arthur C.) Clarke's Third Law: "Any sufficiently
advanced technology is indistinguishable from magic."

  - worldwideschool.org Library



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 10:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

so as I said, there's not much damage one could do to the forest, except
thru "magic". if you have multiple domains all fairly independent of each
other and the admin in child domain B screws it royally, that really won't have
an effect on the Admin and his users in domain A.
and by independent, all my users from domain A only access resources and apps
in domain A. No group nesting or uni groups.
so aside from exchange and the gal, we are all separate entities in the same
forest.
so the only way to screw things up that is forest wide, a child domain admin
would have to use this sid history hack, a hack so obscure, you call it
magic...
so, i guess multiple admins in many domains can't do so much damage after
all?

-Original Message-
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


If I recall correctly, a domain admin in a child domain can use the SID
history function to gain access to the parent domain.  Once he has access to
the parent domain, he can then add himself to the enterprise admins group.
The part about "Use the SID history function to gain access" is somewhat of a
mystery to me.  (Almost like magic) However, I do believe it is possible.

Your damage is limited to the child domain unless you use the SID history
feature (i.e. magic) to hack into the parent domain.

Denny 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

1. what do you mean by "an admin in any domain has the power of being an
Enterprise admin"? i, being a domain admin of a child domain, do not have the
power to put myself into the Enterprise admins group. A domain or enterprise
admin in the root domain would have to do that for me.
 
Also, as a domain admin in a child domain, i'm kinda limited to the damage i
could do to the forest, no? I mean, i could screw up my domain royally, but i
can't really do anything to screw up the forest (and completely hosing my
domain would only cause replication errors generated in event logs and some
repointing of exchange servers to different GC's). i can't modify the schema
or install an app that does it for me. i can't link a wrong headed GPO to a
site or create one on the root or any other domain. i can't create a site or
subnet.
And if i crashed and burned all my DC's wouldn't AD remove them permanently
after 60 days?

I'm sorry to belabour the point here and waste your time, but i really want
to make a good case for our IT dept to have enterprise admin access and show
why multiple separate domain admins for multiple domains is not a good idea.
as well as further my knowledge of what can and can't be done and what can
and can't be screwed up.
i'd like to convince everyone that playing nice is in our best interest.
thanks, and again, i apologize for rehashing old posts.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Wow this is like déjà vu, I swear we went through this whole thought process
a month or two ago on here

The quick summary (no I will not spout the whole thing, it should be in the
archives) of what I recall

1. An admin in any domain has the power of being an Enterprise Admin,
domains ARE NOT security boundaries. Each child domain should not have
different admins because that can result in chaos and possible danger to the
entire forest.

2. You can not do DR testing with just a child domain. 

3. Either your corp IT has to be involved with your DR testing or you should
redesign into multiple forests. 



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 12, 2004 4:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc question

My apologies if this seems basic and/or silly.


Aside from creating new domains or modifying the schema, why would an admin
need access to the root dc of a forest (the schema, domain naming master)?
furthermore, why would an admin in a child domain need enterprise admin
privileges?

I only ask because we had issues with our test DR run wherein we didn't have
access to the root domain and/or a t

RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

2004-05-13 Thread Michael B. Smith
See recipe 3.8 in "The Active Directory Cookbook" (rallenhome.com).

If you don't have name visibility, then it gets harder.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Thursday, May 13, 2004 9:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enumerating DCs from a workstation that is not
member of domain.

Hey Guys,
 
I am looking for a vb script or vb.net code that would return domain
controllers (names or ip addresses) of a specific domain name on a
workstation that is NOT member of the domain.
 
When you add a computer to a domain (right click "my computer",
properties, Computer Name, Change) you specify a domain name. When you
click on ok it will ask you for a username and password right? When you
click "ok" the computer must talk with a domain controller to add your
computer to the domain right? I basically need that functionality. 
 
Thank you in advance.
 
 
Yves St-Cyr
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] AD and Family Educational Right to Privacy Act. (Buckley Amendment)

2004-05-13 Thread Douglas M. Long
Hi,

How (if anyone is) are you handling the Buckley Amendment?? Is there a way
to make a user and all their attributes not show up in a ldap search?? If
so, how?

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] UPN Suffixes on OU?

2004-05-13 Thread Michael B. Smith



Thanks Joe--
 
Is there any way in the GUI user-interface to set 
that?
 
Thanks,
Michael


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 13, 2004 10:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] UPN Suffixes on OU?

You can define UPN Suffixes at the OU level for ADUC to 
display
 
I.E. Let's say  I set up an OU called test OU, I could 
set up a upnSuffix for that OU of test.com as well as the forest level suffix, 
joe.com. When I create a user or modify a user in that one OU with ADUC the UPN 
Suffix dropdown will have both joe.com and test.com listed. 
 
 
Note that that doesn't inherit down which I thought was 
strange but so be it. Anyway, if you don't use ADUC (use script or adsiedit) you 
can set whatever you want anyway. Though there is impact for cross forest trusts 
as Guido mentioned previously when he wasn't razzing me for Domain Local Groups. 
:o)
 
 
  joe
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, May 13, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] UPN Suffixes on OU?

KB 269441 shows code 
to retrieve uPNSuffixes from organizationalunit entries?
 
Say 
WHAT?
 
What's that 
about?
 


RE: [ActiveDir] A root dc question

2004-05-13 Thread Kern, Tom
1. i'm not really interested in hacking my AD, so i'm not asking for that bit of info. 
i just wonder why it exists and i'm sure googling it will turn up a lot of "how to's", 
which makes me wonder why MS doesn't have a fix for it?

2. so aside from politics or the inability of corps to collapse their NT domain 
structure into OU's, you're saying there really is no reason for multiple domains at 
all (or maybe to limit rep traffic of the domain naming context across the forest?)?

3. unfortunately our root domain is in Maryland and we are in New York, so we can't 
really be sitting next to each other.


Finally, i want to apologize again. i came from a Novell environment and inherited my 
current AD set up and i'm afraid i'm using you as a learning tool to get deeper into 
AD internals and i want to apologize for wasting your time. I've read robbie allen's 
Active Directory and most of the Distributed Systems Guide of the Windows 2k resource 
kit and both while excellent don't seem to answer all my questions esp, things like 
this post.
Perhaps you could just recommend a book or site?
thanks for your time, everyone.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Anyone with rights to get to mess with any domain controller in a forest can
compromise the forest, again a domain is not a security boundary. Someone
may not have the knowledge which appears to be the case here (and I am not
going to give that knowledge out), but it is possible just the same. 

This falls in line with something I said earlier to another post... Just
because someone doesn't know how to get around certain security precautions
doesn't mean others don't. A domain controller is a very special device on a
network, if compromised, you could have a forest wide issue. 

The number of domain admins in a forest honestly should equal the number of
enterprise admins in the forest. That number should be small. Less than 10
at the largest. Less than 5 is much better. They should also all be under
the same management chain and even better sit within walking distance of
each other so everyone is on the same page.

I often hear that can't be done... Sure it can. I've done it in a rather
large globally distributed company. The delegation model is very strong in
AD, most people should have delegated rights. Just takes work.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

1. what do you mean by "an admin in any domain has the power of being an
Enterprise admin"? i, being a domain admin of a child domain, do not have the
power to put myself into the Enterprise admins group. A domain or enterprise
admin in the root domain would have to do that for me.
 
Also, as a domain admin in a child domain, i'm kinda limited to the damage i
could do to the forest, no? I mean, i could screw up my domain royally, but i
can't really do anything to screw up the forest (and completely hosing my
domain would only cause replication errors generated in event logs and some
repointing of exchange servers to different GC's). i can't modify the schema
or install an app that does it for me. i can't link a wrong headed GPO to a
site or create one on the root or any other domain. i can't create a site or
subnet.
And if i crashed and burned all my DC's wouldn't AD remove them permanently
after 60 days?

I'm sorry to belabour the point here and waste your time, but i really want
to make a good case for our IT dept to have enterprise admin access and show
why multiple separate domain admins for multiple domains is not a good idea.
as well as further my knowledge of what can and can't be done and what can
and can't be screwed up.
i'd like to convince everyone that playing nice is in our best interest.
thanks, and again, i apologize for rehashing old posts.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Wow this is like déjà vu, I swear we went through this whole thought process
a month or two ago on here

The quick summary (no I will not spout the whole thing, it should be in the
archives) of what I recall

1. An admin in any domain has the power of being an Enterprise Admin,
domains ARE NOT security boundaries. Each child domain should not have
different admins because that can result in chaos and possible danger to the
entire forest.

2. You can not do DR testing with just a child domain. 

3. Either your corp IT has to be involved with your DR testing or you should
redesign into multiple forests. 



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 12, 2004 4:37 PM
To: ActiveDir (E-mail)
Subject: [Active

RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

2004-05-13 Thread Eric Fleischman

I’m coming in to this thread, but it
sounds like you have objects in GC partitions on DCs outside of domain in
question which make reference to an object no longer existing in domain NC in
question. Further, I bet GCs in that domain do not have it, only GCs outside of
that domain.

Correct?


In that case you have what is called a lingering object. There are some KBs on
this. I can discuss approaches on this dl if people want to, but it is heavily documented
in KB already. I would look at the lingering object KBs, then come back with
questions or thoughts after you do. Probably will save everyone some time that
way. :)

 

~Eric

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, May 13, 2004 8:47
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned
GC Entry... How do I clean it up?



 

Joe the account doesn’t exist in the
child domain, and I haven’t found a reference to it in any domains.

 

The GC entry points to
NTDS://IC.NIH.GOV/Users/ when I use the AD Search command.
 So the entry in the GC’s thinks the account is located in the child
domain where there is no account for that user any longer.

 

Any idea how to scrub the GC’s? I
have tried using LDP like the Q articles say, but it seems once a GC thinks an
entry is in a specific location, it really has a hard time wanting to get rid
of it.

 

Todd

From: joe
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 9:04
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned
GC Entry... How do I clean it up?



 

Todd are you absolutely positive it
doesn't exist in AD or maybe it simply isn't in the location you are expecting?
The -1 issue is as Al indicated an ADC match issue. It sees something on the AD
side and can't match it to the 5.5 side so it creates an object in 5.5. Then
depending on how your ADC is configured it can pop something back on the AD
side. Usually the ADC is configured to be able to create objects in certain
OU's/containers that may be different from where you are used to looking. 

 

I would also check multiple DCs in that
child domain for the object. Most likely I would test every DC. Here is a
little perl script that makes that fairly easy...

 

 

$domain=shift;
$command=shift;

@output=`nltest /dclist:$domain 2>&1`;

# keep the lines that name a DC (they carry "Site: ..."), take the first word, upper-case it
@tmp=grep(/site/i,@output);
chomp @tmp;
map($_=~s/\s+([\w.]+).+/$1/,@tmp);
map($_=uc($_),@tmp);

print "\nALLDC V01.00.00pl Joe Richards ([EMAIL PROTECTED]) November 2001\n\n";
if (!$domain or !$command)
 {
  print "USAGE: ALLDC domain command\n\n";
  exit;
 }
print "Domain: $domain\n";
print "Command: $command\n";
$cnttot=0;
foreach $this (sort @tmp)
 {
  $cnttot++;
  print "  $this...\n";
  $tmpcmd=$command;
  # the placeholder token that stood between the first two slashes (the marker for the
  # DC name inside the command string) was lost from the archived copy of this mail; an
  # empty pattern would reuse the last successful match, so put the marker back before use
  $tmpcmd=~s//$this/ig;
  print "[$tmpcmd]\n";
  @output=`$tmpcmd 2>&1`;
  print "@output\n";
  print "x"x80,"\n\n";
 }
print "\n";
print "Total Domain Controllers: $cnttot\n";

 

Note that this is a very quick and dirty
script, just intended to give some quick functionality to do something against
all DCs in a domain

 

anyway I would do something like

 

 

alldc domain.com "adfind -h
 -default -f name=idname -dn"

 

 

If you need to put quotes in the command
you want to run against every server then do it something like

 

alldc domain.com "adfind -h
 -default -f \"name=idname\" -dn"

 

 

  joe

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, May 12, 2004 7:37
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned
GC Entry... How do I clean it up?

I tried what is described in the KB 314282
article, but only tried it on port 389 like the instructions said.

 

The problem I have is that the object and
GUID no longer exist at all in the original child domain.  So I am
wondering since it is all the GC’s that have the lingering read-only
object, should I run the clean-up process using LDP and the
RemoveLingeringObjects option on the GC’s on port 3268?  I tried
doing on port 389, and it didn’t work.

 

I will definitely post my results once I
figure out how to do this.

 

Todd

From: Coleman, Hunter
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 12, 2004 4:38
PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Orphaned
GC Entry... How do I clean it up?



 

Todd-

 

Not sure if this will work for you or not:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314282


There was a similar thread back in January or so; this is the tail end
http://www.mail-archive.com/[EMAIL PROTECTED]/msg13088.html and you can do alternate
searches to get the full discussion. Good luck...

Hunter

From: Myrick,
Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 12, 2004 2:12
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned
GC Entry... How do I clean it up?

There appears to be two entries for User
in the AD Global Catalogues.  The one accou
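A Python rework of the per-DC loop in joe's alldc script quoted earlier in this thread, added here as an example and not part of the thread: it parses nltest /dclist output (the sample is constructed and its format assumed), fills a {dc} placeholder, and launches each command as an argument list rather than through the shell, so the quoting joe describes is handled by shlex instead of backslash escaping.

```python
"""Run one command against every DC of a domain (Python rework of alldc).

Added example, not joe's script: same nltest /dclist -> per-DC loop, but
the command is an argument list with a {dc} placeholder, not a shell string.
"""
import re
import shlex
import subprocess
from typing import Callable, List, Optional, Tuple

# Constructed sample of `nltest /dclist:corp.example.com` output (format
# assumed: one indented line per DC, carrying "Site: <site name>").
SAMPLE_NLTEST_OUTPUT = """\
Get list of DCs in domain 'corp.example.com' from '\\\\DC1'.
    dc2.corp.example.com        [DS] Site: Branch-NY
    dc1.corp.example.com [PDC]  [DS] Site: Default-First-Site-Name
The command completed successfully
"""

# indented line: the first word is the DC name, and a "Site:" marker follows
DC_LINE = re.compile(r"^\s+([\w.-]+).*\bSite:", re.IGNORECASE)

Runner = Callable[[List[str]], Tuple[int, str]]


def parse_dclist(output: str) -> List[str]:
    """Upper-cased DC names from nltest /dclist output, sorted (as alldc does)."""
    names = [m.group(1).upper() for m in map(DC_LINE.match, output.splitlines()) if m]
    return sorted(names)


def get_dclist(domain: str) -> List[str]:
    """Ask nltest (Windows) for the DC list of `domain`."""
    proc = subprocess.run(["nltest", f"/dclist:{domain}"],
                          capture_output=True, text=True, check=False)
    return parse_dclist(proc.stdout + proc.stderr)


def build_command(template: str, dc: str) -> List[str]:
    """Fill {dc}, then split the template with POSIX shell quoting rules.

    Quoted pieces such as -f "name=idname" stay one argument; nothing is handed
    to cmd.exe, so the quotes need no backslash escaping. Note that shlex treats
    backslashes as escapes, so a template with Windows paths needs them doubled.
    """
    if "{dc}" not in template:
        raise ValueError("command template needs a {dc} placeholder")
    return shlex.split(template.replace("{dc}", dc))


def run_subprocess(argv: List[str]) -> Tuple[int, str]:
    """Default runner: execute argv directly and return (exit code, output)."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout + proc.stderr


def run_on_all_dcs(dcs: List[str], template: str,
                   runner: Optional[Runner] = None) -> List[Tuple[str, int, str]]:
    """Run the filled-in command against every DC; (dc, exit code, output) per DC."""
    runner = runner or run_subprocess
    return [(dc,) + tuple(runner(build_command(template, dc))) for dc in dcs]


def report(results: List[Tuple[str, int, str]]) -> str:
    """Text summary in the spirit of alldc's output."""
    lines = []
    for dc, rc, out in results:
        lines += [f"  {dc}... (rc={rc})", out.rstrip(), "x" * 80]
    lines.append(f"Total Domain Controllers: {len(results)}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit('USAGE: alldc.py domain "command with {dc} placeholder"')
    print(report(run_on_all_dcs(get_dclist(sys.argv[1]), sys.argv[2])))
```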

RE: [ActiveDir] A root dc question

2004-05-13 Thread Kern, Tom
how would one force an escalation of privileges? is this just taking advantage of a 
security hole in AD? or is this standard ability? a backdoor to prevent a lockout, 
like the ability to change a domain admin pw if you're physically at the machine with 
a linux boot disk?
and if it's a flaw, why hasn't it been fixed by MS?

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


You'd be very, very wrong. Through *standard* practices, you're correct.
However, you have sufficient rights to force an escalation of privileges
and insert your account into the Enterprise Admins group

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: Kern, Tom [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, May 13, 2004 9:16 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> 1. what do you mean by "an admin in any domain has the power 
> of being an Enterprise admin"? i, being a domain admin of a 
> child domain, do not have the power to put myself into the 
> Enterprise admins group. A domain or enterprise admin in the 
> root domain would have to do that for me.
>  
> Also, as a domain admin in a child domain, i'm kinda limited 
> to the damage i could do to the forest, no? I mean, i could 
> screw up my domain royally, but i can't really do anything to 
> screw up the forest (and completely hosing my domain would 
> only cause replication errors generated in event logs and 
> some repointing of exchange servers to different GC's). i 
> can't modify the schema or install an app that does it for 
> me. i can't link a wrong headed GPO to a site or create one 
> on the root or any other domain. i can't create a site or subnet.
> And if i crashed and burned all my DC's wouldn't AD remove 
> them permanently after 60 days?
> 
> I'm sorry to belabour the point here and waste your time, but 
> i really want to make a good case for our IT dept to have 
> enterprise admin access and show why multiple separate domain 
> admins for multiple domains is not a good idea. as well as 
> further my knowledge of what can and can't be done and what 
> can and can't be screwed up.
> i'd like to convince everyone that playing nice is in our 
> best interest.
> thanks, and again, i apologize for rehashing old posts.
> 
> -Original Message-
> From: joe [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 8:34 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> 
> Wow this is like déjà vu, I swear we went through this whole 
> thought process
> a month or two ago on here
> 
> The quick summary (no I will not spout the whole thing, it 
> should be in the
> archives) of what I recall
> 
> 1. An admin in any domain has the power of being an Enterprise Admin,
> domains ARE NOT security boundaries. Each child domain should not have
> different admins because that can result in chaos and 
> possible danger to the
> entire forest.
> 
> 2. You can not do DR testing with just a child domain. 
> 
> 3. Either your corp IT has to be involved with your DR 
> testing or you should
> redesign into multiple forests. 
> 
> 
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Wednesday, May 12, 2004 4:37 PM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] A root dc question
> 
> My apologies if this seems basic and/or silly.
> 
> 
> Aside from creating new domains or modifying the schema, why 
> would an admin
> need access to the root dc of a forest (the schema, domain 
> naming master)?
> furthermore, why would an admin in a child domain need 
> enterprise admin
> privileges?
> 
> I only ask because we had issues with our test DR run wherein 
> we didn't have
> access to the root domain and/or a test root domain vmware'd 
> on a laptop and
> it ended miserably.
> i am in the process of convincing the higher ups in my corp 
> of letting our
> IT dept have enterprise admin access. 
> i'd like to make a case for us as to why we would need this 
> account with
> concrete examples (aside from the DR one). ones that a semi 
> tech aware CIO
> could relate to. 
> What other compelling reasons would one need these rights for 
> in day to
> day (or not so day to day) AD administration? 
> 
> we are a multi-domain (14) win2k forest in mixed mode with 
> exchange2k in
> native mode.
> 
> Thank you in advance for any assistance.
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Enumerating DCs from a workstation that is not member of domain.

2004-05-13 Thread Thommes, Michael M.
Couldn't you just query DNS (ie, nslookup aa.bb.cc) and look at the IPs returned?

Mike Thommes

-Original Message-
From: AD [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enumerating DCs from a workstation that is not
member of domain.


Hey Guys,
 
I am looking for a vb script or vb.net code that would return domain controllers 
(names or ip addresses) of a specific domain name on a workstation that is NOT member 
of the domain.
 
When you add a computer to a domain (right click "my computer", properties, Computer 
Name, Change) you specify a domain name. When you click on ok it will ask you for a 
username and password right? When you click "ok" the computer must talk with a domain 
controller to add your computer to the domain right? I basically need that 
functionality. 
 
Thank you in advance.
 
 
Yves St-Cyr
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
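The DNS route Mike suggests, worked through in Python as an added example (not code from the thread): every DC registers SRV records under _msdcs.<domain>, so a workstation that is not a domain member can list them with nslookup -type=SRV and order the answers by priority and weight. The nslookup transcript, host names and addresses below are constructed, and its layout is assumed.

```python
"""Find a domain's DCs from a workstation that is not a domain member.

Added example, not from the thread: builds the _msdcs SRV names, parses
nslookup -type=SRV output and orders the answers (RFC 2782: priority, weight).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dc_srv_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names to query for the DCs of `domain`, most specific first."""
    names = []
    if site:  # a client that knows its AD site prefers the DCs in that site
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")      # every DC of the domain
    names.append(f"_ldap._tcp.pdc._msdcs.{domain}")     # the PDC emulator only
    names.append(f"_kerberos._tcp.dc._msdcs.{domain}")  # KDCs (the same DCs)
    return names


# Constructed sample of `nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com`
# as printed on Windows (layout assumed; hosts and addresses are made up).
SAMPLE_NSLOOKUP = """\
Server:  dns1.corp.example.com
Address:  10.0.0.53

_ldap._tcp.dc._msdcs.corp.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.corp.example.com
_ldap._tcp.dc._msdcs.corp.example.com   SRV service location:
          priority       = 10
          weight         = 50
          port           = 389
          svr hostname   = dc3.corp.example.com
_ldap._tcp.dc._msdcs.corp.example.com   SRV service location:
          priority       = 0
          weight         = 50
          port           = 389
          svr hostname   = dc2.corp.example.com
dc1.corp.example.com    internet address = 10.0.0.11
dc2.corp.example.com    internet address = 10.0.0.12
dc3.corp.example.com    internet address = 10.0.0.13
"""

FIELD = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$")
ADDR = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)\s*$")


def parse_nslookup_srv(text: str) -> Tuple[List[SrvRecord], Dict[str, str]]:
    """Return the SRV records and the host -> address glue from nslookup output."""
    records: List[SrvRecord] = []
    addresses: Dict[str, str] = {}
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        if "SRV service location" in line:   # a new record starts here
            cur = {}
            continue
        m = FIELD.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
            if m.group(1) == "svr hostname":  # last field of a record
                records.append(SrvRecord(int(cur["priority"]), int(cur["weight"]),
                                         int(cur["port"]),
                                         cur["svr hostname"].rstrip(".").lower()))
            continue
        m = ADDR.match(line)
        if m:
            addresses[m.group(1).rstrip(".").lower()] = m.group(2)
    return records, addresses


def order_targets(records: List[SrvRecord]) -> List[str]:
    """Lowest priority first; within a priority, higher weight first.

    RFC 2782 chooses among equal priorities at random in proportion to weight;
    a fixed weight-descending order is used here so the result is repeatable.
    """
    ranked = sorted(records, key=lambda r: (r.priority, -r.weight, r.target))
    return [r.target for r in ranked]


def find_dcs(nslookup_output: str) -> List[Tuple[str, Optional[str]]]:
    """(dc hostname, address or None) pairs in the order a client should try them."""
    records, addresses = parse_nslookup_srv(nslookup_output)
    return [(t, addresses.get(t)) for t in order_targets(records)]
```

On a real workstation, run nslookup -type=SRV on the first name from dc_srv_names and pass its output to find_dcs; the GC records of the forest live under _ldap._tcp.gc._msdcs.<forest root> rather than the domain name.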


RE: [ActiveDir] A root dc question

2004-05-13 Thread Kern, Tom
so as I said, there's not much damage one could do to the forest, except thru "magic". 
if you have multiple domains all fairly independent of each other and the admin in child 
domain B screws it royally, that really won't have an effect on the Admin and his users in 
domain A.
and by independent, all my users from domain A only access resources and apps in domain 
A. No group nesting or uni groups.
so aside from exchange and the gal, we are all separate entities in the same forest.
so the only way to screw things up that is forest wide, a child domain admin would 
have to use this sid history hack, a hack so obscure, you call it magic...
so, i guess multiple admins in many domains can't do so much damage after all?

-Original Message-
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


If I recall correctly, a domain admin in a child domain can use the SID history 
function to gain access to the parent domain.  Once he has access to the parent domain, 
he can then add himself to the enterprise admins group.  The part about "Use the SID 
history function to gain access" is somewhat of a mystery to me.  (Almost like magic) 
However, I do believe it is possible.

Your damage is limited to the child domain unless you use the SID history feature 
(i.e. magic) to hack into the parent domain.

Denny 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

1. what do you mean by "an admin in any domain has the power of being an Enterprise 
admin"? i, being a domain admin of a child domain, do not have the power to put myself 
into the Enterprise admins group. A domain or enterprise admin in the root domain 
would have to do that for me.
 
Also, as a domain admin in a child domain, i'm kinda limited to the damage i could do 
to the forest, no? I mean, i could screw up my domain royally, but i can't really do 
anything to screw up the forest (and completely hosing my domain would only cause 
replication errors generated in event logs and some repointing of exchange servers to 
different GC's). i can't modify the schema or install an app that does it for me. i 
can't link a wrong headed GPO to a site or create one on the root or any other domain. 
i can't create a site or subnet.
And if i crashed and burned all my DC's wouldn't AD remove them permanently after 60 
days?

I'm sorry to belabour the point here and waste your time, but i really want to make a 
good case for our IT dept to have enterprise admin access and show why multiple 
separate domain admins for multiple domains is not a good idea. as well as further my 
knowledge of what can and can't be done and what can and can't be screwed up.
i'd like to convince everyone that playing nice is in our best interest.
thanks, and again, i apologize for rehashing old posts.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Wow this is like déjà vu, I swear we went through this whole thought process
a month or two ago on here

The quick summary (no I will not spout the whole thing, it should be in the
archives) of what I recall

1. An admin in any domain has the power of being an Enterprise Admin,
domains ARE NOT security boundaries. Each child domain should not have
different admins because that can result in chaos and possible danger to the
entire forest.

2. You can not do DR testing with just a child domain. 

3. Either your corp IT has to be involved with your DR testing or you should
redesign into multiple forests. 



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 12, 2004 4:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc question

My apologies if this seems basic and/or silly.


Aside from creating new domains or modifying the schema, why would an admin
need access to the root dc of a forest (the schema, domain naming master)?
furthermore, why would an admin in a child domain need enterprise admin
privileges?

I only ask because we had issues with our test DR run wherein we didn't have
access to the root domain and/or a test root domain vmware'd on a laptop and
it ended miserably.
i am in the process of convincing the higher ups in my corp of letting our
IT dept have enterprise admin access. 
i'd like to make a case for us as to why we would need this account with
concrete examples (aside from the DR one). ones that a semi tech aware CIO
could relate to. 
What other compelling reasons would one need these rights for in day to
day (or not so day to day) AD administration? 

we are a multi-domain (14) win2k forest in mixed mode with exchange2k in
native mode.

Thank you in advance for any assistance.
List info   : http://www.a

RE: [ActiveDir] UPN Suffixes on OU?

2004-05-13 Thread joe



You can define UPN Suffixes at the OU level for ADUC to 
display
 
I.E. Let's say  I set up an OU called test OU, I could 
set up a upnSuffix for that OU of test.com as well as the forest level suffix, 
joe.com. When I create a user or modify a user in that one OU with ADUC the UPN 
Suffix dropdown will have both joe.com and test.com listed. 
 
 
Note that that doesn't inherit down which I thought was 
strange but so be it. Anyway, if you don't use ADUC (use script or adsiedit) you 
can set whatever you want anyway. Though there is impact for cross forest trusts 
as Guido mentioned previously when he wasn't razzing me for Domain Local Groups. 
:o)
 
 
  joe
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, May 13, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] UPN Suffixes on OU?

KB 269441 shows code 
to retrieve uPNSuffixes from organizationalunit entries?
 
Say 
WHAT?
 
What's that 
about?
 


RE: [ActiveDir] View permissions of specific attributes

2004-05-13 Thread joe
You know, I completely forgot about that advanced GUI screen. You can get
that in adsiedit as well and that doesn't involve editing the dssec.dat
file... Also in XP/K3 there is an effective permissions screen if I recall,
however there are some limitations in that. 

   joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, May 13, 2004 9:39 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] View permissions of specific attributes

In ADUC, pull up the properties on the object. Click on the Security tab
(make sure that View->Advanced Features is turned up). Click on the Advanced
button. Find the entry for the user or group you want to check on in the
Permission Entries list, then click View. In the Permission Entry window,
click on the Properties tab... is this what you're after?

If you don't see the specific attribute you're looking for, then it may not
appear in the list by default. You can edit the dssec.dat file on the
machine running ADUC to change what attributes show up in the list.
http://support.microsoft.com/?kbid=296490

Hunter 

-Original Message-
From: David Adner [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 6:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] View permissions of specific attributes

Unless I'm missing it, I don't see where it shows specific attributes for
the object...? 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Carlos 
> Magalhaes
> Sent: Thursday, May 13, 2004 02:36
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] View permissions of specific attributes
> 
> Have you also thought of running dsacls.exe (the latest version is the 
> version that comes with ADAM) You can specify a path i.e.
> dsacls.exe /domain: , you can also specify a specific 
> Active Directory path that  can be denoted by prepending 
> \\server[:port]\ to the object, as in
> 
>   \\ADSERVER\CN=John
> Doe,OU=Software,OU=Engineering,DC=Widget,DC=US
> 
> Carlos Magalhaes - AD programming ? -
> http://groups.yahoo.com/group/adsianddirectoryservices
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gil 
> Kirkpatrick
> Sent: Thursday, May 13, 2004 6:29 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] View permissions of specific attributes
> 
> Use adsiedit, right click on an object, select Properties, then select 
> the Security tab. You'll see the security descriptor information 
> there.
> 
> -gil
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
> Sent: Wednesday, May 12, 2004 7:09 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] View permissions of specific attributes
> 
> I must just be missing something, but I can't seem to find out how to 
> view the permissions a user has to a specific object's attributes.
> I've been looking in adsiedit, ldp, dsacls... Am I close?  :)
> 
> I'm trying to verify a user has the necessary permissions to modify 
> certain object attributes.  Any help is appreciated.  Thx
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/

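The same check without the ADUC dialog, as an added example written for this page (not code from the thread): it resolves the attribute to its schemaIDGUID (and, if it belongs to a property set, the set's GUID) and lists the ACEs on the object that grant a principal write access to that attribute. The object DN is the one from Carlos's dsacls example; WIDGET\helpdesk and telephoneNumber are assumed names, and the ActiveDirectory module is assumed.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module;
# WIDGET\helpdesk and telephoneNumber are placeholder names.
Import-Module ActiveDirectory

$objectDn  = 'CN=John Doe,OU=Software,OU=Engineering,DC=Widget,DC=US'
$principal = 'WIDGET\helpdesk'
$attribute = 'telephoneNumber'     # lDAPDisplayName of the attribute to check

# Attribute-scoped ACEs carry the attribute's schemaIDGUID in ObjectType;
# property-set ACEs (e.g. Personal Information) carry the set's GUID, which
# the attribute's attributeSecurityGUID points at. Resolve both up front.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$attrSchema = Get-ADObject -SearchBase $schemaNc `
                -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attribute))" `
                -Properties schemaIDGUID, attributeSecurityGUID
if (-not $attrSchema) { throw "attribute $attribute not found in schema" }
$attrGuid = [guid]$attrSchema.schemaIDGUID
$setGuid  = if ($attrSchema.attributeSecurityGUID) { [guid]$attrSchema.attributeSecurityGUID } else { $null }

# Get-Acl on the AD: drive returns the DACL as ActiveDirectoryAccessRule entries
$acl   = Get-Acl -Path "AD:\$objectDn"
$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $principal -and
    ($_.ActiveDirectoryRights -band $write) -and          # GenericWrite/GenericAll include this bit
    (   $_.ObjectType -eq [guid]::Empty                  # write to all properties
     -or $_.ObjectType -eq $attrGuid                      # this attribute only
     -or ($setGuid -and $_.ObjectType -eq $setGuid))      # via its property set
} | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited,
        @{ n = 'Scope'; e = {
            if     ($_.ObjectType -eq $attrGuid) { $attribute }
            elseif ($setGuid -and $_.ObjectType -eq $setGuid) { 'property set' }
            else   { 'all properties' } } }
```

This lists ACEs that name the principal directly, Allow and Deny alike (AccessControlType), inherited or not (IsInherited). Rights the user gets through group membership, or that a Deny further up cancels, still need the effective-permissions evaluation joe mentions: run the filter again for each group in the user's token, and let any Deny win.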


RE: [ActiveDir] A root dc question

2004-05-13 Thread joe
Your last statement is incorrect, but best not to try and outline how to
crack forests as there are many companies out there following the not so
great practice of having lots of domain admins on child domains of a single
forest.

If you sit down and think for a while, you will slowly figure out different
ways that domains and forests could be penetrated. It is why you should not
allow many admins and you shouldn’t allow much of anything to run as
localsystem on DCs unless the domain admins are the ones controlling those
things that are running... Think of AV Software, Monitoring Software, Update
Software, Backup Software - anything that runs as localsystem that is
commonly managed by someone outside of the domain admin group. Those should
all be closely investigated and access turned down or management given to
the domain admins. 



  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Thursday, May 13, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

If I recall correctly, a domain admin in a child domain can use the SID
history function to gain access to the parent domain.  Once he has access to
the parent domain, he can then add himself to the Enterprise Admins group.
The part about "use the SID history function to gain access" is somewhat of a
mystery to me.  (Almost like magic) However, I do believe it is possible.

Your damage is limited to the child domain unless you use the SID history
feature (i.e. magic) to hack into the parent domain.

Denny 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

1. What do you mean by "an admin in any domain has the power of being an
Enterprise Admin"? I, being a domain admin of a child domain, do not have the
power to put myself into the Enterprise Admins group. A domain or enterprise
admin in the root domain would have to do that for me.
 
Also, as a domain admin in a child domain, I'm kinda limited to the damage I
could do to the forest, no? I mean, I could screw up my domain royally, but I
can't really do anything to screw up the forest (and completely hosing my
domain would only cause replication errors generated in event logs and some
repointing of Exchange servers to different GCs). I can't modify the schema
or install an app that does it for me. I can't link a wrong-headed GPO to a
site or create one on the root or any other domain. I can't create a site or
subnet.
And if I crashed and burned all my DCs, wouldn't AD remove them permanently
after 60 days?

I'm sorry to belabour the point here and waste your time, but I really want
to make a good case for our IT dept to have enterprise admin access and show
why multiple separate domain admins for multiple domains is not a good idea,
as well as further my knowledge of what can and can't be done and what can
and can't be screwed up.
I'd like to convince everyone that playing nice is in our best interest.
Thanks, and again, I apologize for rehashing old posts.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Wow this is like déjà vu, I swear we went through this whole thought process
a month or two ago on here

The quick summary (no I will not spout the whole thing, it should be in the
archives) of what I recall

1. An admin in any domain has the power of being an Enterprise Admin,
domains ARE NOT security boundaries. Each child domain should not have
different admins because that can result in chaos and possible danger to the
entire forest.

2. You can not do DR testing with just a child domain. 

3. Either your corp IT has to be involved with your DR testing or you should
redesign into multiple forests. 



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 12, 2004 4:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc question

My apologies if this seems basic and/or silly.


Aside from creating new domains or modifying the schema, why would an admin
need access to the root DC of a forest (the schema and domain naming master)?
Furthermore, why would an admin in a child domain need enterprise admin
privileges?

I only ask because we had issues with our test DR run wherein we didn't have
access to the root domain and/or a test root domain VMware'd on a laptop, and
it ended miserably.
I am in the process of convincing the higher-ups in my corp of letting our
IT dept have enterprise admin access.
I'd like to make a case for us as to why we would need this account with
concrete examples (aside from the DR one), ones that a semi tech-aware CIO
could relate to.
What other compelling reasons would one need these rights for in day-to-day
(or not so day-to-day) AD administration?

We are a multi-domain (14) Win2k forest in mixed mode with Exchange 2k in
native mode.

Thank you in advance for any assistance.
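Two of the checks joe's advice implies, as an added example written for this page (not the poster's code): what runs as LocalSystem on each DC of the domain from outside the Windows directory, how the Domain Admins and Enterprise Admins rosters compare, and which accounts carry sIDHistory values with privileged RIDs, since that attribute came up in the thread. It assumes the ActiveDirectory module, CIM/WMI access to the DCs, and that the forest root domain is reachable by name; the path filter is a heuristic for third-party agents, not a whitelist.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# WMI/CIM access to every DC of the current domain; run as a domain admin.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Services running as LocalSystem on each DC whose binary lives outside
#    \Windows: a heuristic for third-party agents (AV, backup, monitoring,
#    update). Whoever can change these binaries or their config owns the DC.
$agents = foreach ($dc in Get-ADDomainController -Filter *) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $dc.HostName |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName -notmatch '\\Windows\\' } |
        Select-Object @{ n = 'DC'; e = { $dc.HostName } }, Name, StartMode, State, PathName
}
$agents | Format-Table -AutoSize

# 2. Domain Admins of this domain against Enterprise Admins of the forest
#    root, compared by DN (unique across the forest). joe's target: the same
#    small set of people on both lists, under one management chain.
$da = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
            Select-Object -ExpandProperty DistinguishedName)
$ea = @(Get-ADGroupMember -Identity 'Enterprise Admins' -Server $forest.RootDomain -Recursive |
            Select-Object -ExpandProperty DistinguishedName)
"Domain Admins: $($da.Count)   Enterprise Admins: $($ea.Count)"
Compare-Object -ReferenceObject $da -DifferenceObject $ea |
    ForEach-Object { "{0} {1}" -f $_.SideIndicator, $_.InputObject }   # <= only DA, => only EA

# 3. Every sIDHistory value in the domain, flagged when the RID is a well-known
#    privileged one (500 Administrator, 512 Domain Admins, 518 Schema Admins,
#    519 Enterprise Admins). Normal after a migration, but each value is an
#    extra identity the account holds, so every entry should be explainable.
$privRids = '500', '512', '518', '519'
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, sAMAccountName |
    ForEach-Object {
        foreach ($h in $_.sIDHistory) {
            # the module normally returns SecurityIdentifier objects; accept raw bytes too
            $sid = if ($h -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($h, 0) } else { $h }
            $rid = ($sid.Value -split '-')[-1]
            [pscustomobject]@{
                Account       = $_.sAMAccountName
                HistorySid    = $sid.Value
                PrivilegedRid = $privRids -contains $rid
                SameForest    = $forest.Domains -contains $domain.DNSRoot   # placeholder column; see note
            }
        }
    } | Sort-Object PrivilegedRid -Descending | Format-Table -AutoSize
```

Section 1 is the one to run on a schedule: a new non-Windows LocalSystem service on a DC is exactly the "managed by someone outside the domain admin group" case joe warns about. Section 3 deliberately lists everything rather than only the privileged hits; a sIDHistory value you cannot trace to a documented migration is the finding, whatever its RID (the SameForest column is a placeholder that always reads true for the current domain and can be replaced with a lookup of the history SID's domain prefix against the forest's domain SIDs).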

RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

2004-05-13 Thread Myrick, Todd (NIH/CIT)
Joe the account doesn't exist in the child domain, and I haven't found a
reference to it in any domains.

The GC entry points to NTDS://IC.NIH.GOV/Users/ when I use the AD Search
command.  So the entry in the GCs thinks the account is located in the child
domain where there is no account for that user any longer.

Any idea how to scrub the GCs? I have tried using LDP like the Q articles
say, but it seems once a GC thinks an entry is in a specific location, it
really has a hard time wanting to get rid of it.

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Todd are you absolutely positive it doesn't exist in AD or maybe it simply
isn't in the location you are expecting? The -1 issue is as Al indicated an
ADC match issue. It sees something on the AD side and can't match it to the
5.5 side so it creates an object in 5.5. Then depending on how your ADC is
configured it can pop something back on the AD side. Usually the ADC is
configured to be able to create objects in certain OUs/containers that may be
different from where you are used to looking.

I would also check multiple DCs in that child domain for the object. Most
likely I would test every DC. Here is a little perl script that makes that
fairly easy...

$domain=shift;
$command=shift;

print "\nALLDC V01.00.00pl Joe Richards ([EMAIL PROTECTED]) November 2001\n\n";
if (!$domain or !$command)
 {
  print "USAGE: ALLDC domain command\n\n";
  exit;
 }

# nltest prints one DC per line, e.g.
#   DC1.JOE.COM [PDC]  [DS] Site: Default-First-Site-Name
@output=`nltest /dclist:$domain 2>&1`;

# keep the lines that name a DC, then reduce each to the bare host name
@tmp=grep(/site/i,@output);
chomp @tmp;
map($_=~s/^\s*([\w.-]+).*/$1/,@tmp);
map($_=uc($_),@tmp);

print "Domain: $domain\n";
print "Command: $command\n";
$cnttot=0;
foreach $this (sort @tmp)
 {
  $cnttot++;
  print "  $this...\n";
  # <DC> is the substitution token (assumed here; the original token was
  # lost when the message was archived): every <DC> in the command is
  # replaced with the current DC name
  $tmpcmd=$command;
  $tmpcmd=~s/<DC>/$this/ig;
  print "[$tmpcmd]\n";
  @output=`$tmpcmd 2>&1`;
  print "@output\n";
  print "x"x80,"\n\n";
 }

print "\n";
print "Total Domain Controllers: $cnttot\n";

Note that this is a very quick and dirty script, just intended to give some
quick functionality to do something against all DCs in a domain.

Anyway I would do something like

alldc domain.com "adfind -h <DC> -default -f name=idname -dn"

If you need to put quotes in the command you want to run against every
server then do it something like

alldc domain.com "adfind -h <DC> -default -f \"name=idname\" -dn"

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, May 12, 2004 7:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?


I tried what is described in the KB 314282 article, but only tried it on
port 389 like the instructions said.

The problem I have is that the object and GUID no longer exist at all in the
original child domain.  So I am wondering, since it is all the GCs that have
the lingering read-only object, should I run the clean-up process using LDP
and the RemoveLingeringObjects option on the GCs on port 3268?  I tried
doing it on port 389, and it didn't work.

I will definitely post my results once I figure out how to do this.

Todd

From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 12, 2004 4:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

Todd-

Not sure if this will work for you or not:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314282

There was a similar thread back in January or so; this is the tail end
http://www.mail-archive.com/[EMAIL PROTECTED]/msg13088.html and you can do
alternate searches to get the full discussion. Good luck...

Hunter

From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 12, 2004 2:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

There appears to be two entries for User in the AD Global Catalogues.  The
one account appears to have been ADC'ed & unADC'ed "Doe, John (XYZ)" at some
point, the other account appears to have been ADC'ed, but then deleted (never
un-ADC'ed) "Doe, John (XYZCORP)-1".  Both accounts appear in our Domain's GC,
and all the child domain GCs except the child domain where the account
originated.  The "Doe, John (XYZ)" exists in their GC, but not the "Doe, John
(XYZCORP)-1".  Both accounts were homed in the child domain, just one got
deleted, the other didn't.

We are now trying to ADC a mailbox in the parent domain, to a different
account altogether.  The ADC process is failing because it seems to still
think the mailbox we are ADCing is linked to "Doe, John (XYZCORP)-1".

This account no longer exists in the child domain, and we don't know how to
unADC an account that doesn't exist.

Any help would be appreciated

Todd

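A way to locate every copy of the object Todd is chasing, as an added example written for this page (not the thread's own code): it asks each DC in the forest for the object by name on the domain-partition port (389) and, on GCs, on the GC port (3268). A name that shows up on a GC's 3268 but on no DC's 389 in its home domain is the lingering read-only copy. It assumes the ActiveDirectory module and LDAP reachability to every DC; the display name is the one from Todd's message, and because it contains parentheses the LDAP filter value has to be escaped, which the small helper does.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# LDAP access to every DC on 389 and 3268.
Import-Module ActiveDirectory

# RFC 4515 escaping: the name Todd quotes contains "(" and ")", which would
# otherwise be parsed as filter syntax.
function ConvertTo-LdapFilterValue([string]$s) {
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

$name   = 'Doe, John (XYZCORP)-1'
$filter = "(name=$(ConvertTo-LdapFilterValue $name))"

$report = foreach ($dom in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $dom) {
        # writable copy: the DC's own domain partition (default naming context)
        $rw = Get-ADObject -Server "$($dc.HostName):389" -LDAPFilter $filter -ErrorAction SilentlyContinue
        # read-only copy: the GC partition holds every domain, so search from the empty base
        $gc = $null
        if ($dc.IsGlobalCatalog) {
            $gc = Get-ADObject -Server "$($dc.HostName):3268" -SearchBase '' -SearchScope Subtree `
                               -LDAPFilter $filter -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            DC     = $dc.HostName
            Domain = $dom
            IsGC   = $dc.IsGlobalCatalog
            On389  = @($rw).Count
            On3268 = @($gc).Count
            DNs    = @(@($rw) + @($gc) | ForEach-Object DistinguishedName | Sort-Object -Unique) -join '; '
            GUIDs  = @(@($rw) + @($gc) | ForEach-Object ObjectGUID | Sort-Object -Unique) -join '; '
        }
    }
}
$report | Format-Table -AutoSize
```

Read the table by GUID, not by name: the "-1" object and the surviving "(XYZ)" object are different GUIDs, and a GUID that appears only in On3268 rows is the lingering object. Those GCs are the ones to run the rootDSE RemoveLingeringObject operation from KB 314282 against (the LDP procedure the thread references), naming a DC of the object's home domain as the authoritative source.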

RE: [ActiveDir] A root dc question

2004-05-13 Thread joe
Anyone with rights to get to mess with any domain controller in a forest can
compromise the forest, again a domain is not a security boundary. Someone
may not have the knowledge which appears to be the case here (and I am not
going to give that knowledge out), but it is possible just the same. 

This falls in line with something I said earlier to another post... Just
because someone doesn't know how to get around certain security precautions
doesn't mean others don't. A domain controller is a very special device on a
network, if compromised, you could have a forest wide issue. 

The number of domain admins in a forest honestly should equal the number of
enterprise admins in the forest. That number should be small. Less than 10
at the largest. Less than 5 is much better. They should also all be under
the same management chain and even better sit within walking distance of
each other so everyone is on the same page.

I often hear that can't be done... Sure it can. I've done it in a rather
large globally distributed company. The delegation model is very strong in
AD, most people should have delegated rights. Just takes work.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

1. What do you mean by "an admin in any domain has the power of being an
Enterprise Admin"? I, being a domain admin of a child domain, do not have the
power to put myself into the Enterprise Admins group. A domain or enterprise
admin in the root domain would have to do that for me.
 
Also, as a domain admin in a child domain, I'm kinda limited to the damage I
could do to the forest, no? I mean, I could screw up my domain royally, but I
can't really do anything to screw up the forest (and completely hosing my
domain would only cause replication errors generated in event logs and some
repointing of Exchange servers to different GCs). I can't modify the schema
or install an app that does it for me. I can't link a wrong-headed GPO to a
site or create one on the root or any other domain. I can't create a site or
subnet.
And if I crashed and burned all my DCs, wouldn't AD remove them permanently
after 60 days?

I'm sorry to belabour the point here and waste your time, but I really want
to make a good case for our IT dept to have enterprise admin access and show
why multiple separate domain admins for multiple domains is not a good idea,
as well as further my knowledge of what can and can't be done and what can
and can't be screwed up.
I'd like to convince everyone that playing nice is in our best interest.
Thanks, and again, I apologize for rehashing old posts.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Wow this is like déjà vu, I swear we went through this whole thought process
a month or two ago on here

The quick summary (no I will not spout the whole thing, it should be in the
archives) of what I recall

1. An admin in any domain has the power of being an Enterprise Admin,
domains ARE NOT security boundaries. Each child domain should not have
different admins because that can result in chaos and possible danger to the
entire forest.

2. You can not do DR testing with just a child domain. 

3. Either your corp IT has to be involved with your DR testing or you should
redesign into multiple forests. 



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 12, 2004 4:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc question

My apologies if this seems basic and/or silly.


Aside from creating new domains or modifying the schema, why would an admin
need access to the root DC of a forest (the schema and domain naming master)?
Furthermore, why would an admin in a child domain need enterprise admin
privileges?

I only ask because we had issues with our test DR run wherein we didn't have
access to the root domain and/or a test root domain VMware'd on a laptop, and
it ended miserably.
I am in the process of convincing the higher-ups in my corp of letting our
IT dept have enterprise admin access.
I'd like to make a case for us as to why we would need this account with
concrete examples (aside from the DR one), ones that a semi tech-aware CIO
could relate to.
What other compelling reasons would one need these rights for in day-to-day
(or not so day-to-day) AD administration?

We are a multi-domain (14) Win2k forest in mixed mode with Exchange 2k in
native mode.

Thank you in advance for any assistance.

[ActiveDir] Enumerating DCs from a workstation that is not member of domain.

2004-05-13 Thread AD
Hey Guys,
 
I am looking for a vb script or vb.net code that would return domain controllers 
(names or ip addresses) of a specific domain name on a workstation that is NOT member 
of the domain.
 
When you add a computer to a domain (right click "my computer", properties, Computer 
Name, Change) you specify a domain name. When you click on ok it will ask you for a 
username and password right? When you click "ok" the computer must talk with a domain 
controller to add your computer to the domain right? I basically need that 
functionality. 
 
Thank you in advance.
 
 
Yves St-Cyr
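The lookup that a domain join performs under the covers, as an added example written for this page (it is not code from the post): DCs advertise themselves through DNS SRV records, so a machine that is not a member of the domain can enumerate them with nothing but access to the domain's DNS zone; the .NET call at the end is what VB.NET code would use. It assumes the domain name example.com and the DnsClient module (Windows 8 / Server 2012 and later); the .NET bind additionally assumes a domain account, because the machine has none of its own.

```powershell
# Added example, not from the post. Assumes the domain name example.com and
# that this (non-member) machine can resolve the domain's DNS zone.
$domain = 'example.com'

# 1. DNS only, no membership or credentials needed: every DC registers an SRV
#    record under _ldap._tcp.dc._msdcs.<domain>. Lower priority wins; weight
#    load-balances within a priority.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Sort-Object Priority, Weight |
    Select-Object NameTarget, Port, Priority, Weight

# Variants: DCs of one site, and global catalogs
#   Resolve-DnsName "_ldap._tcp.<site>._sites.dc._msdcs.$domain" -Type SRV
#   Resolve-DnsName "_gc._tcp.$domain" -Type SRV

# 2. The DC locator itself, usable from a workgroup machine: returns the one
#    DC a join or logon would pick right now.
nltest /dsgetdc:$domain /force

# 3. From script, via System.DirectoryServices (what VB.NET would call);
#    binding needs a domain credential since the machine is not a member.
Add-Type -AssemblyName System.DirectoryServices
$cred = Get-Credential -Message "account in $domain"
$ctx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
            'Domain', $domain, $cred.UserName, $cred.GetNetworkCredential().Password)
[System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).FindAllDomainControllers() |
    Select-Object Name, IPAddress, SiteName
```

Step 1 is the security-relevant one: the full DC list of a domain is readable by anyone who can query its DNS, which is why internal zones should not be resolvable from outside.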


RE: [ActiveDir] A root dc question

2004-05-13 Thread Roger Seielstad
You'd be very, very wrong. Through *standard* practices, you're correct.
However, you have sufficient rights to force an escalation of privileges
and insert your account into the Enterprise Admins group.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: Kern, Tom [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, May 13, 2004 9:16 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> 1. What do you mean by "an admin in any domain has the power 
> of being an Enterprise Admin"? I, being a domain admin of a 
> child domain, do not have the power to put myself into the 
> Enterprise Admins group. A domain or enterprise admin in the 
> root domain would have to do that for me.
>  
> Also, as a domain admin in a child domain, I'm kinda limited 
> to the damage I could do to the forest, no? I mean, I could 
> screw up my domain royally, but I can't really do anything to 
> screw up the forest (and completely hosing my domain would 
> only cause replication errors generated in event logs and 
> some repointing of Exchange servers to different GCs). I 
> can't modify the schema or install an app that does it for 
> me. I can't link a wrong-headed GPO to a site or create one 
> on the root or any other domain. I can't create a site or subnet.
> And if I crashed and burned all my DCs, wouldn't AD remove 
> them permanently after 60 days?
> 
> I'm sorry to belabour the point here and waste your time, but 
> I really want to make a good case for our IT dept to have 
> enterprise admin access and show why multiple separate domain 
> admins for multiple domains is not a good idea, as well as 
> further my knowledge of what can and can't be done and what 
> can and can't be screwed up.
> I'd like to convince everyone that playing nice is in our 
> best interest.
> Thanks, and again, I apologize for rehashing old posts.
> 
> -Original Message-
> From: joe [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 8:34 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
> 
> 
> Wow this is like déjà vu, I swear we went through this whole 
> thought process
> a month or two ago on here
> 
> The quick summary (no I will not spout the whole thing, it 
> should be in the
> archives) of what I recall
> 
> 1. An admin in any domain has the power of being an Enterprise Admin,
> domains ARE NOT security boundaries. Each child domain should not have
> different admins because that can result in chaos and 
> possible danger to the
> entire forest.
> 
> 2. You can not do DR testing with just a child domain. 
> 
> 3. Either your corp IT has to be involved with your DR 
> testing or you should
> redesign into multiple forests. 
> 
> 
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Wednesday, May 12, 2004 4:37 PM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] A root dc question
> 
> My apologies if this seems basic and/or silly.
> 
> 
> Aside from creating new domains or modifying the schema, why 
> would an admin need access to the root DC of a forest (the 
> schema and domain naming master)?
> Furthermore, why would an admin in a child domain need 
> enterprise admin privileges?
> 
> I only ask because we had issues with our test DR run wherein 
> we didn't have access to the root domain and/or a test root 
> domain VMware'd on a laptop, and it ended miserably.
> I am in the process of convincing the higher-ups in my corp 
> of letting our IT dept have enterprise admin access. 
> I'd like to make a case for us as to why we would need this 
> account with concrete examples (aside from the DR one), ones 
> that a semi tech-aware CIO could relate to. 
> What other compelling reasons would one need these rights for 
> in day-to-day (or not so day-to-day) AD administration? 
> 
> We are a multi-domain (14) Win2k forest in mixed mode with 
> Exchange 2k in native mode.
> 
> Thank you in advance for any assistance.
> 


RE: [ActiveDir] DNS issues?

2004-05-13 Thread Strand, Ted



One issue that we have seen is that some ACL/Rulesets do not allow large
packet sizes for DNS packets.  Of course Windows Server 2003 enables large
packets by default.  We had this problem with some of our other offices in
other countries.  The fix was easy from the Microsoft side.  Get a copy of
the DNSCMD tool from Microsoft and then use the following command on your DNS
servers.  DNSCMD /Config /EnableEDNSProbes 0

This will force the DNS server to use standard size DNS packets.  By the way
this also resolved some flaky customer name resolutions we were experiencing.

-Ted-



From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS issues?

Do a network trace and actually look to see if your machine is doing the
right thing and if requests being sent out are being responded to.

   joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd L. Graham
Sent: Thursday, May 13, 2004 8:30 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS issues?

I have a problem with my DNS over the WAN and VPN.  Here is the issue.  For
some reason DNS will not resolve names over the WAN, or VPN.  I can only
connect to resources by IP address.  This problem started when I upgraded my
network in January.  We switched to a Cisco IP phone system along with all
Cisco gear (VPN concentrator, PIX firewall, switches, routers...lots of money
spent).  We also upgraded our network at the same time from W2k to Server
2003.  We have a Point to Point T between our sites and a T1 for internet
access here.  We have about 30 people who VPN into the network on the VPN
concentrator.  Our AD (I actually run all IT for 3 companies, same owners) is
one Root domain with 3 child domains, 1 for each company.  All common
resources and user accounts are in the root. Computer accounts and private
resources are in each child domain.  The child domains share nothing. Due to
the phone system we have several VLANs: one for voice, VPN, Guest, and
computer network.

When I am at the other location I can't browse the network, or attach to
mapped drives from my logon script (they don't even appear).  I can only
attach to resources if I create a new mapped drive by IP address.  When I do
an ipconfig I get all the right DNS servers listed.  I can only ping them by
IP address.  The same situation happens when I VPN from home.  We had DNS
only on the network.  My Cisco vendor told me it's not their gear.  I added
WINS to see if this would help...it did not. Any suggestions on what I could
have configured incorrectly?  Could it be the Cisco routers?

Thank you for the help!

Todd Graham
IT Manager
Urell Inc.
617-600-9355
[EMAIL PROTECTED]

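A quick way to tell Ted's large-packet case apart from a plain "no DNS at all" case before taking joe's network trace, as an added example written for this page (not code from the thread): from the VPN or remote-site client it queries each configured DNS server directly, first for a small A answer and then for the domain's DC SRV set, which grows with the number of DCs and easily exceeds 512 bytes, once UDP-first and once over TCP. It assumes the DnsClient module and the domain name corp.example.

```powershell
# Added example, not from the thread. Assumes the DnsClient module (Windows 8 /
# Server 2012 and later) and the AD domain name corp.example.
$domain = 'corp.example'
$srvName = "_ldap._tcp.dc._msdcs.$domain"   # large answer: one SRV per DC plus glue A records

function Test-DnsPath([string]$dns) {
    # -DnsOnly: skip hosts file / LLMNR / NetBIOS; UDP first, TCP only on truncation
    # -TcpOnly: force TCP, which a firewall rule that drops large UDP does not affect
    $a = try { (Resolve-DnsName -Name $domain -Type A -Server $dns -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress }
         catch { "ERR: $($_.Exception.Message)" }
    $udp = try { @(Resolve-DnsName -Name $srvName -Type SRV -Server $dns -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' }).Count }
           catch { "ERR: $($_.Exception.Message)" }
    $tcp = try { @(Resolve-DnsName -Name $srvName -Type SRV -Server $dns -TcpOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' }).Count }
           catch { "ERR: $($_.Exception.Message)" }
    [pscustomobject]@{ DnsServer = $dns; 'A (small)' = $a; 'SRV via UDP' = $udp; 'SRV via TCP' = $tcp }
}

# every DNS server the client is currently configured with, on any interface
Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique |
    ForEach-Object { Test-DnsPath $_ } | Format-Table -AutoSize
```

Three patterns map to three causes: everything errors, and the VPN or ACL is not passing UDP/TCP 53 to that server at all (ping by IP still works, exactly Todd's symptom); the A query works but the SRV set only succeeds over TCP, and large UDP DNS replies are being dropped on the path, which is the case Ted's EnableEDNSProbes change works around from the server side; everything succeeds, and the problem is not name resolution but the DC locator or the client's DNS suffix list, so the trace joe suggests is the next step.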


RE: [ActiveDir] dns server scavenging processes

2004-05-13 Thread Roger Seielstad
I've never understood why people believe that /ageallrecords will cause
static DNS entries to age off. It simply doesn't happen.

When you edit a statically entered DNS entry, there is a check box, which is
OFF by default, to enable aging. If you check that, it will allow aging of
the records. You'll note that any dynamically registered client has that box
checked.

You can easily test it with a  bogus zone.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: Graham Turner [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, May 13, 2004 8:47 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] dns server scavenging processes
> 
> Dear all, am looking to understand a bit better the processes 
> of windows dns server scavenging processes;
> 
> 1. am I right in my understanding that scavenging does need 
> to be explicitly on a zone if it is enabled at a server level;
> 
> read somewhere that behaviour varies according to 
> AD-integrated zones / primary zones
> 
> documentation throughout seems a little inconsistent on this one
> 
> if then it is enabled at a server level how do you get a zone 
> managed by that server to be 'un-enabled' for scavenging -
> 
> 2. assuming the zone / server is enabled for scavenging have 
> read that if it is enabled subsequent to a record being added / 
> refreshed then those records will not in fact be scavenged ??
> 
> have seen the /ageallrecords on dnscmd - as I read this ages 
> all the records in a zone - including manually entered records ?? 
> which of course are not able to refresh and therefore would 
> ultimately be removed ?
> 
> this would work if of course all records in a zone were from 
> dynamic update capable clients but how do you handle safely the 
> scenario where you have some records that were dynamically added 
> (and have since become stale) that need to be removed without 
> knocking out the manual records ??
> 
> TIA
> 
> GT
> 
> 
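The distinction Roger's reply rests on, as an added example written for this page (not code from the thread): aging is a per-record property, visible as the record's timestamp, so static records (no timestamp) and dynamic ones (timestamped at their last refresh) can be separated, and the dynamic ones that scavenging would actually remove can be listed before anything is deleted, which is GT's scenario of stale dynamic records beside manual ones. It assumes the DnsServer module (Windows Server 2012 and later), the zone name corp.example and the server name dns1.

```powershell
# Added example, not from the thread. Assumes the DnsServer module (Windows
# Server 2012 and later), zone corp.example and DNS server dns1.
$zone   = 'corp.example'
$server = 'dns1'

$records = @(Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $server -RRType A)

# Timestamp is $null on records entered statically with the aging box left
# unchecked; scavenging never considers those. Dynamic registrations carry
# the time of their last refresh.
$static  = @($records | Where-Object { -not $_.Timestamp })
$dynamic = @($records | Where-Object { $_.Timestamp })
"static (never scavenged): {0}   aging: {1}" -f $static.Count, $dynamic.Count

# A record becomes eligible for removal once its timestamp is older than the
# zone's no-refresh + refresh intervals, and only if aging is enabled on the
# zone and scavenging is enabled on at least one server for it.
$aging  = Get-DnsServerZoneAging -Name $zone -ComputerName $server
$cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)
"zone aging enabled: $($aging.AgingEnabled); scavenging servers: $($aging.ScavengeServers -join ', ')"
"dynamic records older than $cutoff (these are what scavenging removes):"
$dynamic | Where-Object { $_.Timestamp -lt $cutoff } |
    Select-Object HostName, Timestamp, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }

# Roger's test, kept away from production: stamp every record in a throwaway
# zone, then re-run the static/aging split above to see which ones changed.
#   dnscmd $server /AgeAllRecords bogus.test /f
#   Set-DnsServerResourceRecordAging -ZoneName bogus.test -ComputerName $server -Recurse -Force
```

The listing of eligible records is the safety net GT asks for: run it, confirm that nothing on it is a hand-maintained name, and only then leave scavenging on; anything hand-maintained that does show up there has aging enabled and should have the box cleared rather than be rescued by disabling scavenging for the whole zone.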


RE: [ActiveDir] View permissions of specific attributes

2004-05-13 Thread Coleman, Hunter
In ADUC, pull up the properties on the object. Click on the Security tab
(make sure that View->Advanced Features is turned on). Click on the Advanced
button. Find the entry for the user or group you want to check on in the
Permission Entries list, then click View. In the Permission Entry window,
click on the Properties tab... is this what you're after?

If you don't see the specific attribute you're looking for, then it may not
appear in the list by default. You can edit the dssec.dat file on the
machine running ADUC to change what attributes show up in the list.
http://support.microsoft.com/?kbid=296490

Hunter 

-Original Message-
From: David Adner [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 13, 2004 6:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] View permissions of specific attributes

Unless I'm missing it, I don't see where it shows specific attributes for
the object...? 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Carlos 
> Magalhaes
> Sent: Thursday, May 13, 2004 02:36
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] View permissions of specific attributes
> 
> Have you also thought of running dsacls.exe (the latest version is the 
> version that comes with ADAM) You can specify a path i.e.
> dsacls.exe /domain: , you can also specify a specific 
> Active Directory path that  can be denoted by prepending 
> \\server[:port]\ to the object, as in
> 
>   \\ADSERVER\CN=John
> Doe,OU=Software,OU=Engineering,DC=Widget,DC=US
> 
> Carlos Magalhaes - AD programming ? -
> http://groups.yahoo.com/group/adsianddirectoryservices
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gil 
> Kirkpatrick
> Sent: Thursday, May 13, 2004 6:29 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] View permissions of specific attributes
> 
> Use adsiedit, right click on an object, select Properties, then select 
> the Security tab. You'll see the security descriptor information 
> there.
> 
> -gil
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
> Sent: Wednesday, May 12, 2004 7:09 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] View permissions of specific attributes
> 
> I must just be missing something, but I can't seem to find out how to 
> view the permissions a user has to a specific object's attributes.  
> I've been looking in adsiedit, ldp, dsacls... Am I close?  :)
> 
> I'm trying to verify a user has the necessary permissions to modify 
> certain object attributes.  Any help is appreciated.  Thx
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] A root dc question

2004-05-13 Thread Depp, Dennis M.
If I recall correctly, a domain admin in a child domain can use the SID history function to gain access to the parent domain. Once he has access to the parent domain, he can then add himself to the Enterprise Admins group. The part about "use the SID history function to gain access" is somewhat of a mystery to me (almost like magic). However, I do believe it is possible.

Your damage is limited to the child domain unless you use the SID history feature (i.e. magic) to hack into the parent domain.

Denny 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

1. What do you mean by "an admin in any domain has the power of being an Enterprise admin"? I, being a domain admin of a child domain, do not have the power to put myself into the Enterprise Admins group. A domain or enterprise admin in the root domain would have to do that for me.

Also, as a domain admin in a child domain, I'm kinda limited to the damage I could do to the forest, no? I mean, I could screw up my domain royally, but I can't really do anything to screw up the forest (and completely hosing my domain would only cause replication errors generated in event logs and some repointing of Exchange servers to different GCs). I can't modify the schema or install an app that does it for me. I can't link a wrong-headed GPO to a site or create one on the root or any other domain. I can't create a site or subnet.
And if I crashed and burned all my DCs, wouldn't AD remove them permanently after 60 days?

I'm sorry to belabour the point here and waste your time, but I really want to make a good case for our IT dept to have enterprise admin access and show why multiple separate domain admins for multiple domains is not a good idea, as well as further my knowledge of what can and can't be done and what can and can't be screwed up.
I'd like to convince everyone that playing nice is in our best interest.
Thanks, and again, I apologize for rehashing old posts.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Wow this is like déjà vu, I swear we went through this whole thought process
a month or two ago on here

The quick summary (no I will not spout the whole thing, it should be in the
archives) of what I recall

1. An admin in any domain has the power of being an Enterprise Admin,
domains ARE NOT security boundaries. Each child domain should not have
different admins because that can result in chaos and possible danger to the
entire forest.

2. You can not do DR testing with just a child domain. 

3. Either your corp IT has to be involved with your DR testing or you should
redesign into multiple forests. 



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 12, 2004 4:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc question

My apologies if this seems basic and/or silly.


Aside from creating new domains or modifying the schema, why would an admin
need access to the root DC of a forest (the schema and domain naming master)?
Furthermore, why would an admin in a child domain need enterprise admin
privileges?

I only ask because we had issues with our test DR run wherein we didn't have
access to the root domain and/or a test root domain VMware'd on a laptop and
it ended miserably.
I am in the process of convincing the higher-ups in my corp to let our
IT dept have enterprise admin access.
I'd like to make a case for us as to why we would need this account with
concrete examples (aside from the DR one), ones that a semi tech-aware CIO
could relate to.
What other compelling reasons would one need these rights for in day-to-day
(or not so day-to-day) AD administration?

We are a multi-domain (14) Win2k forest in mixed mode with Exchange 2000 in
native mode.

Thank you in advance for any assistance.


RE: [ActiveDir] View permissions of specific attributes

2004-05-13 Thread joe
The tools won't show you the specific permissions for every attribute. You
actually will have to look at all the permissions for the overall object and
any property set the attribute may be a part of.

For instance telephoneNumber is a member of the Personal Information
property set so in order to find out what perms people have for
telephoneNumber you will have to look at any permissions set on the whole
object and anything set for Personal Information. So looking at an object in
my test forest I see the following ACL Dump


Access list:
Effective Permissions on this object are:
Allow JOE\Domain Admins   FULL CONTROL
Allow BUILTIN\Account Operators   FULL CONTROL
Allow NT AUTHORITY\Authenticated UsersSPECIAL ACCESS
  READ PERMISSONS
Allow NT AUTHORITY\SELF   SPECIAL ACCESS
  READ PERMISSONS
  LIST CONTENTS
  READ PROPERTY
  LIST OBJECT
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow BUILTIN\Administrators  SPECIAL ACCESS

  DELETE
  READ PERMISSONS
  WRITE PERMISSIONS
  CHANGE OWNERSHIP
  CREATE CHILD
  LIST CONTENTS
  WRITE SELF
  WRITE PROPERTY
  READ PROPERTY
  LIST OBJECT
  CONTROL ACCESS
Allow JOE\Enterprise Admins   FULL CONTROL   
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS

  LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS

  READ PERMISSONS
  LIST CONTENTS
  READ PROPERTY
  LIST OBJECT
Allow JOE\RAS and IAS Servers SPECIAL ACCESS for Account
Restrictions
  READ PROPERTY
Allow JOE\RAS and IAS Servers SPECIAL ACCESS for Logon
Information
  READ PROPERTY
Allow JOE\RAS and IAS Servers SPECIAL ACCESS for Group
Membership
  READ PROPERTY
Allow JOE\RAS and IAS Servers SPECIAL ACCESS for Remote
Access Information
  READ PROPERTY
Allow JOE\Cert Publishers SPECIAL ACCESS for
userCertificate
  WRITE PROPERTY
  READ PROPERTY
Allow BUILTIN\Windows Authorization Access Group  SPECIAL ACCESS for
tokenGroupsGlobalAndUniversal
  READ PROPERTY
Allow BUILTIN\Terminal Server License Servers SPECIAL ACCESS for
terminalServer
  WRITE PROPERTY
  READ PROPERTY
Allow NT AUTHORITY\Authenticated UsersSPECIAL ACCESS for General
Information
  READ PROPERTY
Allow NT AUTHORITY\Authenticated UsersSPECIAL ACCESS for Public
Information
  READ PROPERTY
Allow NT AUTHORITY\Authenticated UsersSPECIAL ACCESS for
Personal Information
  READ PROPERTY
Allow NT AUTHORITY\Authenticated UsersSPECIAL ACCESS for Web
Information
  READ PROPERTY
Allow NT AUTHORITY\SELF   SPECIAL ACCESS for
Personal Information
  WRITE PROPERTY
  READ PROPERTY
Allow NT AUTHORITY\SELF   SPECIAL ACCESS for Phone
and Mail Options
  WRITE PROPERTY
  READ PROPERTY
Allow NT AUTHORITY\SELF   SPECIAL ACCESS for Web
Information
  WRITE PROPERTY
  READ PROPERTY
Allow BUILTIN\Pre-W
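As an added example (not part of joe's post, and not a Microsoft tool), the following Python script does by hand what joe describes: it parses a dsacls-style dump, picks out the ACEs that actually apply to one attribute (whole-object ACEs, ACEs on the attribute itself, and ACEs on any property set that contains it) and reports who holds a given right on it. The dump, the EXAMPLE domain, the trustees and the property-set map are constructed for the example; only telephoneNumber's membership in Personal Information comes from the post. The deny-beats-allow rule and the lack of group expansion are a stated simplification, not dsacls semantics.

```python
# Added example (not from the original post): given a dsacls-style dump, list
# the ACEs that govern one attribute and work out who holds a right on it.
# Whole-object ACEs, ACEs on the attribute itself, and ACEs on any property
# set containing the attribute all apply, which is why no single row in the
# dump answers "who can write telephoneNumber".
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed dsacls-style output (EXAMPLE domain and trustees are made up;
# "READ PERMISSONS" is spelled the way dsacls prints it).
SAMPLE_DUMP = r"""
Access list:
Effective Permissions on this object are:
Allow EXAMPLE\Domain Admins             FULL CONTROL
Allow NT AUTHORITY\SYSTEM               FULL CONTROL
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
                                        READ PERMISSONS
Allow NT AUTHORITY\SELF                 SPECIAL ACCESS
                                        READ PERMISSONS
                                        LIST CONTENTS
                                        READ PROPERTY
                                        LIST OBJECT
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS for Personal Information
                                        READ PROPERTY
Allow NT AUTHORITY\SELF                 SPECIAL ACCESS for Personal Information
                                        WRITE PROPERTY
                                        READ PROPERTY
Allow EXAMPLE\Cert Publishers           SPECIAL ACCESS for userCertificate
                                        WRITE PROPERTY
                                        READ PROPERTY
Deny  EXAMPLE\Helpdesk                  SPECIAL ACCESS for Personal Information
                                        WRITE PROPERTY
Allow EXAMPLE\Helpdesk                  SPECIAL ACCESS
                                        WRITE PROPERTY
                                        READ PROPERTY
"""

# Partial, constructed property-set map. telephoneNumber in Personal
# Information is the case named in the post; in a real forest read the
# membership from attributeSecurityGUID in the schema instead of hard-coding it.
PROPERTY_SETS = {
    "Personal Information": {"telephoneNumber", "homePhone", "streetAddress"},
}

ACE_RE = re.compile(
    r"^(Allow|Deny)\s+(.*?)\s+(FULL CONTROL|SPECIAL ACCESS)"
    r"(?:\s+for\s+(.+?))?\s*$"
)


@dataclass
class Ace:
    kind: str                 # "Allow" or "Deny"
    trustee: str
    scope: Optional[str]      # None = whole object, else attribute or property set
    rights: set = field(default_factory=set)


def parse_dsacls(text):
    """Turn the dump into Ace records; indented lines are the rights that
    belong to the preceding Allow/Deny line."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            kind, trustee, access, scope = m.groups()
            rights = {"FULL CONTROL"} if access == "FULL CONTROL" else set()
            aces.append(Ace(kind, trustee, scope, rights))
        elif aces and raw.startswith(" ") and raw.strip():
            aces[-1].rights.add(raw.strip())
    return aces


def scopes_for(attribute, property_sets):
    """Scopes whose ACEs apply to `attribute`: the whole object (None), the
    attribute itself, and every property set that contains it."""
    scopes = {None, attribute}
    scopes.update(p for p, members in property_sets.items() if attribute in members)
    return scopes


def aces_for_attribute(aces, attribute, property_sets):
    scopes = scopes_for(attribute, property_sets)
    return [a for a in aces if a.scope in scopes]


def who_can(aces, attribute, right, property_sets):
    """Trustees holding `right` on `attribute`. FULL CONTROL implies every
    right; a Deny on any applicable scope overrides an Allow. Simplification
    (assumed here, not dsacls semantics): no group expansion, no inheritance order."""
    allowed, denied = set(), set()
    for ace in aces_for_attribute(aces, attribute, property_sets):
        if "FULL CONTROL" in ace.rights or right in ace.rights:
            (allowed if ace.kind == "Allow" else denied).add(ace.trustee)
    return allowed - denied


if __name__ == "__main__":
    aces = parse_dsacls(SAMPLE_DUMP)
    for attr in ("telephoneNumber", "userCertificate"):
        for right in ("READ PROPERTY", "WRITE PROPERTY"):
            print(f"{attr:16} {right:14} -> {sorted(who_can(aces, attr, right, PROPERTY_SETS))}")
```

Run against a real dump, the interesting rows are the ones `aces_for_attribute` keeps that do not name the attribute at all: the object-wide WRITE PROPERTY grant to the constructed Helpdesk group would let it write telephoneNumber were it not for the Deny on Personal Information, and it still writes userCertificate because that attribute is outside the denied property set.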

RE: [ActiveDir] DNS issues?

2004-05-13 Thread Roger Seielstad



When you say you're getting the "correct" DNS servers, what do you mean?

Also, are you replicating DNS zones for the child domains between sites? It strikes me like what's really happening is that your child domains don't hold each other's DNS zones, so you can only see the local info.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

  
  
  From: Todd L. Graham [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 13, 2004 8:30 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] DNS issues?

  I have a problem with my DNS over the WAN and VPN. Here is the issue. For some reason DNS will not resolve names over the WAN or VPN. I can only connect to resources by IP address. This problem started when I upgraded my network in January. We switched to a Cisco IP phone system along with all Cisco gear (VPN concentrator, PIX firewall, switches, routers... lots of money spent). We also upgraded our network at the same time from W2k to Server 2003. We have a point-to-point T between our sites and a T1 for internet access here. We have about 30 people who VPN into the network on the VPN concentrator. Our AD (I actually run all IT for 3 companies, same owners) is one root domain with 3 child domains, 1 for each company. All common resources and user accounts are in the root. Computer accounts and private resources are in each child domain. The child domains share nothing. Due to the phone system we have several VLANs: one each for voice, VPN, guest, and the computer network.

  When I am at the other location I can't browse the network, or attach to mapped drives from my logon script (they don't even appear). I can only attach to resources if I create a new mapped drive by IP address. When I do an ipconfig I get all the right DNS servers listed. I can only ping them by IP address. The same situation happens when I VPN from home. We had DNS only on the network. My Cisco vendor told me it's not their gear. I added WINS to see if this would help... it did not. Any suggestions on what I could have configured incorrectly? Could it be the Cisco routers?

  Thank you for the help!

  Todd Graham
  IT Manager
  Urell Inc.
  617-600-9355
  [EMAIL PROTECTED]
   


RE: [ActiveDir] DNS issues?

2004-05-13 Thread Charlie Kaiser



What happens when you run NSLookup? Can you resolve names from your listed DNS servers?
How about NetDiag?
Sounds like perhaps DNS traffic might be being blocked?

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

  
  -Original Message-
  From: Todd L. Graham [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 13, 2004 5:30 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] DNS issues?

  I have a problem with my DNS over the WAN and VPN. Here is the issue. For some reason DNS will not resolve names over the WAN or VPN. I can only connect to resources by IP address. This problem started when I upgraded my network in January. We switched to a Cisco IP phone system along with all Cisco gear (VPN concentrator, PIX firewall, switches, routers... lots of money spent). We also upgraded our network at the same time from W2k to Server 2003. We have a point-to-point T between our sites and a T1 for internet access here. We have about 30 people who VPN into the network on the VPN concentrator. Our AD (I actually run all IT for 3 companies, same owners) is one root domain with 3 child domains, 1 for each company. All common resources and user accounts are in the root. Computer accounts and private resources are in each child domain. The child domains share nothing. Due to the phone system we have several VLANs: one each for voice, VPN, guest, and the computer network.

  When I am at the other location I can't browse the network, or attach to mapped drives from my logon script (they don't even appear). I can only attach to resources if I create a new mapped drive by IP address. When I do an ipconfig I get all the right DNS servers listed. I can only ping them by IP address. The same situation happens when I VPN from home. We had DNS only on the network. My Cisco vendor told me it's not their gear. I added WINS to see if this would help... it did not. Any suggestions on what I could have configured incorrectly? Could it be the Cisco routers?

  Thank you for the help!

  Todd Graham
  IT Manager
  Urell Inc.
  617-600-9355
  [EMAIL PROTECTED]
   


RE: [ActiveDir] A root dc question

2004-05-13 Thread Kern, Tom
1. What do you mean by "an admin in any domain has the power of being an Enterprise admin"? I, being a domain admin of a child domain, do not have the power to put myself into the Enterprise Admins group. A domain or enterprise admin in the root domain would have to do that for me.

Also, as a domain admin in a child domain, I'm kinda limited to the damage I could do to the forest, no? I mean, I could screw up my domain royally, but I can't really do anything to screw up the forest (and completely hosing my domain would only cause replication errors generated in event logs and some repointing of Exchange servers to different GCs). I can't modify the schema or install an app that does it for me. I can't link a wrong-headed GPO to a site or create one on the root or any other domain. I can't create a site or subnet.
And if I crashed and burned all my DCs, wouldn't AD remove them permanently after 60 days?

I'm sorry to belabour the point here and waste your time, but I really want to make a good case for our IT dept to have enterprise admin access and show why multiple separate domain admins for multiple domains is not a good idea, as well as further my knowledge of what can and can't be done and what can and can't be screwed up.
I'd like to convince everyone that playing nice is in our best interest.
Thanks, and again, I apologize for rehashing old posts.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Wow this is like déjà vu, I swear we went through this whole thought process
a month or two ago on here

The quick summary (no I will not spout the whole thing, it should be in the
archives) of what I recall

1. An admin in any domain has the power of being an Enterprise Admin,
domains ARE NOT security boundaries. Each child domain should not have
different admins because that can result in chaos and possible danger to the
entire forest.

2. You can not do DR testing with just a child domain. 

3. Either your corp IT has to be involved with your DR testing or you should
redesign into multiple forests. 



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 12, 2004 4:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc question

My apologies if this seems basic and/or silly.


Aside from creating new domains or modifying the schema, why would an admin
need access to the root DC of a forest (the schema and domain naming master)?
Furthermore, why would an admin in a child domain need enterprise admin
privileges?

I only ask because we had issues with our test DR run wherein we didn't have
access to the root domain and/or a test root domain VMware'd on a laptop and
it ended miserably.
I am in the process of convincing the higher-ups in my corp to let our
IT dept have enterprise admin access.
I'd like to make a case for us as to why we would need this account with
concrete examples (aside from the DR one), ones that a semi tech-aware CIO
could relate to.
What other compelling reasons would one need these rights for in day-to-day
(or not so day-to-day) AD administration?

We are a multi-domain (14) Win2k forest in mixed mode with Exchange 2000 in
native mode.

Thank you in advance for any assistance.


[ActiveDir] UPN Suffixes on OU?

2004-05-13 Thread Michael B. Smith



KB 269441 shows code to retrieve uPNSuffixes from organizationalunit entries?

Say WHAT?

What's that about?
 


RE: [ActiveDir] Simple LDAP Query

2004-05-13 Thread joe
Thanks Brian/Roger for the links. I seem to have gotten someone's attention
and they are working hard on fixing the SMTP situation. We shall see. :o)
 
  joe

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 06, 2004 5:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simple LDAP Query


I use WebHost4Life.com, $10 a month for quite a lot, works great for me.
They occasionally have some problems with their MX records, or the POP3 goes
away for a little while, but as a rule, they're pretty good for non-mission
critical stuff. If you sign up for them, they give me 20% if you use
referral id bccd4130.
 
--Brian

-Original Message- 
From: [EMAIL PROTECTED] on behalf of joe 
Sent: Thu 5/6/2004 7:37 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] Simple LDAP Query


Sorry about the multiple posts on this, no I wasn't trying to be like Guido.
;o)
 
My joeware.net provider is having a tremendous time trying to keep their
outbound SMTP queues flowing and never seem to notice that it is broken
until AFTER I start telling them about it. Inbound is working fine now which
was the problem several months ago. I may have to break down and actually
set up my own email server from home and officially use it, my issue is the
whole dynamic IP thing where some email services like AOL, Hotmail, Etc will
drop those emails as spam automatically. Have looked at a couple of relay
points but they appear to be on the steep side for pricing. I may see if I
can smarthost through my cable modem providers smtp servers or just continue
to use them for outbound SMTP through outlook configuration as I am now.
 
Any suggestions?
 
BTW, the vendor hosting my joeware stuff is www.globat.com, as a rule, I
like them but they just can't seem to handle email very well. 
 
joe
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 05, 2004 8:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simple LDAP Query


Resend...
 
 
 
Couple of things...
 
1. Listen to Brian
 
2. The RUS is what builds those lists and isn't really doing LDAP queries to
build them. Turn up logging and turn on netmon and watch what happens as
they go through the objects, it is rather startling to watch. 
 
3. You can not set search bases because queries aren't being used. The
objects being compared are coming from the config container and all over the
default container. Again, watch the logging and netmon. Very simple to see
what is happening when watching it. You will note though that when you test
the "query" in the ESM, it will actually do an LDAP query against AD; again,
look at netmon.
 
4. You have to have some attribute (or group of attributes) that you can key
on that will uniquely "place" that object in an AL.
 
 
   joe
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, May 04, 2004 9:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simple LDAP Query


You can group contacts.
 
I spent tens of hours with PSS on this - no dice.
 
==Brian

-Original Message- 
From: Michael B. Smith [mailto:[EMAIL PROTECTED] 
Sent: Tue 5/4/2004 8:38 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] Simple LDAP Query



The problem is with contacts and public folders. I already do the crawl. But
contacts within the OU's are a particular pain.

 

Perhaps I'm wrong, but I figure that there HAS to be a way. :-P

 

(Hope springs eternal...)

 


  _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, May 04, 2004 8:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simple LDAP Query

 

You can't do that with exchg. Get a security group with everybody in the OU,
and search for (memberOf=DNToGroup). I know it's a pain - I do it. If the
OUs are constantly going to change, write an agent to crawl them every night
and update the groups. 

 

--Brian Desmond

-Original Message- 
From: Michael B. Smith [mailto:[EMAIL PROTECTED] 
Sent: Tue 5/4/2004 7:27 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] Simple LDAP Query

Unfortunately, I don't have the luxury of specifying my search base. I need
a query that I can, specifically, place into an "All Address Lists" object
in Exchange System Manager. So effectively I'm limited to a search base of
the domain.

 

But thanks for your response.

 


  _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Tuesday, May 04, 2004 6:00 PM
To: [EMAIL PROTECTED]
Subject: AW: [ActiveDir] Simple LDAP Query

 

Hi Michael,

 

just define it in the search base, e.g.

LDAP://ou=myou,dc=mydomain,dc=com. You define usually searchbase, filter,
attribues and scope - and searchbase does not need to be the domain, it can
be any LDAP Path.

 

HTH, Ulf

 


  _  


Von: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Im Auftrag von Michael B. Smith
Gesende

RE: [ActiveDir] DNS issues?

2004-05-13 Thread Rutherford, Robert



Sounds like you are allowing DNS above your encrypt rule on your firewall... check it. May also be worth setting up no NAT between your local LANs.

BR,

Rob

  
  -Original Message-
  From: Todd L. Graham [mailto:[EMAIL PROTECTED]
  Sent: 13 May 2004 13:30
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] DNS issues?

  I have a problem with my DNS over the WAN and VPN. Here is the issue. For some reason DNS will not resolve names over the WAN or VPN. I can only connect to resources by IP address. This problem started when I upgraded my network in January. We switched to a Cisco IP phone system along with all Cisco gear (VPN concentrator, PIX firewall, switches, routers... lots of money spent). We also upgraded our network at the same time from W2k to Server 2003. We have a point-to-point T between our sites and a T1 for internet access here. We have about 30 people who VPN into the network on the VPN concentrator. Our AD (I actually run all IT for 3 companies, same owners) is one root domain with 3 child domains, 1 for each company. All common resources and user accounts are in the root. Computer accounts and private resources are in each child domain. The child domains share nothing. Due to the phone system we have several VLANs: one each for voice, VPN, guest, and the computer network.

  When I am at the other location I can't browse the network, or attach to mapped drives from my logon script (they don't even appear). I can only attach to resources if I create a new mapped drive by IP address. When I do an ipconfig I get all the right DNS servers listed. I can only ping them by IP address. The same situation happens when I VPN from home. We had DNS only on the network. My Cisco vendor told me it's not their gear. I added WINS to see if this would help... it did not. Any suggestions on what I could have configured incorrectly? Could it be the Cisco routers?

  Thank you for the help!

  Todd Graham
  IT Manager
  Urell Inc.
  617-600-9355
  [EMAIL PROTECTED]


RE: [ActiveDir] Simple LDAP Query

2004-05-13 Thread joe
You know that matches almost exactly what I said when I saw the log entries
in the lab

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Thursday, May 06, 2004 12:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simple LDAP Query

An interesting way to do this. Thanks again Joe. 

Mike Newell
Information Systems Manager
OSI Systems
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 06, 2004 5:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simple LDAP Query

Nope. RUS is not using the query. It is interpreting it internally which is
why you can see queries that work perfectly in ESM when you have it test the
query but blow up in very odd ways when the RUS gets a hold of it. 

   joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Thursday, May 06, 2004 1:38 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simple LDAP Query

Hey,
Just curious but would indexing the custom attribute included in the AL
speed things up?
 
More asking than posting a solution.
 
Thanks,
Mike.



From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Wed 5/5/2004 1:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simple LDAP Query


It's probably that last option that will be your best option for a hosting
scenario.  It's why that kb is there in the first place and would likely
provide the best results in your situation.
 
Al



From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 05, 2004 11:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simple LDAP Query


I haven't tried it but one of the things I was looking at previously is
prepopulating the attribute that has the lists an object is part of. I think
that attribute is showInAddressBook? It should have the DN of the list that
the object is a member of. 
 
Here is one article on the AL stuff -
http://support.microsoft.com/default.aspx?scid=kb;EN-US;304516
 
Here is another talking about how RUS does the ALs -
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253828
 
You could look at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253770 and possibly
consider if you could get away from using the RUS by beefing up your
provisioning system.
 
   joe



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
Smith
Sent: Wednesday, May 05, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simple LDAP Query


We do Exchange hosting, and as a service it has taken off.
 
Each company has its own OU and then objects (users, groups, and
contacts) within that OU.
 
Each company has 3 address list objects (an "All Address Lists", a "Global
Address List", and an "Offline Address List"). Each address list is
dedicated to that company. Only mail-enabled objects for that company are
present in the address list (mail=*) and searching for
(extensionattribute10=some-unique-tag) limits the A/L to that company.
 
Each server hosts a relatively small number of companies and is the address
list server for the companies whose mailbox is on that server. Each server
is also a "scaled-out" server. It's not a hefty box.
 
Client churn is a big deal. On some servers the store maintenance doesn't
finish in the standard timeframe. Logging indicates that it is due to A/L
rebuilds.
 
So... I was looking to improve my A/L queries.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, May 05, 2004 10:06 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simple LDAP Query


Why do you need both attributes?  And if you're trying to build an AL, why
is the speed such a big concern?  How many objects are we talking about?
What's the big picture of the solution?



From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 05, 2004 9:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simple LDAP Query


I'm using an extensionattribute and the mail attribute right now, to do
precisely this. But it's dog slow and it complicates provisioning.
 
If it just can't be done, well it can't be done. I'll live with what
I've
got -- I just wanted to improve my current process.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, May 05, 2004 9:13 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simple LDAP Query


Trying to figure out exactly what you want to accomplish.  You cannot
use an
OU as the criteria for Address books as previously mentioned, you can
however use an attribute, a group (as mentioned), etc. to make this
work.
You could tag each object in the particular OU with criteria such as "my
criteria for OU1". That would allow you to have a particular

RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?

2004-05-13 Thread joe



Todd, are you absolutely positive it doesn't exist in AD, or maybe it simply isn't in the location you are expecting? The -1 issue is, as Al indicated, an ADC match issue. It sees something on the AD side and can't match it to the 5.5 side so it creates an object in 5.5. Then depending on how your ADC is configured it can pop something back on the AD side. Usually the ADC is configured to be able to create objects in certain OUs/containers that may be different from where you are used to looking.

I would also check multiple DCs in that child domain for the object. Most likely I would test every DC. Here is a little perl script that makes that fairly easy...
 
 
# Note: the placeholder token that the script substitutes into the command was
# lost when this message was archived (it left "s//$this/" and "adfind -h  -default"
# behind). <DC> is assumed here and in the usage lines below; any token works as
# long as the script and the command line agree.
$domain=shift;
$command=shift;

@output=`nltest /dclist:$domain 2>&1`;

# keep the "Site:" lines of the nltest output, reduce each to the DC name, uppercase it
@tmp=grep(/site/i,@output);
chomp @tmp;
map($_=~s/\s+([\w.]+).+/$1/,@tmp);
map($_=uc($_),@tmp);

print "\nALLDC V01.00.00pl Joe Richards ([EMAIL PROTECTED]) November 2001\n\n";
if (!$domain or !$command) {
  print "USAGE: ALLDC domain command\n\n";
  exit;
}
print "Domain: $domain\n";
print "Command: $command\n";
$cnttot=0;
foreach $this (sort @tmp) {
  $cnttot++;
  print "  $this...\n";
  $tmpcmd=$command;
  $tmpcmd=~s/<DC>/$this/ig;   # put this DC's name into the command and run it
  print "[$tmpcmd]\n";
  @output=`$tmpcmd 2>&1`;
  print "@output\n";
  print "x"x80,"\n\n";
}

print "\n";
print "Total Domain Controllers: $cnttot\n";

Note that this is a very quick and dirty script, just intended to give some quick functionality to do something against all DCs in a domain.

Anyway, I would do something like

alldc domain.com "adfind -h <DC> -default -f name=idname -dn"

If you need to put quotes in the command you want to run against every server then do it something like

alldc domain.com "adfind -h <DC> -default -f \"name=idname\" -dn"
 
 
  joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Wednesday, May 12, 2004 7:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?


I tried what is 
described in the KB 314282 article, but only tried it on port 389 like the 
instructions said.
 
The problem I have is 
that the object and GUID no longer exist at all in the original child 
domain.  So I am wondering since it is all the GC’s that have the lingering 
read-only object, should I run the clean-up process using LDP and the 
RemoveLingeringObjects option on the GC’s on port 3268?  I tried doing on 
port 389, and it didn’t work.
 
I will definitely post my results once I figure out how to do this.
 
Todd
 




From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 12, 2004 4:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
 
Todd-
 
Not sure if this will 
work for you or not: http://support.microsoft.com/default.aspx?scid=kb;en-us;314282

 

There was a similar 
thread back in January or so; this is the tail end http://www.mail-archive.com/[EMAIL PROTECTED]/msg13088.html and 
you can do alternate searches to get the full discussion. Good 
luck...

 

Hunter

 



From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 12, 2004 2:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
There appear to be two entries for the user in the AD Global Catalogues.  The one
account appears to have been ADC'ed & unADC'ed "Doe, John (XYZ)" at some point, the
other account appears to have been ADC'ed, but then deleted (never unADC'ed)
"Doe, John (XYZCORP)-1".  Both accounts appear in our Domain's GC, and all the
child domain GCs except the child domain where the account originated.  The
"Doe, John (XYZ)" exists in their GC, but not the "Doe, John (XYZCORP)-1".  Both
accounts were homed in the child domain; just one got deleted, the other didn't.
 
We are now trying to 
ADC a mailbox in the parent domain, to a different account all together. 
 The ADC process is failing because it seems to still think the mailbox we 
are ADCing is linked to  "Doe, John 
(XYZCORP)-1".
 
This account no longer exists in the child domain, and we don't know how to unADC
an account that doesn't exist.
 
Any help would be 
appreciated
 
Todd
 




From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 12, 2004 3:54 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Orphaned GC Entry... How do I clean it up?
 
Can you redescribe that 
for us?  It sounds like you have a GC that wasn't supposed to be there, but 
I'm not sure I follow completely.
 
 
 



From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 12, 2004 3:09 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Orphaned GC Entry... How do I clean it up?
Greetings all, we are seeing an entry appear in our GC's that is not in the
original location.  It appears that after it was deleted, it did not replicate
out the deleted item, and now it is causing ADC issues.
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;293474
 
The recommended MS way

RE: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authenti cation.

2004-05-13 Thread joe



Well if they are standard plain jane NT4 (i.e. no dsclient) 
then they will do everything through some form of pass through authentication 
like they do in NT4... I.E. The machine comes up, the workstation authenticates 
its machine account to a DC of the domain it is a member of by looking up the 1C 
record in WINS, finding it in lmhosts, finding it via broadcast (order could be 
different depending on node type). Once authenticated, all authentication 
attempts except for local id logon will be forced through that secure channel. 
If the user and machine are in the same domain, the authentication attempt will 
be handled by the DC that authenticated the machine, if they are different the 
DC will chase through its secure channel to a DC of the trusted domain that it 
had previously set up a secure channel for.
 
I am unsure how dsclient will impact the authentication 
process on an NT4 machine as I have not really dug into it. 
 
   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, May 12, 2004 11:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authenti cation.

Eric 
or Joe,
 
Who do 
NT4 clients select to log on in a mixed mode environment?
 
Rocky 
Habeeb

 

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
  Sent: Wednesday, May 12, 2004 10:52 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authenti cation.
  
  A few things Joe didn’t mention that I 
  bet are very related or that I’d slightly 
correct:
  0) Once a domain is upgraded from NT4 to 
  Windows 200X (0 or 3), even in 2k mixed mode, 2k+ clients will preferentially 
  select 2k+ DCs. I mention this as you used the term BDC to describe DCs in the 
  hub sites, and that tells me they are NT4. If they are NT4, the 2k+ clients 
  will prefer 2k+ DCs. For info on this, search KB for piling on scenarios or 
  some other such terms. It is referred to as PDCe piling on scenarios 
  typically.
  1) When a domain goes from 2k mixed to 
  either 2k native or 2k03 functional we have a GC dependency on logon. That is, 
  even if you have a remote 2k DC in the hub site that is not a GC, a GC 
  elsewhere will be consulted to crack group memberships. This is why you would 
  either want to a) make it a gc b) go to 2k03 and use universal group caching 
  c) set nogclogon. That’s my order of preference for those 
  choices.
  2) You explicitly used the term “secure 
  channel” which has nothing to do with Exchange’s DSAccess DC selection methodology. So that should be 
  unrelated, unless you used the term secure channel when you didn’t mean secure 
  channel. ;)
   
  This should all be documented in KB, 
  somewhere.
   
  ~Eric
   
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Wednesday, May 12, 2004 9:37 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authenti cation.
   
  I see it looks like 
  you have your answers but I wanted to put this in fairly short hopefully 
  simple terms.
   
  The client really 
  isn't too involved in selecting the DC it should use, it follows a basic 
  system.
   
  If the client knows 
  its site, it will simply query for the proper SRV records for that site. It 
  will UDP ping what is returned and if the response back is, hey you are from a 
  different site, it will readjust and ask for the SRV records for its correct 
  site. If it can't find any responding DCs in its site, it will ask for the 
  global domain records and take ANY DC in the domain. 
  
   
  All the hard work is 
  in the DCs figuring out which sites to register DNS records for, this is based 
  on site link metrics and other things that you associate with replication 
  topology. You have the deep tech answers there but the basics here are if a 
  site isn't covered for a specific domain, the closest DC for that domain based 
  on site link costs will publish records to get it covered. This can be 
  impacted I believe if you have site link bridging disabled though. Your 
  assumptions on what does the coverage when all things being equal is the 
  alphabetical sorting of things matches with experience I have had. 
  
   
   
  Keep in mind Exchange 
  does some interesting things too though. For secure channel it *should* do the 
  normal stuff like any W2K+ machine, but for DSACCESS all bets are off. IT does 
  its own figuring of things out based on reading the config container. This 
  should work out to be the same (or very close) to what you get with normal 
  means through DNS but you can't guarantee it. For instance if you have a 
  scavenging issue in AD, DCs that should no longer be in a DNS List for a 
  site could still be but t
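The locator steps joe describes above (site-specific SRV lookup, UDP ping, readjust when a DC reports a different site, fall back to the domain-wide records), as an added example that is not part of the thread. The domain, DC names, sites and SRV table are all constructed; the ping reply is modelled as "the site the DC computes for the client", or None when the DC does not answer.

```python
# Constructed SRV table keyed by the name a locator client queries.
# Each entry is (priority, weight, target), as in a real SRV record.
SRV = {
    "_ldap._tcp.Redmond._sites.dc._msdcs.example.com": [(0, 100, "dc1.example.com")],
    "_ldap._tcp.Seattle._sites.dc._msdcs.example.com": [(0, 100, "dc2.example.com"),
                                                        (0, 100, "dc3.example.com")],
    "_ldap._tcp.Tokyo._sites.dc._msdcs.example.com":   [(0, 100, "dc5.example.com")],
    "_ldap._tcp.dc._msdcs.example.com": [(0, 100, "dc1.example.com"), (0, 100, "dc2.example.com"),
                                         (0, 100, "dc3.example.com"), (10, 100, "dc4.example.com"),
                                         (0, 100, "dc5.example.com")],
}

# What each DC answers to the client's LDAP UDP ping: the site the DC computes
# for the client's subnet, or None when the DC does not respond at all.
PING_REPLY = {
    "dc1.example.com": "Seattle",   # up, but tells the client it really belongs to Seattle
    "dc2.example.com": None,        # down
    "dc3.example.com": "Seattle",
    "dc4.example.com": "Redmond",
    "dc5.example.com": None,        # the only DC covering Tokyo is down
}

def resolve(name):
    return SRV.get(name, [])

def ping(dc):
    return PING_REPLY.get(dc)

def ordered(records):
    """Lowest priority first, then highest weight.  A real client picks at random in
    proportion to weight within a priority; this keeps the example deterministic."""
    return [target for _, _, target in sorted(records, key=lambda r: (r[0], -r[1]))]

def try_site(domain, site, resolve, ping):
    """Ping the DCs advertised for one site.
    Returns (dc, None) on success, (None, other_site) when a DC told the client it
    belongs to a different site, and (None, None) when no DC in the site answered."""
    for dc in ordered(resolve(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")):
        reply = ping(dc)
        if reply is None:
            continue                 # no response: try the next DC in the site
        if reply == site:
            return dc, None
        return None, reply           # "hey, you are from a different site"
    return None, None

def locate_dc(domain, client_site, resolve=resolve, ping=ping, max_readjust=2):
    """Returns (dc, site).  site is None when the client had to fall back to the
    domain-wide records and took any DC in the domain."""
    site = client_site
    for _ in range(max_readjust + 1):
        dc, other = try_site(domain, site, resolve, ping)
        if dc is not None:
            return dc, site
        if other is None:
            break                    # nothing in this site answered
        site = other                 # readjust and ask for that site's records
    for dc in ordered(resolve(f"_ldap._tcp.dc._msdcs.{domain}")):
        if ping(dc) is not None:
            return dc, None
    return None, None

if __name__ == "__main__":
    for start in ("Redmond", "Tokyo", "Nowhere"):
        print(start, "->", locate_dc("example.com", start))
```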

[ActiveDir] dns server scavenging processes

2004-05-13 Thread Graham Turner
Dear all, am looking to understand a bit better the processes of windows dns
server scavenging processes;

1. am i right in my understanding that scavenging does need to be explicitly
on a zone if it is enabled at a server level;

read somewhere that behaviour varies according to AD-integrated zones /
primary zones

documentation throughout seems a little inconsistent on this one

if then it is enabled at a server level how do you get a zone managed by
that server to be 'un-enabled' for scavenging -

2. assuming the zone / server is enabled for scavenging have read that if it
is enabled subsequent to a record being added / refreshed then those records
will not in fact in fact be scavenged ??

have seen the /ageallrecords on dnscmd - as i read this ages all the records
in a zone - including manually entered records ??  which of course are not
able to refresh and therefore would ultimately be removed ?

this would work if of course all records in a zone were from dynamic update
capable clients but how do you handle safely the scenario where you have
some records that were dynamically added (and have since become stale) that
need to be removed without knocking out the manual records ??

TIA

GT

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
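A model of the aging rules behind the questions above, added here as an example and not part of Graham's message. It assumes the standard behaviour that a manually created record carries no timestamp and is never scavenged, that a dynamic record becomes eligible once its timestamp plus the no-refresh and refresh intervals has passed, and that /ageallrecords stamps every record, static ones included; the zone, names and intervals are constructed.

```python
from datetime import datetime, timedelta

STATIC = None   # a record created by hand has no timestamp

def scavengeable(timestamp, no_refresh, refresh, now):
    """Static records are never removed; dynamic ones are eligible once the
    full aging window since their last refresh has elapsed."""
    if timestamp is STATIC:
        return False
    return now >= timestamp + no_refresh + refresh

def scavenge_candidates(zone, no_refresh, refresh, now):
    """Names a scavenging pass at `now` would remove."""
    return sorted(name for name, ts in zone.items()
                  if scavengeable(ts, no_refresh, refresh, now))

def age_all_records(zone, now):
    """Model of dnscmd /ageallrecords: every record, static ones included, gets
    the current timestamp.  A static record cannot refresh itself, so after one
    aging window it is scavenged along with the stale dynamic ones."""
    return {name: now for name in zone}

def refresh(zone, names, now):
    """Dynamic-update clients re-register and receive a fresh timestamp."""
    updated = dict(zone)
    for name in names:
        updated[name] = now
    return updated

# Constructed sample zone: one manual record, one live client, one stale client.
T0 = datetime(2004, 5, 13)
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)
ZONE = {
    "printer1": STATIC,
    "pc-live": T0 - timedelta(days=2),
    "pc-stale": T0 - timedelta(days=30),
}

def compare_approaches():
    """Plain scavenging removes only the stale dynamic record.  Ageing every
    record first, then scavenging after the window has passed (only the live
    client having refreshed), removes the manual record too."""
    plain = scavenge_candidates(ZONE, NO_REFRESH, REFRESH, T0)
    later = T0 + NO_REFRESH + REFRESH
    aged = age_all_records(ZONE, T0)
    aged = refresh(aged, ["pc-live"], later - timedelta(days=1))
    after_aging = scavenge_candidates(aged, NO_REFRESH, REFRESH, later)
    return plain, after_aging

if __name__ == "__main__":
    print(compare_approaches())
```

The model answers the last question: stale dynamic records already carry old timestamps, so scavenging alone removes them and leaves the timestamp-less manual records untouched.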


RE: [ActiveDir] A root dc question

2004-05-13 Thread joe
It is a migration similar to any migration. Serious project depending on
size and requiring considerable communication. If you have corporate email
through say Exchange in the forest that adds even more complexity.

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 8:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

is there any painless way to break away from a forest and create your own
with little end user discomfort and downtime while still maintaining your
own domain structure intact?

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Wow this is like déjà vu, I swear we went through this whole thought process
a month or two ago on here

The quick summary (no I will not spout the whole thing, it should be in the
archives) of what I recall

1. An admin in any domain has the power of being an Enterprise Admin,
domains ARE NOT security boundaries. Each child domain should not have
different admins because that can result in chaos and possible danger to the
entire forest.

2. You can not do DR testing with just a child domain. 

3. Either your corp IT has to be involved with your DR testing or you should
redesign into multiple forests. 



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 12, 2004 4:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc question

My apologies if this seems basic and/or silly.


Aside from creating new domains or modifying the schema, why would an admin
need access to the root dc of a forest(the schema, domain naming master)?
furthermore, why would an admin in a child domain need enterprise admin
privileges?

I only ask because we had issues with our test DR run wherein we didn't have
access to the root domain and/or a test root domain vmware'd on a laptop and
it ended miserably.
i am in the process of convincing the higher ups in my corp of letting our
IT dept have enterprise admin access. 
i'd like to make a case for us as to why we would need this account with
concrete examples(aside from the DR one). ones that a semi tech aware CIO
could relate to. 
What other compelling reasons would one need these rights for in day to
day(or not so day to day) AD administration? 

we are a multi-domain(14) win2k forest in mixed mode with exchange2k in
native mode.

Thank you in advance for any assistance.


RE: [ActiveDir] Managing accounts for 'outsiders'

2004-05-13 Thread joe
I LOVE the door analogy. If you don't mind I might use that some time.
That is a great visual with serious impact.

I think some folks painting the doors are color blind too... They see grey
wall and grey door and everyone else is like why is there a purple door in
the middle of that green wall? [1]   Just to say that some people are
extremely blind to security and its implication. There are a lot of people
who feel that if it is secure enough to keep them out, no one else could
possibly get in. 

Other than that, yes, security is ongoing, everyone should always be looking
and when you find something you need to fix it or report it and not think,
this isn't my job. I understand the desire for the latter. If you open your
mouth to point out things that are wrong, you could be setting yourself up
to be a target or you could give yourself extra responsibility. In the end
though, you know you have done the job the correct way and if anything
happens, you can sit and know you did your best. Anyway, if everyone was
that way instead of trying to hide in the corners, IT Management couldn't
screw everyone, they would have no one left to play with.

  joe


[1] I could be incorrect on what colors are seen as what in that situation,
please work with me here... :oP




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, May 12, 2004 2:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Managing accounts for 'outsiders'

Given all of that, we're back to the two major tenets of security: 1)
security is everyone's business and 2) only secure the things you really
want to keep safe[1]

Outside of that, an argument can be made that a perimeter defense is
yesterday's approach to security.  A la keep out the bad guys and you won't
have to worry about keeping tight security.  As you can see from the many
posts generated, security is not a product or a one-time pass at something.
It's not the same as locking the door, painting it the same color as the
wall and hoping that nobody realizes what's in there.  Truth is, somebody
will wonder why a doorknob is stuck in the middle of the wall and will open
it and see your valuables.

Comes back to giving access to resources secured by Active Directory.  Do
you grant access to external employees using Active Directory or not?  I
don't think that anyone that has an ID in my environment should be secured
with a different environment.  I should be able to get them to sign the same
agreement or better as my FTE's and simplify my administration.  I would of
course want them more limited than some employees that are FTE's, but not by
much.  I would really want my FTE's to be just as limited as my
contractor's.  Kind of a different way to look at it.




[1] in other words, know your assets and their worth, and protect them
accordingly 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 12, 2004 10:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Managing accounts for 'outsiders'

We classify 2 types of non-FTE's: Contractors and Consultants

Contractors are, as you point out, in place of FTE's. They get our hardware,
and more or less normal user access, just like FTE's.

Consultants are required to supply their own hardware, and are physically
segmented off our network, onto an Internet-only VLAN.

In no case do we ever publish internal resources outside, without using some
form of VPN access

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: joe [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 12, 2004 10:12 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Managing accounts for 'outsiders'
> 
> I read this post and then I read the responses and think people are 
> seeing this different ways. So I will do my best to tie what I think 
> you may be asking together and opine a bit (as usual).
> 
> There is the case of normal contractors that come in and do work, they 
> could be called agency employees for instance. Like myself, say I do 
> long term consulting for company X, I come in daily just like any full 
> time employee only I am expected to actually get work done. In this 
> case I would say the outside person should be treated like a normal 
> employee, you have of course locked down your HR and other systems 
> that should only be accessed by true-blue employees so giving them NOS 
> access is not only fine, but required for them to work and interact 
> with your real employees in any meaningful sense.
> 
> As for the case of outside vendors who come in to support very special 
> or specific things. Depending on the scope and the interaction they 
> have to have with other internal employees I would give or not give 
> them access with leaning towards not. The larger your company the more 
> likely someone has added something to the 

RE: [ActiveDir] A root dc question

2004-05-13 Thread Kern, Tom
is there any painless way to break away from a forest and create your own with little 
end user discomfort and downtime while still maintaining your own domain structure 
intact?

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Wow this is like déjà vu, I swear we went through this whole thought process
a month or two ago on here

The quick summary (no I will not spout the whole thing, it should be in the
archives) of what I recall

1. An admin in any domain has the power of being an Enterprise Admin,
domains ARE NOT security boundaries. Each child domain should not have
different admins because that can result in chaos and possible danger to the
entire forest.

2. You can not do DR testing with just a child domain. 

3. Either your corp IT has to be involved with your DR testing or you should
redesign into multiple forests. 



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 12, 2004 4:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc question

My apologies if this seems basic and/or silly.


Aside from creating new domains or modifying the schema, why would an admin
need access to the root dc of a forest(the schema, domain naming master)?
furthermore, why would an admin in a child domain need enterprise admin
privileges?

I only ask because we had issues with our test DR run wherein we didn't have
access to the root domain and/or a test root domain vmware'd on a laptop and
it ended miserably.
i am in the process of convincing the higher ups in my corp of letting our
IT dept have enterprise admin access. 
i'd like to make a case for us as to why we would need this account with
concrete examples(aside from the DR one). ones that a semi tech aware CIO
could relate to. 
What other compelling reasons would one need these rights for in day to
day(or not so day to day) AD administration? 

we are a multi-domain(14) win2k forest in mixed mode with exchange2k in
native mode.

Thank you in advance for any assistance.


RE: [ActiveDir] DNS issues?

2004-05-13 Thread joe



Do a network trace and actually look to see if your machine 
is doing the right thing and if requests being sent out are being responded to. 

 
   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd L. Graham
Sent: Thursday, May 13, 2004 8:30 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS issues? 



I 
have a problem with my DNS over the WAN and VPN.  Here is the issue.  
For some reason DNS will not resolve names over the WAN, or VPN.  I can 
only connect to resources by IP address.  This problem started when I 
upgraded my network in January.  We switched to a Cisco IP phone system 
along with all Cisco gear (VPN concentrator, PIX firewall, switches, 
routers…lots of money spent).  We also upgraded our network at the same 
time from W2k to Server 2003.  We have a Point to Point T between our 
sites and a T1 for internet access here.  We have about 30 people who VPN 
into the network on the VPN concentrator.  Our AD (I actually run all IT 
for 3 companies, same owners) is one Root domain with 3 child domains 1 for each 
company.  All common resources and user accounts are in the root. Computer 
accounts and private resources are in each child domain.  The child domains 
share nothing. Due to the phone system we have several V-LAN’s one for voice, 
VPN, Guest, and computer network.
 
When 
I am at the other location I can’t browse the network, or attach to mapped 
drives from my logon script (they don’t even appear).  I can only attach to 
resources if I create a new mapped drive by IP address.  When I do an IP 
config I get all the right DNS servers listed.  I can only ping them by IP 
address.  The same situation happens when I VPN from home.  We had DNS 
only on the network.  My Cisco vendor told me it’s not their gear.  I 
added WINS to see if this would help…it did not. Any suggestions on what I could 
have configured incorrectly?  Could it be the Cisco routers?  
  
 
Thank 
you for the help! 
 
 
 Todd 
Graham
IT Manager 
Urell Inc.
617-600-9355
[EMAIL PROTECTED]
 


RE: [ActiveDir] DNS issues?

2004-05-13 Thread Michael B. Smith



We do our dhcp in our PIXen, a sample config for a small 
remote location is below.
 
The one thing I would want you to test is to see whether 
you have the DNS UDP and TCP ports open across the VPN. It sounds as if you do 
not.
 
dhcpd address 192.168.100.100-192.168.100.149 inside
dhcpd dns 192.168.100.161
dhcpd wins 192.168.100.159
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain brnets.local
dhcpd option 150 ip 192.168.100.7
dhcpd enable inside


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd L. Graham
Sent: Thursday, May 13, 2004 8:30 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS issues? 



I 
have a problem with my DNS over the WAN and VPN.  Here is the issue.  
For some reason DNS will not resolve names over the WAN, or VPN.  I can 
only connect to resources by IP address.  This problem started when I 
upgraded my network in January.  We switched to a Cisco IP phone system 
along with all Cisco gear (VPN concentrator, PIX firewall, switches, 
routers…lots of money spent).  We also upgraded our network at the same 
time from W2k to Server 2003.  We have a Point to Point T between our 
sites and a T1 for internet access here.  We have about 30 people who VPN 
into the network on the VPN concentrator.  Our AD (I actually run all IT 
for 3 companies, same owners) is one Root domain with 3 child domains 1 for each 
company.  All common resources and user accounts are in the root. Computer 
accounts and private resources are in each child domain.  The child domains 
share nothing. Due to the phone system we have several V-LAN’s one for voice, 
VPN, Guest, and computer network.
 
When 
I am at the other location I can’t browse the network, or attach to mapped 
drives from my logon script (they don’t even appear).  I can only attach to 
resources if I create a new mapped drive by IP address.  When I do an IP 
config I get all the right DNS servers listed.  I can only ping them by IP 
address.  The same situation happens when I VPN from home.  We had DNS 
only on the network.  My Cisco vendor told me it’s not their gear.  I 
added WINS to see if this would help…it did not. Any suggestions on what I could 
have configured incorrectly?  Could it be the Cisco routers?  
  
 
Thank 
you for the help! 
 
 
 Todd 
Graham
IT Manager 
Urell Inc.
617-600-9355
[EMAIL PROTECTED]
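The test Michael suggests, checking whether DNS works over both UDP and TCP across the VPN, as an added example that is not from the post: it hand-builds one RFC 1035 A query, sends it over each transport (TCP framed with the 2-octet length prefix) and reports which one got an answer. The server address and name are command-line arguments; the sample name in the test is constructed.

```python
import socket
import struct

def encode_name(name):
    """dc1.brnets.local -> \\x03dc1\\x06brnets\\x05local\\x00 (RFC 1035 labels)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid, qtype=1):
    """One standard query with RD set; qtype 1 = A record, class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_response(data, txid):
    """Return rcode, answer count and the TC (truncated) flag of a reply."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    return {"rcode": flags & 0x000F, "answers": an, "truncated": bool(flags & 0x0200)}

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def query_udp(server, name, txid, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data, txid)

def query_tcp(server, name, txid, timeout=3.0):
    q = build_query(name, txid)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)   # TCP prefixes each message with its length
        (n,) = struct.unpack("!H", recv_exact(s, 2))
        data = recv_exact(s, n)
    return parse_response(data, txid)

def probe(server, name):
    """Try the same lookup over both transports.  A firewall or VPN policy that
    passes one and drops the other shows up as one entry answering and the
    other timing out."""
    results = {}
    for transport, fn, txid in (("udp", query_udp, 0x1234), ("tcp", query_tcp, 0x5678)):
        try:
            results[transport] = fn(server, name, txid)
        except (OSError, ValueError) as exc:
            results[transport] = "FAIL: %s" % exc
    return results

if __name__ == "__main__":
    import sys
    # usage: python dnsprobe.py <dns-server-ip> <name-to-resolve>
    print(probe(sys.argv[1], sys.argv[2]))
```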
 


RE: [ActiveDir] A root dc question

2004-05-13 Thread joe
Wow this is like déjà vu, I swear we went through this whole thought process
a month or two ago on here

The quick summary (no I will not spout the whole thing, it should be in the
archives) of what I recall

1. An admin in any domain has the power of being an Enterprise Admin,
domains ARE NOT security boundaries. Each child domain should not have
different admins because that can result in chaos and possible danger to the
entire forest.

2. You can not do DR testing with just a child domain. 

3. Either your corp IT has to be involved with your DR testing or you should
redesign into multiple forests. 



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 12, 2004 4:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc question

My apologies if this seems basic and/or silly.


Aside from creating new domains or modifying the schema, why would an admin
need access to the root dc of a forest(the schema, domain naming master)?
furthermore, why would an admin in a child domain need enterprise admin
privileges?

I only ask because we had issues with our test DR run wherein we didn't have
access to the root domain and/or a test root domain vmware'd on a laptop and
it ended miserably.
i am in the process of convincing the higher ups in my corp of letting our
IT dept have enterprise admin access. 
i'd like to make a case for us as to why we would need this account with
concrete examples(aside from the DR one). ones that a semi tech aware CIO
could relate to. 
What other compelling reasons would one need these rights for in day to
day(or not so day to day) AD administration? 

we are a multi-domain(14) win2k forest in mixed mode with exchange2k in
native mode.

Thank you in advance for any assistance.


[ActiveDir] DNS issues?

2004-05-13 Thread Todd L. Graham

I have a problem with my DNS over the WAN and VPN.  Here is the
issue.  For some reason DNS will not resolve names over the WAN, or
VPN.  I can only connect to resources by IP address.  This problem
started when I upgraded my network in January.  We switched to a Cisco IP
phone system along with all Cisco gear (VPN concentrator, PIX firewall,
switches, routers…lots of money spent).  We also upgraded our
network at the same time from W2k to Server 2003.  We have a Point to
Point T between our sites and a T1 for internet access here.  We have
about 30 people who VPN into the network on the VPN concentrator.  Our AD
(I actually run all IT for 3 companies, same owners) is one Root domain with 3
child domains 1 for each company.  All common resources and user accounts
are in the root. Computer accounts and private resources are in each child
domain.  The child domains share nothing. Due to the phone system we have
several V-LAN’s one for voice, VPN, Guest, and computer network.

 

When I am at the other location I can’t browse the network, or
attach to mapped drives from my logon script (they don’t even
appear).  I can only attach to resources if I create a new mapped drive by
IP address.  When I do an IP config I get all the right DNS servers
listed.  I can only ping them by IP address.  The same situation
happens when I VPN from home.  We had DNS only on the network.  My
Cisco vendor told me it’s not their gear.  I added WINS to see if
this would help…it did not. Any suggestions on what I could have
configured incorrectly?  Could it be the Cisco routers? 
  

 

Thank you for the help! 

 

 

 Todd Graham

IT Manager 

Urell Inc.

617-600-9355

[EMAIL PROTECTED]

 

RE: [ActiveDir] View permissions of specific attributes

2004-05-13 Thread David Adner
Unless I'm missing it, I don't see where it shows specific attributes for
the object...? 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Carlos Magalhaes
> Sent: Thursday, May 13, 2004 02:36
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] View permissions of specific attributes
> 
> Have you also thought of running dsacls.exe (the latest 
> version is the version that comes with ADAM) You can specify 
> a path i.e. 
> dsacls.exe /domain: , you can also specify a 
> specific Active Directory path that  can be denoted by 
> prepending \\server[:port]\ to the object, as in
> 
>   \\ADSERVER\CN=John 
> Doe,OU=Software,OU=Engineering,DC=Widget,DC=US
> 
> Carlos Magalhaes - AD programming ? -
> http://groups.yahoo.com/group/adsianddirectoryservices 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gil 
> Kirkpatrick
> Sent: Thursday, May 13, 2004 6:29 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] View permissions of specific attributes
> 
> Use adsiedit, right click on an object, select Properties, 
> then select the Security tab. You'll see the security 
> descriptor information there.
> 
> -gil
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
> Sent: Wednesday, May 12, 2004 7:09 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] View permissions of specific attributes
> 
> I must just be missing something, but I can't seem to find 
> out how to view the permissions a user has to a specific 
> object's attributes.  I've been looking in adsiedit, ldp, 
> dsacls... Am I close?  :)
> 
> I'm trying to verify a user has the necessary permissions to 
> modify certain object attributes.  Any help is appreciated.  Thx
> 



RE: [ActiveDir] Authentication port

2004-05-13 Thread Michael B. Smith
From the IAS Help file:

RADIUS protocol

Remote Authentication Dial-In User Service (RADIUS) is an industry standard protocol 
described in RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 
2866, "RADIUS Accounting." RADIUS is used to provide authentication, authorization, 
and accounting services. A RADIUS client (typically a dial-up server, VPN server, or 
wireless access point) sends user credentials and connection parameter information in 
the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates and 
authorizes the RADIUS client request, and sends back a RADIUS message response. RADIUS 
clients also send RADIUS accounting messages to RADIUS servers. Additionally, the 
RADIUS standards support the use of RADIUS proxies. A RADIUS proxy is a computer that 
forwards RADIUS messages between RADIUS-enabled computers.

RADIUS messages are sent as User Datagram Protocol (UDP) messages. UDP port 1812 is 
used for RADIUS authentication messages and UDP port 1813 is used for RADIUS 
accounting messages. Some network access servers might use UDP port 1645 for RADIUS 
authentication messages and UDP port 1646 for RADIUS accounting messages. By default, 
IAS supports receiving RADIUS messages destined to both sets of UDP ports. For 
information about changing the UDP ports that are used by IAS, see To configure IAS 
port information. Only one RADIUS message is included in the UDP payload of a RADIUS 
packet. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roseta Radfar
Sent: Thursday, May 13, 2004 5:08 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Authentication port

hi,
 
I have a question, maybe it is off the topic but I will appreciate any kind of help, 
even a reference.
 
I want to know which port IAS uses for authentication. I want to write a program that 
does some work before authentication and sees if the user has permission based on 
our database; then, if he has, it sends it to Windows for authentication. So I think I 
have to get the authentication request and then, if I permit it, it goes for authentication 
in Windows.
It can be the opposite: if a user has been authenticated, I get the username and if I do not 
want him to be connected I will disconnect him.
I want to know the port where I can get the request of authentication. That is somewhere 
to start with.
 
Any kind of reference is also appreciated.
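The message layout the IAS help text describes (one RADIUS message per UDP datagram on 1812/1813, a client Access-Request answered by a server Access-Accept or Access-Reject), carried through as an added example in Python. This is not IAS code and not part of the thread; it implements the wire format and the two authenticator computations from RFC 2865 (section 3 for the Response Authenticator, section 5.2 for User-Password hiding) with the standard library only. The shared secret, usernames and passwords are constructed for the demonstration, and the `handle_access_request` gate stands in for the "check our database first" step the question asks about.

```python
"""RFC 2865 RADIUS Access-Request/Accept encode, decode and authenticator checks.
Added illustration, not IAS code; secret and users below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # codes, RFC 2865 s.3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                       # attribute types, s.5
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813                 # legacy: 1645/1646
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator = 20 bytes


def hide_password(password, secret, request_auth):
    """RFC 2865 s.5.2: NUL-pad to a multiple of 16 (min 16), XOR each block with
    MD5(secret + previous ciphertext block); the Request Authenticator seeds block 1."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; needs the shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type(1) Length(1, header included) Value; Value at most 253 octets."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Walk the attribute list, rejecting lengths that run past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        n = data[i + 1] if i + 1 < len(data) else 0
        if n < 2 or i + n > len(data):
            raise ValueError("bad attribute length")
        attrs.append((data[i], data[i + 2:i + n]))
        i += n
    return attrs


def parse_packet(datagram):
    """Exactly one RADIUS message per UDP payload; octets past Length are padding."""
    if len(datagram) < HEADER.size:
        raise ValueError("short packet")
    code, ident, length, auth = HEADER.unpack_from(datagram)
    if not HEADER.size <= length <= min(4096, len(datagram)):
        raise ValueError("bad length field")
    return code, ident, auth, decode_attrs(datagram[HEADER.size:length])


def build_access_request(ident, username, password, secret, request_auth=None):
    """Client side: Access-Request with a fresh random Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username.encode()),
                          (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))])
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(attrs), request_auth) + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, request_auth, _ = parse_packet(request)
    head = struct.pack("!BBH", code, ident, HEADER.size + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client side: reply is valid only if Identifier matches and ResponseAuth checks out."""
    _, req_id, req_auth, _ = parse_packet(request)
    _, ident, resp_auth, _ = parse_packet(response)
    length = struct.unpack_from("!H", response, 2)[0]
    expected = hashlib.md5(response[:4] + req_auth + response[HEADER.size:length] + secret).digest()
    return ident == req_id and hmac.compare_digest(expected, resp_auth)


def handle_access_request(datagram, secret, user_db):
    """Server-side gate of the kind the question asks about: consult a local user
    store (constructed dict username -> password) and answer Accept or Reject."""
    code, _, auth, attrs = parse_packet(datagram)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    values = dict(attrs)
    user = values.get(ATTR_USER_NAME, b"").decode(errors="replace")
    supplied = reveal_password(values.get(ATTR_USER_PASSWORD, b""), secret, auth)
    ok = user in user_db and hmac.compare_digest(supplied, user_db[user])
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, datagram, secret)
```

Two points worth noticing when running it: a reply built with the wrong shared secret fails `verify_response`, which is the only thing protecting a NAS from a forged Access-Accept, and the password hiding is reversible by anyone holding the secret, which is why the help text's RADIUS proxies must themselves be trusted with it.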
