RE: [ActiveDir] Users and Computers

2004-09-08 Thread Ulf B. Simon-Weidner

Hello Andrew,

No, that can't be extracted from AD.

The most popular solution for that request is to log that 
to a central file or database within the logon-script.

Gruesse - Sincerely,

Ulf B. Simon-Weidner


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Caple, Andrew
  Sent: Wednesday, September 08, 2004 7:07 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Users and Computers
  
  Good afternoon everyone,
  
  Is it possible to extract: which user logged onto what computer through 
  Active Directory? As both get authenticated at some point I assume that the 
  records must be stored somewhere?
  
  Thanks, Andrew


Re: [ActiveDir] RPC Netlogon to AD

2004-09-08 Thread Lara Adianto
> It uses either Kerberos or NTLM based on the best protocol that can be negotiated (using the Negotiate protocol). I don't believe you can disable the netlogon. Also, your question doesn't make sense to me as the server IS using Kerberos (or NTLM) to authenticate the user to AD.

Oh, I don't know that Netlogon uses either Kerberos or NTLM; Ethereal can't parse it, maybe because it's being sent encrypted. So, how does it work? It tries Kerberos first and only if it doesn't work then it will try NTLM?

> If you want to ensure you are using Kerberos, you can set the OWA server to only allow Kerberos authentication. This can be set using a group policy.

Which policy? Group Policy -- Computer Configuration -- Windows Settings -- Security Settings -- Local Policies -- Security Options -- ?

Thanks
lara
Lara Adianto [EMAIL PROTECTED] wrote:

Hi list,
In the process of authenticating a user login to OWA, I noticed that the front end server uses DCE RPC RPC_Netlogon to authenticate the user to AD. However, as the stub data is encrypted, I couldn't really figure out how the authentication is actually done. Is it NTLM? Kerberos? Or something else?
Is there any way to disable RPC_Netlogon authentication and configure Front End to use Kerberos to authenticate the user to AD?
thanks
lara
Life, you see, is never as good nor as bad as one believes - Guy de Maupassant -



[ActiveDir] ADC Issues

2004-09-08 Thread Roy . Wilson

We are seeing quite a few MSADC 8139 errors that talk about ensuring the
servers are in sync. We have confirmed our Win2k DC's and Ex5.5 servers are
in sync to within sub 1 second.

Any ideas why we still get this alert?

Roy







[ActiveDir] ADC Issue

2004-09-08 Thread Roy . Wilson

We are seeing quite a few MSADC 8139 errors that talk about ensuring the
servers are in sync. We have confirmed our Win2k DC's and Ex5.5 servers are
in sync to within sub 1 second.

Any ideas why we still get this alert?

Roy



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] RPC Netlogon to AD

2004-09-08 Thread Depp, Dennis M.
Kerberos is the protocol of choice in Windows 2000/2003 domains.
Kerberos will be initially used on any authentication requests between a
Windows 2000 or higher client and a Windows 2000/2003 resource.  If the
resource is an NT 4.0 server or if Kerberos fails, the authentication
will resort to NTLM.  Are you running IPSEC between the frontend server
and the backend server?  I don't think there is another way to encrypt
this traffic.

I searched and could not find a setting to disable NTLM authentication.
However, I think this should work.  On the OWA server, set a policy to
only send NTLM.  On the backend server and the domain controllers set a
policy to only accept NTLMv2 and reject LM and NTLM.  This should stop
any NTLM authentication between the OWA server and the Backend Exchange
server.

Dennis 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Lara Adianto
 Sent: Wednesday, September 08, 2004 7:11 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] RPC Netlogon to AD
 
 > It uses either Kerberos or NTLM based on the best protocol 
 > that can be negotiated (using the Negotiate protocol).  
 > I don't believe you can disable the netlogon.  Also, your 
 > question doesn't make sense to me as the server IS using 
 > Kerberos (or NTLM) to authenticate the user to AD.
 
 Oh, I don't know that Netlogon uses either Kerberos or NTLM; 
 Ethereal can't parse it, maybe because it's being sent encrypted. 
 So, how does it work? It tries Kerberos first and only if 
 it doesn't work then it will try NTLM?
  
 > If you want to ensure you are using Kerberos, you can set 
 > the OWA server to only allow Kerberos authentication.  This 
 > can be set using a group policy.
 
 Which policy? Group Policy -- Computer Configuration -- 
 Windows Settings -- Security Settings -- Local Policies -- 
 Security Options -- ?
  
 Thanks 
 lara
 Lara Adianto [EMAIL PROTECTED] wrote:
 
   Hi list,
 
   In the process of authenticating a user login to OWA, I 
 noticed that the front end server uses DCE RPC RPC_Netlogon to 
 authenticate the user to AD. However, as the stub data is 
 encrypted, I couldn't really figure out how the 
 authentication is actually done. Is it NTLM? Kerberos? Or 
 something else?
 
   Is there any way to disable RPC_Netlogon authentication 
 and configure Front End to use kerberos to authenticate the 
 user to AD ?
 
   thanks
   lara
 
 
 
   
 


RE: [ActiveDir] Users and Computers

2004-09-08 Thread Depp, Dennis M.
While I can't get this information from Active Directory, it is possible
to get this information from the domain controllers.  You can look
through your security logs on the domain controllers for event 540.
This event will give you the user who logged on and also the IP address
of the machine they logged in from.  If you are using DHCP, you will
have to look at your DHCP server logs to determine which hardware
address was assigned to that IP address.  (Luckily we reserve most of
our DHCP addresses.)

Dennis 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ulf 
 B. Simon-Weidner
 Sent: Wednesday, September 08, 2004 2:04 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Users and Computers
 
 Hello Andrew,
  
 No, that can't be extracted from AD.
  
 The most popular solution for that request is to log that to 
 a central file or database within the logon-script.
  
 Gruesse - Sincerely,
  
 Ulf B. Simon-Weidner
  
 
 
 
 
   From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Caple, Andrew
   Sent: Wednesday, September 08, 2004 7:07 AM
   To: [EMAIL PROTECTED]
   Subject: [ActiveDir] Users and Computers
   
   
   Good afternoon everyone,

   Is it possible to extract: which user logged onto what 
 computer through Active Directory? As both get authenticated 
 at some point I assume that the records must be stored somewhere?

   Thanks, Andrew
 
 


RE: [ActiveDir] Users and Computers

2004-09-08 Thread Michael B. Smith

Are you referring to "in the past"? Only by looking at 
security audit records or writing an app that stores the information, as other 
people have already said.

But if you are referring to "currently logged on", you can 
get that:

http://www.microsoft.com/technet/community/scriptcenter/user/scrug59.mspx


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Caple, Andrew
Sent: Wednesday, September 08, 2004 1:07 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Users and Computers

Good afternoon everyone,

Is it possible to extract: which user logged onto what computer through 
Active Directory? As both get authenticated at some point I assume that the 
records must be stored somewhere?

Thanks, Andrew


RE: [ActiveDir] ADC Issue

2004-09-08 Thread Mulnick, Al
IIRC, the 8139 error actually talks about modifications that were made on
the source and target out of order.  The source target was updated after the
source before sync in other words.  This can be caused by time sync issues
as you can imagine, but in your case if the time sync is properly working,
then there is another reason right?  Something like the target is being
modified after the source before the sync gets to it maybe? Like maybe you
have an administrative process going on that maybe shouldn't be happening at
the same time to the same users?

Can you confirm that's the case?  Keep replication times from other DC's in
mind when looking at this as well.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, September 08, 2004 7:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADC Issue


We are seeing quite a few MSADC 8139 errors that talk about ensuring the
servers are in sync. We have confirmed our Win2k DC's and Ex5.5 servers are
in sync to within sub 1 second.

Any ideas why we still get this alert?

Roy





RE: [ActiveDir] ADC Issue

2004-09-08 Thread Roy . Wilson

Time sync is working fine on all DCs.
We checked that no other admin tasks were taking place. For a period of
30 minutes we had over 700 event ID 8139 entries; this has now dropped to just
5 in the past 2 hours.  We stopped the ADC replication, restarted the ADC
service, re-enabled the replication schedule and all appears to be well
(famous last words :-))

Thanks for the response.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 08 September 2004 14:09
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADC Issue


IIRC, the 8139 error actually talks about modifications that were made on
the source and target out of order.  The source target was updated after the
source before sync in other words.  This can be caused by time sync issues
as you can imagine, but in your case if the time sync is properly working,
then there is another reason right?  Something like the target is being
modified after the source before the sync gets to it maybe? Like maybe you
have an administrative process going on that maybe shouldn't be happening at
the same time to the same users?

Can you confirm that's the case?  Keep replication times from other DC's in
mind when looking at this as well.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, September 08, 2004 7:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADC Issue

We are seeing quite a few MSADC 8139 errors that talk about ensuring the
servers are in sync. We have confirmed our Win2k DC's and Ex5.5 servers are
in sync to within sub 1 second.

Any ideas why we still get this alert?

Roy





RE: [ActiveDir] Users and Computers

2004-09-08 Thread Perdue David J Contr InDyne/Enterprise IT

The below link on JSI shows a way to pull it from the 
DCs.

http://www.jsiinc.com/SUBQ/tip8400/rh8433.htm

Dave



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Caple, Andrew
Sent: Tuesday, September 07, 2004 10:07 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Users and Computers

Good afternoon everyone,

Is it possible to extract: which user logged onto what computer through 
Active Directory? As both get authenticated at some point I assume that the 
records must be stored somewhere?

Thanks, Andrew


[ActiveDir] Fun with Kerberos

2004-09-08 Thread Guy Teverovsky
Stumbled upon an issue a couple of days ago and wanted to hear what you guys think about it.
 
Suppose that your AD is called myad.com and you also configure an additional UPN suffix, company.com.
Now I create 2 users in the child.myad.com child domain:
  
1) sAMAccountName: guy
userPrincipalName: [EMAIL PROTECTED]
 
2) sAMAccountName: guy$adm
userPrincipalName: [EMAIL PROTECTED]
 
(Notice that in ADUC the userPrincipalName is constructed from 2 fields: W2K username and suffix)
 
From the AD point of view this is all nice and legit and the UI will be happy to create both.
But if you look at the users' explicit Kerberos principals, both look the same:
[EMAIL PROTECTED] (checked with klist tgt).
In our environment, if you are logged on with account #1, two things happened:
1. Once in a while LAN users had XP pop up a balloon in the systray with "XP needs your user credentials"
2. The corresponding account #2 was getting locked out.
 
Renaming the UPNs of the supplemental accounts fixed the issue (the name clash was not intentional from the beginning, as you might guess). Still I am wondering why AD allowed creation of an account with a Kerberos principal that already existed in AD. If AD checks for sAMAccountName collisions, is there any special reason not to check Kerberos principals?
How can I prevent this from happening? (The implications would mean that anyone with permissions to create user accounts can do some very nasty things.)
 
Guy


RE: [ActiveDir] Users and Computers

2004-09-08 Thread Caple, Andrew

Thanks everyone for your help --- it will make my life a lot easier!

Andrew

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
  Sent: Thursday, September 09, 2004 2:00 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Users and Computers

  The below link on JSI shows a way to pull it from the 
  DCs.
  
  http://www.jsiinc.com/SUBQ/tip8400/rh8433.htm
  
  Dave
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Caple, Andrew
  Sent: Tuesday, September 07, 2004 10:07 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Users and Computers
  
  Good afternoon everyone,
  
  Is it possible to extract: which user logged onto what computer through 
  Active Directory? As both get authenticated at some point I assume that the 
  records must be stored somewhere?
  
  Thanks, Andrew