[ActiveDir] Logging on to a Domain Controller

2004-09-13 Thread Abbiss, Mark
I am going round in circles and am now completely confused!

I would like to give a group of our 2nd level administrators the ability to log on to all Domain Controllers. I have applied a group policy to the "Domain Controllers" OU which sets the "Computer configuration -> windows settings -> security settings -> local policies -> user rights assignment" to give this group "Log on locally" rights. I have also ensured that the group policy is applied to all authorised users. I have no problem logging on as I am an Enterprise Admin, however, the other admins are denied the ability to log on.

Therefore, I modified the local DC security settings to give the same group the "Log on locally" right. Still they cannot log on.

Please, what could I be missing? Do I need to set access rights anywhere else? Can I do anything to troubleshoot what rights this group is getting?

Many thanks for any help.


Re: [ActiveDir] Logging on to a Domain Controller

2004-09-13 Thread Al Lilianstrom
Are they attempting to log on via the console or by Terminal Services?
If the latter, did you grant them access in the Terminal Server configuration?

al
--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Logging on to a Domain Controller

2004-09-13 Thread joe
Someone is going to ask it so it might as well be me.

Why are you letting non-domain admins log onto domain controllers?

  joe




Re: [ActiveDir] Logging on to a Domain Controller

2004-09-13 Thread James_Day
Hi Mark

The default domain controller policy also sets the rights to log on
locally.  We were attempting to deny logon local rights to our Service
accounts, and found that this GPO overrides the one we put in to deny the
service account group to log on locally (apparently GPO does not let the
same setting in two different GPOs to merge - either one wins for that
specific setting or the other wins for that setting).  We ended up making
the changes to the default domain controller GPO and it then allowed us to
deny our service accounts terminal and local logon rights.  It seems to
work now.

Regards,

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


   
  
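Mark asked how to see what rights the group actually ends up with, and James's answer points at the Default Domain Controllers Policy winning over a second GPO for the same setting. The following PowerShell is an added example, not something posted in the thread: it exports the effective local security database with secedit, lists who holds the interactive logon rights (allow and deny), checks one group against them, and, if the GroupPolicy module is installed, prints the link order on the Domain Controllers OU. The group name CONTOSO\Tier2-Admins and the OU distinguished name are placeholders to replace.

```powershell
# Added example, not from the thread. Run elevated on the domain controller.
# 'CONTOSO\Tier2-Admins' and the OU distinguished name are placeholders.

function Get-LogonRightAssignments {
    param([string]$InfPath)   # an .inf written by "secedit /export", or any file in that format

    # secedit writes UTF-16 with a BOM, which Get-Content detects on its own.
    $inSection = $false
    $rights = @{}
    foreach ($line in (Get-Content -Path $InfPath)) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(\S+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            $principals = foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if ($entry -eq '') { continue }
                if (-not $entry.StartsWith('*')) { $entry; continue }
                # Entries are SIDs prefixed with '*'; translate to DOMAIN\Name where possible.
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $entry.Substring(1)   # orphaned SID: keep it visible rather than drop it
                }
            }
            $rights[$right] = @($principals | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-InteractiveLogon {
    param([hashtable]$Rights, [string]$Account)
    # A Deny right always wins over the matching Allow right, and only the
    # winning GPO's list is applied: the lists are not merged across GPOs.
    $allowed = $Rights['SeInteractiveLogonRight']     -contains $Account
    $denied  = $Rights['SeDenyInteractiveLogonRight'] -contains $Account
    [pscustomobject]@{
        Account  = $Account
        Allowed  = $allowed
        Denied   = $denied
        CanLogOn = ($allowed -and -not $denied)
    }
}

# Export the effective user-rights settings of this machine and report them.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Get-LogonRightAssignments -InfPath $inf
foreach ($r in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
               'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    '{0,-36} {1}' -f $r, ($rights[$r] -join ', ')
}
Test-InteractiveLogon -Rights $rights -Account 'CONTOSO\Tier2-Admins'   # placeholder group

# Link order 1 has the highest precedence on an OU. A GPO linked afterwards
# normally gets a higher number and so loses to the Default Domain Controllers
# Policy for any setting both define. Needs the GroupPolicy module (RSAT).
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    (Get-GPInheritance -Target 'OU=Domain Controllers,DC=contoso,DC=com').GpoLinks |
        Sort-Object Order | Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
}
```

Run gpupdate /force first so the export reflects the current policy, and use gpresult /scope computer /v to see which GPO supplied each user-rights setting. The check compares names in the list literally: if the admins only hold the right through membership of some other listed group, Allowed shows False even though they can log on, so read the full list as well as the verdict.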


RE: [ActiveDir] Unauthorized DHCP Requests

2004-09-13 Thread Coleman, Hunter



Our network folks are starting to roll out Cisco's Access Control Server. They plan to tie it into our AD, and eventually configure all of the network devices so that machines won't get on the network unless they're joined to the AD and have successfully authenticated. I'm not sure who else besides Cisco has this kind of thing, but I suspect they're not the only one.

Hunter


From: Joe L. Casale [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 12, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unauthorized DHCP Requests


Yea, it's ugly as heck to manage though. MAC reservations for all, but anyone can spoof that if they have a wit. Your problem is a common one, but not a simple one.

If you hear of a slicker solution than that, pray tell!

jlc
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Edwin
Sent: Thursday, September 09, 2004 4:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Unauthorized DHCP Requests
 
Our domain is using a Win2K3 server which is also a domain controller as its DHCP solution. Often I look at the DHCP tables and notice that there are unauthorized machines that connect to our network. This seems to occur from employees who bring in their laptop during the weekend when the workload is light and management does not have as much a presence.

The workstations within the domain all follow a naming scheme. For example, ORL-RM3-204-2, which means the server is located in Orlando, physically located in Room 3, desk number 204, and the number of times that that particular workstation has been replaced.

So if I see a workstation in the DHCP tables that does not follow that naming scheme, then I know that something else has managed to get an IP Address from the network.

Is there a way to prevent unauthorized machines from retrieving an IP address? If so, is there also a way to make an exception to the rule should a non-standard naming convention machine require authorized access to the network?

Thank you all for your replies.

Edwin


RE: [ActiveDir] Unauthorized DHCP Requests

2004-09-13 Thread Ayers, Diane



Hunter:

With Cisco ACS, how are you going to deal with non-MS based devices that get DHCP addresses? That's always been the hang-up for us to shift to a setup like you describe.




RE: [ActiveDir] Unauthorized DHCP Requests

2004-09-13 Thread Coleman, Hunter



It's part of our plan to force a pure MS environment :-).

I asked our network group about this last week, and was told that the non-MS devices would need a "placeholder" account in AD. I haven't had a chance to check through the documentation to verify this. I'll post back whatever I can dig up.




[ActiveDir] ADSI & DC W2K3

2004-09-13 Thread JCARROS



Hi List,

I have a problem with an ADSI script inside an *.asp when it validates against a Windows 2003 Server STD DC; if the query is to a Windows 2000 Server DC, it's OK. Does anyone have a similar problem? The domain is Windows 2000 Native.

For instance:

    ' Bind to the user through the WinNT provider and write out the full name
    set Ad = GetObject("WinNT://DomainName/UserName")
    response.write Ad.FullName

Thanks.

This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from REPSOL YPF S.A. and/or subsidiaries and/or affiliates. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.


RE: [ActiveDir] Unauthorized DHCP Requests

2004-09-13 Thread Ken Cornetet
Resistance is futile - you will be assimilated.

  


RE: [ActiveDir] Unauthorized DHCP Requests

2004-09-13 Thread Tyson Leslie



We were looking into exactly this problem, and came across a few options. If you want to get fancy (with a fair bit more work), you could go with an 802.1x solution, and automatically VLAN people (or not) as they connect to the network. We also stumbled across a neat solution that requires much less effort: SAFE DHCP, from MetaInfo (http://www.metainfo.com/index.cfm/page/safedhcp).

We haven't actually implemented it yet, so I can't vouch for how well it works, but there's a couple of layers of authentication you can use (MAC and 2-factor with an A-key).

AFAIK, you cannot base rules on names, just given MAC addresses.

HTH,

    Tyson.


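Edwin spots strangers by eye because every sanctioned workstation follows the ORL-RM3-204-2 scheme, and Tyson notes that the products he found can only key rules on MAC addresses. The PowerShell below is an added example, not code from anyone in the thread: it turns that manual review into a detection pass over DHCP lease records, flagging any lease whose hostname is outside the scheme unless its MAC is on an explicit exception list (Edwin's "non-standard naming convention machine"). The lease records and the exception entry are constructed sample data; on a current Windows DHCP server the same function can be fed from Get-DhcpServerv4Lease in the DhcpServer module, which is assumed to be available there.

```powershell
# Added example, not from the thread. Detection only: the hostname is whatever the
# client put in its DHCP request and a MAC is not a credential (Joe's point above),
# so this finds leases to look at; it does not keep anything off the network.

# Matches names such as ORL-RM3-204-2: site-room-desk-replacement count.
$NamingPattern = '^[A-Z]{3}-RM\d+-\d{1,4}-\d+$'

function Find-UnexpectedLease {
    param(
        [Parameter(ValueFromPipeline = $true)] $Lease,   # needs IPAddress, HostName, ClientId
        [hashtable]$AllowedByMac = @{},                  # MAC -> reason, for sanctioned exceptions
        [string]$Pattern = $NamingPattern
    )
    process {
        $name = ($Lease.HostName -replace '\..*$', '')            # drop any DNS suffix
        $mac  = ($Lease.ClientId -replace '[:.]', '-').ToUpper()  # normalise separators
        if ($AllowedByMac.ContainsKey($mac)) { return }           # sanctioned exception
        if ($name -match $Pattern) { return }                     # follows the scheme
        [pscustomobject]@{
            IPAddress = $Lease.IPAddress
            HostName  = $Lease.HostName
            ClientId  = $mac
            Reason    = if ($name) { 'hostname outside naming scheme' } else { 'no hostname supplied' }
        }
    }
}

# Constructed sample leases in the shape Get-DhcpServerv4Lease returns (not real data).
$sampleLeases = @(
    [pscustomobject]@{ IPAddress = '10.1.2.10'; HostName = 'ORL-RM3-204-2';            ClientId = '00-11-22-33-44-55' }
    [pscustomobject]@{ IPAddress = '10.1.2.11'; HostName = 'ORL-RM3-205-1.corp.local'; ClientId = '00-11-22-33-44-56' }
    [pscustomobject]@{ IPAddress = '10.1.2.12'; HostName = 'JOHNS-LAPTOP';             ClientId = 'aa-bb-cc-dd-ee-ff' }
    [pscustomobject]@{ IPAddress = '10.1.2.13'; HostName = 'printer-lobby';            ClientId = '11-22-33-44-55-66' }
    [pscustomobject]@{ IPAddress = '10.1.2.14'; HostName = $null;                      ClientId = '22-33-44-55-66-77' }
)
# Constructed exception list: the lobby printer is allowed despite its name.
$exceptions = @{ '11-22-33-44-55-66' = 'lobby printer, approved by IT' }

$sampleLeases | Find-UnexpectedLease -AllowedByMac $exceptions | Format-Table -AutoSize
# Flags 10.1.2.12 (JOHNS-LAPTOP) and 10.1.2.14 (no hostname); the rest pass.

# On a 2012+ DHCP server (DhcpServer module), the live equivalent is:
# Get-DhcpServerv4Lease -ScopeId 10.1.2.0 | Find-UnexpectedLease -AllowedByMac $exceptions
```

Treat the output as a triage list to check against the asset register, and keep the exception list under change control so the "placeholder" devices Hunter mentions are the only ones on it. For actual enforcement the thread's own answers apply: 802.1X with dynamic VLAN assignment or a NAC product such as Cisco ACS, since neither the name nor the MAC in a lease proves anything about the machine.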


[ActiveDir] GPOs through trust?

2004-09-13 Thread [EMAIL PROTECTED]
Hi All,

I have a question about whether GPOs get applied in a situation where
domain trust is used.

Assume AD domain DA trusts DB.  There is a user U1 defined in DB.
U1 belongs to a group G1 on DB.  A particular GPO applies to G1 in DB.

Now when user U1 signs into domain DA, using trust, does the GPO get
applied, despite the fact that it's actually defined on DB, for G1
which also does not exist on DA?

(Hopefully that makes sense...)

Thanks!

-- Idan




RE: [ActiveDir] ADSI & DC W2K3

2004-09-13 Thread Mulnick, Al



No, but I don't use the WinNT provider either. Any particular reason to use the WinNT provider vs. the LDAP provider?

Al




RE: [ActiveDir] ADSI & DC W2K3

2004-09-13 Thread JCARROS



None, only that the developers use that in many cases.

Thanks anyway




RE: [ActiveDir] ADSI & DC W2K3 [?? Probable Spam]

2004-09-13 Thread Lou Vega









I haven't run into this type of problem in either W2K or W2K3 DCs, though I haven't used the WinNT provider in a long time. Any chance you can post the complete snippet of code and the error being returned?

I know one thing to keep in mind with W2K3: you may need to use ADS_SECURE_AUTHENTICATION when binding. I had to update some of my code that way.

r/

Lou

 

 









RE: [ActiveDir] GPOs through trust?

2004-09-13 Thread Darren Mar-Elia
Idan-
It makes partial sense, but in general, yes, Group Policy does not have an
issue with trusts. Your described scenario below is a bit confusing. If
U1 is defined in domain DB, then I'm assuming that when you say that U1
signs into domain DA, you mean that U1 is sitting at a workstation whose
machine account resides in DA? In that case, when the user U1 logs on,
Windows will chase the GPLinks that apply to the user account in DB as
normal, and, as long as the trusts are good and both AD and SYSVOL in DB
are accessible to U1, then processing works as expected, though with
some small performance overhead due to having to pass through the domain
trusts.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, September 13, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPOs through trust?

Hi All,

I have a question about whether GPOs get applied in a situation where a
domain trust is used.

Assume AD domain DA trusts DB.  There is a user U1 defined in DB.
U1 belongs to a group G1 on DB.  A particular GPO applies to G1 in DB.

Now when user U1 signs into domain DA, using trust, does the GPO get
applied, despite the fact that it's actually defined on DB, for G1 which
also does not exist on DA?

(Hopefully that makes sense...)

Thanks!

-- Idan


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GPOs through trust?

2004-09-13 Thread Teverovsky, Guy

It's worth mentioning that in the case of a W2K3 forest trust (a user from
forest A signs on to a machine in forest B) the loopback GPO processing is
enabled by default.

Guy


RE: [ActiveDir] GPOs through trust?

2004-09-13 Thread Renouf, Phil
The only GPOs that won't apply are machine account GPOs, since those will
be based on the DA GPOs, as the workstation is a member of the DA
domain.

Phil 


RE: [ActiveDir] GPOs through trust?

2004-09-13 Thread [EMAIL PROTECTED]
Thanks to Darren, Guy and Phil for the help -- this is pretty much the
answer I was hoping for.  :-)

Cheers,

-- Idan


Re: [ActiveDir] Logging on to a Domain Controller

2004-09-13 Thread ASB
~
I would like to give a group of our 2nd level administrators the
ability to log on to all Domain Controllers.
~

Because?

-ASB


RE: [ActiveDir] Fun with Kerberos

2004-09-13 Thread Guy Teverovsky
I have been trying to reproduce the behavior in our test forest, but so far in vain. I can only speculate that you need more than one DC on site (at least 1 DC and 1 GC maybe ?).

In any case, meanwhile another issue popped up and it looks like it might be related.
As I have already mentioned, we have 2 forests in our environment:
1) myad.com (empty root + domains: child.myad.com, anotherchild.myad.com)
2) rd.company.com (well yes, we are R&D and have to be special :-) )

For myad.com we have an alternative UPN suffix in the form of "company.com" ==> my account in child.myad.com would be [EMAIL PROTECTED]
The rd.company forest is a resource forest: all user accounts are located in child domains of the myad.com forest.
Now user CHILD\guy (Kerberos principal: [EMAIL PROTECTED]) logs on to host mycomp01.rd.company.com (the host is in the rd.company.com forest) using the UPN ([EMAIL PROTECTED])

The trust is a one-way forest trust.

Now user guy decides to change his password, hits ALT+CTRL+DEL, fills in his UPN, types the new password, hits Enter, and gets "The system can not change your password now because domain is not available".
OK... I do some searching and come up with this KB:
"Cannot Change Password if You Use the UPN Suffix":
http://support.microsoft.com/default.aspx?scid=kb;en-us;321074

The cause is, I quote:
"This behavior may occur when the built-in Authenticated Users group was removed from the organizational unit where the user account resides. By default, the computer account is a member of the Authenticated Users group. If you use the "Change Password" dialog box, the local computer account is used to resolve the UPN. If the Authenticated Users group was removed from the organizational unit that contains the user account, you cannot successfully change the password."

ok... this makes sense... but there is a slight problem:
This is a one-way trust and the computer account cannot have access to the OU the user accounts are located in even if the Authenticated Users group has read access - this is the Authenticated Users group from the wrong forest !

I guess the answer would still be "the behavior is by design", but this is rather confusing for the users - the object picker wants Kerberos principals in W2K, if you log on using DOMAIN\Username you end up with messed up cached credentials, UPN almost works, but you can't change your password using UPN, and the list goes on...

We have started to document what actions can be done using UPN, explicit Kerberos principal and DOMAIN\username and we can't figure out a rule of thumb that can work for the end-users.

Ideas ?

Guy



From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Fri 9/10/2004 6:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos


Al, realize that the user accounts Guy is talking about are all in one forest - so the issue is not related to UPNs being unique across more than one forest. They're just logging in from a machine in a different forest.
 
I've already discussed offline with Guy that the clash is between the implicit UPN of 
the regular account (which would be [EMAIL PROTECTED]) and the explicit UPN of the 
supplemental account (which had previously been set to [EMAIL PROTECTED]) => fixing 
the explicit UPN of the supplemental account fixed the clash and the related 
problems...
 
 
BTW, we're thinking that the account lockouts and the XP request for credentials is 
likely related to Kerberos preauthentication. During preauth, AD looks up accounts 
using the UPN - so if it hits the wrong account, and uses the wrong password hash for 
validation of the Kerberos preauth data this may have the same effect as logging on 
with the wrong password.
 
Here's a nice article that explains Kerberos preauthentication in more detail
http://www.windowsitlibrary.com/Content/617/06/6.html 
 
 
/Guido



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, September 10, 2004 4:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos


No, that sounds about right.  
 
Across two forests?  Be tough for any administrative program to enforce uniqueness 
unless it was authoritative for both forests.   That said, that's something you want 
your admin processes to compensate for and ensure that all accounts are unique across 
forests that can talk to each other.
 
Al



From: Guy Teverovsky [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, September 09, 2004 8:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos


ok... this starts to be more interesting. If the implicit UPN is constructed from 
samaccountname and AD DNS name, I do not see how Kerberos principals could clash. This 
is what I initially had (names cha

Re: [ActiveDir] Stopping a GC from doing Authentications

2004-09-13 Thread Steve Schofield
Here are three articles I've used to hide the PDC emulator and also hide a
delayed-replication domain controller (a DC that only gets replicated once a
day) using SRV records.  These articles relate to using a lower SRV LDAP key
but are good to help understand how to use DNS and SRV *magic* to hide DCs.
My particular situation was to direct most LDAP calls to a few specific DCs
and take load off other DCs.   Sorry this is a bit off topic but it is related
and I wanted to pass the info along.

Use DNS Registration to Decrease the Workload on the PDC Emulator
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbe_upnt_xlfh.asp

How to Optimize the Location of a Domain Controller or Global Catalog That
Resides Outside of a Client's Site
http://support.microsoft.com/default.aspx?kbid=306602

How to view and set lightweight directory access protocol policies by using
Ntdsutil.exe in Windows 2000
http://support.microsoft.com/default.aspx?kbid=315071


*  - *
*  Steve Schofield - MCP, CCA
*  [EMAIL PROTECTED]
*
*  Microsoft MVP - ASP.NET
*  http://www.deviq.com
*  - *

- Original Message - 
From: Myrick, Todd (NIH/CIT)
To: [EMAIL PROTECTED]
Sent: Thursday, September 09, 2004 2:16 PM
Subject: [ActiveDir] Stopping a GC from doing Authentications


Is it possible to configure a GC to perform GC functions, but to disable the
ability to process authentication requests?  I was asked this question and
figured this would be an interesting topic here.  I know it is possible to
mess with the SRV records to lower the priority of the server, etc.

Thanks,

Todd

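As an added example that is not code from the thread, here is a Python model of the RFC 2782 priority/weight selection a client performs over the `_ldap._tcp` SRV records the KB articles above deal with. It shows why publishing a worse (higher) priority for one DC, which is what the Netlogon LdapSrvPriority setting the linked articles describe is assumed to do, keeps that DC out of rotation while any better-priority DC answers, and why a weight of 0 at the same priority does not hide it; record names and numbers are constructed.

```python
import random
from dataclasses import dataclass
from itertools import groupby
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class SrvRecord:
    target: str
    priority: int  # clients exhaust the lowest priority group before moving on
    weight: int    # relative share of picks within one priority group


# Constructed _ldap._tcp.dc._msdcs records (not real hosts): two normal DCs plus
# a GC whose priority was raised so it is only tried when dc1 and dc2 are down.
SAMPLE_RECORDS = [
    SrvRecord("dc1.example.test", 0, 10),
    SrvRecord("dc2.example.test", 0, 10),
    SrvRecord("gc-hidden.example.test", 200, 0),
]


def pick_weighted(group: List[SrvRecord], rng: random.Random) -> SrvRecord:
    """RFC 2782 pick inside one priority group: weight-0 targets go first, a
    number in [0, total weight] is drawn, and the first target whose running
    sum reaches it wins. Weight 0 still wins on a draw of 0, so weight alone
    never takes a DC out of rotation; only a worse priority does that."""
    ordered = sorted(group, key=lambda r: r.weight != 0)  # stable: zeros first
    draw = rng.randint(0, sum(r.weight for r in ordered))
    running = 0
    for rec in ordered:
        running += rec.weight
        if running >= draw:
            return rec
    return ordered[-1]  # not reached: running == total >= draw at the end


def try_order(records: Iterable[SrvRecord], seed: int = 0) -> List[SrvRecord]:
    """Full order in which a client would attempt the targets (seeded RNG)."""
    rng = random.Random(seed)
    order: List[SrvRecord] = []
    for _, grp in groupby(sorted(records, key=lambda r: r.priority),
                          key=lambda r: r.priority):
        remaining = list(grp)
        while remaining:  # each pick removes the winner from the group
            chosen = pick_weighted(remaining, rng)
            order.append(chosen)
            remaining.remove(chosen)
    return order


def locate_dc(records: Iterable[SrvRecord], reachable: Set[str],
              seed: int = 0) -> Optional[str]:
    """First target in try order that answers, or None when none do."""
    for rec in try_order(records, seed):
        if rec.target in reachable:
            return rec.target
    return None
```

Running `locate_dc(SAMPLE_RECORDS, everyone, s)` over many seeds never returns the raised-priority GC while dc1 or dc2 is reachable, and returns it as soon as both are not.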