RE: [ActiveDir] When you change group scopes by using a combination of the Dsquery command

2005-09-22 Thread joe
Slight mod to this sentence

especially since the CURRENT primary use of such groups THAT WE ARE FAMILIAR
WITH is distributing emails. 


I am seeing more and more use of these non-NT Security enabled groups in
functions other than email delivery.


And for this

> I take "both could be used for either" to actually mean "both could be 
> used for DISTRIBUTION" since they are both technically not equally 
> interchangeable, as you clarified in your email.

Both can be used for distribution, both can be used for security, however
both can not be used for "NT Security" when there is a dependency of the SID
being placed in the token of the user to initiate the secured response.

I was watching UNIX based apps and even one Windows based app using AD
non-NT Security enabled groups for security several years ago. It makes a
ton of sense since you don't have the concern of token bloat due to SIDs.
For an application based security environment I think it makes far more
sense than, for instance, checking for a control access right on an object
based on the SID in the token. Look around at how much trouble people have
dealing with SIDs in comparison to a DN.

All of the SID stuff is very Windows-centric for a directory that is pushing
to be the centerpiece of a multiple platform SSO enabler. If I am sitting on
a UNIX box and I need to determine who has access to some aspect of the
system am I going to use a SID? How hard is it to chase that back to a
unique principal, think of what the procedure needs to be to chase that down
for an OS that can natively resolve it. Also consider the length of time it
can take to resolve SIDs on an OS that can natively resolve it, ever sit
there waiting for SIDs to turn into names? Consider SID resolution has to go
through objectsid for an entire forest, then sidHistory, and then chase into
every trusted realm that isn't part of the forest. It is pretty complicated.
Now bring into the picture ADAM SIDs as well which don't resolve so well
with the native interfaces... 

Of course the thing that makes this a bit painful is the whole resolving
full group membership for a given user across a forest or multiple forests.
It is less painful though now that the QP knows how to use the implicit
indexes of the linked attributes but still not as easy as it might be.

I totally disagree that anything from .NET is the global answer to this.
Forcing that to be the answer really closes down the answer to the Windows
world which already has an answer, SIDs and NT Security.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 23, 2005 2:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When you change group scopes by using a combination
of the Dsquery command 

>>>As an aside, I dislike the use of the word distribution groups and
security groups because both could be used for either. Any group can be a
distribution group, the groups are simply NT security enabled or not NT
security enabled.

Which is why you need to distinguish between them. "Non-NT Security Enabled
Group" does not sound as logical as "Distribution Group", especially since
the primary use of such groups is distributing emails. In the same vein, "NT
Security Enabled Group" is less sexy than simply saying "Security Group",
again since the primary use of such group is in the
security/permissioning/delegation space, although it could serve the
"distributing" purposes too, as you mentioned.
 
I take "both could be used for either" to actually mean "both could be used
for DISTRIBUTION" since they are both technically not equally
interchangeable, as you clarified in your email.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 9/22/2005 10:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When you change group scopes by using a combination
of the Dsquery command 





That is why ADMOD doesn't currently support a group scope type of switch
along with other bitwise type ops (such as disable, etc). There are
difficulties as you will see below.

I expect the fix for this is probably pretty inefficient and could be quite
slow if updating a lot of objects, my guess is that it does a lookup on
every object prior to updating it to get the current value, no other way to
really do it, this means two calls for every update. A more efficient way
would be to create a query that picks out the NT security enabled groups and
changes their scope and then do it again for non NT security enabled groups.
Of course you would have to use the older un-fixed version of dsmod or use
admod.

As an aside, I dislike the use of the word distribution groups and security
groups because both could be 

[ActiveDir] GPO Restricted Groups gotchas ?

2005-09-22 Thread Mark . H . Lunsford

I would like to use restricted groups
policies to specify local Administrative access to application servers.
I am sure this has already been tried. I would like to know how this worked
or did not work for those who have tried it, and were there any unexpected
gotchas that happened?

Thank You ! And have a nice day !

**
Mark Lunsford
KAISER PERMANENTE



RE: [ActiveDir] When you change group scopes by using a combination of the Dsquery command

2005-09-22 Thread deji
>>>As an aside, I dislike the use of the word distribution groups and
security groups because both could be used for either. Any group can be a
distribution group, the groups are simply NT security enabled or not NT
security enabled.

Which is why you need to distinguish between them. "Non-NT Security Enabled
Group" does not sound as logical as "Distribution Group", especially since
the primary use of such groups is distributing emails. In the same vein, "NT
Security Enabled Group" is less sexy than simply saying "Security Group",
again since the primary use of such group is in the
security/permissioning/delegation space, although it could serve the
"distributing" purposes too, as you mentioned.
 
I take "both could be used for either" to actually mean "both could be used
for DISTRIBUTION" since they are both technically not equally
interchangeable, as you clarified in your email.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 9/22/2005 10:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] When you change group scopes by using a combination
of the Dsquery command 





That is why ADMOD doesn't currently support a group scope type of switch
along with other bitwise type ops (such as disable, etc). There are
difficulties as you will see below.

I expect the fix for this is probably pretty inefficient and could be quite
slow if updating a lot of objects, my guess is that it does a lookup on
every object prior to updating it to get the current value, no other way to
really do it, this means two calls for every update. A more efficient way
would be to create a query that picks out the NT security enabled groups and
changes their scope and then do it again for non NT security enabled groups.
Of course you would have to use the older un-fixed version of dsmod or use
admod.

As an aside, I dislike the use of the word distribution groups and security
groups because both could be used for either. Any group can be a
distribution group, the groups are simply NT security enabled or not NT
security enabled.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 22, 2005 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] When you change group scopes by using a combination of
the Dsquery command

When you change group scopes by using a combination of the Dsquery command
the Dsmod command, all the group types are changed to either distribution
groups or security groups on a Windows Server 2003-based
computer:
http://support.microsoft.com/?kbid=898063

--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/





RE: [ActiveDir] When you change group scopes by using a combination of the Dsquery command

2005-09-22 Thread joe


That is why ADMOD doesn't currently support a group scope type of switch
along with other bitwise type ops (such as disable, etc). There are
difficulties as you will see below.

I expect the fix for this is probably pretty inefficient and could be quite
slow if updating a lot of objects, my guess is that it does a lookup on
every object prior to updating it to get the current value, no other way to
really do it, this means two calls for every update. A more efficient way
would be to create a query that picks out the NT security enabled groups and
changes their scope and then do it again for non NT security enabled groups.
Of course you would have to use the older un-fixed version of dsmod or use
admod.

As an aside, I dislike the use of the word distribution groups and security
groups because both could be used for either. Any group can be a
distribution group, the groups are simply NT security enabled or not NT
security enabled. 

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 22, 2005 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] When you change group scopes by using a combination of
the Dsquery command 

When you change group scopes by using a combination of the Dsquery command
the Dsmod command, all the group types are changed to either distribution
groups or security groups on a Windows Server 2003-based
computer:
http://support.microsoft.com/?kbid=898063

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

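The bitwise hazard joe describes above (a scope change that must not clobber the NT-security-enabled bit, and the per-class query that avoids a lookup before every write), as an added Python example that is not code from ADMOD, dsmod or the KB article. The flag values are the documented AD groupType bits and the bitwise-AND matching rule OID is the real one; the "naive" writer is an assumed illustration of the hazard rather than a claim about dsmod's internals, and the sample DNs and values are constructed.

```python
"""groupType bit handling for a scope change, plus the two-query plan and a
before/after audit. Added example; not ADMOD, dsmod or KB 898063 code."""
from typing import Dict, List, Tuple

# Documented Active Directory groupType flag bits.
GROUP_TYPE_GLOBAL = 0x00000002        # "account group"
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004  # "resource group"
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY = 0x80000000      # NT security enabled: SID goes into tokens
SCOPE_MASK = GROUP_TYPE_GLOBAL | GROUP_TYPE_DOMAIN_LOCAL | GROUP_TYPE_UNIVERSAL

# LDAP extensible-match rule for bitwise AND, as used in AD search filters.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def from_ldap(value: str) -> int:
    """groupType is stored as a signed 32-bit integer; return its unsigned bits."""
    return int(value) & 0xFFFFFFFF


def to_ldap(bits: int) -> str:
    """Convert unsigned bits back to the signed 32-bit string AD expects."""
    bits &= 0xFFFFFFFF
    return str(bits - 0x100000000 if bits & GROUP_TYPE_SECURITY else bits)


def is_security_enabled(bits: int) -> bool:
    return bool(bits & GROUP_TYPE_SECURITY)


def naive_set_scope(_current: int, new_scope: int) -> int:
    """Assumed illustration of the hazard: writing the scope value as the whole
    attribute, without reading the current value, drops GROUP_TYPE_SECURITY,
    so a security group silently becomes a distribution group."""
    return new_scope


def change_scope(current: int, new_scope: int) -> int:
    """Read-modify-write: clear the scope bits, set the new one, keep every
    other bit (including GROUP_TYPE_SECURITY) exactly as it was."""
    if new_scope not in (GROUP_TYPE_GLOBAL, GROUP_TYPE_DOMAIN_LOCAL, GROUP_TYPE_UNIVERSAL):
        raise ValueError("new_scope must be exactly one scope bit")
    return (current & ~SCOPE_MASK) | new_scope


def filter_by_security(security_enabled: bool) -> str:
    """LDAP filter that selects only NT-security-enabled groups (or only the
    others), so each class can be written with one constant value."""
    bit_test = f"(groupType:{LDAP_MATCHING_RULE_BIT_AND}:={GROUP_TYPE_SECURITY})"
    if not security_enabled:
        bit_test = f"(!{bit_test})"
    return f"(&(objectCategory=group){bit_test})"


def plan_bulk_update(groups: Dict[str, str], new_scope: int) -> List[Tuple[str, str, List[str]]]:
    """The two-query plan from the thread: one constant groupType per class,
    selected by filter, instead of a lookup before every update. Returns
    (ldap_filter, value_to_write, matching_dns) per class; the per-object
    test below stands in for the server evaluating the filter."""
    plan = []
    for sec in (True, False):
        dns = [dn for dn, raw in groups.items() if is_security_enabled(from_ldap(raw)) == sec]
        value = to_ldap((GROUP_TYPE_SECURITY if sec else 0) | new_scope)
        plan.append((filter_by_security(sec), value, dns))
    return plan


def audit_type_changes(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Detection after a bulk scope change: DNs whose security-enabled bit
    flipped, which a scope change alone should never do."""
    return sorted(
        dn for dn in before
        if is_security_enabled(from_ldap(before[dn])) != is_security_enabled(from_ldap(after[dn]))
    )


# Constructed sample: one security-enabled global group, one distribution group.
SAMPLE = {
    "CN=App Admins,OU=Groups,DC=example,DC=com": "-2147483646",  # security, global
    "CN=Newsletter,OU=Groups,DC=example,DC=com": "2",            # distribution, global
}

if __name__ == "__main__":
    naive_after = {dn: to_ldap(naive_set_scope(from_ldap(v), GROUP_TYPE_UNIVERSAL))
                   for dn, v in SAMPLE.items()}
    print("naive write demoted:", audit_type_changes(SAMPLE, naive_after))
    for ldap_filter, value, dns in plan_bulk_update(SAMPLE, GROUP_TYPE_UNIVERSAL):
        print(ldap_filter, "->", value, dns)
```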



RE: [ActiveDir] LDAP search limitations

2005-09-22 Thread joe
Sorry no, I am on crack. 

I was thinking maxvals for ranging and applied it to max objects for a page.
It is definitely 1000 objects per page just like in 2K. I was just
explaining yet again to someone at work why we need to keep DL sizes under
1000 direct members on 2K DCs. I seem to be thinking a lot about Exchange
specific AD stuff as of late.  

On the positive side, the reasoning is the same for both limits. :o)


Looking forward to the wine and beer and mixed drinks and just plain
relaxing and not running 10-20 hours every day and then sleeping the
remainder. The next time I sign a book deal it will be after I have written
the book. Writing part time to a deadline (especially one that gets moved
up) is equivalent to saying you don't want a personal life. :o)

You should probably be getting on a plane pretty soon to get here huh? ;o)


Thanks for catching my mistake. 


   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Friday, September 23, 2005 12:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP search limitations

Hey Joe

I'm missing something here, so hopefully you can clarify it for me.

MaxPageSize is set at 1000 in both Windows 2000 and 2003.  MaxValRange
increased from 1000 in 2K to 1500 in 2K3. My understanding is that the
MaxPageSize corresponds to the maximum number of objects returned in a
single search result, whereas MaxValRange is all about the number of values
returned in a search result for a single attribute.  

I would have thought Neil's query was more about the MaxPageSize?

Tony
PS.  Happy to discuss this over a bottle of decent red wine with you and
the others next week. :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 23 September 2005 6:44 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP search limitations

The limit is 1000 on 2K and 1500 on K3/ADAM. These values can be tweaked. 

The general purpose reason is to conserve resources on the LDAP server.
Consider result sets have to be pulled into memory to be encoded to send
back to clients. If you have lots and lots of simultaneous queries with huge
resultsets you could quickly cause harm to an LDAP server as it runs low on
resources.

As to why MS did it and others didn't. Possibly the others are not thinking
properly about large scale or heavily loaded implementations. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP search limitations

Apologies for asking this question, since it's been posed before (?), but
can anyone offer me a brief description of why AD only returns (by
default)
1024 entries when an LDAP search is performed? Is it a question of
performance? Why is the searcher not offered all records that meet the
search criteria?

Questions have arisen as to why MS implemented a limit since (apparently),
other LDAP implementations do not enforce these limits.

thanks,
neil





---
Neil Ruston
Nomura International Plc
Tel: 020 7521 3481
[EMAIL PROTECTED]





RE: [ActiveDir] dns suffix search list

2005-09-22 Thread deji
This is not in DHCP. This is GPO or script thing. Something like this:
http://www.mail-archive.com/activedir@mail.activedir.org/msg32800.html, for
non-XP clients
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Dan Holme
Sent: Thu 9/22/2005 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list



Marcus:  What scope option is that?  Funny... I thot it was there too and
couldn't find the option...

 

Tom:

http://www.microsoft.com/technet/scriptcenter/scripts/network/client/modify/n
wmovb21.mspx  is the WMI script

also 

Group Policy allows configuring the DNS Suffix Search Order.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 8:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list

 

By lots of machines, are you referring to workstations?  If so, are they in a
scope that's managed by DHCP?  You could manipulate the search suffix that
way... 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 22, 2005 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list

 

I'm only running win2k

I'd like to make the script query a text file of client names, so I can just
execute it from my desktop rather than a script.

how would i go about doing that?

Thanks

-Original Message- 
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED] 
Sent: Thu 9/22/2005 2:31 PM 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] dns suffix search list

 



Re: [ActiveDir] dns suffix search list

2005-09-22 Thread Phil Renouf
You can not modify the search suffix list via DHCP.
 
Phil 
On 9/22/05, Dan Holme <[EMAIL PROTECTED]> wrote:


Marcus:  What scope option is that?  Funny… I thot it was there too and couldn't find the option…

 
Tom:

http://www.microsoft.com/technet/scriptcenter/scripts/network/client/modify/nwmovb21.mspx  is the WMI script
also 
Group Policy allows configuring the DNS Suffix Search Order.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 8:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list
 
By lots of machines, are you referring to workstations?  If so, are they in a scope that's managed by DHCP?  You could manipulate the search suffix that way… 

 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Thursday, September 22, 2005 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list
 

I'm only running win2k

I'd like to make the script query a text file of client names, so I can just execute it from my desktop rather than a script.


how would i go about doing that?

Thanks


-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]]
Sent: Thu 9/22/2005 2:31 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] dns suffix search list

 


Re: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-22 Thread Susan Bradley

Trust me... it's a religious thing  :-)

Those of us that have the religion of SBS don't see a problem with the 
wizards .:-)


We're looking to start a support group for former Enterprise Admins who 
are now SBSers 

http://msmvps.com/bradley/archive/2005/07/27/59808.aspx

I'll be honest with you ... the first time I set up 'normal' server and 
'normal' exchange I was extremely surprised how much manual stuff you 
guys do in big server land.  Forestprep and all that.  The next thing I 
was absolutely flabbergasted about was how they trust you on the number 
of cals.  'You just stick in a number there?  And they trust you to be 
honest? Wow."  Blew me away.


Actually it's near impossible to get WSS [sharepoint] on a same box as 
Exchange anyway.  There are a couple of folks that tried and finally 
gave up.


Roger Seielstad wrote:


Actually, I don't think it's a religious issue. The problem with SBS is that
it's not really the amalgam of Microsoft technologies that it's billed as,
and as such you can't administer it as you would with all the same apps in a
non-SBS implementation.

It's a neat package overall, but the requirement to do the wizard thing
makes it hard for people like us to deal with it.. 




Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, September 22, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS migration (was SBS Server Question)

And that is a real difficulty.

The wizards should integrate seamlessly. Or the other tools should integrate
seamlessly. Take your pick.

I've got a couple of hundred client companies, probably 3 or 4 use SBS.
I HATE touching the SBS clients because it's a fair bet there is a wizard
for something that I'm not going to use a wizard for, because I can use one
of my scripts or a native tool and do it quicker. (You can argue that
someone that knows the wizards can do it more quickly with them -- and
that's fine -- but I don't, and shouldn't have to.)

It's a religious issue.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 22, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)

Difficulty?



What difficulty?  [please feel free to take this offline] the only difficult
issues we have in SBSland is cleaning up the messes from folks that don't
follow the wizards

[EMAIL PROTECTED] wrote:

>Thanks!  This must be SBS Week.  Was at a user's group meeting last
>night and the topic came up again. (Main topic was R2)  Sounds like
>Microsoft is getting the message about the difficulty of working with SBS.
>
>Al Maurer
>Service Manager, Naming and Authentication Services IT | Information 
>Technology Agilent Technologies
>
>(719) 590-2639; Telnet 590-2639
>http://activedirectory.it.agilent.com
>--
>"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
>Caesar III i. 
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Tuesday, September 20, 2005 1:57 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>
>Transition pack or www.sbsmigration.com
>
>Transition pack is the best way however lets you keep the Remote web 
>workplace and monitoring email even after you break away from SBSland.
>
>[EMAIL PROTECTED] wrote:
>
>>OK, since the topic came up:  I'm trying to figure out how to migrate
>>off SBS2003.
>>
>>Scenario is a recent acquisition where we want to migrate from company
>>SBS to corporate AD (standard 2003 domain).  Trusts are out.  Hack is both
>>dangerous and illegal.
>>
>>MS offers a Transition Pack (for a cost) to upgrade the SBS2003 to
>>normal AD.  Is there any other way?  LDIF export?
>>
>>Thanks,
>>AL
>>
>>Al Maurer
>>Service Manager, Naming and Authentication Services IT | Information 
>>Technology Agilent Technologies
>>
>>(719) 590-2639; Telnet 590-2639
>>http://activedirectory.it.agilent.com
>>--
>>"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
>>Caesar III i. 
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
>>Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>Sent: Wednesday, September 14, 2005 12:06 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: Re: [ActiveDir] SBS Server Question
>>
>>Nope.  No trusts, no forests.  We're the spoiled only PDC that must 
>>hold all the FSMO roles.  We can do some funky stuff with pass through
>>authentication, but no trusts.
>>
>>US versus THEM:
>>http://www.sbslinks.com/Us_v_them.htm
>>
>>In SBS 2000/2003 the 'correct' terminology is Yes, an 'additi

RE: [ActiveDir] LDAP search limitations

2005-09-22 Thread Tony Murray
Hey Joe

I'm missing something here, so hopefully you can clarify it for me.

MaxPageSize is set at 1000 in both Windows 2000 and 2003.  MaxValRange
increased from 1000 in 2K to 1500 in 2K3. My understanding is that the
MaxPageSize corresponds to the maximum number of objects returned in a
single search result, whereas MaxValRange is all about the number of
values returned in a search result for a single attribute.  

I would have thought Neil's query was more about the MaxPageSize?

Tony
PS.  Happy to discuss this over a bottle of decent red wine with you
and the others next week. :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 23 September 2005 6:44 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP search limitations

The limit is 1000 on 2K and 1500 on K3/ADAM. These values can be
tweaked. 

The general purpose reason is to conserve resources on the LDAP server.
Consider result sets have to be pulled into memory to be encoded to send
back to clients. If you have lots and lots of simultaneous queries with
huge resultsets you could quickly cause harm to an LDAP server as it
runs low on resources.

As to why MS did it and others didn't. Possibly the others are not
thinking properly about large scale or heavily loaded implementations. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP search limitations

Apologies for asking this question, since it's been posed before (?),
but can anyone offer me a brief description of why AD only returns (by
default)
1024 entries when an LDAP search is performed? Is it a question of
performance? Why is the searcher not offered all records that meet the
search criteria?

Questions have arisen as to why MS implemented a limit since
(apparently), other LDAP implementations do not enforce these limits.

thanks,
neil





---
Neil Ruston
Nomura International Plc
Tel: 020 7521 3481
[EMAIL PROTECTED]






RE: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-22 Thread Roger Seielstad
Actually, I don't think it's a religious issue. The problem with SBS is that
it's not really the amalgam of Microsoft technologies that it's billed as,
and as such you can't administer it as you would with all the same apps in a
non-SBS implementation.

It's a neat package overall, but the requirement to do the wizard thing
makes it hard for people like us to deal with it.. 



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, September 22, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS migration (was SBS Server Question)

And that is a real difficulty.

The wizards should integrate seamlessly. Or the other tools should integrate
seamlessly. Take your pick.

I've got a couple of hundred client companies, probably 3 or 4 use SBS.
I HATE touching the SBS clients because it's a fair bet there is a wizard
for something that I'm not going to use a wizard for, because I can use one
of my scripts or a native tool and do it quicker. (You can argue that
someone that knows the wizards can do it more quickly with them -- and
that's fine -- but I don't, and shouldn't have to.)

It's a religious issue.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 22, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)

Difficulty?



What difficulty?  [please feel free to take this offline] the only difficult
issues we have in SBSland is cleaning up the messes from folks that don't
follow the wizards

[EMAIL PROTECTED] wrote:

>Thanks!  This must be SBS Week.  Was at a user's group meeting last
night and the topic came up again. (Main topic was R2)  Sounds like
Microsoft is getting the message about the difficulty of working with SBS.
>
>Al Maurer
>Service Manager, Naming and Authentication Services IT | Information 
>Technology Agilent Technologies
>(719) 590-2639; Telnet 590-2639
>http://activedirectory.it.agilent.com
>--
>"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
Caesar III i. 
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,

>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Tuesday, September 20, 2005 1:57 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>
>Transition pack or www.sbsmigration.com
>
>Transition pack is the best way however lets you keep the Remote web 
>workplace and monitoring email even after you break away from SBSland.
>
>[EMAIL PROTECTED] wrote:
>
>  
>
>>OK, since the topic came up:  I'm trying to figure out how to migrate
off SBS2003.
>>
>>Scenario is a recent acquisition where we want to migrate from company
SBS to corporate AD (standard 2003 domain).  Trusts are out.  Hack is both
dangerous and illegal.
>>
>>MS offers a Transition Pack (for a cost) to upgrade the SBS2003 to
normal AD.  Is there any other way?  LDIF export?
>>
>>Thanks,
>>AL
>>
>>Al Maurer
>>Service Manager, Naming and Authentication Services IT | Information 
>>Technology Agilent Technologies
>>(719) 590-2639; Telnet 590-2639
>>http://activedirectory.it.agilent.com
>>--
>>"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
>>Caesar III i. 
>>
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
>>Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>Sent: Wednesday, September 14, 2005 12:06 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: Re: [ActiveDir] SBS Server Question
>>
>>Nope.  No trusts, no forests.  We're the spoiled only PDC that must 
>>hold all the FSMO roles.  We can do some funky stuff with pass through
>>authentication, but no trusts.
>>
>>US versus THEM:
>>http://www.sbslinks.com/Us_v_them.htm
>>
>>In SBS 2000/2003 the 'correct' terminology is Yes, an 'additional 
>>domain controller' is supported and not calling it a BDC.
>>
>>Member servers are covered by the SBS cals but last I read in the PUR 
>>the additional DC would need server cals.  [that's my interpretation 
>>anyway but I get a headache reading that doc in the first place]
>>
>>Honestly ...keep in mind that with XPs, they will used cached 
>>credentials and you can log into that profile even if the network is 
>>down.  Now comes the fun... who's doing the DHCP? The recommended way 
>>is to have the SBS box to do that...so you still have fun.  If the SBS
>>box goes down, I normally have ways around the temporarily failure 
>>[and even then I can count on one hand the time my network has been
>>affected
>>power mostly, then NICs, then switches, and one harddrive falling off 
>>a RAID.  Get good equipment [and honestly either reinstall those OEMs 
>>and stay away from those preins

RE: [ActiveDir] dns suffix search list

2005-09-22 Thread Dan Holme

Marcus:  What scope option is that?  Funny…
I thought it was there too and couldn't find the option…

Tom:

http://www.microsoft.com/technet/scriptcenter/scripts/network/client/modify/nwmovb21.mspx
is the WMI script

also

Group Policy allows configuring the DNS Suffix Search Order.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 8:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list

By lots of machines, are you referring to workstations?  If so, are they in a
scope that's managed by DHCP?  You could manipulate the search suffix that way… 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 22, 2005 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list

I'm only running win2k

I'd like to make the script query a text file of client names, so I can
just execute it from my desktop rather than a script.

How would I go about doing that?

Thanks

-Original Message- 
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED] 
Sent: Thu 9/22/2005 2:31 PM 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] dns suffix search list


RE: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-22 Thread Roger Seielstad
The bigger trick is getting yourself a client cert to get on Corpnet
wireless 



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 22, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)

Very Cool.  I would love to see that list :-)

Wireless aircard and a tablet PC...you just gotta bring your own
connectivity that's all.

See ya next week!

Michael B. Smith wrote:

>I'm an Exchange MVP. We were invited to come up with a list of "why we 
>hate to support SBS" about a month ago for submission to the SBS 
>product team (apparently one of "our" product managers is across the 
>hall from one of "your" product managers). I think we came up with 11 
>specific items dealing mainly with Exchange/User management and the 
>integration of ISA/RRAS. I'll see if I archived the list.
>
>I think the groups and the mailing lists are gonna be really quiet next 
>week, with little connectivity on campus for us!
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Thursday, September 22, 2005 4:31 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>
>Amen brother.
>
>I wish though you would be more specific though as I just happen to be 
>meeting with some folks next week and would love the inside from big 
>server land.  [Please feel free to ping me directly]
>
>Our OU structure sucks.  We know that.  But ...boy ... you ain't 
>ripping my fingers off RWW or my monitoring email.  :-)
>
>Michael B. Smith wrote:
>
>>And that is a real difficulty.
>>
>>The wizards should integrate seamlessly. Or the other tools should 
>>integrate seamlessly. Take your pick.
>>
>>I've got a couple of hundred client companies, probably 3 or 4 use SBS.
>>I HATE touching the SBS clients because it's a fair bet there is a 
>>wizard for something that I'm not going to use a wizard for, because I 
>>can use one of my scripts or a native tool and do it quicker. (You can 
>>argue that someone that knows the wizards can do it more quickly with 
>>them -- and that's fine -- but I don't, and shouldn't have to.)
>>
>>It's a religious issue.
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
>>Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>Sent: Thursday, September 22, 2005 12:19 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>>
>>Difficulty?
>>
>>What difficulty?  [please feel free to take this offline] the only 
>>difficult issues we have in SBSland is cleaning up the messes from 
>>folks that don't follow the wizards
>>
>>[EMAIL PROTECTED] wrote:
>>
>>>Thanks!  This must be SBS Week.  Was at a user's group meeting last
>>>night and the topic came up again. (Main topic was R2)  Sounds like 
>>>Microsoft is getting the message about the difficulty of working with 
>>>SBS.
>>>
>>>Al Maurer
>>>Service Manager, Naming and Authentication Services IT | Information 
>>>Technology Agilent Technologies
>>>(719) 590-2639; Telnet 590-2639
>>>http://activedirectory.it.agilent.com
>>>--
>>>"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
>>>Caesar III i. 
>>>
>>>-Original Message-
>>>From: [EMAIL PROTECTED]
>>>[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
>>>Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>>Sent: Tuesday, September 20, 2005 1:57 PM
>>>To: ActiveDir@mail.activedir.org
>>>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>>>
>>>Transition pack or www.sbsmigration.com
>>>
>>>Transition pack is the best way however lets you keep the Remote web 
>>>workplace and monitoring email even after you break away from SBSland.
>>>
>>>[EMAIL PROTECTED] wrote:
>>>
>>>>OK, since the topic came up:  I'm trying to figure out how to 
>>>>migrate off SBS2003.
>>>>
>>>>Scenario is a recent acquisition where we want to migrate from 
>>>>company SBS to corporate AD (standard 2003 domain).  Trusts are out.  Hack is 
>>>>both dangerous and illegal.
>>>>
>>>>MS offers a Transition Pack (for a cost) to upgrade the SBS2003 to
>>>>normal AD.  Is there any other way?  LDIF export?
>>>>
>>>>Thanks,
>>>>AL
>>>>
>>>>Al Maurer
>>>>Service Manager, Naming and Authentication Services IT | Information 
>>>>Technology Agilent Technologies
>>>>(719) 590-2639; Telnet 590-2639
>>>>http://activedirectory.it.agilent.com

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Ken Schaefer

But isn't the whole point of this thread to get Delegation working? In that
case, the Sharepoint/IIS server should be connecting to ISA Server as the end
user. Or am I missing something here?

Cheers

Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, 22 September 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

By default, the IIS app pool and (I believe) sharepoint both run under Network
Service. Therefore, when Sharepoint makes the request outbound, it will be
making it within the context of the NetworkService account, which means it's
going to present the server's domain credentials.

Roger Seielstad
E-mail Geek 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Wednesday, September 21, 2005 11:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Could I ask why he'd need to do that?

Cheers

Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, 22 September 2005 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

So have you granted domain\IISServer$ access through ISA?

Roger Seielstad
E-mail Geek 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21, 2005 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Well I have some screen shots for you of AuthDiag and of wfetch, if you don't
mind I can send it to you offline.

This is the weird part, if I use wfetch to connect using Anonymous as
authentication I get the web page requested. 

If I specify any other auth type i.e. NTLM or Kerberos I get an ISA server page
telling me I am not authorized to view this page.

With anonymous connection I get:

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

With a specified auth type I don't get any of that (The screen shots explain)

AuthDiag still only reports Test Authentication NTLM NO Kerberos.

I still have a copy of the old Metabase.xml to prove that it was storing the
incorrect settings when IIS MMC was showing something else…..

Let me know if I can ping the screen shots to you.

Thanks Ken, am I going to get to see you at Redmond?

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: 21 September 2005 03:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Odd.

If you use WFetch (it's in the IIS6 Res Kit) or just plain telnet, and request
a page, what WWW-Authenticate headers are coming back? You should see:

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

(basically the webserver sends back a list of the auth mechanisms it supports,
and the browser picks the first one in the list that it supports). If you are
only seeing the NTLM option, then something's up with IIS or Sharepoint. If you
are seeing both, then AuthDiag is lying to you.

Cheers

Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Yeah I'm not sure about that either at the moment IIS is REALLY ACTING WEIRD,
KEN where are you :P - .

I had the Share Point website in the IIS MMC specify SPSAppPool (which was an
App pool I created) when I checked the MetaBase.XML file ( you know I love
looking at the guts of systems :) ) it was still specifying DefaultAppPool
(and I mean I had rebooted the server a few times) also DO NOT RUN: 

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders "Negotiate,NTLM"

Iisreset

I know it seems logical but I KEPT the quotations in there and what it ended
up doing was: ""Negotiate,NTLM"" ***Note the double quotes

And all auth was being defaulted to Anonymous (thank heavens for a network
sniffer :) )

Even though I fixed these issues and I have made sure my Metabase.xml file is
correct with "Negotiate,NTLM" and with the correct App Pool with the correct
user etc,  when I run AuthDiag the only "Test Authentication" option I get is
NTLM, the Server Settings Node though specifies "Negotiate,NTLM" for that
Site. 

When I check my ISA server I STILL see User – Anonymous so I am a bit stumped
at the moment !!!

YEAH it's going to be so cool to meet up with you guys in Redmond next week :)

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

As I said, I'm just starting to look at Kerberos delegation, so take
everything I say with a large pinch of salt.  :-)

Anyway, here's the logic I was foll
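The two checks this thread converges on, written up as an added Windows PowerShell example (not code from the list, from AuthDiag or from WFetch): Ken's "what WWW-Authenticate challenges does the site actually send" test, and a sanity check of the NTAuthenticationProviders value Carlos was setting with adsutil.vbs, where the typed quotes ended up stored as part of the value. The site URL is an assumed placeholder and the three sample values at the bottom are constructed, not read from anyone's metabase.

```powershell
# Added example, not from the thread or from AuthDiag/WFetch.
# $SiteUrl is an assumed URL; the sample metabase values are constructed.

function Get-OfferedAuthSchemes {
    param([string]$SiteUrl)
    # Ask for the page without credentials. IIS answers 401 and sends one
    # WWW-Authenticate header per provider it is configured to offer.
    $req = [System.Net.HttpWebRequest]::Create($SiteUrl)
    $req.UseDefaultCredentials = $false
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
        $resp.Close()
        # 200 with no challenge at all: anonymous access is on, which is what
        # Carlos saw after the quoting mistake below.
        return @()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }
        # GetValues returns each WWW-Authenticate header separately rather than
        # one comma-joined string, so 'Negotiate' and 'NTLM' stay distinct.
        $challenges = $resp.Headers.GetValues('WWW-Authenticate')
        $resp.Close()
        if ($null -eq $challenges) { return @() }
        # Keep the scheme only: 'Negotiate', 'NTLM', 'Basic realm="..."' -> 'Basic'
        return @($challenges | ForEach-Object { ($_ -split '\s+', 2)[0] })
    }
}

function Test-NTAuthenticationProviders {
    # $Value as stored in the metabase (NTAuthenticationProviders) or as shown by
    # 'cscript adsutil.vbs get w3svc/1/NTAuthenticationProviders'.
    param([string]$Value)
    $problems = @()
    if ($Value -match '^\s*"|"\s*$') {
        # adsutil.vbs keeps the quotes you type, giving ""Negotiate,NTLM"" as in the thread,
        # after which every request was being treated as anonymous.
        $problems += 'literal quote characters in the value'
    }
    $providers = @($Value.Trim().Trim('"') -split ',' | ForEach-Object { $_.Trim() })
    if ($providers -notcontains 'Negotiate') {
        $problems += 'Negotiate missing: clients can only do NTLM, so no Kerberos and no delegation'
    } elseif ($providers[0] -ne 'Negotiate') {
        $problems += 'Negotiate is not first: clients pick the first listed scheme they support'
    }
    return $problems
}

# Constructed sample values (not the thread's metabase):
foreach ($v in '""Negotiate,NTLM""', 'NTLM', 'Negotiate,NTLM') {
    $p = @(Test-NTAuthenticationProviders -Value $v)
    '{0,-22} -> {1}' -f $v, $(if ($p.Count) { $p -join '; ' } else { 'ok' })
}

# Against a real site (assumed URL), from a client that is NOT already logged on to it:
# Get-OfferedAuthSchemes -SiteUrl 'http://sharepoint.example.internal/'
```

Run Get-OfferedAuthSchemes from a machine that will not be auto-redirected by ISA, otherwise you are reading ISA's challenge rather than the IIS site's. An empty result on a site that is supposed to require Windows authentication is the same symptom Carlos described, and a result of only NTLM is the case Ken says points at IIS or SharePoint rather than at AuthDiag.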

RE: [ActiveDir] Cannot modify a distribution list

2005-09-22 Thread Mayuresh Kshirsagar

Hi All,

Yes by owned I meant setting the managedBy attribute. I then set the
permissions for the user in the security tab giving him full access rights and
then I could modify using that user.

Thanks,
Mayuresh.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, September 22, 2005 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot modify a distribution list

"If you mean ownership as in setting an owner from the 
Exchange tab or the managed by tab, neither allows you to modify the 
membership."
 
Setting an account in 
the Managed By tab and checking the box "Manager can update membership list" 
will allow the account to modify the list members. All the checkbox is doing is 
setting an Allow Write Members ACE. The account *won't* be able to modify other 
attributes of the list, such as the description, based strictly on the Managed 
By information.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 22, 2005 8:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot modify a distribution list

If you mean ownership as in setting an owner from the 
Exchange tab or the managed by tab, neither allows you to modify the membership. 
You need to grant the person the ability to update the membership list. Now if 
you have an older version of ADUC, you won't see that checkbox under the managed 
by tab. 
 
If you have set this, and you have a multidomain forest, 
and the group is mail enabled, and the person is trying to manage through 
outlook, you probably have another issue which I don't have time to go into here 
but in that situation, don't use outlook to manage the membership. Outlook is a 
tool to read mail, not manage group membership. I don't use ADUC to check my 
calendar, so I don't have a problem avoiding using Outlook to manage 
groups.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, September 22, 2005 3:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cannot modify a distribution list

Hi Gurus,

I have created a Distribution list which is owned by a particular user. Now I
log in as that user and try to modify the distribution list, say setting the
description attribute, but am getting the error:

***Call Modify...ldap_modify_s(ld, 'CN=testgrp1,OU=Exchange Test,OU=CV,OU=Views,OU=Mayuresh,DC=meta,DC=test',[1] attrs);
Error: Modify: Insufficient Rights. <50>

If I bind as the administrator, then I can modify the distribution list. Any
pointers as to why this is happening?

Regards,
Mayuresh.


RE: [ActiveDir] dns suffix search list

2005-09-22 Thread Roger Seielstad
I believe you can do it through WMI, but I don't have any of that code
handy. 



Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 22, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dns suffix search list

I know this was discussed on the list earlier (can't seem to find it), but is
this article correct and are these the only ways to programmatically alter
the dns suffix search list?
http://support.microsoft.com/kb/q275553/

Is there an easy way to do this for many computers, say from a text file?

Thanks
.+-wmibb+?KE0+v*?.+-jq.+-j!ij)j!ribb4-

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] dns suffix search list

2005-09-22 Thread Marcus.Oh

By lots of machines, are you referring to workstations?  If so, are they in a
scope that's managed by DHCP?  You could manipulate the search suffix that way… 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 22, 2005 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list

I'm only running win2k

I'd like to make the script query a text file of client names, so I can
just execute it from my desktop rather than a script.

How would I go about doing that?

Thanks

-Original Message- 
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED] 
Sent: Thu 9/22/2005 2:31 PM 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] dns suffix search list


[ActiveDir] When you change group scopes by using a combination of the Dsquery command

2005-09-22 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
When you change group scopes by using a combination of the Dsquery 
command the Dsmod command, all the group types are changed to either 
distribution groups or security groups on a Windows Server 2003-based 
computer:

http://support.microsoft.com/?kbid=898063

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread joe

Changes are made in the directory which allows people more access than they
should have. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security


I am not asking for exact procedures, just more of methods how.

Dan




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, September 22, 2005 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Oh, and as for how, easy, but I won't tell here...
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

I thought that in AD domains are considered security boundaries. In the cert
exams, namely the 70-219, they are considered as such. Also, how would a domain
admin of a child domain elevate his privileges?

Dan





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

Even as a domain admin of a Child domain they will still be able to munge your
forest or elevate their privileges. The security boundary in AD is at the
forest, not the domain.

Phil 

On 9/22/05, Gideon Ashcraft <[EMAIL PROTECTED]> wrote: 

The only thing to do is to make him an admin of that site, or better yet make
that site a child domain and make him a domain admin of that child domain. I
know from experience that using a DC as anything but a DC is a freakin pain in
the ass, my predecessor set a DC up as a print/file server and another as a SQL
server (finally able to demote that one now, soon hopefully). But my citrix
profiles are on the domain controller, and after months of trying to set
delegation up properly in AD and setting up permissions in the appropriate
folders on the DC, the only way I was able to get my Helpdesk admin set up to
create accounts with my scripts so that I didn't have to do it was to make him
a domain admin. My company is too damn cheap to get me another server to put
the citrix profiles somewhere else. Oh yeah, and its an app server for network
install of office (can you feel my pain). 

So, if there is only one server in the site and its a DC, the only way to get
him to do anything is to make him a domain admin (make it a child domain so he
can't climb up the tree)

Gideon Ashcraft

Network Admin

Screen Actors Guild

Subject: RE: [ActiveDir] Domain Controller Security 

Look through the archives.

The short answer is... "Just don't do it". You can't possibly secure this
regardless of what anyone says. If someone says it can be made safe, stop
asking them technical questions about Domain Controllers and Active Directory. 

Either you trust the person or you don't. If you don't trust the person, then
don't put the person in a position to show you the meaning of screwed. 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Security 

I have a contractor in a remote site. There is only 1 server in that site
which is a DC.

He needs to administer that server. 

-Create shares

-Make file/share permissions

-Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain.

When I make him a "Server Operator" he can logon to any server in the domain.

Any idea on how to lock him down to that one server and then how to lock him
down on that one OU where he should only be allowed to change the passwords of
the users.

Thanks!

Fred


 

  
  

NOTICE: The information contained in this transmission is privileged,
confidential, and intended only for the use of the individual or entity named
above. If you are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or the taking of any action in reliance on
the contents of this transmission is strictly prohibited. If you have received
this transmission in error, please notify Eze Castle Integration, Inc. by
e-mail and destroy the original message and all copies. Thank you.
 

  
  
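The two attribute-level grants these threads describe, as an added Windows PowerShell example that is not code from the list or from ADUC: Hunter's point in the "Cannot modify a distribution list" thread that the "Manager can update membership list" checkbox is just an Allow Write Members ACE (WriteProperty on the group's member attribute, nothing else), and the narrowest part of Fred's ask above, password resets confined to user objects in one OU. It uses System.DirectoryServices only. The group DN is the one from Mayuresh's ldp output; the domain NetBIOS name META, the OU DN and the two trustee accounts are assumed; the three GUIDs are the published AD schema and control-access-right GUIDs, which are the same in every forest. Nothing here touches the server or the DC itself.

```powershell
# Added example, not from the thread. Grants one attribute-level or
# control-access right per call using System.DirectoryServices.
# Assumed: domain NetBIOS name META, trustee accounts, the OU DN.
# The group DN is the one from Mayuresh's ldp output.
Add-Type -AssemblyName System.DirectoryServices

# Published schema / extended-right GUIDs (identical in every forest):
$MemberAttributeGuid    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # attribute 'member'
$ResetPasswordRightGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right 'Reset Password'
$UserClassGuid          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class 'user'

function Grant-DirectoryRight {
    param(
        [Parameter(Mandatory)] [string] $ObjectDn,        # object whose nTSecurityDescriptor is edited
        [Parameter(Mandatory)] [string] $Trustee,         # DOMAIN\account or DOMAIN\group
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [Parameter(Mandatory)] [guid] $ObjectType,        # attribute or extended-right GUID the ACE is limited to
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance = 'None',
        [guid] $InheritedObjectType = [guid]::Empty       # object class an inherited ACE applies to
    )
    $entry = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://$ObjectDn")
    $sid   = (New-Object System.Security.Principal.NTAccount $Trustee).Translate([System.Security.Principal.SecurityIdentifier])
    $ace   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule (
                 $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
                 $ObjectType, $Inheritance, $InheritedObjectType)
    $entry.ObjectSecurity.AddAccessRule($ace)
    $entry.CommitChanges()            # writes the security descriptor only
}

function Get-DirectoryRights {
    # Read back the explicit ACEs for one trustee so the grant can be reviewed.
    param([string]$ObjectDn, [string]$Trustee)
    $entry = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://$ObjectDn")
    $entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Trustee } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritanceType, InheritedObjectType
}

# 1) What the "Manager can update membership list" checkbox does: WriteProperty on
#    'member' only. The manager still cannot change description or anything else.
$groupDn = 'CN=testgrp1,OU=Exchange Test,OU=CV,OU=Views,OU=Mayuresh,DC=meta,DC=test'
Grant-DirectoryRight -ObjectDn $groupDn -Trustee 'META\grpmanager' -Rights WriteProperty -ObjectType $MemberAttributeGuid
Get-DirectoryRights  -ObjectDn $groupDn -Trustee 'META\grpmanager'

# 2) Password resets limited to user objects under one OU: the ACE is inherited
#    only by descendant objects of class 'user' and grants nothing on the DC's
#    file system, shares or logon rights.
$ouDn = 'OU=RemoteSite Users,DC=meta,DC=test'   # assumed OU
Grant-DirectoryRight -ObjectDn $ouDn -Trustee 'META\contractor' -Rights ExtendedRight -ObjectType $ResetPasswordRightGuid `
    -Inheritance Descendents -InheritedObjectType $UserClassGuid
Get-DirectoryRights  -ObjectDn $ouDn -Trustee 'META\contractor'
```

Get-DirectoryRights shows the ObjectType GUID the ACE is scoped to; an ACE with ObjectType of all zeros would be the full-control grant Mayuresh ended up with, which is far wider than the checkbox. The second grant is the directory half of Fred's request only; it does nothing for the share and file-permission work, and the thread's advice on giving anyone administrative rights on the DC itself stands.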

Re: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-22 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Very Cool.  I would love to see that list :-)

Wireless aircard and a tablet PC...you just gotta bring your own 
connectivity that's all.


See ya next week!

Michael B. Smith wrote:

>I'm an Exchange MVP. We were invited to come up with a list of "why we
>hate to support SBS" about a month ago for submission to the SBS product
>team (apparently one of "our" product managers is across the hall from
>one of "your" product managers). I think we came up with 11 specific
>items dealing mainly with Exchange/User management and the integration
>of ISA/RRAS. I'll see if I archived the list.
>
>I think the groups and the mailing lists are gonna be really quiet next
>week, with little connectivity on campus for us!
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Thursday, September 22, 2005 4:31 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>
>Amen brother.
>
>I wish though you would be more specific though as I just happen to be
>meeting with some folks next week and would love the inside from big
>server land.  [Please feel free to ping me directly]
>
>Our OU structure sucks.  We know that.  But ...boy ... you ain't ripping
>my fingers off RWW or my monitoring email.  :-)
>
>Michael B. Smith wrote:
>
>>And that is a real difficulty.
>>
>>The wizards should integrate seamlessly. Or the other tools should 
>>integrate seamlessly. Take your pick.
>>
>>I've got a couple of hundred client companies, probably 3 or 4 use SBS.
>>I HATE touching the SBS clients because it's a fair bet there is a 
>>wizard for something that I'm not going to use a wizard for, because I 
>>can use one of my scripts or a native tool and do it quicker. (You can 
>>argue that someone that knows the wizards can do it more quickly with 
>>them -- and that's fine -- but I don't, and shouldn't have to.)
>>
>>It's a religious issue.
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>>CPA aka Ebitz - SBS Rocks [MVP]
>>Sent: Thursday, September 22, 2005 12:19 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>>
>>Difficulty?
>>
>>What difficulty?  [please feel free to take this offline] the only 
>>difficult issues we have in SBSland is cleaning up the messes from 
>>folks that don't follow the wizards
>>
>>[EMAIL PROTECTED] wrote:
>>
>>>Thanks!  This must be SBS Week.  Was at a user's group meeting last
>>>night and the topic came up again. (Main topic was R2)  Sounds like 
>>>Microsoft is getting the message about the difficulty of working with 
>>>SBS.
>>>
>>>Al Maurer
>>>Service Manager, Naming and Authentication Services IT | Information 
>>>Technology Agilent Technologies
>>>(719) 590-2639; Telnet 590-2639
>>>http://activedirectory.it.agilent.com
>>>--
>>>"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
>>>Caesar III i. 
>>>
>>>-Original Message-
>>>From: [EMAIL PROTECTED]
>>>[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
>>>Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>>Sent: Tuesday, September 20, 2005 1:57 PM
>>>To: ActiveDir@mail.activedir.org
>>>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>>>
>>>Transition pack or www.sbsmigration.com
>>>
>>>Transition pack is the best way however lets you keep the Remote web 
>>>workplace and monitoring email even after you break away from SBSland.
>>>
>>>[EMAIL PROTECTED] wrote:
>>>
>>>>OK, since the topic came up:  I'm trying to figure out how to migrate
>>>>off SBS2003.
>>>>
>>>>Scenario is a recent acquisition where we want to migrate from 
>>>>company SBS to corporate AD (standard 2003 domain).  Trusts are out.  Hack is 
>>>>both dangerous and illegal.
>>>>
>>>>MS offers a Transition Pack (for a cost) to upgrade the SBS2003 to
>>>>normal AD.  Is there any other way?  LDIF export?
>>>>
>>>>Thanks,
>>>>AL
>>>>
>>>>Al Maurer
>>>>Service Manager, Naming and Authentication Services IT | Information 
>>>>Technology Agilent Technologies
>>>>(719) 590-2639; Telnet 590-2639
>>>>http://activedirectory.it.agilent.com
>>>>--
>>>>"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
>>>>Caesar III i. 
>>>>
>>>>-Original Message-
>>>>From: [EMAIL PROTECTED]
>>>>[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
>>>>Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>>>Sent: Wednesday, September 14, 2005 12:06 PM
>>>>To: ActiveDir@mail.activedir.org
>>>>Subject: Re: [ActiveDir] SBS Server Question
>>>>
>>>>Nope.  No trusts, no forests.  We're the spoiled only PDC that must 
>>>>hold all the FSMO roles.  We can do some funky stuff with pass 
>>>>through authentication, but no trusts.
>>>>
>>>>US versus THEM:
>>>>http://www.sbslinks.com/Us_v_them.htm
>>>>
>>>>In SBS 2000/2003 the 'correct' terminology is Yes, an 'additional 
>>>>domain controller' is supported and not calling it a BDC.
>>>>
>>>>Member servers are covered b

RE: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-22 Thread Michael B. Smith
I'm an Exchange MVP. We were invited to come up with a list of "why we
hate to support SBS" about a month ago for submission to the SBS product
team (apparently one of "our" product managers is across the hall from
one of "your" product managers). I think we came up with 11 specific
items dealing mainly with Exchange/User management and the integration
of ISA/RRAS. I'll see if I archived the list.

I think the groups and the mailing lists are gonna be really quiet next
week, with little connectivity on campus for us!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 22, 2005 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)

Amen brother.

I wish though you would be more specific though as I just happen to be
meeting with some folks next week and would love the inside from big
server land.  [Please feel free to ping me directly]

Our OU structure sucks.  We know that.  But ...boy ... you ain't ripping
my fingers off RWW or my monitoring email.  :-)

Michael B. Smith wrote:

>And that is a real difficulty.
>
>The wizards should integrate seamlessly. Or the other tools should 
>integrate seamlessly. Take your pick.
>
>I've got a couple of hundred client companies, probably 3 or 4 use SBS.
>I HATE touching the SBS clients because it's a fair bet there is a 
>wizard for something that I'm not going to use a wizard for, because I 
>can use one of my scripts or a native tool and do it quicker. (You can 
>argue that someone that knows the wizards can do it more quickly with 
>them -- and that's fine -- but I don't, and shouldn't have to.)
>
>It's a religious issue.
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Thursday, September 22, 2005 12:19 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>
>Difficulty?
>
>What difficulty?  [please feel free to take this offline] the only 
>difficult issues we have in SBSland is cleaning up the messes from 
>folks that don't follow the wizards
>
>[EMAIL PROTECTED] wrote:
>
>>Thanks!  This must be SBS Week.  Was at a user's group meeting last
>>night and the topic came up again. (Main topic was R2)  Sounds like 
>>Microsoft is getting the message about the difficulty of working with 
>>SBS.
>>
>>Al Maurer
>>Service Manager, Naming and Authentication Services IT | Information 
>>Technology Agilent Technologies
>>(719) 590-2639; Telnet 590-2639
>>http://activedirectory.it.agilent.com
>>--
>>"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
>>Caesar III i. 
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
>>Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>Sent: Tuesday, September 20, 2005 1:57 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>>
>>Transition pack or www.sbsmigration.com
>>
>>Transition pack is the best way however lets you keep the Remote web 
>>workplace and monitoring email even after you break away from SBSland.
>>
>>[EMAIL PROTECTED] wrote:
>>
>>>OK, since the topic came up:  I'm trying to figure out how to migrate
>>>off SBS2003.
>>>
>>>Scenario is a recent acquisition where we want to migrate from 
>>>company SBS to corporate AD (standard 2003 domain).  Trusts are out.  Hack is 
>>>both dangerous and illegal.
>>>
>>>MS offers a Transition Pack (for a cost) to upgrade the SBS2003 to
>>>normal AD.  Is there any other way?  LDIF export?
>>>
>>>Thanks,
>>>AL
>>>
>>>Al Maurer
>>>Service Manager, Naming and Authentication Services IT | Information 
>>>Technology Agilent Technologies
>>>(719) 590-2639; Telnet 590-2639
>>>http://activedirectory.it.agilent.com
>>>--
>>>"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
>>>Caesar III i. 
>>>
>>>-Original Message-
>>>From: [EMAIL PROTECTED]
>>>[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
>>>Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>>Sent: Wednesday, September 14, 2005 12:06 PM
>>>To: ActiveDir@mail.activedir.org
>>>Subject: Re: [ActiveDir] SBS Server Question
>>>
>>>Nope.  No trusts, no forests.  We're the spoiled only PDC that must 
>>>hold all the FSMO roles.  We can do some funky stuff with pass 
>>>through authentication, but no trusts.
>>>
>>>US versus THEM:
>>>http://www.sbslinks.com/Us_v_them.htm
>>>
>>>In SBS 2000/2003 the 'correct' terminology is Yes, an 'additional 
>>>domain controller' is supported and not calling it a BDC.
>>>
>>>Member servers are covered by the SBS cals but last I read in the PUR


RE: [ActiveDir] dns suffix search list

2005-09-22 Thread Brian Desmond
Netsh can probably do it. It's fully documented in the XP/2003 help and
support thing on the start menu if it can.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 22, 2005 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list

I'm only running win2k

I'd like to make the script query a text file of client names, so I can just
execute it from my desktop rather than a script.

how would I go about doing that?

Thanks

-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thu 9/22/2005 2:31 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] dns suffix search list
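Tom's request above, driving the change from a text file of client names, as an added PowerShell example that is not Guido's script or anything else posted in the thread. It assumes the run is from an admin workstation with PowerShell against Win2k clients whose Remote Registry service is reachable, that the list lives at C:\admin\clients.txt, and that the suffixes are constructed samples; it writes the TCP/IP SearchList registry value, which is where Windows keeps the global DNS suffix search list.

```powershell
# Added example (not from the list thread): push a DNS suffix search list to
# every client named in a text file, one hostname per line.
# Assumes admin rights on the clients and that the Remote Registry service
# answers on each of them. Win2k/XP keep the global suffix search list as a
# comma-separated REG_SZ named SearchList under the TCP/IP parameters key.
param(
    [string]$ClientList = 'C:\admin\clients.txt',                 # assumed path
    [string[]]$Suffixes = @('corp.example.com', 'example.com')    # constructed sample
)

$KeyPath  = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$NewValue = $Suffixes -join ','

function Set-RemoteSearchList {
    param([string]$Computer, [string]$Value)
    # Open the remote HKLM hive through the Remote Registry service.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hive.OpenSubKey($KeyPath, $true)   # $true = writable
        if (-not $key) { throw "TCP/IP parameters key not found on $Computer" }
        try {
            $old = $key.GetValue('SearchList')     # keep the previous value for the report
            $key.SetValue('SearchList', $Value, [Microsoft.Win32.RegistryValueKind]::String)
        }
        finally { $key.Close() }
        [pscustomobject]@{ Computer = $Computer; Old = $old; New = $Value; Status = 'ok' }
    }
    finally { $hive.Close() }
}

$results = foreach ($name in Get-Content $ClientList) {
    $name = $name.Trim()
    if (-not $name -or $name.StartsWith('#')) { continue }   # skip blanks and comments
    try {
        Set-RemoteSearchList -Computer $name -Value $NewValue
    }
    catch {
        # Record the failure and keep going so one unreachable box does not stop the run.
        [pscustomobject]@{ Computer = $name; Old = $null; New = $null
                           Status   = "failed: $($_.Exception.Message)" }
    }
}

# Review the outcome per client; anything other than 'ok' needs a second look.
$results | Format-Table -AutoSize
```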

RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread Mark Parris

“And in the 3k R2 world, if that DC were a “caching-only” DC, does that change the
situation?”

This is a Longhorn Server feature in the 2007 timeframe

Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 22 September 2005 19:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Most of the answers to Fred’s business need deal with the security issue of the
domain: valid, certainly, but if the contractor really has a need to access files &
shares, how would he do it?  Seems this DC is the sole site server and acting as a
file server in addition to its DC duties.

Short of buying another server, an idea I read about on this list was to install vm
software and run the file services as a virtual server.  Anybody tried that?

And in the 3k R2 world, if that DC were a “caching-only” DC, does that change the
situation?

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius Caesar III i.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 12:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

When Windows 2000 first came out the domain was thought of as the security
boundary and Microsoft even stated that in documentation, books and
certifications. Through the course of using AD there were a few things that came
to light as some talented and curious folks started noticing things and that has
led to the security boundary stance being revised. The original statement was a
mistake and I believe Microsoft has recognized and admitted that. Any up to date
documentation will reflect that notion of the forest being the security boundary.

I don't think anyone is going to get into how privilege escalation can be done, I
know I certainly won't get into it other than to make people aware that it is
possible.

Phil

On 9/22/05, DeStefano, Dan <[EMAIL PROTECTED]> wrote:

I thought that in AD domains are considered security boundaries. In the cert
exams, namely the 70-219, they are considered as such. Also, how would a domain
admin of a child domain elevate his privileges?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

Even as a domain admin of a Child domain they will still be able to munge your
forest or elevate their privileges. The security boundary in AD is at the forest,
not the domain.

Phil

On 9/22/05, Gideon Ashcraft <[EMAIL PROTECTED]> wrote:

The only thing to do is to make him an admin of that site, or better yet make
that site a child domain and make him a domain admin of that child domain. I know
from experience that using a DC as anything but a DC is a freakin pain in the
ass, my predecessor set a DC up as a print/file server and another as a SQL
server (finally able to demote that one now, soon hopefully). But my citrix
profiles are on the domain controller, and after months of trying to set
delegation up properly in AD and setting up permissions in the appropriate
folders on the DC, the only way I was able to get my Helpdesk admin set up to
create accounts with my scripts so that I didn't have to do it was to make him a
domain admin. My company is too damn cheap to get me another server to put the
citrix profiles somewhere else. Oh yeah, and it's an app server for network
install of office (can you feel my pain).

So, if there is only one server in the site and it's a DC, the only way to get
him to do anything is to make him a domain admin (make it a child domain so he
can't climb up the tree)

Gideon Ashcraft
Network Admin
Screen Actors Guild

Subject: RE: [ActiveDir] Domain Controller Security

Look through the archives.

The short answer is... "Just don't do it". You can't possibly secure this
regardless of what anyone says. If someone says it can be made safe, stop asking
them technical questions about Domain Controllers and Active Directory.

Either you trust the person or you don't. If you don't trust the person, then
don't put the person in a position to show you the meaning of screwed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Security

I have a contractor in a remote site. There is only 1 server in that site which
is a DC.

He needs to administer tha

RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread joe

Had I been in the audience when Guido was demonstrating how to compromise forests
(if he was showing enough for people to figure it out) I probably would have been
throwing things at him if I didn't outright drag him off the stage. Guido is tall
but I am not too proud to bite.

:o)

Just serious. People shouldn't need that demonstrated and people that know how to
do it shouldn't feel that it is something they should show off. You never know
when someone might choose to use it against you.

People either can figure it out or they can't. It may hold a wow factor so folks
can say, "cool you should see what I found out at xyz conference" but it is
dangerous to be showing off just like if I started showing off how to do other
evil "really can hurt you" things I know how to do with AD or Exchange or other
vendors' apps. Things that would curl folks' toenails to see. About as far as I
will go in the sharing is with Dean to get him to verify I am not crazy and then
Stuart Kwan (of the Ottawa Kwan Clan) or ~Eric or someone else in a position to
fix the problem. Of course, people can always just say, well you are just saying
that and I don't believe you. I don't have a problem with that. :o)

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, September 22, 2005 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

See, for instance, the demo Guido did in the security workshop with Sanjay at DEC
last year.

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, September 22, 2005 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Oh, and as for how, easy, but I won't tell here...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

I thought that in AD domains are considered security boundaries. In the cert
exams, namely the 70-219, they are considered as such. Also, how would a domain
admin of a child domain elevate his privileges?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

Even as a domain admin of a Child domain they will still be able to munge your
forest or elevate their privileges. The security boundary in AD is at the forest,
not the domain.

Phil

On 9/22/05, Gideon Ashcraft <[EMAIL PROTECTED]> wrote:

The only thing to do is to make him an admin of that site, or better yet make
that site a child domain and make him a domain admin of that child domain. I know
from experience that using a DC as anything but a DC is a freakin pain in the
ass, my predecessor set a DC up as a print/file server and another as a SQL
server (finally able to demote that one now, soon hopefully). But my citrix
profiles are on the domain controller, and after months of trying to set
delegation up properly in AD and setting up permissions in the appropriate
folders on the DC, the only way I was able to get my Helpdesk admin set up to
create accounts with my scripts so that I didn't have to do it was to make him a
domain admin. My company is too damn cheap to get me another server to put the
citrix profiles somewhere else. Oh yeah, and it's an app server for network
install of office (can you feel my pain).

So, if there is only one server in the site and it's a DC, the only way to get
him to do anything is to make him a domain admin (make it a child domain so he
can't climb up the tree)

Gideon Ashcraft
Network Admin
Screen Actors Guild

Subject: RE: [ActiveDir] Domain Controller Security

Look through the archives.

The short answer is... "Just don't do it". You can't possibly secure this
regardless of what anyone says. If someone says it can be made safe, stop asking
them technical questions about Domain Controllers and Active Directory.

Either you trust the person or you don't. If you don't trust the person, then
don't put the person in a position to show you the meaning of screwed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Security

I have a contractor in a remote site. There is only 1 server in that site which
is a DC.

He needs to administer that server.

-Create shares

-Make file/share permissions

-Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain.

When I make him a "Server Operator" he can logon to any server in the domain.

Any idea on how to lock him down to that one server and then how to lock him down on

RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread Hutchins, Mike

what is the main security device in AD? What "features" does it have?

nuff said

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

I am not asking for exact procedures, just more of methods how.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, September 22, 2005 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Oh, and as for how, easy, but I won't tell here...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

I thought that in AD domains are considered security boundaries. In the cert
exams, namely the 70-219, they are considered as such. Also, how would a domain
admin of a child domain elevate his privileges?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

Even as a domain admin of a Child domain they will still be able to munge your
forest or elevate their privileges. The security boundary in AD is at the forest,
not the domain.

Phil

On 9/22/05, Gideon Ashcraft <[EMAIL PROTECTED]> wrote:

The only thing to do is to make him an admin of that site, or better yet make
that site a child domain and make him a domain admin of that child domain. I know
from experience that using a DC as anything but a DC is a freakin pain in the
ass, my predecessor set a DC up as a print/file server and another as a SQL
server (finally able to demote that one now, soon hopefully). But my citrix
profiles are on the domain controller, and after months of trying to set
delegation up properly in AD and setting up permissions in the appropriate
folders on the DC, the only way I was able to get my Helpdesk admin set up to
create accounts with my scripts so that I didn't have to do it was to make him a
domain admin. My company is too damn cheap to get me another server to put the
citrix profiles somewhere else. Oh yeah, and it's an app server for network
install of office (can you feel my pain).

So, if there is only one server in the site and it's a DC, the only way to get
him to do anything is to make him a domain admin (make it a child domain so he
can't climb up the tree)

Gideon Ashcraft
Network Admin
Screen Actors Guild

Subject: RE: [ActiveDir] Domain Controller Security

Look through the archives.

The short answer is... "Just don't do it". You can't possibly secure this
regardless of what anyone says. If someone says it can be made safe, stop asking
them technical questions about Domain Controllers and Active Directory.

Either you trust the person or you don't. If you don't trust the person, then
don't put the person in a position to show you the meaning of screwed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Security

I have a contractor in a remote site. There is only 1 server in that site which
is a DC.

He needs to administer that server.

-Create shares

-Make file/share permissions

-Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain.

When I make him a "Server Operator" he can logon to any server in the domain.

Any idea on how to lock him down to that one server and then how to lock him
down on that one OU where he should only be allowed to change the passwords of
the users.

Thanks!

Fred

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: exchange max. dist. list size

2005-09-22 Thread james . masters

Thanks for the replies…

Michael is right, I believe… looks like more of an outlook thing (we’re using
Outlook 2003 and Exchange 2003 Std.)

This sums it up:

http://support.microsoft.com/default.aspx?scid=kb;en-us;238569&Product=out

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, September 21, 2005 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: exchange max. dist. list size

James is probably actually referring to Outlook personal distribution lists. That
sounds about right … around 150 users, depending on length of addresses.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, September 21, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: exchange max. dist. list size

I have thousands of people in DLs…

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: exchange max. dist. list size

Has anyone encountered the max distribution list size in exchange?

Seems like it’s 8KB, or between 100-200 email addresses?

Am I missing something?

Thanks,

James
RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread joe

I would first recommend that the DAs manage the shares. Most likely you will need
a project type share and home drive share. So you set up shares called Proj and U
which map directly to the appropriate folders in the OS of PROJ and U which are
on a disk that has nothing to do with the OS or AD.

You grant everyone FC on those shares[1]. Then the filesystem gets FC for the
local admin at the root of those two folders. He/She then adds new folders as
necessary and grants the required rights to those folders. No need for ability
to manipulate shares nor log onto the server locally.

The caching only DC is called the RO-DC: Read-Only DC. At this point in time I
would say it should be no different. No one can answer for sure until we see the
actual implementation and people outside of MS start figuring out the holes that
exist. Anyone who thinks that having an RO-DC (or the other chatter about
"separation" between admin and DA) means your issues with administrator/DA
separation are really solved are probably going to be quite surprised to find
that to not be the case. I would be extremely happy if this is corrected, but I
really don't expect anything near it. In fact, I do not foresee anytime in the
near future a time when you can allow non-trusted people to have local access to
your DCs. The security model is just such that you can't guarantee anything.

ADAM is a step closer to this lockdown, but ADAM is much more secure by default
than AD due to better default SDs and lack of a bunch of the "junk" that has been
bolted onto AD. Many of the same tricks won't work to compromise it. In fact, the
only way I can think of off the top of my head for a local admin to do anything
other than blow away a properly secured ADAM instance they don't have access to
is to do a raw DIT edit. I could be wrong as I haven't done a real intensive sit
down and think about it exercise, but I expect I am right.

   joe

[1] I hate, literally hate, setting up different perms on the share and the file
system. Most admins can't figure out what is screwed up when something gets
screwed up when that is in place.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Most of the answers to Fred’s business need deal with the security issue of the
domain: valid, certainly, but if the contractor really has a need to access files
& shares, how would he do it?  Seems this DC is the sole site server and acting
as a file server in addition to its DC duties.

Short of buying another server, an idea I read about on this list was to install
vm software and run the file services as a virtual server.  Anybody tried that?

And in the 3k R2 world, if that DC were a “caching-only” DC, does that change the
situation?

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius Caesar III i.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 12:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

When Windows 2000 first came out the domain was thought of as the security
boundary and Microsoft even stated that in documentation, books and
certifications. Through the course of using AD there were a few things that came
to light as some talented and curious folks started noticing things and that has
led to the security boundary stance being revised. The original statement was a
mistake and I believe Microsoft has recognized and admitted that. Any up to date
documentation will reflect that notion of the forest being the security boundary.

I don't think anyone is going to get into how privilege escalation can be done, I
know I certainly won't get into it other than to make people aware that it is
possible.

Phil

On 9/22/05, DeStefano, Dan <[EMAIL PROTECTED]> wrote:

I thought that in AD domains are considered security boundaries. In the cert
exams, namely the 70-219, they are considered as such. Also, how would a domain
admin of a child domain elevate his privileges?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

Even as a domain admin of a Child domain they will still be able to munge your
forest or elevate their privileges. The security boundary in AD is at the forest,
not the domain.

Phil

On 9/22/05, Gideon Ashcraft <[EMAIL PROTECTED]> wrote:

The only thing to do is to make him an adm
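joe's share layout above, as an added PowerShell example that is not joe's code or anything from the list: it creates the Proj and U shares with Everyone Full Control at the share level, protects the NTFS root of each folder and grants the delegate Full Control there (plus the built-in Administrators group and SYSTEM, an assumption so the DAs keep their access), and then checks each share ACL against the single-ACL rule in joe's footnote [1]. The data drive D:, the folder names and the delegate account name are placeholders, and the Smb cmdlets assume Windows Server 2012 or later.

```powershell
# Added example (not joe's code or anything from the list thread).
# Share level: Everyone Full Control, so the share ACL never hides the
# effective rights. NTFS level: the delegate gets Full Control at the root of
# PROJ and U and does all further folder creation and delegation there.
param(
    [string]$DataDrive = 'D:',                            # data disk, not the OS/AD volume (assumed)
    [string]$Delegate  = 'CORP\site-admin-PLACEHOLDER'    # the site contractor's account (placeholder)
)

$Layout = @(
    @{ Name = 'Proj'; Path = Join-Path $DataDrive 'PROJ' },
    @{ Name = 'U';    Path = Join-Path $DataDrive 'U' }
)

function New-DelegatedRootShare {
    param([string]$Name, [string]$Path, [string]$Delegate)

    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # Share ACL: Everyone Full Control. Effective access is decided by NTFS only.
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Name -Path $Path -FullAccess 'Everyone' | Out-Null
    }

    # NTFS ACL at the root: stop inheriting from the drive root so stray rights
    # there cannot leak in, then grant Full Control that flows to everything below.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)    # protected, inherited ACEs dropped
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $grantees = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $Delegate)  # first two: assumption
    foreach ($who in $grantees) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $who, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Check for joe's footnote [1]: anything other than a single Everyone/Full/Allow
# entry on the share means permissions are being managed in two places.
function Test-ShareAclIsWideOpen {
    param([string]$Name)
    $aces = @(Get-SmbShareAccess -Name $Name)
    $everyoneFull = @($aces | Where-Object {
        $_.AccountName -eq 'Everyone' -and $_.AccessRight -eq 'Full' -and $_.AccessControlType -eq 'Allow'
    })
    return ($aces.Count -eq 1 -and $everyoneFull.Count -eq 1)
}

foreach ($s in $Layout) {
    New-DelegatedRootShare -Name $s.Name -Path $s.Path -Delegate $Delegate
    if (-not (Test-ShareAclIsWideOpen -Name $s.Name)) {
        Write-Warning "$($s.Name): share ACL is not plain Everyone/Full; effective rights now depend on two ACLs."
    }
}
```

Run Test-ShareAclIsWideOpen on its own against existing shares to find the ones where someone has already started layering share and NTFS permissions.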

Re: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-22 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Amen brother.

I wish though you would be more specific though as I just happen to be
meeting with some folks next week and would love the inside from big
server land.  [Please feel free to ping me directly]

Our OU structure sucks.  We know that.  But ...boy ... you ain't ripping
my fingers off RWW or my monitoring email.  :-)

Michael B. Smith wrote:

> And that is a real difficulty.
>
> The wizards should integrate seamlessly. Or the other tools should
> integrate seamlessly. Take your pick.
>
> I've got a couple of hundred client companies, probably 3 or 4 use SBS.
> I HATE touching the SBS clients because it's a fair bet there is a
> wizard for something that I'm not going to use a wizard for, because I
> can use one of my scripts or a native tool and do it quicker. (You can
> argue that someone that knows the wizards can do it more quickly with
> them -- and that's fine -- but I don't, and shouldn't have to.)
>
> It's a religious issue.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Thursday, September 22, 2005 12:19 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>
> Difficulty?
>
> What difficulty?  [please feel free to take this offline] the only
> difficult issues we have in SBSland is cleaning up the messes from folks
> that don't follow the wizards
>
> [EMAIL PROTECTED] wrote:
>
>> Thanks!  This must be SBS Week.  Was at a user's group meeting last
>> night and the topic came up again. (Main topic was R2)  Sounds like
>> Microsoft is getting the message about the difficulty of working with
>> SBS.
>>
>> Al Maurer
>> Service Manager, Naming and Authentication Services IT | Information
>> Technology Agilent Technologies
>> (719) 590-2639; Telnet 590-2639
>> http://activedirectory.it.agilent.com
>> --
>> "Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
>> Caesar III i.
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>> CPA aka Ebitz - SBS Rocks [MVP]
>> Sent: Tuesday, September 20, 2005 1:57 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>>
>> Transition pack or www.sbsmigration.com
>>
>> Transition pack is the best way however lets you keep the Remote web
>> workplace and monitoring email even after you break away from SBSland.
>>
>> [EMAIL PROTECTED] wrote:
>>
>>> OK, since the topic came up:  I'm trying to figure out how to migrate
>>> off SBS2003.
>>>
>>> Scenario is a recent acquisition where we want to migrate from company
>>> SBS to corporate AD (standard 2003 domain).  Trusts are out.  Hack is
>>> both dangerous and illegal.
>>>
>>> MS offers a Transition Pack (for a cost) to upgrade the SBS2003 to
>>> normal AD.  Is there any other way?  LDIF export?
>>>
>>> Thanks,
>>> AL
>>>
>>> Al Maurer
>>> Service Manager, Naming and Authentication Services IT | Information
>>> Technology Agilent Technologies
>>> (719) 590-2639; Telnet 590-2639
>>> http://activedirectory.it.agilent.com
>>> --
>>> "Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
>>> Caesar III i.
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of Susan
>>> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>> Sent: Wednesday, September 14, 2005 12:06 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: Re: [ActiveDir] SBS Server Question
>>>
>>> Nope.  No trusts, no forests.  We're the spoiled only PDC that must
>>> hold all the FSMO roles.  We can do some funky stuff with pass through
>>> authentication, but no trusts.
>>>
>>> US versus THEM:
>>> http://www.sbslinks.com/Us_v_them.htm
>>>
>>> In SBS 2000/2003 the 'correct' terminology is Yes, an 'additional
>>> domain controller' is supported and not calling it a BDC.
>>>
>>> Member servers are covered by the SBS cals but last I read in the PUR
>>> the additional DC would need server cals.  [that's my interpretation
>>> anyway but I get a headache reading that doc in the first place]
>>>
>>> Honestly ...keep in mind that with XPs, they will use cached
>>> credentials and you can log into that profile even if the network is
>>> down.  Now comes the fun... who's doing the DHCP? The recommended way
>>> is to have the SBS box to do that...so you still have fun.  If the SBS
>>> box goes down, I normally have ways around the temporary failure
>>> [and even then I can count on one hand the time my network has been
>>> affected]: power mostly, then NICs, then switches, and one harddrive
>>> falling off a RAID.  Get good equipment [and honestly either reinstall
>>> those OEMs and stay away from those preinstalled versions] and we do
>>> just fine.
>>>
>>> Medeiros, Jose wrote:
>>>
>>>> Hi Susan,
>>>>
>>>> Since we have an SBS MVP on the Active Dir list, let me ask a
>>>> question.
>>>>
>>>> Can I now make an SBS 2003 server a child domain in an AD 2003
>>>> forest?
>>>>
>>>> Before you ask why, some one asked me this recent

RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread DeStefano, Dan

Cool, thanks for the info – excellent as usual, joe.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 22, 2005 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

The docs are wrong. Many of us have been hounding MS on this for years. They
really started straightening out docs with K3. Some of the older 2K docs still
suggest this security boundary at the domain. It really came to a head when
Lucent put out a paper on this and it started getting quoted in the newsgroups
and some of us just flamed the crap out of it.

No one here or anywhere should really publish how to exploit rights on a DC to
take over a forest. The answer is pretty self-evident if someone understands the
underpinnings and processes used in AD and since we can't fully protect against
it, it is better left undocumented. If there was a guaranteed safe way to protect
ourselves, then we could publish that workaround and some time later publish the
issue.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

I thought that in AD domains are considered security boundaries. In the cert
exams, namely the 70-219, they are considered as such. Also, how would a domain
admin of a child domain elevate his privileges?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

Even as a domain admin of a Child domain they will still be able to munge your
forest or elevate their privileges. The security boundary in AD is at the forest,
not the domain.

Phil

On 9/22/05, Gideon Ashcraft <[EMAIL PROTECTED]> wrote:

The only thing to do is to make him an admin of that site, or better yet make
that site a child domain and make him a domain admin of that child domain. I know
from experience that using a DC as anything but a DC is a freakin pain in the
ass, my predecessor set a DC up as a print/file server and another as a SQL
server (finally able to demote that one now, soon hopefully). But my citrix
profiles are on the domain controller, and after months of trying to set
delegation up properly in AD and setting up permissions in the appropriate
folders on the DC, the only way I was able to get my Helpdesk admin set up to
create accounts with my scripts so that I didn't have to do it was to make him a
domain admin. My company is too damn cheap to get me another server to put the
citrix profiles somewhere else. Oh yeah, and it's an app server for network
install of office (can you feel my pain).

So, if there is only one server in the site and it's a DC, the only way to get
him to do anything is to make him a domain admin (make it a child domain so he
can't climb up the tree)

Gideon Ashcraft
Network Admin
Screen Actors Guild

Subject: RE: [ActiveDir] Domain Controller Security

Look through the archives.

The short answer is... "Just don't do it". You can't possibly secure this
regardless of what anyone says. If someone says it can be made safe, stop asking
them technical questions about Domain Controllers and Active Directory.

Either you trust the person or you don't. If you don't trust the person, then
don't put the person in a position to show you the meaning of screwed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Security

I have a contractor in a remote site. There is only 1 server in that site which
is a DC.

He needs to administer that server.

-Create shares

-Make file/share permissions

-Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain.

When I make him a "Server Operator" he can logon to any server in the domain.

Any idea on how to lock him down to that one server and then how to lock him
down on that one OU where he should only be allowed to change the passwords of
the users.

Thanks!

Fred
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/






 


 
  
  
  NOTICE: The information contained in this transmission is privileged,
  confidential, and intended only for the use of the individual or entity named
  above. If you are not the intended recipient, you are hereby notified that
  any disclosure, copying, distribution, or the taking of any action in
  reliance on the con

RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread deji
VM would be an option, but moving the files and share, re-permissioning,
repointing scripts and re-educating users may make that unattractive.

BTW, I heard that "caching-only" will not make it into the final R2. Can
anyone confirm or refute?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 9/22/2005 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Most of the answers to Fred's business need deal with the security issue of
the domain: valid, certainly, but if the contractor really has a need to
access files & shares, how would he do it?  Seems this DC is the sole site
server and acting as a file server in addition to its DC duties.

Short of buying another server, an idea I read about on this list was to
install VM software and run the file services as a virtual server.  Anybody
tried that?

And in the 3k R2 world, if that DC were a "caching-only" DC, does that change
the situation?

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius Caesar III i.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 12:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

When Windows 2000 first came out the domain was thought of as the security
boundary and Microsoft even stated that in documentation, books and
certifications. Through the course of using AD there were a few things that
came to light as some talented and curious folks started noticing things, and
that has led to the security boundary stance being revised. The original
statement was a mistake and I believe Microsoft has recognized and admitted
that. Any up-to-date documentation will reflect that notion of the forest
being the security boundary.

I don't think anyone is going to get into how privilege escalation can be
done; I know I certainly won't get into it other than to make people aware
that it is possible.

Phil

On 9/22/05, DeStefano, Dan <[EMAIL PROTECTED]> wrote:

I thought that in AD domains are considered security boundaries. In the cert
exams, namely the 70-219, they are considered as such. Also, how would a
domain admin of a child domain elevate his privileges?

Dan

RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread DeStefano, Dan

I am not asking for exact procedures, just more of methods how.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, September 22, 2005 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Oh, and as for how, easy, but I won't tell here...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

I thought that in AD domains are considered security boundaries. In the cert
exams, namely the 70-219, they are considered as such. Also, how would a
domain admin of a child domain elevate his privileges?

Dan

RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread DeStefano, Dan

Thanks, I actually found and read that after sending that last post.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, September 22, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Wrongo...

...snip

Active Directory uses domains and forests to represent the logical structure
of the directory hierarchy. Domains are used to manage the various
populations of users, computers, and network resources in your enterprise.
The forest represents the security boundary for Active Directory. Within
domains you can create organizational units to subdivide the various
divisions of administration

snip...

Link to actual doc:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6f8a7c80-45fc-4916-80d9-16e6d46241f9.mspx

(mind if it wraps)

RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread Gil Kirkpatrick

See, for instance, the demo Guido did in the security workshop with Sanjay at
DEC last year.

-g

RE: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-22 Thread Michael B. Smith
And that is a real difficulty.

The wizards should integrate seamlessly. Or the other tools should
integrate seamlessly. Take your pick.

I've got a couple of hundred client companies, probably 3 or 4 use SBS.
I HATE touching the SBS clients because it's a fair bet there is a
wizard for something that I'm not going to use a wizard for, because I
can use one of my scripts or a native tool and do it quicker. (You can
argue that someone that knows the wizards can do it more quickly with
them -- and that's fine -- but I don't, and shouldn't have to.)

It's a religious issue.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 22, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)

Difficulty?

What difficulty?  [please feel free to take this offline] The only
difficult issues we have in SBSland are cleaning up the messes from folks
that don't follow the wizards.

[EMAIL PROTECTED] wrote:

>Thanks!  This must be SBS Week.  Was at a user's group meeting last
>night and the topic came up again. (Main topic was R2)  Sounds like
>Microsoft is getting the message about the difficulty of working with
>SBS.
>
>Al Maurer
>Service Manager, Naming and Authentication Services
>IT | Information Technology
>Agilent Technologies
>(719) 590-2639; Telnet 590-2639
>http://activedirectory.it.agilent.com
>--
>"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
>Caesar III i.
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Tuesday, September 20, 2005 1:57 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)
>
>Transition pack or www.sbsmigration.com
>
>Transition pack is the best way however lets you keep the Remote Web
>Workplace and monitoring email even after you break away from SBSland.
>
>[EMAIL PROTECTED] wrote:
>
>>OK, since the topic came up:  I'm trying to figure out how to migrate
>>off SBS2003.
>>
>>Scenario is a recent acquisition where we want to migrate from company
>>SBS to corporate AD (standard 2003 domain).  Trusts are out.  Hack is
>>both dangerous and illegal.
>>
>>MS offers a Transition Pack (for a cost) to upgrade the SBS2003 to
>>normal AD.  Is there any other way?  LDIF export?
>>
>>Thanks,
>>AL
>>
>>Al Maurer
>>Service Manager, Naming and Authentication Services
>>IT | Information Technology
>>Agilent Technologies
>>(719) 590-2639; Telnet 590-2639
>>http://activedirectory.it.agilent.com
>>--
>>"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius
>>Caesar III i.
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Susan
>>Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>Sent: Wednesday, September 14, 2005 12:06 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: Re: [ActiveDir] SBS Server Question
>>
>>Nope.  No trusts, no forests.  We're the spoiled only PDC that must
>>hold all the FSMO roles.  We can do some funky stuff with pass-through
>>authentication, but no trusts.
>>
>>US versus THEM:
>>http://www.sbslinks.com/Us_v_them.htm
>>
>>In SBS 2000/2003 the 'correct' terminology is: Yes, an 'additional
>>domain controller' is supported, and not calling it a BDC.
>>
>>Member servers are covered by the SBS CALs but last I read in the PUR
>>the additional DC would need server CALs.  [That's my interpretation
>>anyway, but I get a headache reading that doc in the first place.]
>>
>>Honestly ...keep in mind that with XPs, they will use cached
>>credentials and you can log into that profile even if the network is
>>down.  Now comes the fun... who's doing the DHCP? The recommended way
>>is to have the SBS box do that...so you still have fun.  If the SBS
>>box goes down, I normally have ways around the temporary failure
>>[and even then I can count on one hand the times my network has been
>>affected: power mostly, then NICs, then switches, and one hard drive
>>falling off a RAID].  Get good equipment [and honestly either reinstall
>>those OEMs and stay away from those preinstalled versions] and we do
>>just fine.
>>
>>Medeiros, Jose wrote:
>>
>>>Hi Susan,
>>>
>>>Since we have an SBS MVP on the Active Dir list, let me ask a
>>>question.
>>>
>>>Can I now make an SBS 2003 server a child domain in an AD 2003
>>>forest?
>>>
>>>Before you ask why, someone asked me this recently at a Linux users
>>>group meeting, as his company has several remote offices using SBS 2003.
>>>
>>>Also on SBS 4.5, one could have a BDC as a backup; can this also be
>>>done with a DC, or are you "Sh.T out of luck" when a box fails?
>>>
>>>Jose
>>>
>>>
>>>List info   : http://www.activedir.org/List.aspx
>>>List FAQ: http://www.activedir.o

RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread al_maurer

Most of the answers to Fred's business need deal with the security issue of
the domain: valid, certainly, but if the contractor really has a need to
access files & shares, how would he do it?  Seems this DC is the sole site
server and acting as a file server in addition to its DC duties.

Short of buying another server, an idea I read about on this list was to
install VM software and run the file services as a virtual server.  Anybody
tried that?

And in the 3k R2 world, if that DC were a "caching-only" DC, does that change
the situation?

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius Caesar III i.

RE: [ActiveDir] dns suffix search list

2005-09-22 Thread Almeida Pinto, Jorge de
And in addition to what Guido said...

You can create your own custom ADM and import it into a GPO (don't forget to
disable the filtering, otherwise you will not see it) and attach that to the OU
that contains Windows 2000 clients/servers (otherwise you can use group
filtering).

The contents of the ADM would be:

CLASS MACHINE
CATEGORY "System"
  CATEGORY "Custom Settings DNS"
    KEYNAME "System\CurrentControlSet\Services\TCPIP\Parameters"
    POLICY "DNS Suffix Search List"
      EXPLAIN "EXPLANATION: Determines the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.\n\nAn unqualified single-label name contains no dots, such as "example". This is different from a fully qualified domain name, such as "example.microsoft.com.".\n\nWith this setting enabled, when a user submits a query for a single-label name, such as "example", a local DNS client attaches a suffix, such as "microsoft.com", resulting in the query "example.microsoft.com", before sending the query to a DNS server.\n\nIf you enable this setting, you can specify the DNS suffixes to attach before submission of a query for an unqualified single-label name. The values of the DNS suffixes in this setting may be set using comma-separated strings, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com". One DNS suffix is attached for each submission of a query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and preceding to the right.\n\nIf you enable this setting, you must specify at least one suffix.\n\nIf you disable this setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.\n\nIf this setting is not configured, it is not applied to any computers, and computers use their local configuration."
      PART "DNS Suffixes:" EDITTEXT REQUIRED
        VALUENAME "SearchList"
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

Cheers
Jorge



From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 9/22/2005 8:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list



the article is correct for Win2000 clients/servers - but for XP clients and Win 
2003 servers you can change the DNS suffix search list via GPO.

Other option is to use a startup-script for your clients/servers setting the 
"HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\SearchList" RegKey via 
the script - the script could even query a text-file to set the suffix as 
appropriate for the respective machine.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Donnerstag, 22. September 2005 20:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dns suffix search list

I know this was discussed on the list earlier(can't seem to find it), but is 
this article correct and are these the only ways to programmatically alter the 
dns suffix search list?
http://support.microsoft.com/kb/q275553/


Is there an easy way to do this for many computers, say from a text file?

Thanks



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] dns suffix search list

2005-09-22 Thread Kern, Tom
I'm only running win2k.
I'd like to make the script query a text file of client names, so I can just 
execute it from my desktop rather than a script.
How would I go about doing that?
Thanks

-Original Message- 
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED] 
Sent: Thu 9/22/2005 2:31 PM 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] dns suffix search list


 


RE: [ActiveDir] LDAP search limitations

2005-09-22 Thread joe
The limit is 1000 on 2K and 1500 on K3/ADAM. These values can be tweaked. 

The general purpose reason is to conserve resources on the LDAP server.
Consider result sets have to be pulled into memory to be encoded to send
back to clients. If you have lots and lots of simultaneous queries with huge
resultsets you could quickly cause harm to an LDAP server as it runs low on
resources.

As to why MS did it and others didn't. Possibly the others are not thinking
properly about large scale or heavily loaded implementations. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP search limitations

Apologies for asking this question, since it's been posed before (?), but
can anyone offer me a brief description of why AD only returns (by default)
1024 entries when an LDAP search is performed? Is it a question of
performance? Why is the searcher not offered all records that meet the
search criteria?

Questions have arisen as to why MS implemented a limit since (apparently),
other LDAP implementations do not enforce these limits.

thanks,
neil





---
Neil Ruston
Nomura International Plc
Tel: 020 7521 3481
[EMAIL PROTECTED]




PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments.  NIplc
does not provide investment services to private customers.  Authorised and
regulated by the Financial Services Authority.  Registered in England no.
1550505 VAT No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP.  A member of the Nomura group of companies.



Re: [ActiveDir] Domain Controller Security

2005-09-22 Thread Phil Renouf
When Windows 2000 first came out the domain was thought of as the security boundary and Microsoft even stated that in documentation, books and certifications. Through the course of using AD there were a few things that came to light as some talented and curious folks started noticing things and that has led to the security boundary stance being revised. The original statement was a mistake and I believe Microsoft has recognized and admitted that. Any up to date documentation will reflect that notion of the forest being the security boundary.

 
I don't think anyone is going to get into how privilege escalation can be done, I know I certainly won't get into it other than to make people aware that it is possible.
 
Phil 
On 9/22/05, DeStefano, Dan <[EMAIL PROTECTED]> wrote:


I thought that in AD domains are considered security boundaries. In the cert exams, namely the 70-219, they are considered as such. Also, how would a domain admin of a child domain elevate his privileges?

 
 
Dan
 




From:
 [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Phil RenoufSent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security
 

Even as a domain admin of a Child domain they will still be able to munge your forest or elevate their privileges. The security boundary in AD is at the forest, not the domain.


 

Phil 

On 9/22/05, Gideon Ashcraft <
[EMAIL PROTECTED]> wrote: 


The only thing to do is to make him an admin of that site, or better yet make that site a child domain and make him a domain admin of that child domain. I know from experience that using a DC as anything but a DC is a freakin pain in the ass, my predecessor set a DC up as a print/file server and another as a SQL server (finally able to demote that one now, soon hopefully). But my citrix profiles are on the domain controller, and after months of trying to set delegation up properly in AD and setting up permissions in the appropriate folders on the DC, the only way I was able to get my Helpdesk admin set up to create accounts with my scripts so that I didn't have to do it was to make him a domain admin. My company is too damn cheap to get me another server to put the citrix profiles somewhere else. Oh yeah, and its an app server for network install of office (can you feel my pain). 


 

So, if there is only one server in the site and its a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree)


 

Gideon Ashcraft

Network Admin

Screen Actors Guild

Subject: RE: [ActiveDir] Domain Controller Security 

Look through the archives.
 
The short answer is... "Just don't do it". You can't possibly secure this regardless of what anyone says. If someone says it can be made safe, stop asking them technical questions about Domain Controllers and Active Directory. 

 
Either you trust the person or you don't. If you don't trust the person, then don't put the person in a position to show you the meaning of screwed. 

 
 



From:
 [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of van Donk, FredSent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.orgSubject:
 [ActiveDir] Domain Controller Security 

I have a contractor in a remote site. There is only 1 server in that site which is a DC.


 

He needs to administer that server. 

-Create shares

-Make file/share permissions

-Change user passwords in the User OU for that site.

 

He is not allowed to log on to any other server in the domain.

 

When I make him a "Server Operator" he can logon to any server in the domain.

 

Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users.


 

Thanks!

Fred

 

 


 



NOTICE: The information contained in this transmission is privileged, confidential, and intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this transmission is strictly prohibited. If you have received this transmission in error, please notify Eze Castle Integration, Inc. by e-mail and destroy the original message and all copies. Thank you.
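The OU half of Fred's request (password resets for users in one OU) is ordinary delegation and needs no group that touches the DC at all; the server half is what the replies warn against, because Server Operators, like the other built-in operator groups, receives its log-on and service rights on every DC through the Default Domain Controllers Policy, and there is no way to scope it to one DC. The PowerShell below is an added example, not code from the thread: it grants a group the Reset Password control access right (plus write to pwdLastSet, so "user must change password at next logon" can be set) on one OU only, inherited to user objects, and then reads the OU's DACL back to confirm that exactly that was granted and nothing broader. The OU and group names are assumptions; dsacls.exe is the Windows tool for this, and the two GUIDs are the well-known schema values for the Reset Password right and the user class. One caveat that belongs with any such delegation: the right applies to every user object under that OU, so keep privileged accounts out of it.

```powershell
# Added example, not from the thread. Assumptions: OU and group names are made
# up; run as an account that may modify the OU's DACL (e.g. a domain admin)
# on a host that has dsacls.exe (AD DS tools).
Add-Type -AssemblyName System.DirectoryServices

$Ou    = 'OU=Users,OU=RemoteSite,DC=corp,DC=example,DC=com'   # assumed
$Group = 'CORP\RemoteSite-PwReset'                            # assumed

# Well-known GUIDs: the Reset Password control access right, and the user
# object class (used as inherited-object type so the ACEs hit users only).
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# /I:S                   = inherit to sub-objects only; the OU itself gets nothing
# CA;Reset Password;user = control access right, applied to user objects
# RPWP;pwdLastSet;user   = read/write one property, applied to user objects
dsacls $Ou /I:S /G "${Group}:CA;Reset Password;user"
dsacls $Ou /I:S /G "${Group}:RPWP;pwdLastSet;user"

function Test-PasswordResetDelegation {
    # Read the OU's explicit ACEs back and check the group holds the Reset
    # Password right scoped to user objects, and nothing broader on this OU.
    param([string]$OuDn, [string]$Identity)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDn")
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Identity }

    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $broad    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

    $reset = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.ActiveDirectoryRights -band $extended)) -ne 0 -and
        $_.ObjectType -eq $ResetPasswordRight -and
        $_.InheritedObjectType -eq $UserClass
    }
    # GenericAll / WriteDacl / WriteOwner would let the holder grant himself more
    $tooBroad = $rules | Where-Object { ([int]($_.ActiveDirectoryRights -band $broad)) -ne 0 }

    [pscustomobject]@{
        OU            = $OuDn
        Identity      = $Identity
        ResetPassword = [bool]$reset
        TooBroad      = [bool]$tooBroad
        AllRights     = ($rules | ForEach-Object { "$($_.ActiveDirectoryRights) $($_.ObjectType)" }) -join '; '
    }
}

Test-PasswordResetDelegation -OuDn $Ou -Identity $Group | Format-List
```

The check function is the part worth keeping around: run it against every OU that has been delegated over the years, and it reports anyone who ended up with WriteDacl or GenericAll where only a password reset was intended.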



RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread joe



The docs are wrong. Many of us have been hounding MS on 
this for years. They really started straightening out docs with K3. Some of the 
older 2K docs still suggest this security boundary at the domain. It really came 
to a head when Lucent put out a paper on this and it started getting quoted in 
the newsgroups and some of us just flamed the crap out of it. 

 
No one here or anywhere should really publish how to 
exploit rights on a DC to take over a forest. The answer is pretty self-evident 
if someone understands the underpinnings and processes used in AD and since we 
can't fully protect against it, it is better left undocumented. If 
there was a guaranteed safe way to protect ourselves, then we could publish 
that workaround and some time later publish the issue.
 
  joe 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

I thought that in AD domains are considered security boundaries. In the cert 
exams, namely the 70-219, they are considered as such. Also, how would a domain 
admin of a child domain elevate his privileges?
 
Dan
 






RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread Hutchins, Mike



Oh, and as for how, easy, but I won't tell here...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

I thought that in AD domains are considered security boundaries. In the cert 
exams, namely the 70-219, they are considered as such. Also, how would a domain 
admin of a child domain elevate his privileges?
 
Dan
 






RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread Hutchins, Mike



Wrongo...

...snip
Active Directory uses domains and forests to represent the logical structure of 
the directory hierarchy. Domains are used to manage the various populations of 
users, computers, and network resources in your enterprise. The forest represents 
the security boundary for Active Directory. Within domains you can create 
organizational units to subdivide the various divisions of administration
snip...
 
link to actual doc
 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6f8a7c80-45fc-4916-80d9-16e6d46241f9.mspx
 
(mind if it wraps)



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

I thought that in AD domains are considered security boundaries. In the cert 
exams, namely the 70-219, they are considered as such. Also, how would a domain 
admin of a child domain elevate his privileges?
 
Dan
 






RE: [ActiveDir] LDAP search limitations

2005-09-22 Thread Al Mulnick
Sounds like you're also using an older version of Windows and hitting a 
different limit as I'd have expected AD to limit your results to 1000 (at a 
time).  

To get more than that with .net or to work around the 1500 limit, you'll likely 
want to research ranging.  Joe K is pretty good about this sort of thing.  
Maybe a direct ping or a note to the adsi newsgroups would get a better 
explanation. 

Al 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP search limitations

MS did not "implement" a limit. The paging is a function of the client doing 
the LDAP query and conforms to the specs outlined in RFC 2696.
 
If you read the RFC, you will come to agree that, although RFCs are not 
(strictly speaking) "standards", you are "expected" to page your LDAP queries.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 9/22/2005 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP search limitations



Apologies for asking this question, since it's been posed before (?), but can 
anyone offer me a brief description of why AD only returns (by default) 1024 
entries when an LDAP search is performed? Is it a question of performance?
Why is the searcher not offered all records that meet the search criteria?

Questions have arisen as to why MS implemented a limit since (apparently), 
other LDAP implementations do not enforce these limits.

thanks,
neil





---
Neil Ruston
Nomura International Plc
Tel: 020 7521 3481
[EMAIL PROTECTED]




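Two separate LDAP policy values are behind this thread, and they need different client-side fixes. MaxPageSize (1000 by default) caps the entries one search returns; a client that sends the RFC 2696 paged-results control, which is what DirectorySearcher does once PageSize is set, gets the whole result set a page at a time and the policy never has to be raised (raising it with ntdsutil is the wrong answer for the reason joe gives: every authenticated client could then make the DC hold bigger sets in memory). MaxValRange (1000 on Windows 2000, 1500 on Windows Server 2003) caps how many values of one multi-valued attribute, such as member, come back at once; the ranging Al mentions walks past it with attribute names of the form member;range=low-high. The PowerShell below is an added example, not code from any of the messages; it uses System.DirectoryServices from .NET, so it needs only a domain-joined host, and the base DN and group DN are assumptions.

```powershell
# Added example, not from the thread. Assumptions: the base DN and group DN
# are made up; run on a domain-joined host (no extra module required).
Add-Type -AssemblyName System.DirectoryServices

$BaseDn  = 'DC=corp,DC=example,DC=com'                            # assumed
$GroupDn = 'CN=All Staff,OU=Groups,DC=corp,DC=example,DC=com'     # assumed

function Get-AllUserDns {
    # Paged search: PageSize > 0 makes DirectorySearcher attach the RFC 2696
    # paged-results control, so the DC returns at most MaxPageSize entries per
    # page and the client follows the cookie until the set is exhausted. With
    # PageSize left at 0 the same query stops at MaxPageSize (1000 by default)
    # and the remaining entries are simply never delivered.
    param([string]$SearchBaseDn, [int]$PageSize = 1000)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBaseDn")
    $s = New-Object System.DirectoryServices.DirectorySearcher($root)
    $s.Filter = '(&(objectCategory=person)(objectClass=user))'
    $s.PageSize = $PageSize
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    $results = $s.FindAll()
    try {
        foreach ($r in $results) { [string]$r.Properties['distinguishedname'][0] }
    }
    finally { $results.Dispose() }   # releases the server-side paging state
}

function Get-GroupMemberDns {
    # Ranged retrieval: member is capped by MaxValRange regardless of paging.
    # The client asks for member;range=low-high and the server replies with the
    # range it actually served (it may shrink ours to its own limit); a reply
    # whose attribute name ends in "*" carries the last chunk.
    param([string]$DistinguishedName, [int]$Step = 1500)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    $s = New-Object System.DirectoryServices.DirectorySearcher($entry, '(objectClass=*)')
    $s.SearchScope = 'Base'
    $low = 0
    $members = New-Object System.Collections.Generic.List[string]
    while ($true) {
        $s.PropertiesToLoad.Clear()
        [void]$s.PropertiesToLoad.Add("member;range=$low-$($low + $Step - 1)")
        $r = $s.FindOne()
        # Property names in the result are lower-cased; pick the range attribute
        $served = $r.Properties.PropertyNames | Where-Object { $_ -like 'member;range=*' }
        if (-not $served) { break }                   # empty group, or no more values
        foreach ($m in $r.Properties[$served]) { $members.Add([string]$m) }
        if ($served.EndsWith('*')) { break }          # e.g. member;range=3000-*
        # Continue from the high bound the server chose, not the one we asked for
        $high = [int]($served -replace '^member;range=\d+-', '')
        $low = $high + 1
    }
    $members
}

$users = Get-AllUserDns -SearchBaseDn $BaseDn
"Users returned: $($users.Count)"
$members = Get-GroupMemberDns -DistinguishedName $GroupDn
"Members of ${GroupDn}: $($members.Count)"
```

Parsing the range the server actually answered with, rather than assuming the step you asked for, is what makes the second function work unchanged against the 1000-value limit on a Windows 2000 DC and the 1500-value limit on Windows Server 2003.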


RE: [ActiveDir] dns suffix search list

2005-09-22 Thread Grillenmeier, Guido
the article is correct for Win2000 clients/servers - but for XP clients and Win 
2003 servers you can change the DNS suffix search list via GPO.

Other option is to use a startup-script for your clients/servers setting the 
"HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\SearchList" RegKey via 
the script - the script could even query a text-file to set the suffix as 
appropriate for the respective machine.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Donnerstag, 22. September 2005 20:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dns suffix search list

I know this was discussed on the list earlier(can't seem to find it), but is 
this article correct and are these the only ways to programmatically alter the 
dns suffix search list?
http://support.microsoft.com/kb/q275553/
 
 
Is there an easy way to do this for many computers, say from a text file?
 
Thanks


RE: [ActiveDir] dns suffix search list

2005-09-22 Thread Cace, Andrew
Tom,
  The article is incorrect.  It is possible to programmatically push a DNS 
suffix search list to remote PC's.  The following code will do it for you.

' Assumes the target host name is passed on the command line, e.g.
'   cscript setsuffix.vbs REMOTEPC
strComputer = WScript.Arguments(0)
arrDNSSuffixes = Array("suffix1.com", "suffix2.com", "suffix3.com", "suffix4.com")

Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' SetDNSSuffixSearchOrder is a static method of the class, so Get() the class
' itself rather than an adapter instance; it sets the machine-wide SearchList.
Set objNetworkSettings = objWMIService.Get("Win32_NetworkAdapterConfiguration")
intRet = objNetworkSettings.SetDNSSuffixSearchOrder(arrDNSSuffixes)
' 0 = success, 1 = success but reboot required, anything else is an error code
WScript.Echo strComputer & ": return code " & intRet

This code should work as is, provided you find a way to populate the 
strComputer value.  In my experience, it takes about 6 seconds to connect to a 
remote computer and make the changes.

-Andrew

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 22, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dns suffix search list

I know this was discussed on the list earlier(can't seem to find it), but is 
this article correct and are these the only ways to programmatically alter the 
dns suffix search list?
http://support.microsoft.com/kb/q275553/
 
 
Is there an easy way to do this for many computers, say from a text file?
 
Thanks


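Tom asked for something that reads a list of client names from a text file and pushes the suffix list from his desktop. The PowerShell below is an added example (not Andrew's VBScript or anything else from the thread) that does that with the same WMI method, Win32_NetworkAdapterConfiguration.SetDNSSuffixSearchOrder, and then reads the configured list back from each host to confirm what actually landed. The file path, host names and suffixes are assumptions. It needs local administrator rights on every target and WMI reachable through the firewall; it uses DCOM rather than WinRM because the older hosts in the thread have no WinRM. Reading the result back matters more than the return code here: whatever is in SearchList gets appended to every single-label name looked up on that host, so a wrong or stale suffix quietly sends those lookups into a DNS zone you may not control.

```powershell
# Added example, not from the thread: push a DNS suffix search list to every
# host listed in a text file (one name per line) and verify it took effect.
# Assumptions: the file path, suffixes and host names are made up; you are a
# local administrator on each target; WMI over DCOM is reachable.
$ComputerListFile = 'C:\admin\dns-clients.txt'                    # assumed path
$Suffixes = @('corp.example.com', 'site1.corp.example.com')        # assumed list

function Set-RemoteDnsSuffixSearchList {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$SearchList
    )
    $session = $null
    try {
        # DCOM: works against hosts that have WMI but no WinRM listener
        $opt = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $ComputerName -SessionOption $opt -ErrorAction Stop

        # SetDNSSuffixSearchOrder is a static method of the class; it writes
        # HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
        # for the whole machine, so no adapter instance is involved.
        $invoke = @{
            CimSession  = $session
            ClassName   = 'Win32_NetworkAdapterConfiguration'
            MethodName  = 'SetDNSSuffixSearchOrder'
            Arguments   = @{ DNSDomainSuffixSearchOrder = [string[]]$SearchList }
            ErrorAction = 'Stop'
        }
        $result = Invoke-CimMethod @invoke
        # 0 = success, 1 = success but reboot required
        if (@(0, 1) -notcontains $result.ReturnValue) {
            throw "SetDNSSuffixSearchOrder returned $($result.ReturnValue)"
        }

        # Read the effective list back from an IP-enabled adapter instead of
        # trusting the return code.
        $applied = Get-CimInstance -CimSession $session `
            -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            Select-Object -First 1 -ExpandProperty DNSDomainSuffixSearchOrder

        $ok = ($applied -join ',') -eq ($SearchList -join ',')
        [pscustomobject]@{ Computer = $ComputerName; Success = $ok; Applied = ($applied -join ',') }
    }
    catch {
        [pscustomobject]@{ Computer = $ComputerName; Success = $false; Applied = $_.Exception.Message }
    }
    finally {
        if ($session) { Remove-CimSession $session }
    }
}

# Ignore blank lines and '#' comments in the list file, then go host by host.
$targets = Get-Content $ComputerListFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') }

$report = foreach ($t in $targets) {
    Set-RemoteDnsSuffixSearchList -ComputerName $t -SearchList $Suffixes
}
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Success } |
    Export-Csv 'C:\admin\dns-suffix-failures.csv' -NoTypeInformation   # assumed path
```

The failures file is the list to re-run once the hosts are back on the network; anything that shows Success false with an Applied value that is not an error message is a host where the method returned cleanly but the list that took effect differs from the one pushed, which is the case worth looking at by hand.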


RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread DeStefano, Dan








I thought that in AD domains are considered security boundaries. In the cert 
exams, namely the 70-219, they are considered as such. Also, how would a domain 
admin of a child domain elevate his privileges?

Dan

 









Operator" he can logon to any server in the domain.





 





Any idea on how to lock him down to
that one server and then how to lock him down on that one OU where he should
only be allowed to change the passwords of the users.





 





Thanks!





Fred





 





 





List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/






 








NOTICE:  The information contained in this transmission is privileged, confidential, and intended only for the use of the individual or entity named above.  If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this transmission is strictly prohibited.  If you have received this transmission in error, please notify Eze Castle Integration, Inc. by e-mail and destroy the original message and all copies.  Thank you.
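Of Fred's three requirements, the third (resetting passwords for the users in one OU) is the one AD delegation handles cleanly without Server Operators or Domain Admins. The following is an added example, not code from anyone in the thread, showing the delegation done with System.DirectoryServices: it grants one account the "Reset Password" control access right, plus write access to pwdLastSet so "user must change password at next logon" also works, scoped to user objects beneath that OU only, and then lists the ACEs back for verification. The OU distinguished name and the trustee are placeholders; it assumes you run it as an account with WriteDacl on that OU (a Domain Admin) from a domain-joined machine.

```powershell
# Added example, not code from the thread. Grants one account the "Reset
# Password" control access right (plus write on pwdLastSet) on one OU,
# inherited by user objects only, instead of Server Operators or Domain
# Admins membership. The OU DN and trustee are placeholders (assumptions);
# run as an account with WriteDacl on that OU from a domain-joined machine.
param(
    [string]$OuDn    = "OU=Users,OU=RemoteSite,DC=example,DC=com",  # assumption
    [string]$Trustee = "EXAMPLE\contractor"                          # assumption
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.Get("schemaNamingContext")
$configNc = $rootDse.Get("configurationNamingContext")

# Resolve the GUIDs from this forest's schema and Extended-Rights container
# rather than hard-coding them.
function Get-SchemaIdGuid([string]$LdapDisplayName) {
    $s = New-Object System.DirectoryServices.DirectorySearcher(
            [ADSI]"LDAP://$schemaNc",
            "(ldapDisplayName=$LdapDisplayName)",
            [string[]]@("schemaIDGUID"))
    $r = $s.FindOne()
    if (-not $r) { throw "schema object '$LdapDisplayName' not found" }
    # schemaIDGUID is stored as a 16-byte octet string
    New-Object -TypeName Guid -ArgumentList (,[byte[]]$r.Properties["schemaidguid"][0])
}
function Get-RightsGuid([string]$DisplayName) {
    $s = New-Object System.DirectoryServices.DirectorySearcher(
            [ADSI]"LDAP://CN=Extended-Rights,$configNc",
            "(displayName=$DisplayName)",
            [string[]]@("rightsGuid"))
    $r = $s.FindOne()
    if (-not $r) { throw "extended right '$DisplayName' not found" }
    [Guid]$r.Properties["rightsguid"][0]      # rightsGuid is a string
}

$userClass     = Get-SchemaIdGuid "user"
$pwdLastSet    = Get-SchemaIdGuid "pwdLastSet"
$resetPassword = Get-RightsGuid   "Reset Password"

$sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$ou  = [ADSI]"LDAP://$OuDn"
$acl = $ou.psbase.ObjectSecurity

# "Reset Password" control access right, on descendant user objects only.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)))

# Write pwdLastSet on descendant user objects (needed to force a change at next logon).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow, $pwdLastSet,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)))

$ou.psbase.CommitChanges()

# Check: the trustee should hold exactly these two explicit ACEs on the OU, nothing else.
$ou.psbase.ObjectSecurity.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Two caveats. The delegate can now reset, and then log on as, every user object beneath that OU, so no privileged account may live under it, and the resets should be watched on the DCs (event 4724, or 628 on Windows Server 2003 era DCs). The other two items on Fred's list, shares and file permissions on the DC's own disks, need administrative rights on the DC itself, and a DC has no separate local administrators group to hand out (Administrators and Server Operators on a DC are the domain's built-in groups, shared by every DC in that domain), which is exactly why the replies say that part cannot be contained.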

 



[ActiveDir] dns suffix search list

2005-09-22 Thread Kern, Tom
I know this was discussed on the list earlier(can't seem to find it), but is 
this article correct and are these the only ways to programmatically alter the 
dns suffix search list?
http://support.microsoft.com/kb/q275553/
 
 
Is there an easy way to do this for many computers, say from a text file?
 
Thanks
[EMAIL PROTECTED]

RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread deji
>>>make it a child domain so he can't climb up the tree
 
Not only will (s)he be able to run up the tree, (s)he will own the tree, the
leaves, the bushes, the grasses, and, for that matter, the forest.
 
The Domain is NOT a security boundary. It is an administrative boundary.
Service administrators have the ability to cross domain boundaries within a
forest.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gideon Ashcraft
Sent: Thu 9/22/2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security


The only thing to do is to make him an admin of that site, or better yet make
that site a child domain and make him a domain admin of that child domain. I
know from experience that using a DC as anything but a DC is a freakin pain
in the ass, my predecessor set a DC up as a print/file server and another as
a SQL server (finally able to demote that one now, soon hopefully). But my
citrix profiles are on the domain controller, and after months of trying to
set delegation up properly in AD and setting up permissions in the
appropriate folders on the DC, the only way I was able to get my Helpdesk
admin set up to create accounts with my scripts so that I didn't have to do
it was to make him a domain admin. My company is too damn cheap to get me
another server to put the citrix profiles somewhere else. Oh yeah, and it's an
app server for network install of office (can you feel my pain).
 
So, if there is only one server in the site and it's a DC, the only way to get
him to do anything is to make him a domain admin (make it a child domain so
he can't climb up the tree)
 
Gideon Ashcraft
Network Admin
Screen Actors Guild

Subject: RE: [ActiveDir] Domain Controller Security


Look through the archives.
 
The short answer is... "Just don't do it". You can't possibly secure this
regardless of what anyone says. If someone says it can be made safe, stop
asking them technical questions about Domain Controllers and Active
Directory.
 
Either you trust the person or you don't. If you don't trust the person, then
don't put the person in a position to show you the meaning of screwed.
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Security


I have a contractor in a remote site. There is only 1 server in that site
which is a DC.
 
He needs to administer that server. 
-Create shares
-Make file/share permissions
-Change user passwords in the User OU for that site.
 
He is not allowed to log on to any other server in the domain.
 
When I make him a "Server Operator" he can logon to any server in the domain.
 
Any idea on how to lock him down to that one server and then how to lock him
down on that one OU where he should only be allowed to change the passwords
of the users.
 
Thanks!
Fred
 
 


RE: [ActiveDir] LDAP search limitations

2005-09-22 Thread deji
MS did not "implement" a limit. The paging is a function of the client doing
the LDAP query and conforms to the specs outlined in RFC 2696.
 
If you read the RFC, you will come to agree that, although RFCs are not
(strictly speaking) "standards", you are "expected" to page your LDAP
queries.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of
[EMAIL PROTECTED]
Sent: Thu 9/22/2005 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP search limitations



Apologies for asking this question, since it's been posed before (?), but can
anyone offer me a brief description of why AD only returns (by default) 1024
entries when an LDAP search is performed? Is it a question of performance?
Why is the searcher not offered all records that meet the search criteria?

Questions have arisen as to why MS implemented a limit since (apparently),
other LDAP implementations do not enforce these limits.

thanks,
neil





---
Neil Ruston
Nomura International Plc
Tel: 020 7521 3481
[EMAIL PROTECTED]




PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments.  NIplc
does not provide investment services to private customers.  Authorised and
regulated by the Financial Services Authority.  Registered in England
no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP.  A member of the Nomura group of companies.



Re: [ActiveDir] OT: SAN Assessment

2005-09-22 Thread Phil Renouf
Absolutely, it is important to work with your SAN vendor through the whole process to make sure that everything is configured properly on the SAN and that you've got everything you need since there is a lot more to a SAN than just some HBAs and some disk. They know their product better than anyone and it is important for them to be a part of the whole process. 

 
Just make sure that the people you are dealing with at your SAN vendor have specific knowledge about running Exchange on the SAN because as Al said, it does have some nuances. 
 
Phil 
On 9/22/05, Al Mulnick <[EMAIL PROTECTED]> wrote:

LOL.  I'm laughing because a company I used to get paid by thought that's how long it would take as well (I spec'd the project, and budgeted 7 weeks of lab for the environment and was being overly aggressive for that; another story.)  How long was the actual? Don't know because of the politics surrounding the implementation, the engineering was influenced by outside entities that munged it all up and it's still not quite done.  At one point I offered to host 4K user density Exchange clusters on iPaq devices clustered with a bluetooth piconet.  Shame they didn't take me up on that ;)  

 
I can say that a general principle for Exchange sizing is to focus on attaining the desired performance level first and the space second.  Exchange is highly disk dependent for performance especially as you scale up in db size and user density.

 
As for sizing, you also generally want to work with restoration times (restoration of data, service, etc) and work backwards to derive your density that you need to achieve and then play that back to the disk subsystem and layout.  Exchange is spindle hungry for most SAN implementations, very similar to other two-phase commit database applications.  There are some nuances to be aware of, but basically the same concept applies. 

 
Lawana is absolutely correct in how to get the proper configuration and how important it is.  Some SAN vendors I've dealt with include that evaluation and supported configuration service in the maintenance.  Something to check on. I have ALWAYS gone back to the SAN vendor to get the thumbs up on the configuration prior to even testing.  Saves a lot of time that way. 

 
My 0.035 anyway. 
 
ajm
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 11:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: SAN Assessment 


As someone else mentioned, when sizing a SAN for Exchange you are more concerned about performance than the size of the storage. That means that although you need to make sure you have enough disk space, more important is ensuring that the number of disks you get will meet the performance needs of your Exchange solution. 

 
To get that performance number can be fairly involved and deals with getting performance data from your existing Exchange installation (if you have one), or doing some calculations based on assumptions if you don't have Exchange. Anyone who is experienced with sizing Exchange solutions on a SAN will have the knowledge to help you out with those assumptions. It will likely also involve doing validation of the performance you expect to get from the SAN once it is in place. This is important because you may find ways to improve performance even more by tweaking some configuration on the server or SAN, but more importantly you may find performance bottlenecks that you can fix prior to going to production. 

 
Depending on the size of your Exchange environment and how complex it is that performance testing could go on for 4-6 weeks. Longer if it is an incredibly complex environment (Geo-clusters etc.)
 
Phil 
On 9/22/05, Lawana Gibson <[EMAIL PROTECTED]> wrote: 
Good mornin',
We have a SAN environment within our library.  We're running a FC4500
with 1.2 TB of disk space.  I have seven servers connected to the SAN
and a PowerVault 136T Tape Library.  We had Dell (we're a Dell shop)
come in and assess our environment; we made the decision on how much
disk space we needed, etc.  So basically they took our specifications
and produced a system (hardware, mgmt software, HBA).  We had them
install a "turn key" system so all we had to do was start moving data
over to the disks (or LUNS).  BUT... you have to be very careful and
make sure they are giving you the most current equipment; they are not
selling you mgmt software that will not work with your server
environment... basically make sure they know your network.  Make sure
your sales/technical accountant is aware of when your equipment comes
in, who they sent to install the equipment, etc.  Have them/make them
document everything!  I have horror stories related to our SAN
installation, but once I finally complained loud enough (and we
threatened not to pay them) they sent someone out to reconfigure our
system.  We are now in the phase of upgrading our SAN environment...as a
matter of fact I'm meeting with them n

Re: [ActiveDir] Domain Controller Security

2005-09-22 Thread Phil Renouf
Even as a domain admin of a Child domain they will still be able to munge your forest or elevate their privileges. The security boundary in AD is at the forest, not the domain.
 
Phil 
On 9/22/05, Gideon Ashcraft <[EMAIL PROTECTED]> wrote:

The only thing to do is to make him an admin of that site, or better yet make that site a child domain and make him a domain admin of that child domain. I know from experience that using a DC as anything but a DC is a freakin pain in the ass, my predecessor set a DC up as a print/file server and another as a SQL server (finally able to demote that one now, soon hopefully). But my citrix profiles are on the domain controller, and after months of trying to set delegation up properly in AD and setting up permissions in the appropriate folders on the DC, the only way I was able to get my Helpdesk admin set up to create accounts with my scripts so that I didn't have to do it was to make him a domain admin. My company is too damn cheap to get me another server to put the citrix profiles somewhere else. Oh yeah, and it's an app server for network install of office (can you feel my pain).
 
So, if there is only one server in the site and it's a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree)
 
Gideon Ashcraft
Network Admin
Screen Actors Guild

Subject: RE: [ActiveDir] Domain Controller Security 
Look through the archives.
 
The short answer is... "Just don't do it". You can't possibly secure this regardless of what anyone says. If someone says it can be made safe, stop asking them technical questions about Domain Controllers and Active Directory.

 
Either you trust the person or you don't. If you don't trust the person, then don't put the person in a position to show you the meaning of screwed.

 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Security 

I have a contractor in a remote site. There is only 1 server in that site which is a DC.
 
He needs to administer that server. 
-Create shares
-Make file/share permissions
-Change user passwords in the User OU for that site.
 
He is not allowed to log on to any other server in the domain.
 
When I make him a "Server Operator" he can logon to any server in the domain.
 
Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users.

 
Thanks!
Fred
 
 


RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread Bernard, Aric

Allow me to logon to any DC in any domain and I will own your entire Forest.

Allow me access to the console of any DC in any domain (assuming I can use a
USB port or floppy drive) even without an account that allows me to logon
locally and I will own your entire Forest.

The point, as Joe so eloquently phrased it, is "Just don't do it!"  The forest
is the security boundary, and if someone can compromise a single DC regardless
of domain they can own your forest.

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gideon Ashcraft
Sent: Thursday, September 22, 2005 8:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

The only thing to do is to make him an admin of that site, or better
yet make that site a child domain and make him a domain admin of that child
domain. I know from experience that using a DC as anything but a DC is a
freakin pain in the ass, my predecessor set a DC up as a print/file server and
another as a SQL server (finally able to demote that one now, soon hopefully).
But my citrix profiles are on the domain controller, and after months of trying
to set delegation up properly in AD and setting up permissions in the
appropriate folders on the DC, the only way I was able to get my Helpdesk admin
set up to create accounts with my scripts so that I didn't have to do it was to
make him a domain admin. My company is too damn cheap to get me another server
to put the citrix profiles somewhere else. Oh yeah, and it's an app server for
network install of office (can you feel my pain).

So, if there is only one server in the site and it's a DC, the only
way to get him to do anything is to make him a domain admin (make it a child
domain so he can't climb up the tree)

Gideon Ashcraft
Network Admin
Screen Actors Guild

Subject: RE: [ActiveDir] Domain Controller Security

Look through the archives.

The short answer is... "Just don't do it". You can't possibly secure this
regardless of what anyone says. If someone says it can be made safe, stop
asking them technical questions about Domain Controllers and Active Directory.

Either you trust the person or you don't. If you don't trust the person, then
don't put the person in a position to show you the meaning of screwed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Security

I have a contractor in a remote site. There is only 1 server in that site
which is a DC.

He needs to administer that server.
-Create shares
-Make file/share permissions
-Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain.

When I make him a "Server Operator" he can logon to any server in the domain.

Any idea on how to lock him down to that one server and then how to lock him
down on that one OU where he should only be allowed to change the passwords of
the users.

Thanks!
Fred




[ActiveDir] LDAP search limitations

2005-09-22 Thread neil.ruston
Apologies for asking this question, since it's been posed before (?), but can 
anyone offer me a brief description of why AD only returns (by default) 1024 
entries when an LDAP search is performed? Is it a question of performance? Why 
is the searcher not offered all records that meet the search criteria?

Questions have arisen as to why MS implemented a limit since (apparently), 
other LDAP implementations do not enforce these limits.

thanks,
neil





---
Neil Ruston
Nomura International Plc
Tel: 020 7521 3481
[EMAIL PROTECTED]






RE: [ActiveDir] OT: SAN Assessment

2005-09-22 Thread Bernard, Aric
Lawana provides some really great advice here.  I found the URL for a
document that covers a lot of the points spoken of in the message above.
Even though it does include references to specific hardware platforms
(as examples) it contains a lot of really good information that may be
of value to you.

The document is "free" but you do need to have an "HP Passport" to get
at it (you can get this quickly and easily when attempting to access the
URL).

http://h71019.www7.hp.com/activeanswers/Secure/111015-0-0-0-121.html



Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lawana Gibson
Sent: Thursday, September 22, 2005 7:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SAN Assessment

Good mornin',
We have a SAN environment within our library.  We're running a FC4500
with 1.2 TB of disk space.  I have seven servers connected to the SAN
and a PowerVault 136T Tape Library.  We had Dell (we're a Dell shop)
come in and assess our environment; we made the decision on how much
disk space we needed, etc.  So basically they took our specifications
and produced a system (hardware, mgmt software, HBA).  We had them
install a "turn key" system so all we had to do was start moving data
over to the disks (or LUNS).  BUT... you have to be very careful and
make sure they are giving you the most current equipment; they are not
selling you mgmt software that will not work with your server
environment... basically make sure they know your network.  Make sure
your sales/technical accountant is aware of when your equipment comes
in, who they sent to install the equipment, etc.  Have them/make them
document everything!  I have horror stories related to our SAN
installation, but once I finally complained loud enough (and we
threatened not to pay them) they sent someone out to reconfigure our
system.  We are now in the phase of upgrading our SAN environment...as a
matter of fact I'm meeting with them next week.  If I had one thing to
warn you or suggest...make sure YOU are aware of what you're getting as
far as software, HBAs and drivers, SAN management software, etc.
Because if you don't know, you could be stuck with a monster on your
hands.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Wednesday, September 21, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SAN Assessment

Hi,

We're in the process of planning to migrate from Notes to Exchange and one
of the dependencies of this migration is a SAN environment.

Has anyone utilized the services of any independent consulting bodies to
carry out a SAN assessment. Essentially, helping in the process of
determining requirements and laying out a path to successful deployment
with considerations for high availability, scalability and future
considerations.

Thanks,




RE: [ActiveDir] disabling users

2005-09-22 Thread joe

Or simply pipe the SAM names into the command

net user samaccountname /domain /comment:"Inactive...Do Not Migrate"

___perl command___

perl -e "foreach (<>) { chomp; print `net user $_ /domain /comment:\\\"Inactive...Do Not Migrate\\\"`; }" samaccountname.txt



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, September 22, 2005 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users

Try this:
 
REM batch file for changing description of user account based on samaccount name input from a file
 
for /f %%i in (samaccountname.txt) do dsquery user -samid %%i | dsmod user -desc "Inactive...Do Not Migrate!"
 
exit
 
HTH,
Mike Thommes
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, September 22, 2005 4:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users
 

I never said dn's.

 

the names are all sAMAccountNames in a csv 
file.

The consultants from ibm here ran some Quest tools to determine which accounts
were inactive and ran that list by HR to double check.

They can't script either (in fact one guy kept arguing with me that machines
change their passwords every 7 days in win2k NOT 30 days and wouldn't listen to
me. This is like week 7 of our "migration").

Anyway, now they just want to fill in the description attrib of the accounts in
AD with something like "inactive. Don't Migrate" so they could filter by that
in Quest instead of disabling the accounts.

 

so ,to get me started in my perl route, how 
would one go about doing that in perl?

 

Thanks again.

you guys help me out way too 
much.

 

sorry... 

On 9/22/05, Roger Seielstad <[EMAIL PROTECTED]> wrote: 
Honestly, I'd avoid perl like the plague. It's about the least readable
language on the planet - especially if you haven't touched a script for a few
months.

As was already suggested, python is a pretty good cross platform option.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 21, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users 


you don't think one can get by in IT with just one lang?

can't you do everything in perl that you can do in VBScript and then some?

I'm sure you can get by on windows with just perl.

i'm in a multi platform environment and frankly i just don't have the time to
learn both VBScript and perl.

i would end up just knowing both a little and badly.

my brain can't keep jumping from one to the other and in scripting, if you
don't use one lang for a while, you forget it.

in which case i'd just end up bugging you guys on this list again for examples.

i'd like to get to the point where i can do it myself and trying to learn both
will never work for me.

i have a hard enough time keeping as much as i can about windows and AD and
exchange and some linux stuff in my head.

2 scripting langs will make my head explode. i'll never remember them at all.

i just need to learn one and devote myself to learning it well instead of
being a scripting jack of all trades and master of none.

as to perl books, then where can one learn COM on perl? 

thanks a lot guys! 

On 9/21/05, Brian Desmond <[EMAIL PROTECTED]> wrote: 
Joe Richards might know some Win32 Perl resources.

VBScript isn't that hard, really. If you know the COM & ADSI stuff for Perl as
far as methods, names, etc, its just a different syntax for using it. VBScript
you have the advantage of the technet scriptcenter which has examples complete
enough to copy and paste together and run.

I'm not a CS major either, I don't even have any formal training in this
field. The only things I've been taught in a classroom are how to read, write,
and do some math. Everything I know I learnt going to work every day and doing
new things, asking questions here and there around this list and other places.
I realized I needed to learn VBScript and so I started tackling projects with
VBScripts, and with a bit of work I got to be pretty good at it. I still need
a copy of the platform sdk on my other monitor to remember methods, parameters,
etc, but I know the syntax. That said, if I'm feeling lazy I still go and piece
things together with scriptcenter snippets.

My point here is that it would probably be long term beneficial to you to at
least be able to do simple things in VBScript like read a file, run an external
command, etc. As I said in my first message, if you post what you have, I'll
try and edit it as an example for you.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, September 21, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users

I only have tim

Re: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-22 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Difficulty?

What difficulty?  [please feel free to take this offline] the only difficult issues we have in SBSland are cleaning up the messes from folks that don't follow the wizards

[EMAIL PROTECTED] wrote:

Thanks!  This must be SBS Week.  Was at a user's group meeting last night and the topic came up again. (Main topic was R2)  Sounds like Microsoft is getting the message about the difficulty of working with SBS.

Al Maurer 
Service Manager, Naming and Authentication Services 
IT | Information Technology 
Agilent Technologies 
(719) 590-2639; Telnet 590-2639 
http://activedirectory.it.agilent.com 
-- 
"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius Caesar III i. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, September 20, 2005 1:57 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)

Transition pack or www.sbsmigration.com

Transition pack is the best way however lets you keep the Remote web workplace and monitoring email even after you break away from SBSland.

[EMAIL PROTECTED] wrote:

OK, since the topic came up:  I'm trying to figure out how to migrate off SBS2003.

Scenario is a recent acquisition where we want to migrate from company SBS to corporate AD (standard 2003 domain).  Trusts are out.  Hack is both dangerous and illegal.

MS offers a Transition Pack (for a cost) to upgrade the SBS2003 to normal AD.  Is there any other way?  LDIF export?

Thanks, 
AL

Al Maurer 
Service Manager, Naming and Authentication Services 
IT | Information Technology 
Agilent Technologies 
(719) 590-2639; Telnet 590-2639 
http://activedirectory.it.agilent.com 
-- 
"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius Caesar III i. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, September 14, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS Server Question

Nope.  No trusts, no forests.  We're the spoiled only PDC that must hold all the FSMO roles.  We can do some funky stuff with pass through authentication, but no trusts.

US versus THEM:
http://www.sbslinks.com/Us_v_them.htm

In SBS 2000/2003 the 'correct' terminology is Yes, an 'additional domain controller' is supported and not calling it a BDC. 

Member servers are covered by the SBS cals but last I read in the PUR the additional DC would need server cals.  [that's my interpretation anyway but I get a headache reading that doc in the first place]

Honestly ...keep in mind that with XPs, they will use cached credentials and you can log into that profile even if the network is down.  Now comes the fun... who's doing the DHCP? The recommended way is to have the SBS box do that...so you still have fun.  If the SBS box goes down, I normally have ways around the temporary failure [and even then I can count on one hand the times my network has been affected: power mostly, then NICs, then switches, and one hard drive falling off a RAID].  Get good equipment [and honestly either reinstall those OEMs and stay away from those preinstalled versions] and we do just fine.

Medeiros, Jose wrote:

Hi Susan, 

Since we have an SBS MVP on the Active Dir list, let me ask a question.

Can I now make an SBS 2003 server a child domain in an AD 2003 forest? 

Before you ask why, some one asked me this recently at a Linux users group meeting, as his company has several remote offices using SBS 2003.

Also on SBS 4.5, one could have a BDC as a backup, can this also be done with a DC or are you " Sh.T out of luck " when a box fails? 

Jose

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] OT: SAN Assessment

2005-09-22 Thread Al Mulnick



LOL.  I'm laughing because a company I used to get paid by thought that's how long it would take as well (I spec'd the project, and budgeted 7 weeks of lab for the environment and was being overly aggressive for that; another story.)  How long was the actual? Don't know because of the politics surrounding the implementation, the engineering was influenced by outside entities that munged it all up and it's still not quite done.  At one point I offered to host 4K user density Exchange clusters on iPaq devices clustered with a bluetooth piconet.  Shame they didn't take me up on that ;)  

I can say that a general principle for Exchange sizing is to focus on attaining the desired performance level first and the space second.  Exchange is highly disk dependent for performance especially as you scale up in db size and user density.

As for sizing, you also generally want to work with restoration times (restoration of data, service, etc) and work backwards to derive the density that you need to achieve and then play that back to the disk subsystem and layout.  Exchange is spindle hungry for most SAN implementations, very similar to other two-phase commit database applications.  There are some nuances to be aware of, but basically the same concept applies. 

Lawana is absolutely correct in how to get the proper configuration and how important it is.  Some SAN vendors I've dealt with include that evaluation and supported configuration service in the maintenance.  Something to check on. I have ALWAYS gone back to the SAN vendor to get the thumbs up on the configuration prior to even testing.  Saves a lot of time that way. 

My 0.035 anyway. 

ajm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 11:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: SAN Assessment

As someone else mentioned, when sizing a SAN for Exchange you are more concerned about performance than the size of the storage. That means that although you need to make sure you have enough disk space, more important is ensuring that the number of disks you get will meet the performance needs of your Exchange solution. 

To get that performance number can be fairly involved and deals with getting performance data from your existing Exchange installation (if you have one), or doing some calculations based on assumptions if you don't have Exchange. Anyone who is experienced with sizing Exchange solutions on a SAN will have the knowledge to help you out with those assumptions. It will likely also involve doing validation of the performance you expect to get from the SAN once it is in place. This is important because you may find ways to improve performance even more by tweaking some configuration on the server or SAN, but more importantly you may find performance bottlenecks that you can fix prior to going to production. 

Depending on the size of your Exchange environment and how complex it is that performance testing could go on for 4-6 weeks. Longer if it is an incredibly complex environment (Geo-clusters etc.)

Phil 

On 9/22/05, Lawana Gibson <[EMAIL PROTECTED]> wrote: 

Good mornin',

We have a SAN environment within our library.  We're running a FC4500 with 1.2 TB of disk space.  I have seven servers connected to the SAN and a PowerVault 136T Tape Library.  We had Dell (we're a Dell shop) come in and assess our environment; we made the decision on how much disk space we needed, etc.  So basically they took our specifications and produced a system (hardware, mgmt software, HBA).  We had them install a "turn key" system so all we had to do was start moving data over to the disks (or LUNS).  BUT you have to be very careful and make sure they are giving you the most current equipment; they are not selling you mgmt software that will not work with your server environment; basically make sure they know your network.  Make sure your sales/technical accountant is aware of when your equipment comes in, who they sent to install the equipment, etc.  Have them/make them document everything!  I have horror stories related to our SAN installation, but once I finally complained loud enough (and we threatened not to pay them) they sent someone out to reconfigure our system.  We are now in the phase of upgrading our SAN environment...as a matter of fact I'm meeting with them next week.  If I had one thing to warn you or suggest...make sure YOU are aware of what you're getting as far as software, HBAs and drivers, SAN management software, etc. Because if you don't know, you could be stuck with a monster on your hands.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Devan Pala
Sent: Wednesday, September 21, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SAN Assessment

Hi,

We're in the process of planning t

RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread Gideon Ashcraft


The only thing to do is to make him an admin of that site, or better yet make that site a child domain and make him a domain admin of that child domain. I know from experience that using a DC as anything but a DC is a freakin pain in the ass, my predecessor set a DC up as a print/file server and another as a SQL server (finally able to demote that one now, soon hopefully). But my citrix profiles are on the domain controller, and after months of trying to set delegation up properly in AD and setting up permissions in the appropriate folders on the DC, the only way I was able to get my Helpdesk admin set up to create accounts with my scripts so that I didn't have to do it was to make him a domain admin. My company is too damn cheap to get me another server to put the citrix profiles somewhere else. Oh yeah, and it's an app server for network install of office (can you feel my pain).

So, if there is only one server in the site and it's a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree)

Gideon Ashcraft
Network Admin
Screen Actors Guild

[EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security 

Look through the archives.

The short answer is... "Just don't do it". You can't possibly secure this regardless of what anyone says. If someone says it can be made safe, stop asking them technical questions about Domain Controllers and Active Directory.

Either you trust the person or you don't. If you don't trust the person, then don't put the person in a position to show you the meaning of screwed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Security

I have a contractor in a remote site. There is only 1 server in that site which is a DC.

He needs to administer that server. 
-Create shares
-Make file/share permissions
-Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain.

When I make him a "Server Operator" he can logon to any server in the domain.

Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users.

Thanks!
Fred
 


RE: [ActiveDir] Cannot modify a distribution list

2005-09-22 Thread Coleman, Hunter



"If you mean ownership as in setting an owner from the 
Exchange tab or the managed by tab, neither allows you to modify the 
membership."
 
Setting an account in 
the Managed By tab and checking the box "Manager can update membership list" 
will allow the account to modify the list members. All the checkbox is doing is 
setting an Allow Write Members ACE. The account *won't* be able to modify other 
attributes of the list, such as the description, based strictly on the Managed 
By information.
 
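An added check, not from Hunter's post or the list, that shows what that checkbox actually produced: it reads the group's DACL and lists every ACE granting WriteProperty on the member attribute (or on all properties), and flags whether the managedBy account is among the trustees. It assumes the RSAT ActiveDirectory module, which supplies the AD: drive that Get-Acl reads; the group name at the bottom is a placeholder.

```powershell
# Added example, not from the list thread. Assumes the RSAT ActiveDirectory module
# (it provides the AD: PSDrive that Get-Acl reads). The group name is a placeholder.
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute. An ACE whose ObjectType is this GUID is a
# property-specific right: it is exactly what the "Manager can update membership
# list" checkbox writes (Allow WriteProperty on member) and nothing more.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-GroupMembershipWriters {
    param([Parameter(Mandatory)] [string] $Identity)

    $group = Get-ADGroup -Identity $Identity -Properties managedBy
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

    # Resolve the manager to a SID so it can be compared with ACE trustees.
    $managerSid = $null
    if ($group.managedBy) {
        $managerSid = (Get-ADObject -Identity $group.managedBy -Properties objectSid).objectSid
    }

    $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    foreach ($ace in $acl.Access) {
        # WriteProperty itself, or a generic right that contains it (GenericWrite, GenericAll).
        if (($ace.ActiveDirectoryRights -band $writeProperty) -eq 0) { continue }

        # Empty ObjectType means "all properties"; otherwise only the member attribute counts.
        if ($ace.ObjectType -eq [guid]::Empty) { $scope = 'AllProperties' }
        elseif ($ace.ObjectType -eq $MemberAttributeGuid) { $scope = 'MemberOnly' }
        else { continue }

        $sid = $null
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { }

        [pscustomobject]@{
            Group     = $group.Name
            Trustee   = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType   # a Deny here overrides the checkbox's Allow
            Scope     = $scope
            Inherited = $ace.IsInherited
            IsManager = ($null -ne $managerSid -and $sid -eq $managerSid)
        }
    }
}

# Direct trustees only: a manager who holds the right through group nesting shows
# up under that group's name rather than with IsManager set.
Get-GroupMembershipWriters -Identity 'testgrp1' | Format-Table -AutoSize
```

Run it before and after ticking the checkbox and the only difference should be one non-inherited Allow entry with Scope MemberOnly; anything with Scope AllProperties is a broader delegation than the checkbox grants.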


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 22, 2005 8:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot modify a distribution list

If you mean ownership as in setting an owner from the 
Exchange tab or the managed by tab, neither allows you to modify the membership. 
You need to grant the person the ability to update the membership list. Now if 
you have an older version of ADUC, you won't see that checkbox under the managed 
by tab. 
 
If you have set this, and you have a multidomain forest, 
and the group is mail enabled, and the person is trying to manage through 
outlook, you probably have another issue which I don't have time to go into here 
but in that situation, don't use outlook to manage the membership. Outlook is a 
tool to read mail, not manage group membership. I don't use ADUC to check my 
calendar, so I don't have a problem avoiding using Outlook to manage 
groups.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, September 22, 2005 3:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cannot modify a distribution list

Hi Gurus,

I have created a Distribution list which is owned by a particular user. Now I log in as that user and try to modify the distribution list, say setting the description attribute, but am getting the error:

***Call Modify...
ldap_modify_s(ld, 'CN=testgrp1,OU=Exchange Test,OU=CV,OU=Views,OU=Mayuresh,DC=meta,DC=test',[1] attrs);
Error: Modify: Insufficient Rights. <50>

If I bind as the administrator, then I can modify the distribution list. Any pointers as to why this is happening?

Regards,
Mayuresh.


RE: [ActiveDir] disabling users

2005-09-22 Thread Lou Vega

“Any programmer can write code that a computer can understand.  Professionals write code that other programmers can understand.”

(From MSDN Code Camp Speaker Les Smith’s presentation on Refactoring code)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 22, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users

Any language can be done in a write once, read never format. Readability is a function of the person writing the code, the language can only help you accomplish what you are trying to do and are capable of. If I saw code that was tough to read, in any language, I stick the blame firmly with the person who wrote it, where it belongs. I have run into situations where I have seen thousands of lines of VBScript that I simply threw away because the logic couldn't be followed due to how the script was written, generally I replaced it with hundreds of lines of clearly written perl that anyone could read. If you write perl well, it can be nearly self documenting. But that isn't enough, you still comment the code to explain intent and what the purpose of different things is.

If I had to argue for a least readable language, I would argue for cmd batch, but again, it is about the person writing the code, not the language the code is written in. I have even seen ASM that was written so cleanly and well with comments that anyone could follow it.

I think the problem a lot of people have with perl is its flexibility. TIMTOWTDI. It is the core design of the language, a loop can be done in many different ways instead of 1 or 2 ways that someone may be used to seeing. For some people, giving flexibility to them is like giving them a longer and longer rope to hang themselves. 

As I once read in one of the books or heard from a friend or something... Perl is like playing the guitar, you can usually do something pretty quickly, but the really cool stuff will take practice. But on the positive side, it is possible to do the really cool stuff and usually in a way that makes you feel good.

I just had a bit of a conversation with one of the Exchange Dev folks who was saying that with Monad, if I want to get some piece of info about a mailbox from an Exchange 12 server I have to return all of the info from the server and then filter out what I don't want to use. The reason given was that is the Monad way... I visualize that like trying to output whenChanged of an object and having to pull all attributes of the object to do so. There is a tremendous hit to efficiency if that is the way it is done. The big thing that scared me though was the comment... that is the Monad way... What is the way? To assume you have unlimited bandwidth and time so you can be fat and inefficient?

  joe[1]

[1] Slowly emerging from being way too submerged in work and other things... 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, September 22, 2005 2:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users

Honestly, I'd avoid perl like the plague. It's about the least readable language on the planet - especially if you haven't touched a script for a few months.

As was already suggested, python is a pretty good cross platform option. 

Roger Seielstad
E-mail Geek 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 21, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users

you don't think one can get by in IT with just one lang?

can't you do everything in perl that you can do in VBScript and then some?

I'm sure you can get by on windows with just perl.

i'm in a multi platform environment and frankly i just don't have the time to learn both VBScript and perl.

i would end up just knowing both a little and badly.

my brain can't keep jumping from one to the other and in scripting, if you don't use one lang for a while, you forget it.

in which case i'd just end up bugging you guys on this list again for examples.

i'd like to get to the point where i can do it myself and trying to learn both will never work for me.

i have a hard enough time keeping as much as i can about windows and AD and exchange and some linux stuff in my head.

2 scripting langs will make my head explode. i'll never remember them at all.

i just need to learn one and devote myself to learning it well instead of being a scripting jack of all trades and master of none.

as to perl books, then where can one learn COM on perl? 

thanks a lot guys!

On 9/21/05, Brian Desmond <[EMAIL PROTECTED]> wrote: 

Joe Richards might know some Win32 Perl resources.

VBScript isn't that hard, really. If you know the COM & ADSI stuff for Perl

as far as m

RE: [ActiveDir] disabling users

2005-09-22 Thread Thommes, Michael M.

Try this:

REM batch file for changing description of user account based on samaccount name input from a file
REM samaccountname.txt holds one sAMAccountName per line; dsquery prints the matching DN and dsmod reads it from stdin

for /f %%i in (samaccountname.txt) do dsquery user -samid %%i | dsmod user -desc "Inactive...Do Not Migrate!"

exit

HTH,

Mike Thommes

 
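The same job in PowerShell, as an added example that is not part of Mike's post: it mirrors the dsquery/dsmod pipeline but refuses to touch an account unless the sAMAccountName resolves to exactly one object, records the old description, and honours -WhatIf, none of which the batch pipeline does (dsquery -samid matches wildcards and a name with no match is silently skipped). It assumes the RSAT ActiveDirectory module and a CSV with a sAMAccountName header column; the file paths are placeholders.

```powershell
# Added example, not Mike Thommes's code. Assumes the RSAT ActiveDirectory module
# and a CSV whose header names the column 'sAMAccountName' (hypothetical layout).
Import-Module ActiveDirectory

# RFC 4515 escaping for a value embedded in an LDAP filter. sAMAccountName may
# legally contain '(' and ')', so this is not just paranoia. Backslash goes first
# so the escapes added afterwards are not re-escaped.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)] [string] $Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Set-InactiveDescription {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [string] $Description = 'Inactive...Do Not Migrate!',
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )

    # The list came from a third party's tool; normalise it before trusting it.
    $names = Import-Csv -Path $CsvPath |
        ForEach-Object { if ($_.sAMAccountName) { $_.sAMAccountName.Trim() } } |
        Where-Object { $_ } |
        Sort-Object -Unique

    foreach ($sam in $names) {
        # Exact equality filter: a stray '*' in the input file would otherwise
        # match (and stamp) every account whose name fits the pattern.
        $filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $sam))"
        $found  = @(Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties Description)

        $record = [pscustomobject]@{
            sAMAccountName    = $sam
            DistinguishedName = $null
            OldDescription    = $null
            Status            = $null
        }

        if ($found.Count -eq 0) {
            $record.Status = 'NotFound'        # the batch pipeline would silently do nothing here
        }
        elseif ($found.Count -gt 1) {
            # Cannot happen inside one domain (sAMAccountName is unique there); guards
            # a SearchBase that spans more than that. Never modify on an ambiguous match.
            $record.Status = 'Ambiguous'
            $record.DistinguishedName = ($found | ForEach-Object DistinguishedName) -join '; '
        }
        else {
            $user = $found[0]
            $record.DistinguishedName = $user.DistinguishedName
            $record.OldDescription    = $user.Description   # dsmod -desc overwrites; keep the old value
            if ($user.Description -eq $Description) {
                $record.Status = 'AlreadySet'
            }
            elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set description to '$Description'")) {
                Set-ADUser -Identity $user.DistinguishedName -Description $Description
                $record.Status = 'Updated'
            }
            else {
                $record.Status = 'Skipped'     # -WhatIf, or 'No' at a -Confirm prompt
            }
        }
        $record
    }
}

# Placeholder paths. Dry run first, then the real run, keeping the output as the change record.
Set-InactiveDescription -CsvPath 'C:\temp\inactive.csv' -WhatIf
Set-InactiveDescription -CsvPath 'C:\temp\inactive.csv' |
    Export-Csv -Path 'C:\temp\inactive-result.csv' -NoTypeInformation
```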

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, September 22, 2005 4:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users

I never said dn's.

the names are all sAMAccountNames in a csv file.

The consultants from ibm here ran some Quest tools to determine which accounts were inactive and ran that list by HR to double check.

They can't script either (in fact one guy kept arguing with me that machines change their passwords every 7 days in win2k NOT 30 days and wouldn't listen to me. This is like week 7 of our "migration").

Anyway, now they just want to fill in the description attrib of the accounts in AD with something like "inactive. Don't Migrate" so they could filter by that in Quest instead of disabling the accounts.

so, to get me started in my perl route, how would one go about doing that in perl?

Thanks again.

you guys help me out way too much.

sorry...

On 9/22/05, Roger Seielstad <[EMAIL PROTECTED]> wrote:

Honestly, I'd avoid perl like the plague. It's about the least readable language on the planet - especially if you haven't touched a script for a few months. 

As was already suggested, python is a pretty good cross platform option. 

Roger Seielstad
E-mail Geek 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 21, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users

you don't think one can get by in IT with just one lang?

can't you do everything in perl that you can do in VBScript and then some?

I'm sure you can get by on windows with just perl.

i'm in a multi platform environment and frankly i just don't have the time to learn both VBScript and perl.

i would end up just knowing both a little and badly.

my brain can't keep jumping from one to the other and in scripting, if you don't use one lang for a while, you forget it.

in which case i'd just end up bugging you guys on this list again for examples.

i'd like to get to the point where i can do it myself and trying to learn both will never work for me.

i have a hard enough time keeping as much as i can about windows and AD and exchange and some linux stuff in my head.

2 scripting langs will make my head explode. i'll never remember them at all.

i just need to learn one and devote myself to learning it well instead of being a scripting jack of all trades and master of none.

as to perl books, then where can one learn COM on perl?

thanks a lot guys!

On 9/21/05, Brian Desmond <[EMAIL PROTECTED]> wrote: 

Joe Richards might know some Win32 Perl resources.

VBScript isn't that hard, really. If you know the COM & ADSI stuff for Perl as far as methods, names, etc, it's just a different syntax for using it. With VBScript you have the advantage of the technet scriptcenter which has examples complete enough to copy and paste together and run.

I'm not a CS major either, I don't even have any formal training in this field. The only things I've been taught in a classroom are how to read, write, and do some math. Everything I know I learnt going to work everyday and doing new things, asking questions here and there around this list and other places. I realized I needed to learn VBScript and so I started tackling projects with VBScripts, and with a bit of work I got to be pretty good at it. I still need a copy of the platform sdk on my other monitor to remember methods, parameters, etc, but I know the syntax. That said, if I'm feeling lazy I still go and piece things together with scriptcenter snippets.

My point here is that it would probably be long term beneficial to you to at least be able to do simple things in VBScript like read a file, run an external command, etc. As I said in my first message, if you post what you have, I'll try and edit it as an example for you.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

_

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, September 21, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users 

I only have time to learn one scripting lang.

i figured perl is the better way to go as i have to work with linux and solaris as well.

know of any good docs,books,sites on perl and COM+ or adsi? 

something that will teach you both like the VBScript resources do?

i really think there is a market for perl and AD/win32 out there t

Re: [ActiveDir] Domain Controller Security

2005-09-22 Thread Phil Renouf
I remember a conversation about creating OU's under the Domain Controllers OU and how MSFT didn't recommend it, or didn't support it or something. joe?

That aside, you can't give local logon to a DC, there are no local accounts on a DC only domain accounts. That means that if he can log on to that DC he has enough rights to do some bad things (which has already been covered in this thread so I won't bother getting into it again).

As joe just said: don't do this.

Phil 

On 9/22/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

You might consider a lower level OU under the Domain Controllers OU with a different GPO that grants him local logon to just that DC. 

Thank You ! And have a nice day !
**
Mark Lunsford
KAISER PERMANENTE
Security Operations
Remedy Group: NOPS SECURITY EDOS SYS
Direct Manager: Bud Furrow
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-4077
**

"Gil Kirkpatrick" <[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED] 
09/21/2005 05:03 PM 

Please respond to ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Domain Controller Security

Yes, untrusted admin + DC logon access = no more security.

If you're trying to lock him down, then you can't give him access to the DC. Can you give him a member server for the file shares and just delegate the password administration on the OU?

-g

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ASB
Sent: Wednesday, September 21, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

That sounds dangerous.

If you give him access to that server, particularly local logon access, you might as well just put him in the Enterprise Admin group and save both of you a few moments of work.

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 9/20/05, van Donk, Fred <[EMAIL PROTECTED]> wrote:
> I have a contractor in a remote site. There is only 1 server in that site
> which is a DC.
>
> He needs to administer that server.
> -Create shares
> -Make file/share permissions
> -Change user passwords in the User OU for that site.
>
> He is not allowed to log on to any other server in the domain.
>
> When I make him a "Server Operator" he can logon to any server in the
> domain.
>
> Any idea on how to lock him down to that one server and then how to lock him
> down on that one OU where he should only be allowed to change the
> passwords of the users.
>
> Thanks!
> Fred


RE: [ActiveDir] SBS migration (was SBS Server Question)

2005-09-22 Thread al_maurer
Thanks!  This must be SBS Week.  Was at a user's group meeting last night and 
the topic came up again. (Main topic was R2)  Sounds like Microsoft is getting 
the message about the difficulty of working with SBS.

Al Maurer 
Service Manager, Naming and Authentication Services 
IT | Information Technology 
Agilent Technologies 
(719) 590-2639; Telnet 590-2639 
http://activedirectory.it.agilent.com 
-- 
"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius Caesar III i. 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, September 20, 2005 1:57 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SBS migration (was SBS Server Question)

Transition pack or www.sbsmigration.com

Transition pack is the best way however lets you keep the Remote web 
workplace and monitoring email even after you break away from SBSland.

[EMAIL PROTECTED] wrote:

>OK, since the topic came up:  I'm trying to figure out how to migrate off 
>SBS2003.
>
>Scenario is a recent acquisition where we want to migrate from company SBS to 
>corporate AD (standard 2003 domain).  Trusts are out.  Hack is both dangerous 
>and illegal.
>
>MS offers a Transition Pack (for a cost) to upgrade the SBS2003 to normal AD.  
>Is there any other way?  LDIF export?
>
>Thanks, 
>AL
>
>Al Maurer 
>Service Manager, Naming and Authentication Services 
>IT | Information Technology 
>Agilent Technologies 
>(719) 590-2639; Telnet 590-2639 
>http://activedirectory.it.agilent.com 
>-- 
>"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius Caesar III 
>i. 
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Wednesday, September 14, 2005 12:06 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] SBS Server Question
>
>Nope.  No trusts, no forests.  We're the spoiled only PDC that must hold 
>all the FSMO roles.  We can do some funky stuff with pass through 
>authentication, but no trusts.
>
>US versus THEM:
>http://www.sbslinks.com/Us_v_them.htm
>
>In SBS 2000/2003 the 'correct' terminology is Yes, an 'additional domain 
>controller' is supported and not calling it a BDC. 
>
>Member servers are covered by the SBS cals but last I read in the PUR 
>the additional DC would need server cals.  [that's my interpretation 
>anyway but I get a headache reading that doc in the first place]
>
>Honestly ...keep in mind that with XPs, they will use cached 
>credentials and you can log into that profile even if the network is 
>down.  Now comes the fun... who's doing the DHCP? The recommended way is 
>to have the SBS box do that...so you still have fun.  If the SBS box 
>goes down, I normally have ways around the temporary failure [and even 
>then I can count on one hand the times my network has been affected: 
>power mostly, then NICs, then switches, and one hard drive falling off a 
>RAID].  Get good equipment [and honestly either reinstall those OEMs and 
>stay away from those preinstalled versions] and we do just fine.
>
>
>
>Medeiros, Jose wrote:
>
>  
>
>>Hi Susan, 
>>
>>Since we have an SBS MVP on the Active Dir list, let me ask a question.
>>
>>Can I now make an SBS 2003 server a child domain in an AD 2003 forest? 
>>
>>Before you ask why, some one asked me this recently at a Linux users group 
>>meeting, as his company has several remote offices using SBS 2003.
>>
>>Also on SBS 4.5, one could have a BDC as a backup, can this also be done with 
>>a DC or are you " Sh.T out of luck " when a box fails? 
>>
>>Jose
>>
>>
>>
>> 
>>
>>
>>
>
>  
>

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Carlos Magalhaes
Yes agreed, however I have changed the Identity for the SPS AppPool to a service account that I have created and registered SPNs for; it doesn't seem to be accessing ISA with those credentials though. I keep seeing an HTTP request coming through with Anonymous as the user.

C



From: [EMAIL PROTECTED] on behalf of Roger Seielstad
Sent: Thu 9/22/2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation


By default, the IIS app pool and (I believe) sharepoint both run under Network 
Service. Therefore, when Sharepoint makes the request outbound, it will be 
making it within the context of the NetworkService account, which means it's 
going to present the server's domain credentials.
 


Roger Seielstad
E-mail Geek 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Wednesday, September 21, 2005 11:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation



Could I ask why he'd need to do that?

 

Cheers

Ken

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, 22 September 2005 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

 

So have you granted domain\IISServer$ access through ISA?

 


Roger Seielstad
E-mail Geek 

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21, 2005 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Well I have some screen shots for you of AuthDiag and of wfetch, if you don't 
mind I can send it to you offline.

 

This is the weird part, if I use wfetch to connect using Anonymous as 
authentication I get the web page requested. 

 

If I specify any other auth type i.e. NTLM or Kerberos I get a ISA server page 
telling me I am not authorized to view this page.

 

With anonymous connection I get:

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

 

With a specified auth type I don't get any of that (The screen shots explain)

 

AuthDiag still only reports Test Authentication NTLM NO Kerberos.

 

I still have a copy of the old Metabase.xml to prove that it was storing the 
incorrect settings when IIS MMC was showing something else.

 

Let me know if I can ping the screen shots to you.

 

Thanks Ken, am I going to get to see you at Redmond?


C

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: 21 September 2005 03:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

 

Odd.

 

If you use WFetch (it's in the IIS6 Res Kit) or just plain telnet, and request 
a page, what WWW-Authenticate headers are coming back? You should see:

 

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

 

(basically the webserver sends back a list of the auth mechanisms it supports, 
and the browser picks the first one in the list that it supports). If you are 
only seeing the NTLM option, then something's up with IIS or Sharepoint. If you 
are seeing both, then AuthDiag is lying to you.

 

Cheers

Ken

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

 

Yeah I'm not sure about that either, at the moment IIS is REALLY ACTING WEIRD, 
KEN where are you :P - .

 

I had the Share Point website in the IIS MMC specify SPSAppPool (which was a 
App pool I created) when I checked the MetaBase.XML file ( you know I love 
looking at the guts of systems:-) ) it was still specifying DefaultAppPool (and 
I mean I had rebooted the server a few times) also DO NOT RUN: 

 

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders "Negotiate,NTLM"

Iisreset

 

I know it seems logical but I KEPT the quotations in there and what it ended up 
doing was: ""Negotiate,NTLM"" ***Note the double quotes

 

And all auth was being defaulted to Anonymous (thank heavens for a network 
sniffer :-) )

 

Even though I fixed these issues and I have made sure my Metabase.xml file is 
correct with "Negotiate,NTLM" and with the correct App Pool with the correct 
user etc,  when I run AuthDiag the only "Test Authentication" option I get is 
NTLM, the Server Settings Node though specifies "Negotiate,NTLM" for that Site. 

 

When I check my ISA server I STILL see User - Anonymous so I am a bit stumped 
at the moment !!!

 

YEAH it going to be so cool to meet up with you guys in Redmond next week 
:-)

 

C

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerber

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Carlos Magalhaes
Yup I ignored the setup :) I created a service account for the AppPool in AD 
and set the relevant SPNs for Kerberos delegation, I also enabled that AD 
account for constrained Delegation.
 
Thanks for your input Brian :)
 
C



From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Thu 9/22/2005 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation



Sharepoint will unless you ignore the recommendations in the setup wizard run 
under a service account you create for it. You can however ignore the 
recommendations to make a service account for it when you're setting up the 
site/portal app pool and it will run under network service.

 

Thanks,
Brian Desmond

[EMAIL PROTECTED]  

 

c - 312.731.3132

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, September 22, 2005 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

 

By default, the IIS app pool and (I believe) sharepoint both run under Network 
Service. Therefore, when Sharepoint makes the request outbound, it will be 
making it within the context of the NetworkService account, which means it's 
going to present the server's domain credentials.

 


Roger Seielstad
E-mail Geek 

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Wednesday, September 21, 2005 11:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Could I ask why he'd need to do that?

 

Cheers

Ken

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, 22 September 2005 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

 

So have you granted domain\IISServer$ access through ISA?

 


Roger Seielstad
E-mail Geek 

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21, 2005 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Well I have some screen shots for you of AuthDiag and of wfetch, if you don't 
mind I can send it to you offline.

 

This is the weird part, if I use wfetch to connect using Anonymous as 
authentication I get the web page requested. 

 

If I specify any other auth type i.e. NTLM or Kerberos I get a ISA server page 
telling me I am not authorized to view this page.

 

With anonymous connection I get:

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

 

With a specified auth type I don't get any of that (The screen shots explain)

 

AuthDiag still only reports Test Authentication NTLM NO Kerberos.

 

I still have a copy of the old Metabase.xml to prove that it was storing the 
incorrect settings when IIS MMC was showing something else.

 

Let me know if I can ping the screen shots to you.

 

Thanks Ken, am I going to get to see you at Redmond?


C

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: 21 September 2005 03:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

 

Odd.

 

If you use WFetch (it's in the IIS6 Res Kit) or just plain telnet, and request 
a page, what WWW-Authenticate headers are coming back? You should see:

 

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

 

(basically the webserver sends back a list of the auth mechanisms it supports, 
and the browser picks the first one in the list that it supports). If you are 
only seeing the NTLM option, then something's up with IIS or Sharepoint. If you 
are seeing both, then AuthDiag is lying to you.

 

Cheers

Ken

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

 

Yeah I'm not sure about that either, at the moment IIS is REALLY ACTING WEIRD, 
KEN where are you :P - .

 

I had the Share Point website in the IIS MMC specify SPSAppPool (which was a 
App pool I created) when I checked the MetaBase.XML file ( you know I love 
looking at the guts of systems:-) ) it was still specifying DefaultAppPool (and 
I mean I had rebooted the server a few times) also DO NOT RUN: 

 

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders "Negotiate,NTLM"

Iisreset

 

I know it seems logical but I KEPT the quotations in there and what it ended up 
doing was: ""Negotiate,NTLM"" ***Note the double quotes

 

And all auth was being defaulted to Anonymous (thank heavens for a network 
sniffer :-) )

 

Even though I fixed these issues and I have made sure my Metabase.xml file is 
correct with "Negotiate,NTLM" and with the correct App Pool w
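The header check Ken describes in the quoted exchange above, together with the adsutil.vbs quoting mishap Carlos ran into, as an added Python example that is not code from this thread or from Microsoft. It parses the WWW-Authenticate challenges out of a raw 401 response (the two samples are constructed to look like WFetch or telnet output, one healthy and one showing the NTLM-only symptom) and sanity-checks an NTAuthenticationProviders value before it is written to the metabase. The fetch_challenge helper, its host and path arguments, and the sample responses are assumptions.

```python
import http.client
import re

# Constructed sample of an IIS 6 challenge as WFetch or telnet would show it,
# with both Negotiate (Kerberos via SPNEGO, NTLM fallback) and raw NTLM offered.
SAMPLE_401_BOTH = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed sample of the symptom from the thread: NTLM only, so a browser
# never asks the KDC for a service ticket and Kerberos delegation cannot work.
SAMPLE_401_NTLM_ONLY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "\r\n"
)


def parse_www_authenticate(raw_response):
    """Return the auth schemes offered in a raw HTTP response, in server order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            # The first token is the scheme; the initial challenge carries no token.
            schemes.append(value.strip().split()[0])
    return schemes


def diagnose(schemes):
    """Classify a challenge the way the thread does: 'ok' when Negotiate is
    offered, 'ntlm-only' when only NTLM is, 'none' when nothing is offered."""
    lowered = [s.lower() for s in schemes]
    if "negotiate" in lowered:
        return "ok"
    if "ntlm" in lowered:
        return "ntlm-only"
    return "none"


def fetch_challenge(host, path="/", port=80):
    """Send an unauthenticated GET (what WFetch does) and return the schemes.
    Assumption: plain HTTP to the web server; not used by the offline checks."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        # getheaders() keeps duplicate headers separate; getheader() would join them.
        return [v.strip().split()[0] for n, v in resp.getheaders()
                if n.lower() == "www-authenticate"]
    finally:
        conn.close()


def check_ntauth_providers(stored_value):
    """Problems with a metabase NTAuthenticationProviders value.

    The thread's mistake: passing "Negotiate,NTLM" in quotes on the adsutil.vbs
    command line stored the quote characters as part of the value, and
    authentication then fell back to Anonymous."""
    problems = []
    if re.search(r'["\']', stored_value):
        problems.append("value contains quote characters (the adsutil.vbs quoting bug)")
    providers = [p.strip().strip('"\'') for p in stored_value.split(",") if p.strip()]
    unknown = [p for p in providers if p.lower() not in ("negotiate", "ntlm")]
    if unknown:
        problems.append("unknown provider(s): " + ", ".join(unknown))
    if not any(p.lower() == "negotiate" for p in providers):
        problems.append("Negotiate missing: Kerberos will never be offered")
    elif providers[0].lower() != "negotiate":
        problems.append("Negotiate is not listed first")
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_401_BOTH, SAMPLE_401_NTLM_ONLY):
        schemes = parse_www_authenticate(sample)
        print(schemes, "->", diagnose(schemes))
    for value in ("Negotiate,NTLM", '"Negotiate,NTLM"', "NTLM"):
        print(repr(value), "->", check_ntauth_providers(value) or ["ok"])
```

The offline functions are what a sniffer trace or a saved WFetch session gets fed into; fetch_challenge does the same against a live server. The value check is worth running on what adsutil.vbs actually stored (read it back with adsutil.vbs get) rather than on what was typed, since the whole point of the thread is that the two differed.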

Re: [ActiveDir] OT: SAN Assessment

2005-09-22 Thread Phil Renouf
As someone else mentioned, when sizing a SAN for Exchange you are more concerned about performance than the size of the storage. That means that although you need to make sure you have enough disk space, more important is ensuring that the number of disks you get will meet the performance needs of your Exchange solution.

 
To get that performance number can be fairly involved and deals with getting performance data from your existing Exchange installation (if you have one), or doing some calculations based on assumptions if you don't have Exchange. Anyone who is experienced with sizing Exchange solutions on a SAN will have the knowledge to help you out with those assumptions. It will likely also involve doing validation of the performance you expect to get from the SAN once it is in place. This is important because you may find ways to improve performance even more by tweaking some configuration on the server or SAN, but more importantly you may find performance bottlenecks that you can fix prior to going to production.

 
Depending on the size of your Exchange environment and how complex it is that performance testing could go on for 4-6 weeks. Longer if it is an incredibly complex environment (Geo-clusters etc.)
 
Phil 
On 9/22/05, Lawana Gibson <[EMAIL PROTECTED]> wrote:
Good mornin',
We have a SAN environment within our library.  We're running a FC4500 with 1.2 TB of disk space.  I have seven servers connected to the SAN and a PowerVault 136T Tape Library.  We had Dell (we're a Dell shop) come in and assess our environment; we made the decision on how much disk space we needed, etc.  So basically they took our specifications and produced a system (hardware, mgmt software, HBA).  We had them install a "turn key" system so all we had to do was start moving data over to the disks (or LUNS).  BUT... you have to be very careful and make sure they are giving you the most current equipment; they are not selling you mgmt software that will not work with your server environment... basically make sure they know your network.  Make sure your sales/technical accountant is aware of when your equipment comes in, who they sent to install the equipment, etc.  Have them/make them document everything!  I have horror stories related to our SAN installation, but once I finally complained loud enough (and we threatened not to pay them) they sent someone out to reconfigure our system.  We are now in the phase of upgrading our SAN environment...as a matter of fact I'm meeting with them next week.  If I had one thing to warn you or suggest...make sure YOU are aware of what you're getting as far as software, HBAs and drivers, SAN management software, etc.  Because if you don't know, you could be stuck with a monster on your hands.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Devan Pala
Sent: Wednesday, September 21, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SAN Assessment

Hi,

We're in the process of planning to migrate from Notes to Exchange and one of the dependencies of this migration is a SAN environment.

Has anyone utilized the services of any independent consulting bodies to carry out a SAN assessment. Essentially, helping in the process of determining requirements and laying out a path to successful deployment with considerations for high availability, scalability and future considerations.

Thanks,

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread van Donk, Fred



Thanks all for your replies. Joe: I got you loud and clear 
and agree.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 22, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Look through the archives.
 
The short answer is... "Just don't do it". You can't 
possibly secure this regardless of what anyone says. If someone says it can be 
made safe, stop asking them technical questions about Domain Controllers and 
Active Directory.
 
Either you trust the person or you don't. If you don't 
trust the person, then don't put the person in a position to show you the 
meaning of screwed.
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Security

I have a contractor in a remote site. There is only 1 server in that site which is a DC.
 
He needs to administer that server. 
-Create shares
-Make file/share permissions
-Change user passwords in the User OU for that site.
 
He is not allowed to log on to any other server in the domain.
 
When I make him a "Server Operator" he can logon to any server in the domain.
 
Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users.
 
Thanks!
Fred
 
 


RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread joe



Look through the archives.
 
The short answer is... "Just don't do it". You can't 
possibly secure this regardless of what anyone says. If someone says it can be 
made safe, stop asking them technical questions about Domain Controllers and 
Active Directory.
 
Either you trust the person or you don't. If you don't 
trust the person, then don't put the person in a position to show you the 
meaning of screwed.
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Security

I have a contractor in a remote site. There is only 1 server in that site which is a DC.
 
He needs to administer that server. 
-Create shares
-Make file/share permissions
-Change user passwords in the User OU for that site.
 
He is not allowed to log on to any other server in the domain.
 
When I make him a "Server Operator" he can logon to any server in the domain.
 
Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users.
 
Thanks!
Fred
 
 


RE: [ActiveDir] Cannot modify a distribution list

2005-09-22 Thread joe



If you mean ownership as in setting an owner from the 
Exchange tab or the managed by tab, neither allows you to modify the membership. 
You need to grant the person the ability to update the membership list. Now if 
you have an older version of ADUC, you won't see that checkbox under the managed 
by tab. 
 
If you have set this, and you have a multidomain forest, 
and the group is mail enabled, and the person is trying to manage through 
outlook, you probably have another issue which I don't have time to go into here 
but in that situation, don't use outlook to manage the membership. Outlook is a 
tool to read mail, not manage group membership. I don't use ADUC to check my 
calendar, so I don't have a problem avoiding using Outlook to manage 
groups.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, September 22, 2005 3:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cannot modify a distribution list

Hi 
Gurus,
 
I have created a Distribution list which is owned by a particular user. Now I log in as 
that user and try to modify the distribution list, say setting the description 
attribute, but am getting the error:
 
***Call Modify...ldap_modify_s(ld, 
'CN=testgrp1,OU=Exchange Test,OU=CV,OU=Views,OU=Mayuresh,DC=meta,DC=test',[1] 
attrs);Error: Modify: Insufficient Rights. <50>
 
If I 
bind as the administrator, then I can modify the distribution list. any pointers 
as to why this is happening?
 
Regards,
Mayuresh.


RE: [ActiveDir] disabling users

2005-09-22 Thread joe



Any language can be done in a write once, read never 
format. Readability is a function of the person writing the code, the language 
can only help you accomplish what you are trying to do and are capable of. If I 
saw code that was tough to read, in any language, I stick the blame firmly with 
the person who wrote it, where it belongs. I have run into situations where I 
have seen thousands of lines of vbscript that I simply threw away because the 
logic couldn't be followed due to how the script was written, generally I 
replaced it with hundreds of lines of clearly written perl that anyone could 
read. If you write perl well, it can be nearly self documenting. But that isn't 
enough, you still comment the code to explain intent and what the purpose of 
different things is.
 
If I had to argue for a least readable language, I 
would argue for cmd batch, but again, it is about the person writing the code, 
not the language the code is written in. I have even seen ASM that was written 
so cleanly and well with comments that anyone could follow 
it.
 
I think the problem a lot of people have with perl is its 
flexibility. TIMTOWTDI. It is the core design of the language, a loop can be 
done in many different ways instead of 1 or 2 ways that someone may be used to 
seeing. For some people, giving flexibility to them is like giving them a longer 
and longer rope to hang themselves. 
 
As I once read in one of the books or heard from a friend 
or something... Perl is like playing the guitar, you can usually do something 
pretty quickly, but the really cool stuff will take practice. But on the 
positive side, it is possible to do the really cool stuff and usually in a way 
that makes you feel good.
 
I just 
had a bit of a conversation with one of the Exchange Dev folks who was saying 
that with Monad, if I want to get some piece of info about a mailbox from 
an Exchange 12 server I have to return all of the info from the server and then 
filter out what I don't want to use. The reason given was that is the Monad 
way... I visualize that like trying to output whenChanged of an object and 
having to pull all attributes of the object to do so. There is a tremendous hit 
to efficiency if that is the way it is done. The big thing that scared me though 
was the comment... that is the Monad way... What is the way? To assume you have 
unlimited bandwidth and time so you can be fat and 
inefficient?
 
  joe[1]
 
 
 
[1] 
Slowly emerging from being way too submerged in work and other things... 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, September 22, 2005 2:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users

Honestly, I'd avoid perl like the plague. It's about the 
least readable language on the planet - especially if you haven't touched a 
script for a few months.
As was already suggested, python is a pretty good cross 
platform option. 
 
Roger Seielstad
E-mail Geek 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 21, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users

you don't think one can get by in IT with just one lang?
can't you do everything in perl that you can do in vbscript and then 
some?
I'm sure you can get by on windows with just perl.
i'm in a multi platform environment and frankly i just don't have the time 
to learn both vbscript and perl.
i would end up just knowing both a little and badly.
my brain can't keep jumping from one to the other and in scripting, if you 
don't use one lang for a while, you forget it.
in which case i'd just end up bugging you guys on this list again for 
examples.
i'd like to get to the point where i can do it myself and trying to learn 
both will never work for me.
i have a hard enough time keeping as much as i can about windows and AD and 
exchange and some linux stuff in my head.
2 scripting langs will make my head explode. i'll never remember them at 
all.
i just need to learn one and devote myself to learning it well instead of 
being a scripting jack of all trades and master of none.
 
as to perl books, then where can one learn COM on perl? 
 
thanks a lot guys! 
On 9/21/05, Brian Desmond <[EMAIL PROTECTED]> wrote: 
Joe Richards might know some Win32 Perl resources.

vbscript isn't that hard, really. If you know the COM & ADSI stuff for Perl as far as methods, names, etc, its just a different syntax for using it. vbscript you have the advantage of the technet scriptcenter which has examples complete enough to copy and paste together and run.

I'm not a CS major either, I don't even have any formal training in this field. The only things I've been taught in a classroom are how to read, write, and do some math. Everything I know I learnt going to work everyday and doing new things, asking questions here and there around this list and other places. I realize

RE: [ActiveDir] OT: SAN Assessment

2005-09-22 Thread Lawana Gibson
Good mornin',
We have a SAN environment within our library.  We're running a FC4500
with 1.2 TB of disk space.  I have seven servers connected to the SAN
and a PowerVault 136T Tape Library.  We had Dell (we're a Dell shop)
come in and assess our environment; we made the decision on how much
disk space we needed, etc.  So basically they took our specifications
and produced a system (hardware, mgmt software, HBA).  We had them
install a "turn key" system so all we had to do was start moving data
over to the disks (or LUNS).  BUT... you have to be very careful and
make sure they are giving you the most current equipment; they are not
selling you mgmt software that will not work with your server
environment... basically make sure they know your network.  Make sure
your sales/technical accountant is aware of when your equipment comes
in, who they sent to install the equipment, etc.  Have them/make them
document everything!  I have horror stories related to our SAN
installation, but once I finally complained loud enough (and we
threatened not to pay them) they sent someone out to reconfigure our
system.  We are now in the phase of upgrading our SAN environment...as a
matter of fact I'm meeting with them next week.  If I had one thing to
warn you or suggest...make sure YOU are aware of what you're getting as
far as software, HBAs and drivers, SAN management software, etc.
Because if you don't know, you could be stuck with a monster on your
hands.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Wednesday, September 21, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SAN Assessment

Hi,

We're in the process of planning to migrate from Notes to Exchange and
one of 
the dependencies of this migration is a SAN environment.

Has anyone utilized the services of any independent consulting bodies to

carry out a SAN assessment. Essentially, helping in the process of 
determining requirements and laying out a path to successful deployment
with 
considerations for high availability, scalability and future
considerations.

Thanks,


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Brian Desmond








Sharepoint will unless you ignore the recommendations in the setup wizard
run under a service account you create for it. You can however ignore the
recommendations to make a service account for it when you’re setting up
the site/portal app pool and it will run under network service.

 



Thanks,
Brian
Desmond

[EMAIL PROTECTED]

 

c -
312.731.3132

 

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, September 22, 2005
9:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos
Delegation



 

By default, the IIS app pool and (I
believe) sharepoint both run under Network Service. Therefore, when Sharepoint
makes the request outbound, it will be making it within the context of the
NetworkService account, which means it's going to present the server's domain
credentials.



 




Roger Seielstad
E-mail Geek 



 



 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Wednesday, September 21,
2005 11:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos
Delegation

Could I ask why he’d need to do
that?

 

Cheers

Ken

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, 22 September 2005
4:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos
Delegation



 

So have you granted domain\IISServer$
access through ISA?



 




Roger Seielstad
E-mail Geek 



 



 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21,
2005 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos
Delegation

Well I have some screen shots for you of
AuthDiag and of wfetch, if you don’t mind I can send it to you offline.

 

This is the weird part, if I use wfetch to
connect using Anonymous as authentication I get the web page requested. 

 

If I specify any other auth type i.e. NTLM
or Kerberos I get a ISA server page telling me I am not authorized to view this
page.

 

With anonymous connection I get:

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

 

With a specified auth type I don’t
get any of that (The screen shots explain)

 

AuthDiag still only reports Test
Authentication NTLM NO Kerberos.

 

I still have a copy of the old
Metabase.xml to prove that it was storing the incorrect settings when IIS MMC
was showing something else…..

 

Let me know if I can ping the screen shots
to you.

 

Thanks Ken, am I going to get to see you
at Redmond?


C

 

 









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Ken Schaefer
Sent: 21 September 2005 03:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos
Delegation



 

Odd.

 

If you use WFetch (it’s in the IIS6
Res Kit) or just plain telnet, and request a page, what WWW-Authenticate
headers are coming back? You should see:

 

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

 

(basically the webserver sends back a list
of the auth mechanisms it supports, and the browser picks the first one in the
list that it supports). If you are only seeing the NTLM option, then
something’s up with IIS or Sharepoint. If you are seeing both, then
AuthDiag is lying to you.

 

Cheers

Ken

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005
10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos
Delegation



 

Yeah I'm not sure about that either, at the
moment IIS is REALLY ACTING WEIRD, KEN where are you :P - .

 

I had the Share Point website in the IIS
MMC specify SPSAppPool (which was a App pool I created) when I checked the
MetaBase.XML file ( you know I love looking at the guts of systems :-) ) it was still
specifying DefaultAppPool (and I mean I had rebooted the server a few times)
also DO NOT RUN: 

 

Cscript adsutil.vbs set
w3svc/1/ntauthenticationproviders “Negotiate,NTLM”

Iisreset

 

I know it seems logical but I KEPT the
quotations in there and what it ended up doing was: ““Negotiate,NTLM”” ***Note the
double quotes

 

And all auth was being
defaulted to Anonymous (thank heavens for a network sniffer :-) )

 

Even though I fixed
these issues and I have made sure my Metabase.xml file is correct with
“Negotiate,NTLM” and with the correct App Pool with the correct
user etc,  when I run AuthDiag the only “Test Authentication”
option I get is NTLM, the Server Settings Node though specifies
“Negotiate,NTLM” for that Site. 

 

When I check my ISA
server I STILL see User – Anonymous so I am a bit stumped at the moment
!!!

 

YEAH it going to be
so cool to meet up with you guys in Redmond
next week :-)

 

C

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos
Delegation



 

Hi Carlos

 

As I said, I'

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Roger Seielstad



I know next to nothing about ISA. The last time I 
touched it, it was still called MS Proxy 2.0. I'm assuming there's a 
security group somewhere that is used to control who can do what through the ISA 
server. Actually, I know there is because I'm part of one at work (just don't 
know how to configure it). See my response to Ken as to why this would be 
necessary...
 
Roger Seielstad
E-mail Geek 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Thursday, September 22, 2005 2:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation


Hmmm, explain a little 
more where you would grant this access ….
 
Thanks 

Carlos
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: 22 September 2005 08:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation
 
So have you granted 
domain\IISServer$ access through ISA?

 
Roger Seielstad
E-mail Geek 

 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21, 2005 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation
Well I have some screen 
shots for you of AuthDiag and of wfetch, if you don’t mind I can send it to you 
offline.
 
This is the weird part, 
if I use wfetch to connect using Anonymous as authentication I get the web page 
requested. 
 
If I specify any other 
auth type i.e. NTLM or Kerberos I get a ISA server page telling me I am not 
authorized to view this page.
 
With anonymous 
connection I get:
WWW-Authenticate: 
Negotiate
WWW-Authenticate: 
NTLM
 
With a specified auth 
type I don’t get any of that (The screen shots 
explain)
 
AuthDiag still only 
reports Test Authentication NTLM NO Kerberos.
 
I still have a copy of 
the old Metabase.xml to prove that it was storing the incorrect settings when 
IIS MMC was showing something else…..
 
Let me know if I can 
ping the screen shots to you.
 
Thanks Ken, am I going 
to get to see you at Redmond?
C
 
 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Ken 
SchaeferSent: 21 September 
2005 03:17 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Kerberos 
Delegation
 
Odd.
 
If you use WFetch (it’s 
in the IIS6 Res Kit) or just plain telnet, and request a page, what 
WWW-Authenticate headers are coming back? You should 
see:
 
WWW-Authenticate: 
Negotiate
WWW-Authenticate: 
NTLM
 
(basically the 
webserver sends back a list of the auth mechanisms it supports, and the browser 
picks the first one in the list that it supports). If you are only seeing the 
NTLM option, then something’s up with IIS or Sharepoint. If you are seeing both, 
then AuthDiag is lying to you.
 
Cheers
Ken
 





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Carlos 
MagalhaesSent: Wednesday, 21 
September 2005 10:39 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Kerberos 
Delegation
 
Yeah Im not sure about 
that either at the moment IIS is REALLY ACTING WEIRD, KEN where are you :P - 
.
 
I had the Share Point 
website in the IIS MMC specify SPSAppPool (which was a App pool I created) when 
I checked the MetaBase.XML file ( you know I love looking at the guts of 
systemsJ ) it was still 
specifying DefaultAppPool (and I mean I had rebooted the server a few times) 
also DO NOT RUN: 
 
Cscript adsutil.vbs 
set w3svc/1/ntauthenticationproviders “Negotiate,NTLM”
Iisreset
 
I know it seems logical 
but I KEPT the quotations in there and what it ended up doing was: 
““Negotiate,NTLM”” 
***Note the double quotes
 
And all auth was being 
defaulted to Anonymous (thank heavens for a network sniffer J 
)
 
Even though I fixed 
these issues and I have made sure my Metabase.xml file is correct with 
“Negotiate,NTLM” and with the correct App Pool with the correct user etc, 
 when I run AuthDiag the only “Test Authentication” option I get is NTLM, 
the Server Settings Node though specifies “Negotiate,NTLM” for that Site. 

 
When I check my ISA 
server I STILL see User – Anonymous so I am a bit stumped at the moment 
!!!
 
YEAH it going to be 
so cool to meet up with you guys in Redmond next week J
 
C
 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Tony 
MurraySent: 20 September 2005 
10:50 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Kerberos 
Delegation
 
Hi 
Carlos
 
As I said, I'm just 
starting to look at Kerberos delegation, so take everything I say with a large 
pinch of salt.  :-)
 
Anyway, here's the 
logic I was following.
 
If I've understood it 
correctly, you want the server hosting SharePoint to authenticate to the ISA 
server as the end user.  Assuming you want to use constrained delegation 
(which is normal) then you need to specify the ISA Server somewhere in the 
configuration, because you are limiting (constraining) the scope of the 
delegation to the ISA Server.  If you look at the De

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Roger Seielstad



By default, the IIS app pool and (I believe) SharePoint both run under Network Service. Therefore, when SharePoint makes the request outbound, it will be making it within the context of the NetworkService account, which means it's going to present the server's domain credentials.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Wednesday, September 21, 2005 11:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Could I ask why he'd need to do that?

Cheers
Ken


RE: [ActiveDir] Group policy stupid question

2005-09-22 Thread Kevin Sullivan
Hi Susan,

Not a stupid question. Especially when you are just starting out with
Group Policy the filtering can be a bit tricky.

So the default for filtering is Authenticated Users have Read and Apply
Group Policy permissions. If you remove Authenticated Users from the
list and only add the Group(s) that should receive the settings and
exclude the group that should not, that will work. But your note
mentions Everyone 'except' so it sounds like you want to leave
Authenticated Users as is and simply add the 'filtered out' group to the
filter list (you are using GPMC, correct?) and set the permissions for
that group to Deny the Apply Group Policy permission. If I am reading
your message correctly this should work for you. Too many 'Denies' are
usually not recommended.

A few caveats for clarity (apologies if this is already known
information). The Group Policy does not apply to the Group. It only
applies to Users and Computers. The Group is simply used for filtering
and delegation. So the Group Policy Object needs to be linked to
containers that contain those users and computers that need to be
configured.

Regarding Visio, unless you have more complex needs here it is probably
overkill. If you are doing many 'deny' ACEs on your GPOs it is a good
idea to have some way to document those permissions so that you have a
reference to go back to.

Kevin Sullivan, MVP, MCSE
Director of Product Management
DesktopStandard Corporation
Enterprise Desktop Management

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, September 21, 2005 5:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group policy stupid question

Stupid question that showcases how I don't know enough about GP

Is there a way to do a group policy group so that it's

"Everyone" but <-> "this group" 

And does Visio work the best for diagramming these structures out?



-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

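To keep the record Kevin recommends of which GPOs rely on Deny ACEs, here is an added Perl example (not code from the thread or from any of the tools it mentions) that walks the domain's groupPolicyContainer objects and lists every ACE that denies the Apply Group Policy right. It assumes ActiveState Perl with Win32::OLE and an account that can read the policy objects' security descriptors.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: list every GPO in the domain whose
# DACL carries a Deny ACE on the "Apply Group Policy" right, so that deny-based
# filtering is documented outside GPMC. Assumes ActiveState Perl with Win32::OLE
# and an account that can read the policy objects' security descriptors.
use strict;
use warnings;
use Win32::OLE qw(in);

use constant ACE_DENIED           => 1;      # ADS_ACETYPE_ACCESS_DENIED
use constant ACE_DENIED_OBJECT    => 6;      # ADS_ACETYPE_ACCESS_DENIED_OBJECT
use constant FLAG_INHERITED       => 0x10;   # ADS_ACEFLAG_INHERITED_ACE
use constant RIGHT_CONTROL_ACCESS => 0x100;  # ADS_RIGHT_DS_CONTROL_ACCESS
# rightsGuid of the Apply-Group-Policy extended right, as ADSI reports it.
use constant APPLY_GP_GUID => '{edacfd8f-ffb3-11d1-b41d-00a0c968f939}';

# True when an ACE blocks Group Policy application: either an object ACE that
# denies exactly the Apply Group Policy right, or a plain deny ACE that covers
# all extended rights (which includes Apply Group Policy).
sub denies_apply_gp {
    my ($ace) = @_;
    my $type = $ace->{AceType};
    return 1 if $type == ACE_DENIED_OBJECT
             && lc($ace->{ObjectType} || '') eq APPLY_GP_GUID;
    return 1 if $type == ACE_DENIED
             && ($ace->{AccessMask} & RIGHT_CONTROL_ACCESS);
    return 0;
}

my $root = Win32::OLE->GetObject('LDAP://RootDSE')
    or die "Cannot bind to RootDSE: " . Win32::OLE->LastError;
my $nc = $root->Get('defaultNamingContext');

# Every GPO is a groupPolicyContainer under CN=Policies,CN=System.
my $policies = Win32::OLE->GetObject("LDAP://CN=Policies,CN=System,$nc")
    or die "Cannot bind to the Policies container: " . Win32::OLE->LastError;
$policies->{Filter} = ['groupPolicyContainer'];

my $found = 0;
for my $gpo (in $policies) {
    my $name = $gpo->Get('displayName');
    my $dacl = $gpo->Get('nTSecurityDescriptor')->{DiscretionaryAcl};
    for my $ace (in $dacl) {
        next unless denies_apply_gp($ace);
        printf "%-45s DENY Apply Group Policy  %s%s\n", $name, $ace->{Trustee},
            ($ace->{AceFlags} & FLAG_INHERITED) ? '  (inherited)' : '';
        $found++;
    }
}
print $found
    ? "$found deny ACE(s) listed; keep this output with the GPO documentation.\n"
    : "No Deny 'Apply Group Policy' ACEs found.\n";
```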


RE: [ActiveDir] OT: exchange max. dist. list size

2005-09-22 Thread Shawn Hayes
I believe the issue is with Personal DL created in Outlook, not with Server 
based DLs and yes we have seen the issue.  I didn't want to provide the user 
with a fix because all that info is stored on the server.


Shawn

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: exchange max. dist. list size

I don't have exact figures, but your numbers are unbelievably low. 200 max? I have DLs with 2300, and those are small.

What gives you this impression? Are you using a tool that's barfing when expanding DLs with more than 200 membership?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 9/21/2005 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: exchange max. dist. list size



Has anyone encountered the max distribution list size in exchange?

Seems like it's 8KB, or between 100-200 email addresses?

Am I missing something?

Thanks,

James



RE: [ActiveDir] Cannot modify a distribution list

2005-09-22 Thread Shawn Hayes



When you say owned by a particular user, what exactly do you mean?

Shawn

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, September 22, 2005 3:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cannot modify a distribution list

Hi Gurus,

I have created a Distribution list which is owned by a particular user. Now I log on as that user and try to modify the distribution list, say setting the description attribute, but am getting the error:

***Call Modify...ldap_modify_s(ld, 'CN=testgrp1,OU=Exchange Test,OU=CV,OU=Views,OU=Mayuresh,DC=meta,DC=test',[1] attrs);
Error: Modify: Insufficient Rights. <50>

If I bind as the administrator, then I can modify the distribution list. Any pointers as to why this is happening?

Regards,
Mayuresh.


Re: [ActiveDir] disabling users

2005-09-22 Thread Tom Kern
I never said dn's.

The names are all sAMAccountNames in a csv file.
The consultants from ibm here ran some Quest tools to determine which accounts were inactive and ran that list by HR to double check.

They can't script either (in fact one guy kept arguing with me that machines change their passwords every 7 days in win2k NOT 30 days and wouldn't listen to me. This is like week 7 of our "migration").

Anyway, now they just want to fill in the description attrib of the accounts in AD with something like "inactive. Don't Migrate" so they could filter by that in Quest instead of disabling the accounts.

So, to get me started in my perl route, how would one go about doing that in perl?

Thanks again.
You guys help me out way too much.

sorry...
On 9/22/05, Roger Seielstad <[EMAIL PROTECTED]> wrote:

Honestly, I'd avoid perl like the plague. It's about the least readable language on the planet - especially if you haven't touched a script for a few months.

As was already suggested, python is a pretty good cross platform option.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 21, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] disabling users

You don't think one can get by in IT with just one lang?
Can't you do everything in perl that you can do in VBScript and then some?
I'm sure you can get by on windows with just perl.
I'm in a multi platform environment and frankly I just don't have the time to learn both VBScript and perl.
I would end up just knowing both a little and badly.
My brain can't keep jumping from one to the other and in scripting, if you don't use one lang for a while, you forget it.
In which case I'd just end up bugging you guys on this list again for examples.
I'd like to get to the point where I can do it myself and trying to learn both will never work for me.
I have a hard enough time keeping as much as I can about windows and AD and exchange and some linux stuff in my head.
2 scripting langs will make my head explode. I'll never remember them at all.
I just need to learn one and devote myself to learning it well instead of being a scripting jack of all trades and master of none.

As to perl books, then where can one learn COM on perl?

Thanks a lot guys!
On 9/21/05, Brian Desmond <[EMAIL PROTECTED]> wrote:

Joe Richards might know some Win32 Perl resources. VBScript isn't that hard, really. If you know the COM & ADSI stuff for Perl as far as methods, names, etc, it's just a different syntax for using it. VBScript you have the advantage of the technet scriptcenter which has examples complete enough to copy and paste together and run.

I'm not a CS major either, I don't even have any formal training in this field. The only things I've been taught in a classroom are how to read, write, and do some math. Everything I know I learnt going to work every day and doing new things, asking questions here and there around this list and other places. I realized I needed to learn VBScript and so I started tackling projects with VBScripts, and with a bit of work I got to be pretty good at it. I still need a copy of the platform sdk on my other monitor to remember methods, parameters, etc, but I know the syntax. That said, if I'm feeling lazy I still go and piece things together with scriptcenter snippets.

My point here is that it would probably be long term beneficial to you to at least be able to do simple things in VBScript like read a file, run an external command, etc. As I said in my first message, if you post what you have, I'll try and edit it as an example for you.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, September 21, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users

I only have time to learn one scripting lang. I figured perl is the better way to go as I have to work with linux and solaris as well.
Know of any good docs, books, sites on perl and COM+ or adsi? Something that will teach you both like the VBScript resources do? I really think there is a market for perl and AD/win32 out there that is untapped. O'reilly has let most of their win32 perl books become outdated and stop at Win NT as has Dave Roth. I'm not a programmer and I don't have time to learn multiple scripting langs, so I always thought perl would be the best way to go. I find it as approachable as VBScript but unlike VBScript, I don't find many resources for using it on win32 systems. I'm afraid learning perl and working with windows might be an uphill battle.
Are there resources for teaching you how to use perl with cdo, wmi, adsi, ado, etc? I'm not a total newbie to perl, I've used it on linux but I've never really done much on windows with activestate.
And as I've said, I'm not a programmer and I didn't major in comp sci, so a lot of this stuff is
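Tom's request at the top of this message (tag each sAMAccountName in a CSV with a description, from Perl), as an added example that is not code from the thread or from the Quest tooling it mentions. It assumes ActiveState Perl with Win32::OLE, a CSV whose first column is the sAMAccountName (inactive.csv is a placeholder name), and an account allowed to write the description attribute; it refuses to touch any name that does not resolve to exactly one user object.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: read sAMAccountNames from a CSV and
# set each user's description to an "inactive" tag, via ADSI/ADO through
# Win32::OLE (ActiveState Perl). Assumptions: the first CSV column is the
# sAMAccountName; inactive.csv and the tag text are placeholders; the script
# runs as an account allowed to write the description attribute.
use strict;
use warnings;
use Win32::OLE qw(in);

my $dry_run    = grep { $_ eq '--dry-run' } @ARGV;   # report, change nothing
my ($csv_file) = grep { $_ ne '--dry-run' } @ARGV;
$csv_file ||= 'inactive.csv';
my $tag = "inactive. Don't Migrate";

# Bind to the domain we are logged on to and prepare an ADO search object.
my $root = Win32::OLE->GetObject('LDAP://RootDSE')
    or die "Cannot bind to RootDSE: " . Win32::OLE->LastError;
my $nc = $root->Get('defaultNamingContext');

my $conn = Win32::OLE->new('ADODB.Connection');
$conn->{Provider} = 'ADsDSOObject';
$conn->Open('Active Directory Provider');
my $cmd = Win32::OLE->new('ADODB.Command');
$cmd->{ActiveConnection} = $conn;

# Resolve one sAMAccountName to exactly one user DN; undef if none or several.
sub find_user_dn {
    my ($sam) = @_;
    # Escape LDAP filter metacharacters (RFC 4515) so an odd entry in the CSV
    # cannot widen the search beyond the one account.
    (my $safe = $sam) =~ s/([\\*()\0])/sprintf('\\%02x', ord $1)/ge;
    $cmd->{CommandText} = "<LDAP://$nc>;"
        . "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe));"
        . "distinguishedName;subtree";
    my $rs = $cmd->Execute
        or die "Search failed for $sam: " . Win32::OLE->LastError;
    my @dns;
    until ($rs->EOF) {
        push @dns, $rs->Fields('distinguishedName')->{Value};
        $rs->MoveNext;
    }
    $rs->Close;
    return @dns == 1 ? $dns[0] : undef;
}

open my $fh, '<', $csv_file or die "Cannot open $csv_file: $!";
while (my $line = <$fh>) {
    chomp $line;
    next if $line =~ /^\s*(?:#|$)/;          # skip blank and comment lines
    my ($sam) = split /,/, $line;            # first column only
    $sam =~ s/^\s+|\s+$//g;
    $sam =~ s/^"|"$//g;                       # drop surrounding quotes
    next unless length $sam;
    next if lc $sam eq 'samaccountname';      # skip a header row

    my $dn = find_user_dn($sam);
    if (!defined $dn) {
        print "SKIP  $sam: no unique user object, check by hand\n";
        next;
    }
    if ($dry_run) {
        print "WOULD $sam -> $dn\n";
        next;
    }
    my $user = Win32::OLE->GetObject("LDAP://$dn");
    if (!$user) {
        print "ERROR $sam: " . Win32::OLE->LastError . "\n";
        next;
    }
    $user->Put('description', $tag);
    $user->SetInfo;
    if (Win32::OLE->LastError) {
        print "ERROR $sam: " . Win32::OLE->LastError . "\n";
    } else {
        print "OK    $sam -> $dn\n";
    }
}
close $fh;
```

Run it once with --dry-run to see which names resolve before anything is written.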

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Carlos Magalhaes








Hmmm, explain a little more where you would grant this access ....

Thanks

Carlos

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: 22 September 2005 08:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

So have you granted domain\IISServer$ access through ISA?

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21, 2005 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Well I have some screen shots for you of AuthDiag and of wfetch, if you don't mind I can send it to you offline.

This is the weird part, if I use wfetch to connect using Anonymous as authentication I get the web page requested.

If I specify any other auth type i.e. NTLM or Kerberos I get an ISA server page telling me I am not authorized to view this page.

With anonymous connection I get:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

With a specified auth type I don't get any of that (the screen shots explain).

AuthDiag still only reports Test Authentication NTLM, NO Kerberos.

I still have a copy of the old Metabase.xml to prove that it was storing the incorrect settings when IIS MMC was showing something else.....

Let me know if I can ping the screen shots to you.

Thanks Ken, am I going to get to see you at Redmond?

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: 21 September 2005 03:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Odd.

If you use WFetch (it's in the IIS6 Res Kit) or just plain telnet, and request a page, what WWW-Authenticate headers are coming back? You should see:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

(basically the webserver sends back a list of the auth mechanisms it supports, and the browser picks the first one in the list that it supports). If you are only seeing the NTLM option, then something's up with IIS or Sharepoint. If you are seeing both, then AuthDiag is lying to you.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Yeah I'm not sure about that either, at the moment IIS is REALLY ACTING WEIRD, KEN where are you :P

I had the Share Point website in the IIS MMC specify SPSAppPool (which was an App pool I created); when I checked the MetaBase.XML file (you know I love looking at the guts of systems :) ) it was still specifying DefaultAppPool (and I mean I had rebooted the server a few times). Also DO NOT RUN:

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders "Negotiate,NTLM"
Iisreset

I know it seems logical but I KEPT the quotations in there and what it ended up doing was: ""Negotiate,NTLM"" ***Note the double quotes

And all auth was being defaulted to Anonymous (thank heavens for a network sniffer :) )

Even though I fixed these issues and I have made sure my Metabase.xml file is correct with "Negotiate,NTLM" and with the correct App Pool with the correct user etc, when I run AuthDiag the only "Test Authentication" option I get is NTLM; the Server Settings Node though specifies "Negotiate,NTLM" for that Site.

When I check my ISA server I STILL see User - Anonymous so I am a bit stumped at the moment !!!

YEAH it's going to be so cool to meet up with you guys in Redmond next week :)

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

As I said, I'm just starting to look at Kerberos delegation, so take everything I say with a large pinch of salt. :-)

Anyway, here's the logic I was following.

If I've understood it correctly, you want the server hosting SharePoint to authenticate to the ISA server as the end user. Assuming you want to use constrained delegation (which is normal) then you need to specify the ISA Server somewhere in the configuration, because you are limiting (constraining) the scope of the delegation to the ISA Server. If you look at the Delegation tab of an object in ADUC, you will see the section labeled "Services to which this account can present delegated credentials:" It would seem logical to me to have to specify the ISA here. Now whether you need to configure this setting in ADUC on the account being used for the identity of the application pool, or the SharePoint server itself, I don't know.

Cheers

Tony

PS. See you next week :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 1:38 a
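Ken's header check quoted in the message above (request a page and look at which WWW-Authenticate mechanisms come back), as an added Perl example that is not code from the thread. It assumes plain HTTP is reachable and takes host, port and path from the command line; the default host name is a placeholder.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a stand-in for the telnet check Ken
# describes. Sends one anonymous GET and reports which WWW-Authenticate
# mechanisms the server offers, in the order the client will consider them.
# Assumptions: plain HTTP is reachable; host, port and path come from the
# command line, and the defaults below are placeholders.
use strict;
use warnings;
use IO::Socket::INET;

my ($host, $port, $path) = @ARGV;
$host ||= 'sharepoint.example.local';   # placeholder
$port ||= 80;
$path ||= '/';

# Returns the status line and the list of offered scheme names for one request.
sub offered_auth_schemes {
    my ($host, $port, $path) = @_;
    my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                     Proto => 'tcp', Timeout => 10)
        or die "Cannot connect to $host:$port: $@\n";
    print $sock "GET $path HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n";
    local $/ = "\r\n\r\n";                # read only the header block
    my $headers = <$sock>;
    close $sock;
    die "No HTTP response from $host\n" unless defined $headers;
    my ($status) = $headers =~ /^(HTTP\/\S+\s+\d+[^\r\n]*)/;
    $status = 'no status line' unless defined $status;
    # IIS sends one WWW-Authenticate header per mechanism, but a header may
    # also carry several comma-separated challenges; collect them in wire order.
    my @schemes;
    for my $line (split /\r\n/, $headers) {
        next unless $line =~ /^WWW-Authenticate:\s*(.*)$/i;
        for my $challenge (split /,\s*(?=[A-Za-z][\w-]*(?:\s|$))/, $1) {
            my ($scheme) = split /\s+/, $challenge;
            push @schemes, $scheme if defined $scheme && length $scheme;
        }
    }
    return ($status, \@schemes);
}

my ($status, $schemes) = offered_auth_schemes($host, $port, $path);
print "$status\n";
if (!@$schemes) {
    print "No WWW-Authenticate header: the server issued no challenge for $path.\n";
} else {
    print "Offered, in order: @$schemes\n";
    print "Negotiate is not offered, so Kerberos cannot be used; check NTAuthenticationProviders.\n"
        unless grep { lc($_) eq 'negotiate' } @$schemes;
}
```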

[ActiveDir] Cannot modify a distribution list

2005-09-22 Thread Mayuresh Kshirsagar



Hi Gurus,

I have created a Distribution list which is owned by a particular user. Now I log on as that user and try to modify the distribution list, say setting the description attribute, but am getting the error:

***Call Modify...ldap_modify_s(ld, 'CN=testgrp1,OU=Exchange Test,OU=CV,OU=Views,OU=Mayuresh,DC=meta,DC=test',[1] attrs);
Error: Modify: Insufficient Rights. <50>

If I bind as the administrator, then I can modify the distribution list. Any pointers as to why this is happening?

Regards,
Mayuresh.


RE: [ActiveDir] Domain Controller Security

2005-09-22 Thread Mark . H . Lunsford

You might consider a lower level OU under the Domain Controllers OU with a different GPO that grants him local logon to just that DC.

Thank You ! And have a nice day !

**
Mark Lunsford
KAISER PERMANENTE
Security Operations
Remedy Group: NOPS SECURITY EDOS SYS
Direct Manager: Bud Furrow
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-4077
**

"Gil Kirkpatrick" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
09/21/2005 05:03 PM
Please respond to ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Yes, untrusted admin + DC logon access = no more security.

If you're trying to lock him down, then you can't give him access to the
DC. Can you give him a member server for the file shares and just
delegate the password administration on the OU?

-g

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Wednesday, September 21, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

That sounds dangerous.

If you give him access to that server, particularly local logon
access, you might as well just put him in the Enterprise Admin group
and save both of you a few moments of work.


-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 9/20/05, van Donk, Fred <[EMAIL PROTECTED]> wrote:
> I have a contractor in a remote site. There is only 1 server in that site
> which is a DC.
>
> He needs to administer that server.
> -Create shares
> -Make file/share permissions
> -Change user passwords in the User OU for that site.
>
> He is not allowed to log on to any other server in the domain.
>
> When I make him a "Server Operator" he can logon to any server in the
> domain.
>
> Any idea on how to lock him down to that one server and then how to lock him
> down on that one OU where he should only be allowed to change the passwords
> of the users.
>
> Thanks!
> Fred



RE: [ActiveDir] The new acctinfo2.dll

2005-09-22 Thread TIROA YANN



Ok thanks Phil.

I will look with my TAM.

Best Regards,

Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, 21 September 2005 18:19
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] The new acctinfo2.dll

I believe that acctinfo2.dll has been available for quite some time. If you have a TAM just ask them for the file and they should be able to get it to you.

Phil
On 9/21/05, TIROA YANN <[EMAIL PROTECTED]> wrote:

Hello folks ;o)

I heard that the new acctinfo2.dll has been released. Can someone confirm this for me and point me to a link to download it? Thanks for help :)

Regards,
Yann TIROA
Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2nd floor - room 238.
43, Bd du 11 Novembre 1918. 69622 Villeurbanne Cedex.