Re: [ActiveDir] Service Account Logging/Tracking

2006-04-22 Thread Matheesha Weerasinghe
eventcombmt is OK but logparser is better as it can parse saved logs. Eventcombmt is for active logs only.

M@

On 4/22/06, mike kline [EMAIL PROTECTED] wrote:

You have to turn on auditing in order to track logon events. Once you turn auditing on you can then search your security event logs for that logon event.


When you go to set auditing you will see two settings: Audit account logon events and Audit logon events. There is a good blog entry about the differences between the two settings and what they mean.
http://blogs.msdn.com/ericfitz/archive/2005/08/04/447934.aspx

We set both for success, failure (per NSA guidelines). We save our logs daily on the servers and on our workstations we overwrite older events so that disk space doesn't become a huge issue. 

Once you have the events in the log you can search through them using a tool like Eventcomb

http://www.microsoft.com/downloads/details.aspx?FamilyId=9989D151-5C55-4BD3-A9D2-B95A15C73E92&displaylang=en
Eventcomb can be found within this download. 

You can search for EventID 528 and specify the service account to narrow the search.

When you say an account with elevated privileges, what kind of privileges are you talking about? Hopefully not a domain admin account.

Thanks
Mike
On 4/21/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote:



What's the recommended method for tracking service account logins? We keep a pretty tight rein on service accounts and their passwords, but in some cases we have to provide the passwords to our customers (in this case, customers are other government organizations that we support) for use in their applications. Essentially we just want to know if someone logs into a PC or a server with a service account. We don't want a bunch of people using a service account to gain access to resources, especially if it's an account with elevated privileges.


Thanks,

Justin Clay


ITS Enterprise Services


 Metropolitan Government of Nashville and Davidson County
 Howard School Building


 Phone: (615) 880-2573










Re: [ActiveDir] Service Account Logging/Tracking

2006-04-22 Thread Matheesha Weerasinghe
My bad. Just saw the option to check saved logs too. Sorry

M@

On 4/22/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

eventcombmt is OK but logparser is better as it can parse saved logs. Eventcombmt is for active logs only.








RE: [ActiveDir] logging users out

2006-04-22 Thread Ulf B. Simon-Weidner



Guess you'll have to do that by yourself, e.g. logon-script shutdown -l -t 3600

Gruesse - Sincerely,
Ulf B. Simon-Weidner
  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
  Sent: Saturday, April 22, 2006 9:38 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] logging users out
  
  Hi list,
  how can I set Active directory to log out users after a specific period 
  of time, say an internet cafe wants to log the users out after one hour? I 
  don't want to use account expires, I want the account to be still active but 
  to log the users out and they can re-login after that no problem. 



Re: [ActiveDir] Service Account Logging/Tracking

2006-04-22 Thread Kamlesh Parmar
I will add something... logparser... amazing utility... (if you know a little bit of scripting)
http://www.logparser.com
logparser can be scripted... moreover you can parse the description field and extract the exact detail.. and if you know how to use the template option of it.. it could create a nice HTML report too. And of course once the file is ready it can be picked up and sent to admins thru mail.

-Kamlesh
~Be the change you want to see in the World~

On 4/22/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

eventcombmt is OK but logparser is better as it can parse saved logs. Eventcombmt is for active logs only.

M@





-- 
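The Event ID 528 search described in this thread, written out as detection logic (an added example, not part of any list post). It assumes the Security log was exported to CSV with the columns EventID, TimeGenerated, ComputerName and Strings, with the event's insertion strings joined by `|`; the account names, hosts and rows are constructed.

```python
import csv
import io

# Logon types that can appear in Event ID 528 on Windows XP / Server 2003.
# Network logons (type 3) are written as Event ID 540 there, not 528.
LOGON_TYPES = {"2": "Interactive", "4": "Batch", "5": "Service",
               "7": "Unlock", "10": "RemoteInteractive"}
HUMAN_TYPES = {"2", "7", "10"}  # someone at the console or over Terminal Services

# Constructed policy: service account -> hosts where its service is meant to run.
SERVICE_ACCOUNTS = {"svc_backup": {"SRV-BACKUP01"}, "svc_sql": {"SRV-SQL01"}}

# Constructed export. Assumed columns: EventID, TimeGenerated, ComputerName,
# Strings, where Strings holds the event's insertion strings joined by "|":
# user | domain | logon ID | logon type | logon process | auth package | workstation
SAMPLE_EXPORT = """EventID,TimeGenerated,ComputerName,Strings
528,2006-04-21 02:00:05,SRV-BACKUP01,"svc_backup|EXAMPLE|(0x0,0x3E7A1)|5|Advapi|Negotiate|SRV-BACKUP01"
528,2006-04-21 09:14:52,WKS-0417,"svc_backup|EXAMPLE|(0x0,0x5B2C0)|2|User32|Negotiate|WKS-0417"
528,2006-04-21 09:20:11,WKS-0417,"jsmith|EXAMPLE|(0x0,0x5C001)|2|User32|Negotiate|WKS-0417"
528,2006-04-21 11:02:37,SRV-SQL01,"SVC_SQL|EXAMPLE|(0x0,0x7710F)|10|User32|Negotiate|SRV-SQL01"
538,2006-04-21 11:30:00,SRV-SQL01,"SVC_SQL|EXAMPLE|(0x0,0x7710F)|10"
528,2006-04-21 12:00:00,SRV-FILE02,"svc_sql|EXAMPLE|(0x0,0x80001)|5|Advapi|Negotiate|SRV-FILE02"
528,2006-04-21 12:05:00,SRV-FILE02,"svc_sql|EXAMPLE"
"""


def find_service_account_logons(export_text, accounts=SERVICE_ACCOUNTS):
    """Flag Event 528 rows where a watched account logs on like a person,
    on a host outside its approved set, or with an unreadable logon type."""
    policy = {name.lower(): {h.upper() for h in hosts}
              for name, hosts in accounts.items()}
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["EventID"] != "528":
            continue
        fields = row["Strings"].split("|")
        user = fields[0].strip().lower()  # account names are case-insensitive
        if user not in policy:
            continue
        logon_type = fields[3].strip() if len(fields) > 3 else None
        reasons = []
        if logon_type is None:
            # Truncated record: report it rather than silently dropping it.
            reasons.append("logon type missing")
        elif logon_type in HUMAN_TYPES:
            reasons.append(LOGON_TYPES[logon_type] + " logon")
        if row["ComputerName"].upper() not in policy[user]:
            reasons.append("unapproved host")
        if reasons:
            findings.append((row["TimeGenerated"], row["ComputerName"],
                             user, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for when, host, user, why in find_service_account_logons(SAMPLE_EXPORT):
        print(f"{when}  {host:<13} {user:<11} {why}")
```

Service-type logons on the approved host pass silently, so the output lists only the rows worth a follow-up.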


[ActiveDir] Can We configure Romaing Profiles using Script

2006-04-22 Thread Ravi Dogra
Hi Champs,

Can we configure Roaming Profiles using a script? I am in need of this
because we are migrating to ThinClient and want all our users to have
a Roaming Profile.

Kindly update if there is a way out. I have 3 days with me to come up
with a solution.

I know someone there has a solution.

We have Win2k3 DC's and Windows XP Embedded (ThinClients).

--
Ravi Dogra
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Can We configure Romaing Profiles using Script

2006-04-22 Thread Ulf B. Simon-Weidner
Hello Ravi,

It's basically a setting of the user account, so you can create a share,
allow everyone Full Control on the share, then change the user accounts using
ADUC Multiselect/Multiedit or with the ds-tools:

Dsmod user distinguishedname_of_user -profile \\server\profile$\$username$

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 



Re: [ActiveDir] logging users out

2006-04-22 Thread Ravi Dogra
Ulf is correct.

Just create a logon script and you can do what you want to.

--
Ravi Dogra


Re: [ActiveDir] Can We configure Romaing Profiles using Script

2006-04-22 Thread Ravi Dogra
Hi Ulf,

I want to minimize the effort to accomplish this task. I don't want to
configure it for each and every user one by one.

--
Ravi Dogra


RE: [ActiveDir] Can We configure Romaing Profiles using Script

2006-04-22 Thread Brian Desmond
No, you're going to need one command per user in this way. You can do it in
one shot if you just shift click in ADUC and use
\\server\profile$\%username%. What I would do for the script is write a
script to dump the dsmod commands as a batch file based on all the
usernames in an OU...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Ravi Dogra
 Sent: Saturday, April 22, 2006 3:52 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Can We configure Romaing Profiles using Script
 
 Hi Ulf,
 
 Do I need to run the same command for all my users? I think there should be
 a better way to just run a single command over OU or Group or List of
 Users.
 
 Update me if I am wrong.
 
 Dsmod user distinguishedname_of_user -profile \\server\profile$\$username$
 
 Thanks
 Ravi Dogra





RE: [ActiveDir] Can We configure Romaing Profiles using Script

2006-04-22 Thread Ulf B. Simon-Weidner
Hello Ravi,

the easiest way is using the gui, by selecting all users in question in
Active Directory Users and Computers, then choose Properties and set the
checkbox next to the profile field and enter the profilepath in there. You
can use %username% in there as well. Will set it for all users.

You can also combine the dstools:

Dsquery user ou=whatever,dc=example,dc=com -limit 0 | dsmod user -profile ...

This should give you an example how to do this.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 



RE: [ActiveDir] Can We configure Romaing Profiles using Script

2006-04-22 Thread Dave Wade
Ravi,
 
I wonder if you could probably do this the old fashioned way with the NET
command. You could have a MKPROF.BAT file something like:-

NET USER %1 /PROFILEPATH:\\server\profiles\%1 /DOMAIN

Then if you export all the users to a second file and edit it so that each line
contains :-

CALL MKPROF username1

Provided the users can create folders in the \\server\profiles directory they
will get a roaming profile created when they log off.

Dave.
P.S. You originally said thin client. If you want to set the TS profile
separately I don't think this works...
 
 


Re: [ActiveDir] Can We configure Romaing Profiles using Script

2006-04-22 Thread mike kline
Ravi,


If you are still running 2000 you can also use ADModify to do the same thing that Ulf described for 2003. 

You can get ADModify here
http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2

Thanks
Mike




Re: [ActiveDir] Can We configure Romaing Profiles using Script

2006-04-22 Thread Ravi Dogra
One more question I have is related to Thinclient deployment.

We are using Wyse and have Windows XP Embedded. Now the problem is
when a user logs on to the thin client and tries to open Microsoft
Document Imaging it starts configuring, which is unsuccessful as users
don't have privileges.

And then the error is ignored. User can now use Document Imaging to
view TIFF files.

But the thing is that whenever he logs off and logs back in this
happens again. I know it's just because it's not getting configured as
the user's profile gets flushed back at the time of logoff. So nothing is
saved for him or anybody except administrator as he has a local
profile on machine saved.

I think there is some problem with the Image we have. XP Embedded.

Kindly update.

--
Ravi Dogra


RE: [ActiveDir] Can We configure Romaing Profiles using Script

2006-04-22 Thread Brian Desmond
 I think there is some problem with the Image we have. XP Embedded.

Yes it sounds like it...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 



Re: [ActiveDir] Can We configure Romaing Profiles using Script

2006-04-22 Thread Ravi Dogra
Thanks,

I am already in touch with concerned people.

--
Ravi Dogra