RE: [ActiveDir] Handling different schemas - managing maintaining updates

2006-09-14 Thread Grillenmeier, Guido

The AD schema analyzer is quite useful for comparing schemas to find missing attributes and classes (and to export them to LDIF so as to allow an import to the target schema). Note however, that it doesn't find differences at the level of properties you have set for your schema objects; for example it doesn't find the difference in the searchFlags for an attribute that exists in both schemas.

As such you need to know how closely you want your schema to match and likely need to do an exact compare, either using custom scripts or LDIF dumps of the complete schema coupled with text-compare tools.

In general I would want to question what your goal is – like Al, I am assuming you want to make the schema more manageable. Basically a convenience so you don't have to worry about managing and documenting the differences. That's quite different from a technical necessity, where you may need to fully replicate all objects in your AD along with all attributes (except the ones managed by the system) – in this case, you may need to keep your schemas fully in sync.

I would not much discuss the security with respect to the schema classes and attributes stored in the different forest schemas – I would not say that there is much of a risk in knowing you have XYZ attributes defined in either schema. The discussion is much more relevant as to which data you plan to replicate between the two. Let's assume you are storing sensitive data in one of your forests; for example, you may store the social security number of your employees in a company-specific attribute called "MyCompany-Employee-SSN", and you have even done everything to hide this data from normal read access (i.e. you've configured it as a confidential attribute). Do you want this data to be replicated to the other forests? If not, then I would also not suggest adding the special schema attribute to your other forests' schema, since this way you hinder it from being synced by accident (not saying you couldn't sync it elsewhere).

If later there is a necessity to replicate the data across to the other forest(s) you could add a simple procedure in your ITIL processes that would ensure that the target schemas need to be updated appropriately prior to replicating the data.

/Guido
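The "custom scripts or LDIF dumps" compare Guido describes, as an added example that is not part of the thread: it reads two schema LDIF dumps, lists attributes present in only one forest, and, unlike the Schema Analyzer, also reports property-level drift such as a differing searchFlags. The two LDIF snippets and all attribute names and values in them are constructed for the example.

```python
"""Schema drift check between two forests' LDIF schema dumps.

Added example (not from the thread). Besides listing attributes that exist
in only one forest, it compares per-object properties such as searchFlags,
which the AD Schema Analyzer does not diff. Both LDIF snippets below are
constructed; real ones would come from an ldifde export of CN=Schema."""
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Bit 0x80 of searchFlags marks an attribute as confidential.
SEARCHFLAG_CONFIDENTIAL = 0x80


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines (leading space),
    decodes '::' base64 values and lower-cases attribute names, since
    LDAP attribute names are case-insensitive."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    cur: Entry = {}
    for line in unfolded + [""]:  # the sentinel flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def index_schema(entries: List[Entry]) -> Dict[str, Entry]:
    """Key schema objects by lDAPDisplayName so that dumps from different
    forests (different DC= suffix in every DN) can be matched up."""
    return {e["ldapdisplayname"][0].lower(): e
            for e in entries if "ldapdisplayname" in e}


def compare_schemas(a: Dict[str, Entry], b: Dict[str, Entry],
                    props: Tuple[str, ...] = ("searchflags", "attributesyntax",
                                              "issinglevalued")) -> dict:
    """Report objects missing on either side, plus property-level drift
    on objects that exist in both schemas."""
    drift: List[Tuple[str, str, List[str], List[str]]] = []
    for name in sorted(set(a) & set(b)):
        for prop in props:
            va, vb = a[name].get(prop, []), b[name].get(prop, [])
            if va != vb:
                drift.append((name, prop, va, vb))
    return {"only_in_a": sorted(set(a) - set(b)),
            "only_in_b": sorted(set(b) - set(a)),
            "drift": drift}


def is_confidential(entry: Entry) -> bool:
    """True when the attribute's searchFlags has the confidential bit set."""
    return bool(int(entry.get("searchflags", ["0"])[0]) & SEARCHFLAG_CONFIDENTIAL)


# Constructed sample dumps: forest A holds the SSN attribute (confidential);
# forest B lacks it and indexes the Employee-ID attribute differently.
FOREST_A = """\
dn: CN=MyCompany-Employee-SSN,CN=Schema,CN=Configuration,DC=forestA,DC=example
objectClass: attributeSchema
lDAPDisplayName: myCompany-Employee-SSN
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
searchFlags: 128

dn: CN=MyCompany-Employee-ID,CN=Schema,CN=Configuration,DC=forestA,DC=example
objectClass: attributeSchema
lDAPDisplayName: myCompany-Employee-ID
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
searchFlags: 1
"""

FOREST_B = """\
dn: CN=MyCompany-Employee-ID,CN=Schema,CN=Configuration,DC=forestB,DC=example
objectClass: attributeSchema
lDAPDisplayName: myCompany-Employee-ID
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
searchFlags: 9
"""


def run_example() -> dict:
    """Compare the two constructed dumps; returns the drift report."""
    return compare_schemas(index_schema(parse_ldif(FOREST_A)),
                           index_schema(parse_ldif(FOREST_B)))
```

The report flags the SSN attribute as missing from forest B (so it cannot be synced there by accident) and the searchFlags mismatch on the Employee-ID attribute that an object-level compare would miss.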

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, September 14, 2006 3:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Handling different schemas - managing maintaining updates

Yep, the schema analyzer would be a good tool to have hold of.

I have to ask though: is the goal to make this mish-mosh manageable by making it all the same (i.e. cookie-cutter)? Or is there some other goal you're describing?

I'm assuming that you want it to be the same across the enterprise to make it more manageable. Often this is done so that a central team can control it and/or so that people can implement workable IdM systems. Realistically, such a system cannot be implemented without some known similarities, so it makes sense.

I don't see any particular security related issues with schema entries unless your schema gives away company secrets of some sort. It's just a holder for the most part, and it's the data/information that it contains that would be of value. Knowing that it may exist is of lesser value, but is a risk that must be addressed.

ITIL? Nice to have. Of course the term "trust, but verify" keeps ringing in my head, but it's still nice to have such a process in use.

Al

On 9/13/06, Joe Kaplan [EMAIL PROTECTED] wrote:

I like this advice as well. In terms of some of the nuts and bolts of how one might do this, as a software guy, I'm a huge proponent of source code control/configuration management systems and simple, text-based file formats for the stuff you stick in your source repository. As such, I believe LDIF files are the one true way to maintain your custom schema stuff.

The ADSchemaAnalyzer (usually associated with ADAM) is probably a useful tool for doing a lot of the compare and extract work here.

Joe K.

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, September 13, 2006 8:37 AM
Subject: RE: [ActiveDir] Handling different schemas - managing maintaining updates

Without wishing to appear facetious :) - I would suggest if the company follows ITIL practices then they already have a change mgmt and config mgmt process and/or system which helps achieve your goal.

As far as best practices are concerned, I would aim for a 'core' schema config which is present in all instances of ADAM or AD schemas but manage differences via the ITIL framework (mentioned above).

neil

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: 

RE: [ActiveDir] Isolating a DC

2006-09-14 Thread Grillenmeier, Guido

Agree, isolating by site is often confused with requiring a separate subnet and thus extra efforts on the networking infrastructure. That's actually not the case. You can create your AD site and just assign it a 32-bit masked IP address as the subnet; if the other sites are properly configured, this will ensure that no client will try to leverage the DC in this special site.

Realize that a separate site doesn't take care of the generic DC lookups performed by clients (e.g. when they join the domain or when all DCs in their site fail); however, adjusting the priorities in DNS and configuring the DNS mnemonics appropriately for the DC in the special site will also take care of this extra challenge (should be described in the Exchange Server Site doc for which Brian previously provided the link).

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 8:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Yeah, I didn't mean to sound so negative; it just seems like isolating by site (which is a logical, not physical, barrier) is a more holistic solution which provides the isolation required, while allowing the DCs to continue to potentially (in an emergency situation) perform the duties of user authentication without having to change anything.

The IPSec solution just seems like serious overkill that's unnecessary.

On 9/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

I thought his original request was to make sure that no other
client talks to the isolated server except those permitted.

Sincerely,

Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Matt Hargraves
Sent: Wed 9/13/2006 7:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients. I've actually never heard of anyone doing this and would consider it a very bad idea unless you have significant redundancy in your 'normal' environment.

BTW, from a Microsoft presentation a little over a year ago, they have 4 Exchange server sites; only 1 of them (Redmond) isolates their DCs from authentication and reserves it for Exchange, the other 3 use their Exchange (a *very* DC/GC intensive app) servers for authentication also.

Site is only a logical separation. IPSec might as well be a physical barrier. Unless there is a serious reason why you would rather have none of your clients be able to authenticate instead of authenticating against these DCs (as I said, in case of an emergency), then you should probably avoid putting an IP filter on these boxes. If you isolate via site, then the only way that clients are going to authenticate against them is if all DCs are down in their site, which since you're a single physical site org, means that all of the authentication DCs are down, which is probably a more serious problem than "OMG, a (gasp) *user* authenticated against my application DC".

On 9/13/06, Lucas, Bryan [EMAIL PROTECTED] wrote: 

Thanks to all for the responses.

This (isolating via ipsec) is probably the right direction for me. We're a single site, single domain at a single physical location, but the idea of building another site isn't appealing from a keep it simple perspective.

Are there any technical reasons why a separate site would be better than isolation through IPSec? Will I cause clients/apps, who initially don't know they are denied, delays when they try to access the ipsec isolated DC?

Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]]
On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:

 I highly recommend that you read
http://www.windowsitpro.com/articles/print.cfm?articleid=37935

 Then, as a fall-back option, look for the isolation using IPSec
 whitepapers on Microsoft site. I can't find them now, but I know that 
 they exist. They show you how to restrict communication with a
specific
 server or network using IPSec.

I think what you're referring to is the excellent Server and Domain Isolation using IPSec content, at:

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however, there's other content online that'll explain this a little more concisely, such as this presentation from the Virginia Tech

RE: [ActiveDir] Block Inheritance on DC OU

2006-09-14 Thread Grillenmeier, Guido

Are we actually talking blocking GPO inheritance, or ACL inheritance?

If GPO, I tend to agree with Darren (as with anything on GPO :-)), as I don't think that any change in either the Default Domain or the Default Domain Controller policy should be implemented without testing (so if blocking the GPOs was set up to protect the DCs, it should give you more headaches than benefits, as you'd need to apply all policy settings from the domain policy separately to the default DC policy).

If ACLs on the OU, I wouldn't say it's a big deal. All the ACLs required for the DCs to do their work are set explicitly at the DC OU level. The inheritance really only matters for the pre-win2k compatible group ACE, which is not required on the DC OU (just happens to be set for inheritance from the root of the domain). Not saying it's a good idea to block ACL inheritance on this OU, but it doesn't hurt you.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 13, 2006 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

Well, the obvious effect is that it prevents domain-linked policies
from being delivered correctly, including password policy. This is probably not
desirable. I can't think of a good scenario where this would be useful. 

Darren

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU

The company I am currently working for has block inheritance enabled for the Domain Controllers OU and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this).

Although I am curious, what sort of ramifications does enabling block inheritance on the Domain Controllers OU pose? And what reason would you have to enable this setting on the Domain Controllers OU? With any other OU, it would be fairly obvious, but being that these are the Domain Controllers it would seem to be a unique situation.

Thanks as always for your input,

~Ben

RE: [ActiveDir] Block Inheritance on DC OU

2006-09-14 Thread Dave Wade

You say "obvious" but is this obvious? What happens in the case of password policy? This can only be set at the top level of the domain. Does this block actually prevent it being applied? I would guess that it does, but I wonder if anyone has tested it or has any docs on what actually happens.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 13, 2006 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

Well, the obvious effect is that it prevents domain-linked policies from being delivered correctly, including password policy. This is probably not desirable. I can't think of a good scenario where this would be useful.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU

The company I am currently working for has block inheritance enabled for the Domain Controllers OU and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this).

Although I am curious, what sort of ramifications does enabling block inheritance on the Domain Controllers OU pose? And what reason would you have to enable this setting on the Domain Controllers OU? With any other OU, it would be fairly obvious, but being that these are the Domain Controllers it would seem to be a unique situation.

Thanks as always for your input,
~Ben

**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this email,  or any response to it,  under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**

[ActiveDir] CSVDE Export

2006-09-14 Thread Mark Parris
Morning,

I am using csvde to create a CSV file for importing into another system and this runs (CRONS - say no more) on a regular basis.

The syntax is:

csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l "name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName"

On occasions the fields come out as listed and other times they are in a different order. I would like them to be consistent at all times. Does anyone know why they shuffle? Am I missing a flag or is there a better utility to create CSV files?

Many thanks

Mark
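One way to make the downstream import robust against the shuffling Mark describes, as an added example rather than anything from the thread: post-process each csvde run into the column order the -l list named, matching attribute names case-insensitively, leaving missing columns empty and dropping columns that were not requested (such as the leading DN). The two sample exports are constructed; only the OU path and attribute list come from the post.

```python
"""Normalise the column order of a csvde export.

Added example (not from the original post). Post-processing the file into
the order the -l list named gives a stable feed for the downstream import
even when csvde itself emits the columns in a different order.
The sample exports below are constructed."""
import csv
import io
from typing import List

# The attribute list from the csvde -l switch in the original post.
WANTED = ["name", "mail", "givenName", "sn",
          "userPrincipalName", "physicalDeliveryOfficeName"]


def reorder_csv(text: str, wanted: List[str] = WANTED) -> str:
    """Rewrite a csvde CSV so its columns follow `wanted`, in that order.
    Header names are matched case-insensitively; a requested column that
    is absent from the export becomes an empty field; extra columns
    (e.g. DN, which csvde always emits first) are dropped."""
    reader = csv.DictReader(io.StringIO(text))
    present = {f.lower(): f for f in (reader.fieldnames or [])}
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(wanted)
    for row in reader:
        writer.writerow([row.get(present.get(col.lower(), ""), "")
                         for col in wanted])
    return out.getvalue()


# Constructed: two csvde runs over the same OU that came back with the
# columns in different orders (the symptom described in the thread).
RUN_1 = """\
DN,name,mail,givenName,sn,userPrincipalName,physicalDeliveryOfficeName
"CN=Ann Example,OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet",Ann Example,ann@example.test,Ann,Example,ann@abc.defghi.inet,HQ
"""

RUN_2 = """\
DN,sn,physicalDeliveryOfficeName,mail,name,userPrincipalName,givenName
"CN=Ann Example,OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet",Example,HQ,ann@example.test,Ann Example,ann@abc.defghi.inet,Ann
"""


def runs_match() -> bool:
    """True when both runs normalise to byte-identical output."""
    return reorder_csv(RUN_1) == reorder_csv(RUN_2)
```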


[ActiveDir] Any impacts to domain controller when changing its IP?

2006-09-14 Thread Jobsz

Dear all,

Because our company is being merged with another company, in the process of integration we need to change the internal IP address and computer name.

Our domain controller is Windows Server 2003. We have to change its computer name and internal IP but there is no need to change the domain name, because we want to let it run for 3 months.

Could anyone tell me what impacts these changes would bring?

Any suggestions would be appreciated!

With best regards
Jobs.Zhao

RE: [ActiveDir] Sharepoint in the DMZ

2006-09-14 Thread Group, Russ

Thank you

Is he in NY?

Thanks
Russ


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramon Linan
Sent: Wednesday, September 13, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: FW: [ActiveDir] Sharepoint in the DMZ

Hi Russ,

I have a friend with a lot of experience as Sharepoint administrator in different environments; this is what he suggested.

BTW, although he is currently working in the same company as me, he is looking to move to another company, in case you need someone.

Rezuma

They should only open port 443 from the internet and use SSL if it will be used with AD users. If it's dual purpose for outlook web access, it still only needs 443. You can hide the purpose of this port from port scanners by using a load balancer or port redirection.

When connecting servers in the DMZ to servers on the inside, the best way is to create an IPSec tunnel from web server to inside (dbase or exchange) server using the MS built in networking and run the tunnel over a non-standard port such as 5066. That will minimize how many ports are open from the DMZ to inside and will also take care of forgetting to open a port or two when more traffic needs to pass such as NetBIOS or AD type traffic. Because it's a non-standard port, it makes it harder to find and identify for specific exploit types such as SQL injection on port 1433 against SQL server.

I don't have an opinion on using a child domain, it will work fine but if security is the reason, I'd build a separate domain and use a trust maybe.

What do you think?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Group, Russ
Sent: Tuesday, September 12, 2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint in the DMZ

Hi all,

I have a consultant that wants to put Sharepoint into our DMZ. Here is what he is proposing to do:

- Create a child domain and put the Sharepoint computer account in the child domain
- Put Sharepoint server in our DMZ.
- Open up the same ports for Sharepoint that we would open for Outlook Web Access
- Also open port 1433 for SQL

Since I don't know much about Sharepoint, I was hoping someone would be able to let me know if this has been done in the past and if it's safe.

Thank you
Russ

RE: [ActiveDir] Sharepoint in the DMZ

2006-09-14 Thread Ramon Linan

No problem at all, he is actually living in 
MD.

Let me know if you would like his contact 
info.

Rezuma


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Group, Russ
Sent: Thursday, September 14, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sharepoint in the DMZ

Thank you

Is he in NY?

Thanks
Russ


Re: [ActiveDir] Any impacts to domain controller when changing its IP?

2006-09-14 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
In SBSland they made a change IP address wizard for our DCs because invariably we forget something...

DHCP
WINS
kitchen sink stuff, etc

http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/43dd693a-0cc4-47fd-94c7-cfe200439f41.mspx?mfr=true

You can see what the wizard does, which are the changes you will need to make.


RE: [ActiveDir] Any impacts to domain controller when changing its IP?

2006-09-14 Thread McClure, David (MED US)

If you're running a Certificate Authority on that DC, you can't change
the computer name without first uninstalling Certificate Services.  I'm
not sure what the impact would be on the chain of trust if you reinstall
CertSvcs after the name change.

---
This message and any included attachments are from Siemens Medical Solutions
USA, Inc. and are intended only for the addressee(s). 
The information contained herein may include trade secrets or privileged or
otherwise confidential information.  Unauthorized review, forwarding, printing,
copying, distributing, or using such information is strictly prohibited and may
be unlawful.  If you received this message in error, or have reason to believe
you are not authorized to receive it, please promptly delete this message and
notify the sender by e-mail with a copy to [EMAIL PROTECTED]

Thank you


Re: [ActiveDir] Any impacts to domain controller when changing its IP?

2006-09-14 Thread Mark Parris
If you want to change the computer name you need to demote the server, wait for replication, then change the server name (at this stage I would re-IP the server), then dcpromo the server again.

This is of course assuming you have multiple DCs; if not, and it's only for 3 months, then why not keep the name and just change the IP address.

Make sure DNS functions correctly.

Regards

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: McClure, David (MED US) [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 10:12:54 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?


RE: [ActiveDir] Any impacts to domain controller when changing its IP?

2006-09-14 Thread Justin_Leney

I am about to embark on a similar task.

I have a root DC running DNS that is slowly dying. I have a fresh server to take its place. The fresh server will use a new hostname. Two scenarios I envision:

(1) Promote and install DNS on the fresh server, using a temporary IP address. Make the fresh box a GC. Migrate FSMOs from the dead server, remove its GC, demote, remove DNS and remove it from the domain, and then shutdown the dying server. Ensure all replication and computer objects are gone. Assign the dying server's IP to the fresh server.

-or-

(2) Demote, remove DNS and shutdown the dying server. Assign its IP to the fresh server. Promote and install DNS on the fresh box.

I am thinking scenario (1) would be the cleanest, albeit more time consuming, scenario. Any thoughts?

Thanks!

McClure, David (MED US) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/14/2006 10:12 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?

NEW! COSMEO, THE ONLINE HOMEWORK HELP TOOL BROUGHT TO YOU BY DISCOVERY CHANNEL. FREE TRIAL AT HTTP://WWW.COSMEO.COM

This e-mail, and any attachment, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views which are not the views of Discovery Communications, Inc. (DCI).


[ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Chris Pohlschneider

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software, and it does work, but it causes headaches when installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]

RE: [ActiveDir] Any impacts to domain controller when changing its IP?

2006-09-14 Thread Almeida Pinto, Jorge de
have a look at:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/25/165.aspx
 
which might help you on your way
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Jobsz
Sent: Thu 2006-09-14 14:09
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Any impacts to domain controller when changing its IP?



Dear all,

Because our company is being merged by another company, in the process of
integration we need to change the internal IP address and computer name.

Our domain controller is Windows Server 2003.
We have to change its computer name and internal IP but no need to change
the domain name, because we want to let it run for 3 months.

Could anyone tell me what impacts are brought by these changes?

Any suggestions would be appreciated!


With best regards
Jobs.Zhao



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

RE: [ActiveDir] CSVDE Export

2006-09-14 Thread Mike Newell
Hey,
Don't know why csvde would change the order but try adfind from
www.joeware.net. So far for me, it's always kept the fields in the order
that I list them in the query.

Below gets just the user accounts in the OU. If you want everything in
the OU remove the -f "(&(objectcategory=person))" reference.

adfind -csv -nodn -b "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -f "(&(objectcategory=person))" name mail givenname sn userprincipalname physicaldeliveryofficename > filename.csv

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 14, 2006 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CSVDE Export

Morning,

I am using csvde to create a CSV file for importing into another system
and this runs (CRONS - say no more) on a regular basis.

the syntax is 

csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName

on occasions the fields come out as listed and other times they are in a
different order. I would like them to be consistent at all times.

Does anyone know why they shuffle? Am I missing a flag or is there a
better utility to create CSV files?

many thanks

mark


This message and any attachments (the Message) may contain confidential, 
proprietary and/or privileged information and are only for their intended 
recipient(s). If you are not the intended recipient, you should notify the 
sender and delete the Message. E-mail transmissions cannot be guaranteed to be 
secure or error-free. This Message is provided for information purposes and 
should not be construed as a solicitation or offer to buy or sell any 
securities or financial instruments, or to provide investment advice in any 
jurisdiction where the sender is not properly licensed or permitted to do so.  
This Message is subject to additional conditions and restrictions.  Please read 
them here:  http://legal.dimensional.com/email/


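An added example, not from the thread: rather than depending on the column order csvde or adfind happens to emit, a small post-processing step can pin the order the importing system expects and refuse an export that lacks one of those columns. The sample export below is constructed; the column list is the -l list from Mark's csvde call.

```python
"""Force a fixed column order on a CSV export such as the ones csvde and
adfind produce, so the downstream import sees the same layout on every run.

Added example, not from the original thread. SAMPLE_EXPORT is constructed:
it imitates an export whose header came out in a different order than the
one requested.
"""
import csv
import io

# The order the consuming system expects (the -l list of the csvde call).
WANTED = ["name", "mail", "givenName", "sn", "userPrincipalName",
          "physicalDeliveryOfficeName"]

# Constructed sample: same attributes, shuffled header, one blank cell.
SAMPLE_EXPORT = """\
mail,sn,name,physicalDeliveryOfficeName,givenName,userPrincipalName
alice@abc.defghi.inet,Adams,Alice Adams,Office 1,Alice,alice@abc.defghi.inet
bob@abc.defghi.inet,Brown,Bob Brown,,Bob,bob@abc.defghi.inet
"""


def normalize_columns(text: str, wanted: list[str]) -> str:
    """Return CSV text with exactly the `wanted` columns, in that order.

    Header matching is case-insensitive because LDAP attribute names are,
    and the tool may echo them in schema case rather than the case given on
    the command line. A missing wanted column is an error rather than a
    silently empty column: the export did not contain what the importer
    relies on, and that should stop the job, not feed it blanks.
    """
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None:
        raise ValueError("export has no header row")
    by_lower = {h.lower(): h for h in reader.fieldnames}
    missing = [w for w in wanted if w.lower() not in by_lower]
    if missing:
        raise ValueError(f"export is missing expected columns: {missing}")
    source_names = [by_lower[w.lower()] for w in wanted]

    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(wanted)
    for row in reader:
        writer.writerow([row[src] for src in source_names])
    return out.getvalue()


if __name__ == "__main__":
    print(normalize_columns(SAMPLE_EXPORT, WANTED), end="")
```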


RE: [ActiveDir] Any impacts to domain controller when changing its IP?

2006-09-14 Thread Almeida Pinto, Jorge de
Title: Re: [ActiveDir] Any impacts to domain controller when changing its IP?






"If you want to change the computer name you need to DEMOTE the server"

Isn't that for w2k only? (he's got w2k3)




Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services


LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address


From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 2006-09-14 16:35
To: ActiveDir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changing its IP?

If you want to change the computer name you need to demote the server, wait for replication, then change the server name; at this stage I would re-IP the server, then dcpromo the server again. This is of course assuming you have multiple DCs; if not, and it's only for 3 months, then why not keep the name and just change the IP address. Make sure DNS functions correctly.

Regards
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

-----Original Message-----
From: "McClure, David (MED US)" [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 10:12:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?

If you're running a Certificate Authority on that DC, you can't change the computer name without first uninstalling Certificate Services. I'm not sure what the impact would be on the chain of trust if you reinstall CertSvcs after the name change.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changing its IP?

In SBSland they made a change IP address wizard for our DCs because invariably we forget something... DHCP, WINS, kitchen sink stuff, etc.
http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/43dd693a-0cc4-47fd-94c7-cfe200439f41.mspx?mfr=true
You can see what the wizard does.. which are the changes you will need to do.

Jobsz wrote:

Dear all,

Because our company is being merged by another company, in the process of integration we need to change the internal IP address and computer name.

Our domain controller is Windows Server 2003.
We have to change its computer name and internal IP but no need to change the domain name, because we want to let it run for 3 months.

Could anyone tell me what impacts are brought by these changes?

Any suggestions would be appreciated!

With best regards
Jobs.Zhao






Re: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-14 Thread Matt Hargraves
I think we discovered the problem... things were just locked down a *tad* too much.

On 9/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:


Look at your default recipient policy. What's set there? Just curious.



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: Matt Hargraves
Sent: Wed 9/13/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.
Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers, the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).

On 9/13/06, Brian Desmond 
[EMAIL PROTECTED] wrote: 




On W2000 running OWA on a DC this was an issue … only case I know of. What are the issues you're having?


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.





We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid. 


On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:



No it wouldn't. Why are you giving an IWAM account access to a remote machine?


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM

To: ActiveDir@mail.activedir.org

Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.


Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the Log on locally right for an OU if I can do it with a more simple command. I'll try just about anything :)
Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:



And if you think about it they couldn't – if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different. 




Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.


Matt-
I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.


Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.
I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID; if I simply do a browse for the account on one machine, will it resolve to the SID and apply the setting for all accounts, or is there another way to do this (like specifying Builtin\Administrator would work for the builtin Administrator account) no matter what the name happens to be on a local machine?
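An added example, not from the thread, that makes Darren's and Brian's point concrete: a user-rights entry in a GPO is stored as a SID, and only well-known SIDs (BUILTIN groups, the reserved RIDs below 1000) mean the same principal on every machine; an IWAM_<server> account is created per server and gets its own allocated RID, which is why one entry cannot cover all of them and a group is the practical handle. The domain SID and RIDs below are constructed; the well-known authority and RID numbers are real Windows constants.

```python
"""Classify Windows SIDs the way a GPO user-rights entry stores them, to show
why BUILTIN\\Administrators can be named once for every server while each
server's IWAM_<server> account has to be listed (or put in a group).

Added example, not from the original thread. DOMAIN and the IWAM RIDs are
constructed; only the well-known authority/RID numbers are Windows constants.
"""
from dataclasses import dataclass
from typing import Optional

# Universal and BUILTIN (S-1-5-32-*) identifiers: the same value on every machine.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# Domain-relative RIDs below 1000 are reserved and mean the same in every domain.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


@dataclass(frozen=True)
class SidInfo:
    kind: str               # "well-known", "well-known-domain" or "allocated"
    label: str
    domain: Optional[str]   # S-1-5-21-... prefix for domain/machine accounts
    rid: Optional[int]


def parse_sid(sid: str) -> tuple[int, list[int]]:
    """Split 'S-1-<authority>-<sub>-...' into (authority, sub-authorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    if int(parts[1]) != 1:
        raise ValueError(f"unsupported SID revision in {sid!r}")
    return int(parts[2]), [int(p) for p in parts[3:]]


def classify_sid(sid: str) -> SidInfo:
    authority, subs = parse_sid(sid)
    if sid in WELL_KNOWN_SIDS:
        return SidInfo("well-known", WELL_KNOWN_SIDS[sid], None, None)
    # S-1-5-21-<d1>-<d2>-<d3>-<rid>: an account in a domain or in a machine's local SAM.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        domain = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        rid = subs[4]
        if rid in WELL_KNOWN_DOMAIN_RIDS:
            return SidInfo("well-known-domain", WELL_KNOWN_DOMAIN_RIDS[rid], domain, rid)
        # RIDs from 1000 upwards are handed out one per created principal.
        return SidInfo("allocated", f"RID {rid} (allocated, not well-known)", domain, rid)
    raise ValueError(f"unrecognised SID layout: {sid!r}")


def single_policy_entry(sids: list[str]) -> Optional[str]:
    """Return the one SID a GPO entry could carry that identifies every
    account in `sids` on every server, or None when no such SID exists.

    Only an identical well-known SID qualifies: allocated accounts such as
    IWAM_Server1 and IWAM_Server2 are distinct principals with distinct RIDs,
    so the policy needs each listed, or a group that contains them.
    """
    infos = [classify_sid(s) for s in sids]
    if len(set(sids)) == 1 and infos[0].kind != "allocated":
        return sids[0]
    return None


# Constructed domain SID and constructed IWAM RIDs for two web servers.
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
IWAM_SERVER1 = f"{DOMAIN}-1109"
IWAM_SERVER2 = f"{DOMAIN}-1117"

if __name__ == "__main__":
    for s in ("S-1-5-32-544", f"{DOMAIN}-512", IWAM_SERVER1, IWAM_SERVER2):
        print(s, classify_sid(s))
    print("one entry for BUILTIN\\Administrators:", single_policy_entry(["S-1-5-32-544"] * 3))
    print("one entry for IWAM accounts:", single_policy_entry([IWAM_SERVER1, IWAM_SERVER2]))
```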








RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Chinnery, Paul



We're using CounterSpy Enterprise from Sunbelt Software. Like you, we have seen a performance hit* on computers with just 128 meg of memory but that goes away when we add more memory. The only issue I ran into, other than performance, was it blocked a cookie that was necessary for our payroll department. However, once I "okayed" that cookie, it was fine.


*According to Sunbelt, the next version is supposed to reduce the 
performance impact.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Pohlschneider
  Sent: Thursday, September 14, 2006 10:44 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: Protecting against Spyware/Adware

  Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

  Chris Pohlschneider
  Holloway Sportswear IT
  937-494-2559
  937-497-7300 (Fax)
  [EMAIL PROTECTED]
  
  


RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Brian Desmond








Had Trend OfficeScan with Damage Cleanup Service on somewhere
between 60K and 90K devices. Worked great, they had graphs showing how well it
worked based on some custom data collection they did. 





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Chris Pohlschneider
Sent: Thursday, September 14, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware







Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.



Chris Pohlschneider

Holloway Sportswear IT

937-494-2559

937-497-7300 (Fax)

[EMAIL PROTECTED]














RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Dave Wade



Chris,

I gather we tweaked ours so it only used a certain % of system 
resources (20% I think) and while it does have some impact on performance it 
does seem "livable with" now they have done that..

Dave.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Pohlschneider
Sent: 14 September 2006 15:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware


Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]



**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this email,  or any response to it,  under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**




RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-14 Thread Andrew Cace



I'm not disregarding what has happened in this thread since Matt asked if he could wildcard the IWAM account name. In fact, I can't even answer that question authoritatively, but my gut feeling says that it won't work. Matt can, however, delegate the logon locally right to a group, then add the IWAM accounts to that group. This should be easier than adding every server's IWAM account to the policy. In both cases, you will still have to add any new IWAM accounts, whether it's to the policy or to the group.

-Andrew


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Wednesday, September 13, 2006 11:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.


Look at your default recipient policy. What's set there? Just curious.



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Matt Hargraves
Sent: Wed 9/13/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.
Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers, the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).
On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

  
  
  
  On W2000 running OWA on a DC this was an issue - only case I know of. What are the issues you're having?
  
  
  Thanks,
  Brian 
  Desmond
  [EMAIL PROTECTED]
  
  c - 
  312.731.3132
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
  Sent: Wednesday, September 13, 2006 10:49 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.
  
  
  
  
  We're having some issues with Exchange OWA and 
  MS said something about IWAM when we called them. We're not granting 
  them 'logon via terminal services', just testing 'log on locally', but if it 
  works, that just creates an entire mess that we'd like to avoid. 
  
  
  On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:
  
  
  
  No it wouldn't. Why are you giving an IWAM account access to a remote machine?
  
  
  Thanks,
  Brian 
  Desmond
  [EMAIL PROTECTED]
  
  c - 
  312.731.3132
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
  Sent: Wednesday, September 13, 2006 9:35 PM
  
  To: ActiveDir@mail.activedir.org
  
  Subject: Re: [ActiveDir] Specifying builtin accounts in GPO 
  settings.
  
  
  Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)
  Thanks,
  Matt
  
  On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:
  
  
  
  And if you think about it they couldn't - if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different.
  
  
  
  Thanks,
  Brian 
  Desmond
  [EMAIL PROTECTED]
  
  c - 
  312.731.3132
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
  Sent: Tuesday, September 12, 2006 2:29 PM
  
  To: ActiveDir@mail.activedir.org
  
  Subject: RE: [ActiveDir] Specifying builtin accounts in GPO 
  settings.
  
  
  Matt-
  I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.
  
  Darren
  
  Darren Mar-Elia
  For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
  Sent: Tuesday, September 12, 2006 10:00 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Specifying builtin accounts in GPO settings.
  I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID; if I simply do a browse for the account on one machine, will it

RE: [ActiveDir] Sharepoint in the DMZ

2006-09-14 Thread Group, Russ
Title: Sharepoint in the DMZ



Can you send me his resume offline? 


Thanks
Russ


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramon Linan
Sent: Thursday, September 14, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sharepoint in the DMZ

No problem at all, he is actually living in MD.

Let me know if you would like his contact info.

Rezuma


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Group, Russ
Sent: Thursday, September 14, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sharepoint in the DMZ

Thank you

Is he in NY?

Thanks
Russ


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramon Linan
Sent: Wednesday, September 13, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: FW: [ActiveDir] Sharepoint in the DMZ




Hi Russ,

I have a friend with a lot of experience as Sharepoint administrator in different environments, this is what he suggested.



BTW, although he is currently working in the same company as me, he is looking to move to another company, in case you need someone.

Rezuma





 
They should only open port 443 from the internet and use SSL if it will be used with AD users. If it's dual purpose for outlook web access, it still only needs 443. You can hide the purpose of this port from port scanners by using a load balancer or port redirection.

When connecting servers in the DMZ to servers on the inside, the best way is to create an IPSec tunnel from the web server to the inside (dbase or exchange) server using the MS built-in networking and run the tunnel over a non-standard port such as 5066. That will minimize how many ports are open from the DMZ to inside and will also take care of forgetting to open a port or two when more traffic needs to pass such as NetBIOS or AD type traffic. Because it's a non-standard port, it makes it harder to find and identify for specific exploit types such as SQL injection on port 1433 against SQL server.

I don't have an opinion on using a child domain, it will work fine but if security is the reason, I'd build a separate domain and use a trust maybe.


What do you think?

Dan









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Group, Russ
Sent: Tuesday, September 12, 2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint in the DMZ

Hi all
I have a consultant that wants to put Sharepoint into our DMZ. Here is what he is proposing to do:

- Create a child domain and put the Sharepoint computer account in the child domain
- Put Sharepoint server in our DMZ.
- Open up the same ports for Sharepoint that we would open for Outlook Web Access
- Also open port 1433 for SQL

Since I don't know much about Sharepoint, I was hoping someone would be able to let me know if this has been done in the past and if it's safe.
Thank you
Russ



[ActiveDir] Elevating privileges from DA to EA

2006-09-14 Thread neil.ruston
Title: Elevating privileges from DA to EA






It has been suggested by certain parties here that elevating one's rights from DA to EA is 'simple'.


I have suggested that whilst it's possible it is not simple at all.


Does anyone have any descriptions of methods / backdoors / workarounds etc that can be used to elevate rights in this way? Naturally, you may prefer to send this to me offline :) [EMAIL PROTECTED]

I can think of the following basic methods:

- Remove DC disks and edit offline

- Introduce key logger on admin workstation / DC

- Inject code into lsass


As you can see, I don't want specific steps to 'hack' the DC, just basic ideas / methods.


Thanks,

neil


PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.





FW: [ActiveDir] CSVDE Export

2006-09-14 Thread Mike Newell
And if you need the DN in the csv to import, remove the -nodn.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Thursday, September 14, 2006 9:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CSVDE Export

Hey,
Don't know why csvde would change the order but try adfind from
www.joeware.net. So far for me, it's always kept the fields in the order
that I list them in the query.

Below gets just the user accounts in the OU. If you want everything in
the OU remove the -f "(&(objectcategory=person))" reference.

adfind -csv -nodn -b "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -f "(&(objectcategory=person))" name mail givenname sn userprincipalname physicaldeliveryofficename > filename.csv

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 14, 2006 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CSVDE Export

Morning,

I am using csvde to create a CSV file for importing into another system
and this runs (CRONS - say no more) on a regular basis.

the syntax is 

csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName

on occasions the fields come out as listed and other times they are in a
different order. I would like them to be consistent at all times.

Does anyone know why they shuffle? Am I missing a flag or is there a
better utility to create CSV files?

many thanks

mark




RE: [ActiveDir] CSVDE Export

2006-09-14 Thread Brian Desmond
Just so you know that query will get you more than user accounts. To get
just users do (&(objectCategory=person)(objectClass=user))

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Mike Newell
 Sent: Thursday, September 14, 2006 10:56 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] CSVDE Export
 
 Hey,
 Don't know why csvde would change the order but try adfind from
 www.joeware.net. So far for me, it's always kept the fields in the
 order that I list them in the query.
 
 Below gets just the user accounts in the OU. If you want everything in
 the OU remove the -f "(&(objectcategory=person))" reference.
 
 adfind -csv -nodn -b "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -f "(&(objectcategory=person))" name mail givenname sn userprincipalname physicaldeliveryofficename > filename.csv
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: Thursday, September 14, 2006 6:02 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] CSVDE Export
 
 Morning,
 
 I am using csvde to create a CSV file for importing into another system
 and this runs (CRONS - say no more) on a regular basis.
 
 the syntax is
 
 csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName
 
 on occasions the fields come out as listed and other times they are in
 a different order. I would like them to be consistent at all times.
 
 Does anyone know why they shuffle? Am I missing a flag or is there a
 better utility to create CSV files?
 
 many thanks
 
 mark
 
 
 This message and any attachments (the Message) may contain
 confidential, proprietary and/or privileged information and are only
 for their intended recipient(s). If you are not the intended
recipient,
 you should notify the sender and delete the Message. E-mail
 transmissions cannot be guaranteed to be secure or error-free. This
 Message is provided for information purposes and should not be
 construed as a solicitation or offer to buy or sell any securities or
 financial instruments, or to provide investment advice in any
 jurisdiction where the sender is not properly licensed or permitted to
 do so.  This Message is subject to additional conditions and
 restrictions.  Please read them here:
 http://legal.dimensional.com/email/
 
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx
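Whatever the reason csvde shuffles its columns, the import on the other side only needs a stable layout, and that can be enforced after the export. The Python below is an added example of mine (not code from the thread, from csvde or from adfind): it reads an export as CSV, matches headers case-insensitively, and rewrites the file with the requested attributes in a fixed order, filling an attribute the export lacks with an empty string and dropping extra columns such as DN. The two exports, with their DNs and addresses, are constructed sample data.

```python
import csv
import io

# Attributes the import job expects, in the order it expects them.
WANTED = ["name", "mail", "givenName", "sn", "userPrincipalName",
          "physicalDeliveryOfficeName"]

# Constructed sample input: two exports of the same OU whose column order
# differs (and one of which lacks a column), standing in for csvde output.
EXPORT_A = (
    "DN,name,mail,givenName,sn,userPrincipalName,physicalDeliveryOfficeName\n"
    '"CN=Jane Doe,OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet",'
    "Jane Doe,jdoe@example.test,Jane,Doe,jdoe@abc.defghi.inet,Office 12\n"
)
EXPORT_B = (
    "DN,sn,givenName,mail,name,userPrincipalName\n"
    '"CN=John Roe,OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet",'
    "Roe,John,jroe@example.test,John Roe,jroe@abc.defghi.inet\n"
)


def normalize_rows(csv_text, wanted=WANTED):
    """Return the records as dicts keyed by the wanted attributes, in that order.

    Header matching is case-insensitive because LDAP attribute names are.
    Attributes missing from the export become empty strings, so a downstream
    import always sees the same columns; extra columns (such as DN) are dropped.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header_by_lower = {h.lower(): h for h in (reader.fieldnames or [])}
    rows = []
    for record in reader:
        row = {}
        for attr in wanted:
            source = header_by_lower.get(attr.lower())
            row[attr] = record[source] if source is not None else ""
        rows.append(row)
    return rows


def normalize_csv(csv_text, wanted=WANTED):
    """Re-emit the export with a fixed header and column order."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=wanted, lineterminator="\n")
    writer.writeheader()
    writer.writerows(normalize_rows(csv_text, wanted))
    return out.getvalue()


if __name__ == "__main__":
    print(normalize_csv(EXPORT_A))
    print(normalize_csv(EXPORT_B))
```

Run it between the scheduled export and the import (or pipe the adfind output through it) and the consumer sees the same six columns in the same order every time, regardless of which tool produced the file.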


RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-14 Thread Akomolafe, Deji



Glad I could help ;)

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Matt Hargraves
Sent: Thu 9/14/2006 8:00 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

I think we discovered the problem... things were just locked down a *tad* too much.

On 9/13/06, Akomolafe, Deji mailto:[EMAIL PROTECTED] wrote:

Look at your default recipient policy. What's set there? Just curious.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Matt Hargraves
Sent: Wed 9/13/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers, the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).

On 9/13/06, Brian Desmond mailto:[EMAIL PROTECTED] wrote:

On W2000 running OWA on a DC this was an issue; only case I know of. What are the issues you're having?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

No it wouldn't. Why are you giving an IWAM account access to a remote machine?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)

Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:

And if you think about it they couldn't; if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.

Matt-
I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia

For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.

I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID, if I simply do a browse for the account on one machine, will it resolve to SID and apply the setting for all accounts, or is there another way to do this (like specifying "Builtin\Administrator" would work for the builtin Administrator account) no matter what the name happens to be on a local machine?
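Darren's point that the IWAM_/IUSR_ accounts do not have well-known SIDs is what decides the question, and it can be read off the SID structure alone: a policy entry holding S-1-5-32-544 names BUILTIN\Administrators on every machine, whereas an IWAM_ account's SID is S-1-5-21-<identifier>-<RID>, and the identifier is that of one machine's SAM (or of the domain, for the accounts Brian mentions on DCs). The Python below is an added example of mine, not code from the thread or from psgetsid: it parses a SID string and classifies it as well-known (identical everywhere) or domain/machine-relative (differs per computer or domain). The two IWAM_ SIDs are constructed sample values with made-up identifiers, and the well-known table is a short subset of the documented ones.

```python
# Well-known SIDs that are identical on every Windows machine and in every
# domain, which is what lets a policy entry for them apply unchanged on all
# targets. A short subset of the documented list, enough for the example.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities])."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    try:
        return int(parts[2]), [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError("non-numeric component in SID: %r" % sid) from None


def classify_sid(sid):
    """Describe the scope of a SID.

    scope: 'well-known'        identical everywhere (Everyone, SYSTEM, the BUILTIN groups)
           'domain-or-machine' S-1-5-21-<A>-<B>-<C>-<RID>: A-B-C identifies one domain or
                               one machine's local SAM, so the SID differs per computer
           'other'             anything else (logon-session SIDs, service SIDs, ...)
    identifier: the S-1-5-21-A-B-C prefix for domain-or-machine SIDs, else None
    rid: the last sub-authority (None for a bare authority SID)
    name: display name for SIDs in the table above, else None
    """
    authority, subs = parse_sid(sid)
    canonical = "S-1-%d" % authority + "".join("-%d" % s for s in subs)
    rid = subs[-1] if subs else None
    if canonical in WELL_KNOWN_SIDS:
        return {"scope": "well-known", "identifier": None, "rid": rid,
                "name": WELL_KNOWN_SIDS[canonical]}
    if authority == 5 and subs[:1] == [32]:
        # BUILTIN domain: the same on every machine even for RIDs not tabulated above.
        return {"scope": "well-known", "identifier": None, "rid": rid, "name": None}
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return {"scope": "domain-or-machine",
                "identifier": "S-1-5-21-%d-%d-%d" % tuple(subs[1:4]),
                "rid": rid, "name": None}
    return {"scope": "other", "identifier": None, "rid": rid, "name": None}


def same_account_everywhere(sid):
    """True when a policy entry holding this SID resolves to the same principal on every machine."""
    return classify_sid(sid)["scope"] == "well-known"


# Constructed sample SIDs (made-up identifier values, in the form psgetsid
# prints them) for the IWAM_ account of two different member servers.
IWAM_SERVER1 = "S-1-5-21-1004336348-1177238915-682003330-1003"
IWAM_SERVER2 = "S-1-5-21-3623811015-3361044348-30300820-1003"

if __name__ == "__main__":
    for sid in (IWAM_SERVER1, IWAM_SERVER2, "S-1-5-32-544"):
        print(sid, classify_sid(sid), same_account_everywhere(sid))
```

The two IWAM_ SIDs share a RID but carry different identifiers, so a right granted to one of them in a GPO applies to exactly one machine; the same check on S-1-5-32-544 shows why a BUILTIN group works across the whole OU.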






RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Crawford, Scott
Nobody runs as a local administrator.  We have zero issues with spyware.  
Coincidence?



From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware



Just curious what other people are using for protecting against adware/spyware?
We are using Webroot Spysweeper right now, but I see some performance hits on
computers running this software and it does work, but it causes headaches while
installing some apps that we approve. Any suggestions are appreciated.

 

Chris Pohlschneider

Holloway Sportswear IT

937-494-2559

937-497-7300 (Fax)

[EMAIL PROTECTED]

 

 


Re: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Nonadmin

I personally have had way fewer issues when users that don't need admin
rights don't have them.


Chinnery, Paul wrote:
We're using CounterSpy Enterprise from Sunbelt Software.  Like you, we
have seen a performance hit* on computers with just 128 meg of memory
but that goes away when we add more memory.  The only issue I ran
into, other than performance, was it blocked a cookie that was
necessary for our payroll department.  However, once I okayed that
cookie, it was fine.
 
*According to Sunbelt, the next version is supposed to reduce the 
performance impact.


-Original Message-
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of *Chris
Pohlschneider
*Sent:* Thursday, September 14, 2006 10:44 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against
adware/spyware? We are using Webroot Spysweeper right now, but I
see some performance hits on computers running this software and
it does work, but it causes headaches while installing some apps
that we approve. Any suggestions are appreciated.

 


Chris Pohlschneider

Holloway Sportswear IT

937-494-2559

937-497-7300 (Fax)

[EMAIL PROTECTED]

 

 



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] DNS Entries --Laptop Users--

2006-09-14 Thread Al Mulnick
Ulf did a really nice write up a while back that's worth reading: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/26/39841.aspx

Here's the KB I was referring to: http://support.microsoft.com/?id=816592

On 9/14/06, Ravi Dogra [EMAIL PROTECTED] wrote:

Al, this is not a priority for us now. Earlier I was unaware of our VPN Box settings, that's why I was a bit confused about why these machines are registering their own records in my DNS. Also I am not going to uncheck the Register in DNS check box on the client machine, as this is not required as of now. I have already set the lease period as per our organizational requirement, so again I will not do any change unless it is a must-required thing to do. Al, I would surely want to have a look at the KB you referred to. If possible, do me this favor.

Thanks for all your help!!!

Ravi Dogra

On 9/14/06, Al Mulnick [EMAIL PROTECTED] wrote:

Personally, for a shop with more than 30 machines I wouldn't recommend this approach. DHCP half-life registrations would start to fly all over the place. That and the DHCP server is not registering for the remote users.

On 9/13/06, Matt Hargraves [EMAIL PROTECTED] wrote:

I'm not a huge DNS geek, so I'm not sure whether you can do this, but can't you just set the DHCP to have a short expiration (1 hour?) and it will unregister the 'old' entry for a machine? There would be a small amount of vulnerability, but it would go away after the client's reservation expires.

On 9/13/06, Ravi Dogra [EMAIL PROTECTED] wrote:

No, laptop users are getting IP addresses from my VPN Box and when they are on site it's DHCP. On machines the Register in DNS option is checked, hence machines are attempting to register their own records in DNS. Although I have made my LAN DHCP register only its clients in DNS. Credentials used are obviously my Administrator account.

But Al, the issue we had is laptop users are using LAN DHCP as well as using a VPN connection from home. Both are getting registered in my DNS with different IPs. Which is obvious. But the thing is SOPHOS gave us this as one of the reasons for my laptop machines not showing in Sophos Enterprise Console, because it uses DNS to build the existing machines list. Now everything is working fine and this reason was totally not applicable, but still there are other machines which are only in our network using only my LAN DHCP and are not showing up in EC. The Sophos Support team is working on this.

Thanks and Regards
Ravi Dogra

On 9/13/06, Al Mulnick [EMAIL PROTECTED] wrote:

I swear this is the last question and then I'll make a suggestion. :) Is the DHCP server that the remote clients are getting their IP addresses from the same as the one that you are using for LAN connected clients? You are obviously allowing the user's machine to update its own records, but is that consistent, or is the DHCP server on the LAN registering the records for you, possibly under a different set of credentials or in a different zone?

On 9/11/06, Ravi Dogra [EMAIL PROTECTED] wrote:

Yes, it's correct. No, we have mobile users.

On 9/11/06, Al Mulnick [EMAIL PROTECTED] wrote:

Besides the obvious of telling Sophos to adjust their management to deal with this, here's what I understand of your problem to date. VPN clients that are also trusted network clients (i.e. mobile users that traverse both trusted and non-trusted networks) can end up with seemingly duplicate entries for the same device but different IP addresses. This confuses some antivirus management applications and presumably some management applications such as SMS or a similar class of app that rely on reverse name resolution. Is that correct? Do you have workers that are remote-based only?

Al

On 9/8/06, Ravi Dogra [EMAIL PROTECTED] wrote:

According to Sophos Support, if one host has 2 DNS entries, Sophos Enterprise Manager might not be able to detect this host and auto update will also not work. As you know, Jolly, we are in the process of migration from Trend to Sophos as our antivirus solution. Working on a solution, will update soon.

Thanks
Ravi Dogra

On 9/8/06, Jaspreet Singh [EMAIL PROTECTED] wrote:

Ravi, as Rob said, if your VPN box is forwarding requests to your internal network then your DNS will automatically update the records according to the new IP, which in your case is x.x.5.x. Can you explain exactly what is the problem that you are facing due to this?

Regards,
Jaspreet Singh Jolly

On 9/7/06, Al Mulnick [EMAIL PROTECTED] wrote:

1. I didn't understand what exactly you are asking?
2. Yes, DHCP is configured properly.
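The symptom Ravi describes, one laptop registered under the same name with both a LAN address and a VPN address, is easy to check for from a zone export, and the same check tells you afterwards whether lease and scavenging changes actually cleared the duplicates. The Python below is an added example of mine, not from the thread: it parses the A records out of zone-file text (the format written by BIND and by a Windows DNS zone export), groups them by owner name and reports owners with more than one address, labelling each address by the pool it falls in. The zone excerpt and the address pools (10.1.20.0/24 as the LAN DHCP scope, 10.1.5.0/24 as the VPN box's range, echoing the thread's "x.x.5.x") are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: an excerpt of a forward zone in zone-file text. Names
# and addresses are made up; it is not a dump from any real zone.
ZONE_TEXT = """\
$ORIGIN corp.example.test.
$TTL 1200
laptop01   1200 IN A     10.1.20.15
laptop01   1200 IN A     10.1.5.77
laptop02   1200 IN A     10.1.20.16
desktop07  1200 IN A     10.1.20.40
laptop03   1200 IN A     10.1.5.91
mail       1200 IN MX 10 mailhost.corp.example.test.
"""

# Constructed address plan: which pool hands out which range.
POOLS = {
    "lan-dhcp": ipaddress.ip_network("10.1.20.0/24"),
    "vpn": ipaddress.ip_network("10.1.5.0/24"),
}


def pool_for(address):
    """Name of the pool an address falls into, or 'unknown'."""
    addr = ipaddress.ip_address(address)
    for name, net in POOLS.items():
        if addr in net:
            return name
    return "unknown"


def parse_a_records(zone_text):
    """Yield (owner, address) for every A record in the zone text.

    Lines starting with '$' are directives and lines starting with ';' are
    comments; both are skipped, as are records of other types.
    """
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("$", ";")):
            continue
        fields = line.split()
        # Layout is: owner [ttl] [class] type rdata; locate the 'A' type token.
        try:
            idx = fields.index("A")
        except ValueError:
            continue
        if idx == 0 or idx + 1 >= len(fields):
            continue
        yield fields[0].lower(), fields[idx + 1]


def find_multihomed_hosts(zone_text):
    """Owners with more than one A record, each address labelled by pool."""
    by_owner = defaultdict(list)
    for owner, address in parse_a_records(zone_text):
        by_owner[owner].append((address, pool_for(address)))
    return {owner: addrs for owner, addrs in by_owner.items() if len(addrs) > 1}


if __name__ == "__main__":
    for owner, addrs in find_multihomed_hosts(ZONE_TEXT).items():
        print(owner, addrs)
```

An owner that shows one lan-dhcp and one vpn address is exactly the double registration that confused the Sophos console; an owner with two addresses from the same pool points instead at stale records that scavenging has not yet removed.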

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread beads
Return Receipt: your document "RE: [ActiveDir] OT: Protecting against Spyware/Adware" was received by [EMAIL PROTECTED] at 09/14/2006 02:14:14 PM.






RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Chris Pohlschneider

I have not done a lot of research on this, but if you have users in either the Power Users or regular Users group, won't that cut down tremendously on the potential of getting adware/spyware?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chinnery, Paul
Sent: Thursday, September 14, 2006 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

We're using CounterSpy Enterprise from Sunbelt Software. Like you, we have seen a performance hit* on computers with just 128 meg of memory but that goes away when we add more memory. The only issue I ran into, other than performance, was it blocked a cookie that was necessary for our payroll department. However, once I okayed that cookie, it was fine.

*According to Sunbelt, the next version is supposed to reduce the performance impact.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: Thursday, September 14, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread beads

We use TrendMicro as well. Probably
not quite as good as Webroot as Trend is a bit more conservative than is
Webroot. Then again, Webroot is very aggressive as spyware is all they do.
Eventually, I think you'll see them acquired by one of the top three A/V
folks (Symantec, McAfee or TrendMicro). But they (Webroot) have resisted
such in the past.

As far as overall performance I still
recommend TrendMicro in the Enterprise. It simply works well together.
Besides we are small enough to see any actual leaks from spyware, etc.
I haven't found anything that I cannot account for leaving the network.
I tell people to think of us as a medium sized business with only a few
internal people. That's why I can see (Ethereal) anything leaving or not
leaving the network - when I want.



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax:   (312) 762-9275


The contents contain privileged and/or confidential information intended
for the named recipient of this email. ETSI (Employee Technology Solutions,
Inc.) does not warrant that the contents of any electronically transmitted
information will remain confidential. If the reader of this email is not
the intended recipient you are hereby notified that any use, reproduction,
disclosure or distribution of the information contained in the email in
error, please reply to us immediately and delete the document. 

Viruses, Malware, Phishing and other known and unknown electronic threats:
It is the recipient/client's duties to perform virus scans and otherwise
test the information provided before loading onto any computer system.
No warranty is made that this material is free from computer virus or any
other defect.

Any loss/damage incurred by using this material is not the sender's responsibility.
Liability will be limited to resupplying the material.






From: Brian Desmond [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 09/14/2006 10:05 AM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Had Trend OfficeScan
with Damage Cleanup Service on somewhere between 60K and 90K devices. Worked
great, they had graphs showing how well it worked based on some custom
data collection they did. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: Thursday, September 14, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using
for protecting against adware/spyware? We are using Webroot Spysweeper
right now, but I see some performance hits on computers running this software
and it does work, but it causes headaches will installing some apps that
we approve. Any suggestions are appreciated. 

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]







RE: [ActiveDir] DNS zones expiring

2006-09-14 Thread Akomolafe, Deji



I guess if you have "Widows", then someone must have "expired" :)[1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring

Hey All -

I've setup the child domain DNS zones as primary (not AD-Integrated). On the parent Domain Controllers/DNS servers I've added that zone as a secondary zone. I've noticed this DNS setup has worked better for me in the past than a full AD-Integrated setup. After migrating over to Widows 2003, every day I get an event log message on the parent DNS server log indicating that the child domain's zone has expired and I have to manually reload. Any ideas? Help? Suggestions?

Thanks,
-- HBooGz:\


Re: [ActiveDir] CSVDE Export

2006-09-14 Thread Mark Parris
Mike, 

Thanks I will give it a go later, I always seem to forget about ADfind. 

ADfind is a bit like a potato - you can do so many different things with it.

Regards


Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: Mike Newell [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 07:55:52 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CSVDE Export

Hey,
Don't know why csvde would change the order but try adfind from
www.joeware.net. So far for me, it's always kept the fields in the order
that I list them in the query.

Below gets just the user accounts in the OU. If you want everything in
the OU remove the -f ((objectcategory=person)) reference.

adfind -csv -nodn -b "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -f "(objectcategory=person)" name mail givenname sn userprincipalname physicaldeliveryofficename > filename.csv

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 14, 2006 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CSVDE Export

Morning,

I am using csvde to create a CSV file for importing into another system
and this runs (CRONS - say no more) on regular basis.

the syntax is 

csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName

on occasions the fields come out as listed and other times they are in a
different order. I would like them to be consistent at all times.

Does anyone know why they shuffle? Am I missing a flag or is there a
better utility to create CSV files?

many thanks

mark





Re: [ActiveDir] Any impacts to domain controller when changing its IP?

2006-09-14 Thread Mark Parris
Really - must have missed that.

Whoops.


Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 16:50:13
To: ActiveDir@mail.activedir.org, ActiveDir.org ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?

If you want to change the computer name you need to DEMOTE the server

isn't that for w2k only? (he's got w2k3)
  
  
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

 

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 2006-09-14 16:35
To: ActiveDir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changing its IP?

If you want to change the computer name you need to demote the server, wait for
replication, then change the server name; at this stage I would re-IP the server,
then dcpromo the server again.

This is of course assuming you have multiple DCs; if not, and it's only for 3
months, then why not keep the name and just change the IP address.

Make sure DNS functions correctly.

Regards




Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: McClure, David (MED US) [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 10:12:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?


If you're running a Certificate Authority on that DC, you can't change
the computer name without first uninstalling Certificate Services.  I'm
not sure what the impact would be on the chain of trust if you reinstall
CertSvcs after the name change.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changing its IP?

In SBSland they made a change IP address wizard for our DCs because
invariably we forget something...

DHCP
WINS
kitchen sink stuff, etc.

http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/43dd693a-0cc4-47fd-94c7-cfe200439f41.mspx?mfr=true

You can see what the wizard does.. which are the changes you will
need to do.

Jobsz wrote:

Dear all,

Because our company is being merged by another company, in the process
of integration we need to change the internal IP address and computer
name.

Our domain controller is Windows Server 2003.
We have to change its computer name and internal IP but no need to
change the domain name, because we want to let it run for 3 months.

Anyone could tell me what impacts are brought by these changes?

Any suggestions would be appreciated!

With best regards
Jobs.Zhao


---
This message and any included attachments are from Siemens Medical Solutions
USA, Inc. and are intended only for the addressee(s).
The information contained herein may include trade secrets or privileged or
otherwise confidential information.  Unauthorized review, forwarding, printing,
copying, distributing, or using such information is strictly prohibited and may
be unlawful.  If you received this message in error, or have reason to believe
you are not authorized to receive it, please promptly delete this message and
notify the sender by e-mail with a copy to [EMAIL PROTECTED]

Thank you
 

 
This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
 

[ActiveDir] OT: RAID-5 expansion problem

2006-09-14 Thread Larry Wahlers
Esteemed colleagues,

We can't get the RAID configuration utility to give us the amount of
disk space we think we ought to have on our main file server. We used to
have 4 72Gb drives in a RAID-5. We put two more 72Gb drives into the
server, and followed the directions to expand the array using HP's
ACU-XE program. The directions say this can take 10-15 minutes per Gb,
and it took lots more time than that, but finally, it was done.

So, here are the figures for drive space we are now working with, and
they just don't add up.

In ACU-XE:

- The original drive space is listed as 208378 Mb
This is roughly equivalent to 69460, which is the physical drive
capacity reported by the System Management Homepage, times 3, leaving
out the 4th drive to make the RAID-5, which comes out to 208380. This is
fine.

- The new unused space is listed as   166707 Mb
This is actually quite a bit more than 69460 times the two
drives we added, which would be 138920. This is confusing to me, and the
figures do not add up.

- When I go to extend size in ACU-XE, the maximum size I can extend
the array to is 261116. This is not even as much space as adding one
drive to the array should give us, and we've added two drives! This
really doesn't add up.

More figures:

If you add the two numbers in ACU-XE (original plus unused), I come up
with 375085.

If you figure out what 5 times 69460 would be, it comes up to 347300. 

Either one of these numbers would be fine with us, but 261116 is just
plain not enough!

Thanks in advance for your help.

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-14 Thread Al Mulnick
Can you reword? I'm not sure I clearly understand the question. FWIW, going from DA to EA is a matter of adding one's id to the EA group. DAs have that right in the root domain of the forest (DAs of the root domain have that right). Editing etc. is not necessary. Nor are key-loggers etc.

If physical access is available, there are plenty of ways to get the access you require to a domain, but I suspect you're asking how a DA from a child domain can gain EA access; is that the question you're looking to answer?

Just for curiosity, what brings up that question?

Al

On 9/14/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
It has been suggested by certain parties here that elevating one's rights from AD to EA is 'simple'.


I have suggested that whilst it's possible it is not simple at all.


Does anyone have any descriptions of methods / backdoors / workarounds etc that can be used to elevate rights in this way? Naturally, you may prefer to send this to me offline :) [
[EMAIL PROTECTED]]

I can think of the following basic methods:

- Remove DC disks and edit offline

- Introduce key logger on admin workstation / DC

- Inject code into lsass


As you can see, I don't want specific steps to 'hack' the DC, just basic ideas / methods.


Thanks,

neil


PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments.  NIplc
does not provide investment services to private customers.  Authorised and
regulated by the Financial Services Authority.  Registered in England
no. 1550505 VAT No. 447 2492 35.  Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP.  A member of the Nomura group of companies.
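Since, as Al notes, the real path from DA in the forest root domain to EA is an ordinary group-membership change, the defensive counterpart is to watch for any addition to Enterprise Admins and to treat each one as something that must match a change record. The Python below is an added example of mine, not from the thread, that runs that check over security-event lines exported in a simplified key=value form (constructed here; it is not the native Windows event log format) and reports every member added to a watched group. The event IDs are the standard ones for a member being added to a security-enabled group (632 global / 660 universal on Windows 2000 and 2003, 4728 / 4756 on Windows 2008 and later; Enterprise Admins is a universal group in a native-mode forest root); the account names, DCs and timestamps in the sample are made up.

```python
import re

# Security event IDs that record a member being added to a security-enabled group.
# Windows 2000/2003: 632 (global group), 660 (universal group).
# Windows 2008 and later: 4728 (global), 4756 (universal).
MEMBER_ADDED_EVENT_IDS = {632, 660, 4728, 4756}

# Groups whose membership changes should always be reviewed (lower-cased).
WATCHED_GROUPS = {"enterprise admins"}

# Constructed sample lines in a simplified key=value export format: one EA
# change on each DC family, one unrelated group change, one logon event.
SAMPLE_EVENTS = r"""
time=2006-09-14T10:02:11 id=660 group="Enterprise Admins" member="CN=jsmith,OU=Users,DC=corp,DC=example,DC=test" subject="CORP\dadmin1" dc=ROOTDC1
time=2006-09-14T10:03:45 id=632 group="Helpdesk" member="CN=troe,OU=Users,DC=child,DC=corp,DC=example,DC=test" subject="CHILD\opsadmin" dc=CHILDDC1
time=2006-09-14T10:04:02 id=528 user="CORP\jsmith" dc=ROOTDC1
time=2006-09-14T10:09:30 id=4756 group="Enterprise Admins" member="CN=svc-backup,OU=Service,DC=corp,DC=example,DC=test" subject="CORP\dadmin2" dc=ROOTDC2
"""

# key=value pairs; a value is either a double-quoted string (may contain
# spaces and commas) or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Parse one key=value line into a dict of string fields."""
    fields = {}
    for match in FIELD_RE.finditer(line):
        key, quoted = match.group(1), match.group(3)
        fields[key] = quoted if quoted is not None else match.group(2)
    return fields


def find_privileged_group_additions(log_text, watched=WATCHED_GROUPS):
    """Return one alert dict per member-added event targeting a watched group.

    Events with a non-numeric or missing id, other event IDs, or other
    groups are ignored; group names are compared case-insensitively.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        try:
            event_id = int(event.get("id", ""))
        except ValueError:
            continue
        if event_id not in MEMBER_ADDED_EVENT_IDS:
            continue
        if event.get("group", "").lower() not in watched:
            continue
        alerts.append({
            "time": event.get("time"),
            "event_id": event_id,
            "group": event["group"],
            "member": event.get("member"),
            "subject": event.get("subject"),  # who made the change
            "dc": event.get("dc"),            # where it was recorded
        })
    return alerts


if __name__ == "__main__":
    for alert in find_privileged_group_additions(SAMPLE_EVENTS):
        print(alert)
```

Because EA membership is written on a root-domain DC, collecting these events from every root-domain DC (not just the PDC emulator) is what makes the check complete; the subject field is the account to reconcile against the change ticket.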







RE: [ActiveDir] Any impacts to domain controller when changing its IP?

2006-09-14 Thread Grillenmeier, Guido

Yep, that was Win2k – once you’ve reached Win2k3 domain
functional level, you can start adding another name to your DC, make it
primary, reboot, ensure everything replicates well and registers in DNS, then remove
the old name.  Use NETDOM to do so.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, September 14, 2006 4:50 PM
To: ActiveDir@mail.activedir.org; ActiveDir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changing its IP?

If you want to change the computer name you need to DEMOTE the server

isn't that for w2k only? (he's got w2k3)

Met vriendelijke groeten / Kind regards,





Ing. Jorge de Almeida Pinto





Senior Infrastructure Consultant





MVP Windows Server- Directory Services













LogicaCMG Nederland B.V. (BU RTINC Eindhoven)





( Tel : +31-(0)40-29.57.777





( Mobile : +31-(0)6-26.26.62.80



* E-mail
: see sender address

















From: [EMAIL PROTECTED] on
behalf of Mark Parris
Sent: Thu 2006-09-14 16:35
To: ActiveDir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when
changingits IP?

If you want to change the computer name you need to demote the server, wait
for replication, then change the server name. At this stage I would re-IP the
server, then dcpromo the server again.

This is of course assuming you have multiple DCs; if not, and it's only for 3
months, then why not keep the name and just change the IP address.

Make sure DNS functions correctly.

Regards

Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: McClure, David (MED US) [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 10:12:54
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changingits IP?


If you're running a Certificate Authority on that DC, you can't change
the computer name without first uninstalling Certificate Services. I'm
not sure what the impact would be on the chain of trust if you reinstall
CertSvcs after the name change.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when
changingits IP?

In SBSland they made a change IP address wizard for our DCs because
invariably we forget something...

DHCP
WINS
kitchen sink stuff, etc

http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/43dd693a-0cc4-47fd-94c7-cfe200439f41.mspx?mfr=true

You can see what the wizard does, which are the changes you will
need to make.

Jobsz wrote:

 Dear all,

 Because our company is being merged with another company, in the process
 of integration we need to change the internal IP address and computer
 name.

 Our domain controller is Windows Server 2003.
 We have to change its computer name and internal IP but there is no need to
 change the domain name, because we want to let it run for 3 months.

 Could anyone tell me what impacts are brought by these changes?

 Any suggestions would be appreciated!

 With best regards
 Jobs.Zhao

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

---
This message and any included attachments are from Siemens Medical Solutions
USA, Inc. and are intended only for the addressee(s).
The information contained herein may include trade secrets or privileged or
otherwise confidential information. Unauthorized review, forwarding, printing,
copying, distributing, or using such information is strictly prohibited and may
be unlawful. If you received this message in error, or have reason to believe
you are not authorized to receive it, please promptly delete this message and
notify the sender by e-mail with a copy to [EMAIL PROTECTED]

Thank you





This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any attachment
and 

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-14 Thread Brian Desmond
Title: Elevating privileges from DA to EA

Oh it's easier than you think - go look at the ACLs on some objects and think
about what the various system accounts run as over the network on the DCs.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Elevating privileges from DA to EA

It has been suggested by certain parties here that elevating one's rights
from AD to EA is 'simple'.

I have suggested that whilst it's possible it is not simple at all.

Does anyone have any descriptions of methods / backdoors / workarounds etc
that can be used to elevate rights in this way? Naturally, you may prefer to
send this to me offline :) [EMAIL PROTECTED]

I can think of the following basic methods:
- Remove DC disks and edit offline
- Introduce key logger on admin workstation / DC
- Inject code into lsass

As you can see, I don't want specific steps to 'hack' the DC, just basic
ideas / methods.

Thanks,

neil




RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Chris Pohlschneider

Are all of your users in power user group or user group of their workstation?

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006
11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:
Protecting against Spyware/Adware

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?

From:
[EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting
against Spyware/Adware

Just curious what other people are using for protecting against
adware/spyware? We are using Webroot Spysweeper right now, but I see some
performance hits on computers running this software and it does work, but it
causes headaches while installing some apps that we approve. Any suggestions
are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]

Re: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Nope.

Crawford, Scott wrote:

Nobody runs as a local administrator.  We have zero issues with spyware.
Coincidence?

From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Robert Rutherford
Controlled user access, i.e. no admin rights, and use a good class
firewall with spyware/av protection on the gateway... no issues.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331   
F:+44 (0) 8456 440 332   
M:+44 (0) 7974 249 494   
E:[EMAIL PROTECTED] 
W:www.quostar.com   

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: 14 September 2006 20:11
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware

Nonadmin

I personally have had way less issues when users that don't need admin 
rights don't have them.

Chinnery, Paul wrote:
 We're using CounterSpy Enterprise from Sunbelt Software.  Like you, we
 have seen a performance hit* on computers with just 128 meg of memory 
 but that goes away when we add more memory.  The only issue I ran 
 into, other than performance, was it blocked a cookie that was 
 necessary for our payroll department.  However, once I okayed that 
 cookie, it was fine. 
  
 *According to Sunbelt, the next version is supposed to reduce the 
 performance impact.

 -Original Message-
 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of *Chris
 Pohlschneider
 *Sent:* Thursday, September 14, 2006 10:44 AM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* [ActiveDir] OT: Protecting against Spyware/Adware

 Just curious what other people are using for protecting against
 adware/spyware? We are using Webroot Spysweeper right now, but I
 see some performance hits on computers running this software and
 it does work, but it causes headaches while installing some apps
 that we approve. Any suggestions are appreciated.

  

 Chris Pohlschneider

 Holloway Sportswear IT

 937-494-2559

 937-497-7300 (Fax)

 [EMAIL PROTECTED]

  

  


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] DNS zones expiring

2006-09-14 Thread HBooGz
No worries, i don't take offense easily...=)

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 9/14/2006
Time: 10:08:04 AM
User: N/A
Computer: PHMAINDC1
Description: Zone jacwf.phippsny.org expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

On 9/14/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:



I guess if you have Widows, then someone must have expired :)[1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring

Hey All -

I've setup the child domain DNS zones as primary (not AD-Integrated). On the parent Domain Controllers/DNS servers i've added that zone as a secondary zone. I've noticed this dns setup has worked better for me in the past than a full AD-Integrated setup. After migrating over to Widows 2003, every day i get an event log message on the parent DNS server log indicating that the child domain's zone has expired and i have to manually reload.

any ideas ? help ? suggestions ?

Thanks,

-- HBooGz:\


RE: [ActiveDir] CSVDE Export

2006-09-14 Thread Mike Newell
Yep, nice catch. I guess I got lazy as the OU I ran that against in the
lab only has user and computer accounts in it ;-)

Thanks again.

Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, September 14, 2006 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CSVDE Export

Just so you know that query will get you more than user accounts. To get
just users do (&(objectCategory=person)(objectClass=user))

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Mike Newell
 Sent: Thursday, September 14, 2006 10:56 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] CSVDE Export
 
 Hey,
 Don't know why csvde would change the order but try adfind from
 www.joeware.net. So far for me, it's always kept the fields in the
 order that I list them in the query.
 
 Below gets just the user accounts in the OU. If you want everything in
 the OU remove the -f "(objectcategory=person)" reference.
 
 adfind -csv -nodn -b "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -f "(objectcategory=person)" name mail givenname sn userprincipalname physicaldeliveryofficename > filename.csv
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: Thursday, September 14, 2006 6:02 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] CSVDE Export
 
 Morning,
 
 I am using csvde to create a CSV file for importing into another
system
 and this runs (CRONS - say no more) on regular basis.
 
 the syntax is
 
 csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName
 
 on occasions the fields come out as listed and other times they are in
 a different order. I would like them to be consistent at all times.
 
 Does anyone know why they shuffle? Am I missing a flag or is there a
 better utility to create CSV files
 
 many thanks
 
 mark
 
 
 This message and any attachments (the Message) may contain
 confidential, proprietary and/or privileged information and are only
 for their intended recipient(s). If you are not the intended
recipient,
 you should notify the sender and delete the Message. E-mail
 transmissions cannot be guaranteed to be secure or error-free. This
 Message is provided for information purposes and should not be
 construed as a solicitation or offer to buy or sell any securities or
 financial instruments, or to provide investment advice in any
 jurisdiction where the sender is not properly licensed or permitted to
 do so.  This Message is subject to additional conditions and
 restrictions.  Please read them here:
 http://legal.dimensional.com/email/
 
 




RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-14 Thread joe
Title: Elevating privileges from DA to EA



Simple is a relative term but yes, there are mechanisms that could be and are
termed simple.

No I don't think people shouldn't be sharing details even offline. If someone
cannot come up with a method on their own it doesn't mean someone else who is
aware of a method should supply it. It doesn't help anything knowing how it
can be done.

You are a smart guy though Neil, I have no doubt if you sat down and gave
yourself an hour to think out the ways an attack could be perpetrated you
could work out a couple of methods that you would consider simple.

Hopefully folks don't start dropping hints, etc as it is a can of worms we
don't generally want opened up.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Elevating privileges from DA to EA

It has been suggested by certain parties here that elevating one's rights
from AD to EA is 'simple'.
I have suggested that whilst it's possible it is not simple at all.
Does anyone have any descriptions of methods / backdoors / workarounds etc
that can be used to elevate rights in this way? Naturally, you may prefer to
send this to me offline :) [EMAIL PROTECTED]
I can think of the following basic methods:
- Remove DC disks and edit offline
- Introduce key logger on admin workstation / DC
- Inject code into lsass
As you can see, I don't want specific steps to 'hack' the DC, just basic
ideas / methods.
Thanks, neil


RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread joe
I run as local admin and have zero issues with spyware? Coincidence?
 
;o)
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware


Nobody runs as a local administrator.  We have zero issues with spyware.
Coincidence?


From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware



Just curious what other people are using for protecting against
adware/spyware? We are using Webroot Spysweeper right now, but I see some
performance hits on computers running this software and it does work, but it
causes headaches while installing some apps that we approve. Any suggestions
are appreciated. 

 

Chris Pohlschneider

Holloway Sportswear IT

937-494-2559

937-497-7300 (Fax)

[EMAIL PROTECTED]

 

 


RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Crawford, Scott

All regular users. Don't get me wrong - it was tough to get to this point,
but it's sooo worth it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: Thursday, September 14, 2006 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Are all of your users in power user group or user group of their workstation?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?

From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against
adware/spyware? We are using Webroot Spysweeper right now, but I see some
performance hits on computers running this software and it does work, but it
causes headaches while installing some apps that we approve. Any suggestions
are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Crawford, Scott
I didn't think so :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware

Nope.

Crawford, Scott wrote:
 Nobody runs as a local administrator.  We have zero issues with
spyware.  Coincidence?

 

 From: [EMAIL PROTECTED] on behalf of Chris
Pohlschneider
 Sent: Thu 9/14/2006 9:44 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Protecting against Spyware/Adware



 Just curious what other people are using for protecting against
adware/spyware? We are using Webroot Spysweeper right now, but I see
some performance hits on computers running this software and it does
work, but it causes headaches while installing some apps that we approve.
Any suggestions are appreciated. 

  

 Chris Pohlschneider

 Holloway Sportswear IT

 937-494-2559

 937-497-7300 (Fax)

 [EMAIL PROTECTED]

  

  

   

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] CSVDE Export

2006-09-14 Thread joe
And if AdFind doesn't keep them in order, let me know as that would be a
featur... Err I mean bug. For -csv and -oao options I maintain the order
specified on purpose. 

I can't speak to CSVDE and how it works, I actually have never looked at the
source for that program. I expect you may be getting different orders based
on the DC you are querying possibly. There is no guarantee on the order
returned from the DCs so if you want that guarantee, the tool outputting the
results has to be aware to do it.

 joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Thursday, September 14, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CSVDE Export

Hey,
Don't know why csvde would change the order but try adfind from
www.joeware.net. So far for me, it's always kept the fields in the order
that I list them in the query.

Below gets just the user accounts in the OU. If you want everything in
the OU remove the -f "(objectcategory=person)" reference.

adfind -csv -nodn -b "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -f "(objectcategory=person)" name mail givenname sn userprincipalname physicaldeliveryofficename > filename.csv

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 14, 2006 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CSVDE Export

Morning,

I am using csvde to create a CSV file for importing into another system
and this runs (CRONS - say no more) on regular basis.

the syntax is 

csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName

on occasions the fields come out as listed and other times they are in a
different order. I would like them to be consistent at all times.

Does anyone know why they shuffle? Am I missing a flag or is there a
better utility to create CSV files

many thanks

mark


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
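Added example (Python, not code from the thread and not how AdFind or CSVDE work internally): it evaluates Brian's corrected user filter on constructed search results and writes the CSV with the column order pinned by the caller, which is joe's point that the exporting tool, not the DC, has to impose the order. All entries, names and values are made up; the column list follows Mark's csvde -l list.

```python
"""Deterministic CSV export from unordered directory results.

Added example, not code from the thread. It applies the user filter
(&(objectCategory=person)(objectClass=user)) to constructed search results
and writes the CSV in the caller's column order, so results whose attributes
arrive in a different order still produce identical files.
"""
import csv
import io

# Column order from Mark's csvde -l list.
COLUMNS = ["name", "mail", "givenName", "sn", "userPrincipalName",
           "physicalDeliveryOfficeName"]

# Constructed schema DN for the person class in the thread's forest name.
PERSON_CATEGORY = "CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=defghi,DC=inet"

# Constructed results "from one DC": a user, a user with no mail or office,
# and a contact that objectCategory=person alone would also return.
RESULTS_DC1 = [
    {"objectCategory": PERSON_CATEGORY,
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "name": "Alice Example", "mail": "alice@example.test", "sn": "Example",
     "givenName": "Alice", "userPrincipalName": "alice@abc.defghi.inet",
     "physicalDeliveryOfficeName": "HQ"},
    {"objectCategory": PERSON_CATEGORY,
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "name": "Bob Example", "sn": "Example", "givenName": "Bob",
     "userPrincipalName": "bob@abc.defghi.inet"},
    {"objectCategory": PERSON_CATEGORY,
     "objectClass": ["top", "person", "organizationalPerson", "contact"],
     "name": "Vendor Contact", "mail": "vendor@partner.test",
     "sn": "Contact", "givenName": "Vendor"},
]

# The same objects "from another DC" with every attribute in reverse order,
# mimicking the unordered replies the thread describes.
RESULTS_DC2 = [dict(reversed(list(e.items()))) for e in RESULTS_DC1]


def is_user(entry):
    """Evaluate (&(objectCategory=person)(objectClass=user)) on one entry.

    objectCategory holds a DN; AD lets a filter name the class by its RDN,
    so the comparison is made on the leading RDN only.
    """
    rdn = entry.get("objectCategory", "").split(",")[0].lower()
    classes = [c.lower() for c in entry.get("objectClass", [])]
    return rdn == "cn=person" and "user" in classes


def to_csv(entries, columns=COLUMNS, multi_sep=";"):
    """Write entries as CSV with exactly `columns` as the header, in that order.

    Missing attributes become empty cells; multi-valued attributes are
    joined with multi_sep (a choice made here, not csvde's own format).
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore",
                            restval="", lineterminator="\n")
    writer.writeheader()
    for entry in entries:
        row = {}
        for col in columns:
            value = entry.get(col, "")
            row[col] = multi_sep.join(value) if isinstance(value, list) else value
        writer.writerow(row)
    return buf.getvalue()


def export_users(entries, columns=COLUMNS):
    """Filter to user objects, then export in a fixed column order."""
    return to_csv([e for e in entries if is_user(e)], columns)


if __name__ == "__main__":
    print(export_users(RESULTS_DC1), end="")
    print("identical:", export_users(RESULTS_DC1) == export_users(RESULTS_DC2))
```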


RE: [ActiveDir] CSVDE Export

2006-09-14 Thread joe
A potato... Interesting analogy... Once I get past the image of a brown lump 
buried in the dirt in the backyard (or your ears if you are a kid and don't 
listen to your mom) it starts to grow on me... 

I may actually have to post that quote on my blog...


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 14, 2006 11:32 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] CSVDE Export

Mike, 

Thanks I will give it a go later, I always seem to forget about ADfind. 

ADfind is a bit like a potato - you can do so many different things with it.

Regards


Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: Mike Newell [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 07:55:52 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] CSVDE Export

Hey,
Don't know why csvde would change the order but try adfind from
www.joeware.net. So far for me, it's always kept the fields in the order
that I list them in the query.

Below gets just the user accounts in the OU. If you want everything in
the OU remove the -f "(objectcategory=person)" reference.

adfind -csv -nodn -b "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -f "(objectcategory=person)" name mail givenname sn userprincipalname physicaldeliveryofficename > filename.csv

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 14, 2006 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] CSVDE Export

Morning,

I am using csvde to create a CSV file for importing into another system
and this runs (CRONS - say no more) on regular basis.

the syntax is 

csvde -f accusers.csv -d "OU=User Accounts,OU=Office,OU=Company,DC=abc,DC=defghi,DC=inet" -l name,mail,givenName,sn,userprincipalname,physicalDeliveryOfficeName

on occasions the fields come out as listed and other times they are in a
different order. I would like them to be consistent at all times.

Does anyone know why they shuffle? Am I missing a flag or is there a
better utility to create CSV files

many thanks

mark




RE: [ActiveDir] DNS zones expiring

2006-09-14 Thread Akomolafe, Deji



Here's what I'd do:

Ensure that there is no NATting going on between the 2 DNS servers. Verify this by doing something like "telnet PrimaryDNSServer 53" from the secondary server, then going to the Primary server, running netstat |find ":53" and making sure that you can see the real IP address of the secondary server on the list.

If that checks out, then I'd:
Go to the DNS console on the Primary server and verify that the secondary server is on the list of servers allowed to transfer that particular zone.

If that checks out, then I'd:
Attempt a manual transfer at the secondary server by going to the DNS console on the secondary server, right-clicking on the zone and selecting "Reload from master" first. If that fails, then I'd try "Transfer from master".

If that fails, then I'd pray very hard, then enable DNS logging, then pray some more and open up the log file after a while. Then I'd post back here with whatever is interesting.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: HBooGz
Sent: Thu 9/14/2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring

No worries, I don't take offense easily... =)

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 9/14/2006
Time: 10:08:04 AM
User: N/A
Computer: PHMAINDC1
Description:
Zone jacwf.phippsny.org expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
On 9/14/06, Akomolafe, Deji [EMAIL PROTECTED] wrote: 




I guess if you have "Widows", then someone must have "expired" :)[1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring

Hey All -

I've setup the child domain DNS zones as primary (not AD-Integrated). On the parent Domain Controllers/DNS servers I've added that zone as a secondary zone. I've noticed this DNS setup has worked better for me in the past than a full AD-Integrated setup. After migrating over to Widows 2003, every day I get an event log message on the parent DNS server log indicating that the child domain's zone has expired and I have to manually reload. Any ideas? Help? Suggestions?

Thanks,
-- HBooGz:\


RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Akomolafe, Deji



Yes. You run Mac. LOL



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 9/14/2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

I run as local admin and have zero issues with spyware? Coincidence?

;o)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware


Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?


From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware


Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]




RE: [ActiveDir] Block Inheritance on DC OU

2006-09-14 Thread Derek Harris



I did it a couple years ago, and found out that it does block the password policy. It seems intuitive that it shouldn't, but it does.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, September 14, 2006 3:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

You say "Obvious" but is this obvious? What 
happens in the case of password policy. This can only be set at the top level of 
the domain. Does this block actually prevent it being applied? I would guess 
that is does, but I wonder if any one has tested it or has any docs on what 
actually happens. 






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 13, 2006 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

Well, 
the obvious effect is that it prevents domain-linked policies from being 
delivered correctly, including password policy. This is probably not desirable. 
I can't think of a good scenario where this would be useful. 

Darren




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU

The company I am currently working for has block 
inheritance enabled for the Domain Controllers OU and apparently whoever 
enabled this setting is no longer with the company (or they wont fess up to why 
they did this).

Although I am curious, what sort of ramifications does 
enabling block inheritance on the Domain Controllers OU pose? And what 
reason would you have to enable this setting on the Domain Controllers 
OU? With any other OU, it would be fairly obvious, but being that these 
are the Domain Controllers it would seem to be a unique 
situation.

Thanks as always for your input,
~Ben

**This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you. http://www.stockport.gov.uk**


RE: [ActiveDir] Handling different schemas - managing maintaining updates

2006-09-14 Thread joe



Use 

adfind -sc sdump

or 

adfind -sc sdump:csv

to dump a schema suitable for comparison with, say, Windiff.

I am pretty sure it captures all of the critical info and it definitely maintains the order of the attributes so you don't have to worry about the text analyzer resyncing when lines are out of order...

The output for the first command looks like

dn:CN=account,SCHEMA
adminDescription: The account object class is used to define entries representing computer accounts.
adminDisplayName: account
attributeID: NOT SET
attributeSecurityGUID: NOT SET
attributeSyntax: NOT SET
auxiliaryClass: NOT SET
cn: account
defaultHidingValue: TRUE
defaultObjectCategory: CN=account,SCHEMA
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
description: NOT SET
extendedCharsAllowed: NOT SET
governsID: 0.9.2342.19200300.100.4.5
isDefunct: NOT SET
isMemberOfPartialAttributeSet: NOT SET
isSingleValued: NOT SET
lDAPDisplayName: account
linkID: NOT SET
mAPIID: NOT SET
mayContain: uid
mayContain: host
mayContain: ou
mayContain: o
mayContain: l
mayContain: seeAlso
mayContain: description
mustContain: NOT SET
objectClass: top
objectClass: classSchema
objectClassCategory: 1
oMSyntax: NOT SET
possSuperiors: organizationalUnit
possSuperiors: container
rangeLower: NOT SET
rangeUpper: NOT SET
rDNAttID: cn
schemaIDGUID: {2628A46A-A6AD-4AE0-B854-2B12D9FE6F9E}
searchFlags: NOT SET
showInAdvancedViewOnly: TRUE
subClassOf: top
systemAuxiliaryClass: NOT SET
systemFlags: NOT SET
systemMayContain: NOT SET
systemMustContain: NOT SET
systemOnly: FALSE
systemPossSuperiors: NOT SET


The output for the second command looks like (well, it looks pretty ugly here but is great for scripts...)

"dn","adminDescription","adminDisplayName","attributeID","attributeSecurityGUID","attributeSyntax","auxiliaryClass","cn","defaultHidingValue","defaultObjectCategory","defaultSecurityDescriptor","description","extendedCharsAllowed","governsID","isDefunct","isMemberOfPartialAttributeSet","isSingleValued","lDAPDisplayName","linkID","mAPIID","mayContain","mustContain","objectClass","objectClassCategory","oMSyntax","possSuperiors","rangeLower","rangeUpper","rDNAttID","schemaIDGUID","searchFlags","showInAdvancedViewOnly","subClassOf","systemAuxiliaryClass","systemFlags","systemMayContain","systemMustContain","systemOnly","systemPossSuperiors"
"CN=account,CN=Schema,CN=Configuration,DC=pg,DC=com","The account object class is used to define entries representing computer accounts.","account","NOT SET","NOT SET","NOT SET","NOT SET","account","TRUE","CN=account,SCHEMA","D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)","NOT SET","NOT SET","0.9.2342.19200300.100.4.5","NOT SET","NOT SET","NOT SET","account","NOT SET","NOT SET","uid;host;ou;o;l;seeAlso;description","NOT SET","top;classSchema","1","NOT SET","organizationalUnit;container","NOT SET","NOT SET","cn","{2628A46A-A6AD-4AE0-B854-2B12D9FE6F9E}","NOT SET","TRUE","top","NOT SET","NOT SET","NOT SET","NOT SET","FALSE","NOT SET"
"CN=Account-Expires,CN=Schema,CN=Configuration,DC=pg,DC=com","Account-Expires","Account-Expires","1.2.840.113556.1.4.159","{4C164200-20C0-11D0-A768-00AA006E0529}","2.5.5.16","NOT SET","Account-Expires","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","TRUE","accountExpires","NOT SET","NOT SET","NOT SET","NOT SET","top;attributeSchema","NOT SET","65","NOT SET","NOT SET","NOT SET","NOT SET","{BF967915-0DE6-11D0-A285-00AA003049E2}","16","TRUE","NOT SET","NOT SET","16","NOT SET","NOT SET","FALSE","NOT SET"
"CN=Account-Name-History,CN=Schema,CN=Configuration,DC=pg,DC=com","Account-Name-History","Account-Name-History","1.2.840.113556.1.4.1307","NOT SET","2.5.5.12","NOT SET","Account-Name-History","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","NOT SET","FALSE","accountNameHistory","NOT SET","NOT SET","NOT SET","NOT SET","top;attributeSchema","NOT SET","64","NOT SET","NOT SET","NOT SET","NOT SET","{031952EC-3B72-11D2-90CC-00C04FD91AB1}","0","TRUE","NOT SET","NOT SET","16","NOT SET","NOT SET","FALSE","NOT SET"
For the curious, the -sc sdump shortcut simply combines the following switches:

Selected Switches: -f (name=*) -oao NOT SET -po -replacedn _schema;_config -s one -sc sdump -schema -sort name

Selected Attributes: adminDescription adminDisplayName attributeID attributeSecurityGUID attributeSyntax auxiliaryClass cn defaultHidingValue defaultObjectCategory defaultSecurityDescriptor description extendedCharsAllowed governsID isDefunct isMemberOfPartialAttributeSet isSingleValued lDAPDisplayName linkID mAPIID mayContain mustContain objectClass objectClassCategory oMSyntax possSuperiors rangeLower rangeUpper rDNAttID schemaIDGUID searchFlags showInAdvancedViewOnly subClassOf systemAuxiliaryClass systemFlags systemMayContain systemMustContain systemOnly systemPossSuperiors
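Added example (not from the thread and not part of AdFind): a parser for the attribute-per-line dump format shown above, and an object-by-object compare of two such dumps that also reports attribute-level differences such as searchFlags, which a plain "is the object present on both sides" check does not show. The two dumps, the Contoso-* attribute names and their OIDs are constructed for the example.

```python
"""Compare two 'adfind -sc sdump' style schema dumps object by object."""
from collections import defaultdict
# searchFlags bits (attributeSchema); only the review-relevant ones are decoded.
SEARCH_FLAG_BITS = {1: "ATTINDEX", 4: "ANR", 128: "CONFIDENTIAL", 512: "RODC_FILTERED"}

# Constructed sample dumps: two objects present in a source and a target forest
# plus one only the target has.  The custom attribute (made-up name and OID) is
# confidential (searchFlags 128) in the source forest only.
SOURCE_DUMP = """\
dn:CN=account,SCHEMA
governsID: 0.9.2342.19200300.100.4.5
mayContain: uid
mayContain: host

dn:CN=Contoso-Badge-ID,SCHEMA
attributeID: 1.3.6.1.4.1.99999.1.1
lDAPDisplayName: contosoBadgeID
searchFlags: 128
"""

TARGET_DUMP = """\
dn:CN=account,SCHEMA
governsID: 0.9.2342.19200300.100.4.5
mayContain: host
mayContain: uid

dn:CN=Contoso-Badge-ID,SCHEMA
attributeID: 1.3.6.1.4.1.99999.1.1
lDAPDisplayName: contosoBadgeID
searchFlags: NOT SET

dn:CN=Contoso-Cost-Center,SCHEMA
attributeID: 1.3.6.1.4.1.99999.1.2
lDAPDisplayName: contosoCostCenter
searchFlags: NOT SET
"""


def parse_sdump(text):
    """{dn: {attr: [values]}}; 'dn:' starts an object, a blank line ends it."""
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        name, value = name.strip(), value.strip()
        if name == "dn":
            current = objects.setdefault(value, defaultdict(list))
        elif current is None:
            raise ValueError(f"attribute outside an object: {raw!r}")
        else:
            current[name].append(value)   # repeated name = multi-valued attribute
    return objects


def diff_schema(left, right):
    """Return (only_left, only_right, changed); changed maps dn -> {attr: (lv, rv)}.
    Multi-valued attributes compare order-insensitively (storage order is not a diff)."""
    only_left = sorted(set(left) - set(right))
    only_right = sorted(set(right) - set(left))
    changed = {}
    for dn in sorted(set(left) & set(right)):
        diffs = {}
        for attr in sorted(set(left[dn]) | set(right[dn])):
            lv, rv = left[dn].get(attr, []), right[dn].get(attr, [])
            if sorted(lv) != sorted(rv):
                diffs[attr] = (lv, rv)
        if diffs:
            changed[dn] = diffs
    return only_left, only_right, changed


def describe_search_flags(value):
    """Names of the known bits in a searchFlags value ('NOT SET' means 0)."""
    flags = 0 if value == "NOT SET" else int(value)
    return [name for bit, name in SEARCH_FLAG_BITS.items() if flags & bit]


def report(source_text, target_text):
    """One line per difference; searchFlags values are shown decoded by name."""
    only_src, only_tgt, changed = diff_schema(parse_sdump(source_text),
                                              parse_sdump(target_text))
    lines = [f"only in source: {dn}" for dn in only_src]
    lines += [f"only in target: {dn}" for dn in only_tgt]
    for dn, diffs in changed.items():
        for attr, (lv, rv) in diffs.items():
            if attr == "searchFlags" and lv and rv:
                lv, rv = describe_search_flags(lv[0]), describe_search_flags(rv[0])
            lines.append(f"differs: {dn} {attr}: {lv} -> {rv}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SOURCE_DUMP, TARGET_DUMP)))
```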


RE: [ActiveDir] dsget error

2006-09-14 Thread joe



Yep, the new version of AdMod, in beta testing now, will 
leverage the info that you get from an adfind query to do what I call partial 
data attribute updates. That is when there is something in the current value you 
need to generate the new value. DSMOD has to make a call to the DC for every DN 
it is passed to get the current useraccountcontrol value in order to 
enable/disable objects as it is simply clearing the #1 bit which has a value of 
2. There is no mechanism to tell AD just clear the second bit, you retrieve the 
old value, clear the bit, then write the whole value back.

So AdMod, takes the -adcsv output from AdFind which would 
include the current value of useraccountcontrol with the DN of the object. That 
means it works like

1 LDAP Query request to match X objects (done from AdFind)
Loop through X objects
{
    LDAP Mod request to update the current object (done from AdMod)
}

Now dsquery/dsmod has to do it this way

1 LDAP Query request to match X objects (done from dsquery)
Loop through X objects
{
    LDAP Query request to get UAC value for the current object
    LDAP Mod request to update the current object (done from dsmod)
}


You 
could consider it cheating. It is something I always had in mind in doing when I 
wanted to combine adfind/admod into a single tool. Once I added CSV capability 
to adfind I realized I could pull it off with the two separate tools now for 
people. 

Maybe 
I should patent this technology... ;o)



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 13, 2006 4:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] dsget error

It must be some kind of issue with the DS* 
tools. I was using a combination of ADFIND and DSMOD last week to enable 
~200,000 user objects (I forgot to set a password in a script that created a 
bunch of objects and therefore had a shed load of objects with uac of 546) and 
it would die every time with that error after a couple of thousand 
objects. I figured, but didn't look into it, it's something to do with the 
fact that DSMOD queries the DN you pass it to check for object type, etc. which 
means there's loads of queries hitting the DC (one for each mod).

This is why Joe's ADMOD (1.7) is going to be loads better, as he only does one extra query which means there's only n + 1 LDAP requests hitting the DC as opposed to n x 2 with DSMOD.


--Paul

- Original Message -
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Wednesday, September 13, 2006 2:45 AM
Subject: RE: [ActiveDir] dsget error

The query is probably timing out.

Get Joe's ADfind and run something like this:

adfind -default -f "(&(objectCategory=person)(objectClass=user))" displayName samAccountName pwdLastSet

You can tag a csv on there too

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Tuesday, September 12, 2006 9:29 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] dsget error

Any time I try to run a large query using dsquery and dsget where I pipe it to a text file for output, I eventually get a "dsget failed: The server is not operational." error from dsget. I've searched the Internet for this and seen posts from a couple of other people who have had this issue, with no resolution.

Am I doing something wrong? Am I stupid? (yes, I probably am) Am I missing some limitation of stdout?

Here's the command I was using:

dsquery user -name * -limit 0 | dsget user -display -samid -pwdneverexpires

Thnx,
JC
  
  


  
ITS ENTERPRISE SERVICES EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
  


RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread joe



No, not yet. I am looking at the MAC Notebooks though. 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 14, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware


Yes. You run Mac. 
LOL



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 9/14/2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

I run as local admin and have zero issues with spyware? 
Coincidence?

;o)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?


From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]



RE: [ActiveDir] dsget error

2006-09-14 Thread joe



Yep and if you get the timeouts, adfind should tell you 
that pretty clearly. You can then use the -t switch to modify the timeout value. 
I often use -t 0 to disable the timeouts on really large (like get every user 
object in the 200k user forest) queries.

If you are still getting other errors, add the -exterr 
switch and post the info as that can help troubleshoot it.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, September 12, 2006 9:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dsget error


The query is probably timing out.

Get Joe's ADfind and run something like this:

adfind -default -f "(&(objectCategory=person)(objectClass=user))" displayName samAccountName pwdLastSet

You can tag a csv on there too


Thanks,
Brian 
Desmond
[EMAIL PROTECTED]

c 
- 312.731.3132



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Tuesday, September 12, 2006 9:29 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] dsget error

Any time I try to run a large query using dsquery and dsget where I pipe it to a text file for output, I eventually get a "dsget failed: The server is not operational." error from dsget. I've searched the Internet for this and seen posts from a couple of other people who have had this issue, with no resolution.

Am I doing something wrong? Am I stupid? (yes, I probably am) Am I missing some limitation of stdout?

Here's the command I was using:

dsquery user -name * -limit 0 | dsget user -display -samid -pwdneverexpires

Thnx,
JC


  
  




RE: [ActiveDir] [OT] Date Modification not same on the folder and subfolder level

2006-09-14 Thread joe



This is OT for this forum and you didn't prefix with OT 
which could be why I don't see any responses...

In the meanwhile, I would say no, if you just modify an 
existing file in a folder, it shouldn't update the folder modification date 
because there has been no change to the folder. Consider a folder is a directory 
which is sort of like a file. You modify a directory/folder file when you modify 
the "contents" of that directory file... aka the data the directory is 
responsible for... i.e. you add/delete entries in the directory, either files or 
subdirectories. Anything else and you are putting a tremendous load on the 
system especially if they have deep hierarchical directory structures for what I 
would consider no reason. Consider you have a folder structure with tens of 
thousands of folders at various levels even up to 20 levels deep and you have 
thousands of people making changes and you are expecting all of those changes to 
cascade further changes all the way back to the root of the drive... No, makes 
no sense really.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sudhir Kaushal
Sent: Tuesday, September 12, 2006 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Date Modification not same on the folder and subfolder level

Hi All,

On my file server, why do I get different modified dates for users' main folder and subfolders and even the files in the subfolders?

My concern is even if a user has changed or modified a file on any specific date, the parent folder should show me the latest modified date. Or if we have N number of files modified on different dates, then what should be the date on the parent folder?

Thanks in advance.

Regards,
Sudhir Kaushal
Systems Engineer (GIS)
MCS Wintel India
Computer Sciences Corporation
Hello - + 91 120 2582323 Ext. 2649
You never win Silver, You lose Gold
 
This 
is a PRIVATE message. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: 
Regardless of content, this e-mail shall not operate to bind CSC to any order or 
other contract unless pursuant to explicit written agreement or government 
initiative expressly permitting the use of e-mail for such 
purpose.


RE: [ActiveDir] Block Inheritance on DC OU

2006-09-14 Thread Darren Mar-Elia
To me it seems intuitive that GP processing would behave the same way for DCs 
as it would for other computers.  And to answer the question, yes I have 
confirmed this in testing numerous times over the years-most recently the day 
Ben asked the question.

Darren

-Original Message-
From: Derek Harris [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 9/14/2006 4:11 PM
Subject: RE: [ActiveDir] Block Inheritance on DC OU

I did it a couple years ago, and found out that it does block the
password policy. It seems intuitive that it shouldn't, but it does.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, September 14, 2006 3:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU


You say "Obvious" but is this obvious? What happens in the case of
password policy. This can only be set at the top level of the domain.
Does this block actually prevent it being applied? I would guess that it
does, but I wonder if any one has tested it or has any docs on what
actually happens. 
 
 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 13, 2006 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

 

Well, the obvious effect is that it prevents domain-linked policies from
being delivered correctly, including password policy. This is probably
not desirable. I can't think of a good scenario where this would be
useful. 

 

Darren

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU

The company I am currently working for has block inheritance enabled
for the Domain Controller's OU and apparently whoever enabled this
setting is no longer with the company (or they won't fess up to why they
did this).

 

Although I am curious, what sort of ramifications does enabling block
inheritance on the Domain Controller's OU pose?  And what reason would

[truncated by sender]


RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Thommes, Michael M.

Touché 8-)

Mike Thommes


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 14, 2006 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

I run as local admin and have zero issues with spyware? Coincidence?

;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?


From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]


RE: [ActiveDir] Strange password issue

2006-09-14 Thread joe



The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password.

If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                     winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"


A blank password does not have a hash, the system knows it 
is blank. 

You will obviously hit the same problem if you have an 
enabled account with pwd_not_reqd and try to clear the 
pwd_not_reqd.

So current or past setting of UAC has no bearing on this 
problem. 



This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or 
when the account was being enabled / having pwd_not_reqd 
cleared

2. The Domain Password Policy isn't or at least wasn't 
getting applied to one or more domain controllers for some reason. Check 
minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of 
an already enabled account through some form of LSASS process injection. 


4. The raw DIT was modified. 


 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully


C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully


--Paul






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is 
not required, then there's no need to check the minimum length. Since it 
would be overridden at the user object level, that does not affect the domain. 
I don't recall the UAC bitmask, and I'm not going to figure it out at 
the moment. I'll take your word that the password not required is true for 
this user. If you remove that setting (i.e. require the user to have a 
password) then that password would, by policy, have to be at least 6 chars in 
length. 

On 9/6/06, Tom Kern [EMAIL PROTECTED] 
wrote:


This is a domain 
account.



To rehash-



The Default Domain Policy is set to min password length - 6 characters.

This was created 2 years ago and never 
changed.

User account is a domain account created a month 
ago.

It was bought to my attention that the user can log in 
with no password.

I confirmed.

The userAccountControl attribute of the user object was 
set to 512(not that i'm certain if setting the passwd_notreqd overrides the 
DDP).

The domain/forest is at w2k3 
FL.



Thanks




On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:



Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?



Laura
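Added example for the two threads above (not code from the thread, AdFind or AdMod): it takes dn,userAccountControl rows in the CSV form an adfind query returns, computes the value that clears ACCOUNTDISABLE without a second read per object (the n + 1 request pattern from the dsget thread), models the rule from this thread that a write leaving an account enabled with a blank password is refused unless PASSWD_NOTREQD is set, and lists enabled accounts that still carry PASSWD_NOTREQD. The sample CSV, the DNs and the blank-password set are constructed; the policy check is a model of the behaviour described, not the DC's own code.

```python
"""userAccountControl handling for bulk enabling and the blank-password rule."""
import csv
import io

ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
UAC_FLAGS = {ACCOUNTDISABLE: "ACCOUNTDISABLE", PASSWD_NOTREQD: "PASSWD_NOTREQD",
             NORMAL_ACCOUNT: "NORMAL_ACCOUNT", DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD"}

# Constructed sample of dn,userAccountControl as an adfind CSV query returns it:
# 546 = disabled + pwd not required, 514 = disabled + pwd required,
# 544 = enabled + pwd not required, 512 = a normal enabled account.
SAMPLE_CSV = """\
"dn","userAccountControl"
"CN=alice,OU=Users,DC=test,DC=loc","546"
"CN=bob,OU=Users,DC=test,DC=loc","514"
"CN=carol,OU=Users,DC=test,DC=loc","544"
"CN=dave,OU=Users,DC=test,DC=loc","512"
"""
# Constructed: which sample accounts were created without ever setting a
# password.  AD does not expose this over LDAP; it is an input to the model.
BLANK_PASSWORD_DNS = {"CN=alice,OU=Users,DC=test,DC=loc",
                      "CN=bob,OU=Users,DC=test,DC=loc",
                      "CN=carol,OU=Users,DC=test,DC=loc"}


def decode_uac(value):
    """Names of the known bits set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if int(value) & bit]


def parse_adfind_csv(text):
    """Rows of {'dn': str, 'userAccountControl': int} from adfind-style CSV."""
    return [{"dn": r["dn"], "userAccountControl": int(r["userAccountControl"])}
            for r in csv.DictReader(io.StringIO(text))]


def enable_allowed(old_uac, new_uac, password_blank, min_pwd_length):
    """Model of the DC-side check described in the thread (not the real LSASS
    code): with a minimum password length in force, a write that moves the
    account into 'enabled and password required' is refused while the password
    is blank, which surfaces as WILL_NOT_PERFORM / ERROR_PASSWORD_RESTRICTION."""
    if min_pwd_length <= 0 or not password_blank:
        return True
    exempt = ACCOUNTDISABLE | PASSWD_NOTREQD   # either bit exempts the account
    was_exempt = bool(old_uac & exempt)
    stays_exempt = bool(new_uac & exempt)
    return stays_exempt or not was_exempt


def plan_enable(rows, blank_password_dns, min_pwd_length):
    """Compute the value AdMod would write to enable each disabled account.

    The old value already came back with the dn from the adfind query, so no
    per-object read is needed (n + 1 LDAP requests instead of 2n + 1).  Each
    entry is (dn, old, new, outcome) with the policy model applied."""
    plan = []
    for row in rows:
        old = row["userAccountControl"]
        if not old & ACCOUNTDISABLE:
            continue  # already enabled, nothing to write
        new = old & ~ACCOUNTDISABLE
        ok = enable_allowed(old, new, row["dn"] in blank_password_dns, min_pwd_length)
        plan.append((row["dn"], old, new, "ok" if ok else "WILL_NOT_PERFORM"))
    return plan


def audit_password_not_required(rows):
    """Enabled accounts carrying PASSWD_NOTREQD: the length policy is bypassed
    for them, so a logon with no password like the one reported is possible."""
    return [r["dn"] for r in rows
            if r["userAccountControl"] & PASSWD_NOTREQD
            and not r["userAccountControl"] & ACCOUNTDISABLE]


if __name__ == "__main__":
    rows = parse_adfind_csv(SAMPLE_CSV)
    for dn, old, new, outcome in plan_enable(rows, BLANK_PASSWORD_DNS, 6):
        print(f"{dn}: {old} ({'|'.join(decode_uac(old))}) -> {new}: {outcome}")
    print("PASSWD_NOTREQD on enabled accounts:", audit_password_not_required(rows))
```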

  
  

Re: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
A member of the Power Users group may be able to gain administrator 
rights and permissions in Windows Server 2003, Windows 2000, or Windows XP:

http://support.microsoft.com/default.aspx?scid=kb;en-us;825069

Why power user isn't good enough

Thommes, Michael M. wrote:


Touche’ 8-)

Mike Thommes



*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *joe

*Sent:* Thursday, September 14, 2006 5:04 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Protecting against Spyware/Adware

I run as local admin and have zero issues with spyware? Coincidence?

;o)

--

O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm




*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Crawford, Scott

*Sent:* Thursday, September 14, 2006 11:33 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Protecting against Spyware/Adware

Nobody runs as a local administrator. We have zero issues with 
spyware. Coincidence?




*From:* [EMAIL PROTECTED] on behalf of Chris 
Pohlschneider

*Sent:* Thu 9/14/2006 9:44 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against 
adware/spyware? We are using Webroot Spysweeper right now, but I see 
some performance hits on computers running this software and it does 
work, but it causes headaches while installing some apps that we 
approve. Any suggestions are appreciated.


Chris Pohlschneider

Holloway Sportswear IT

937-494-2559

937-497-7300 (Fax)

[EMAIL PROTECTED]



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Replication Metadata

2006-09-14 Thread joe
I doubt that IADsTools was updated. They seemed to be trying to kill that as
far back as 2001. I think it was someone's pet project and they went to
another petting zoo to work... I know I found some time issues in it back
then and some more later that I tried to get corrected and was wholly
unsuccessful on both occasions.

But the answer is... There is additional metadata available now for looking
at value level changes. The way IADsTools was probably getting the info
(this is a guess, never saw the code) is through the attribute
replPropertyMetaData but it very well could have been using the RPC based
API call DsReplicaGetInfo. 

Probably the simplest mechanisms to use now are the attributes
msDS-ReplAttributeMetaData and msDS-ReplValueMetaData, which by default will
return XML strings with the data. If you are equipped to handle it, you can
instead make the calls much faster and pass less data on the wire by asking
for the binary versions of those attributes by appending the ;binary
modifier. 

If you want to write DC API based code, you can use DsReplicaGetInfo2.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, September 08, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Metadata

I'm using Robbie Allen's example for using IADSTools.DCFunctions to read
group object metadata.  I just realized that now that we've upgraded to
2003 I can no longer look at the member last changed field to determine
when group membership last changed.

I know that RepAdmin can look at the individual group changes so there
must be some updated API that I can use to do the same thing, I just
can't seem to find it.

Can anyone point me in the right direction?

Thanks 
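Reading the XML form of msDS-ReplValueMetaData that joe points to, to answer the original question (when did a group's membership last change, and on which DC was the change made): an added example in Python, not code from the thread or from joe's tools. The element names follow the DS_REPL_VALUE_META_DATA structure the attribute is built from (assumed here), and the three sample values are constructed. A removed member keeps its value metadata with ftimeDeleted set, so the same data also shows who was removed and when, which is what you want when auditing a privileged group.

```python
"""Parse msDS-ReplValueMetaData (XML form) for a group's member attribute.

Added example, not code from the thread. Element names follow the
DS_REPL_VALUE_META_DATA structure (assumption); sample values are constructed.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# A value that was never removed reports the zero FILETIME in ftimeDeleted.
ZERO_FILETIME = "1601-01-01T00:00:00Z"
FAKE_INVOCATION_ID = "00000000-0000-0000-0000-000000000001"  # constructed


def _sample(dn, created, changed, version, deleted=ZERO_FILETIME, dsa="DC1"):
    """Build one constructed metadata value, as a DC would return it per member."""
    return f"""<DS_REPL_VALUE_META_DATA>
<pszAttributeName>member</pszAttributeName>
<pszObjectDn>{dn}</pszObjectDn>
<cbData>0</cbData><pbData></pbData>
<ftimeDeleted>{deleted}</ftimeDeleted>
<ftimeCreated>{created}</ftimeCreated>
<dwVersion>{version}</dwVersion>
<ftimeLastOriginatingChange>{changed}</ftimeLastOriginatingChange>
<uuidLastOriginatingDsaInvocationID>{FAKE_INVOCATION_ID}</uuidLastOriginatingDsaInvocationID>
<usnOriginatingChange>{10000 + version}</usnOriginatingChange>
<usnLocalChange>{10000 + version}</usnLocalChange>
<pszLastOriginatingDsaDN>CN=NTDS Settings,CN={dsa},CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=test</pszLastOriginatingDsaDN>
</DS_REPL_VALUE_META_DATA>"""


# Constructed: alice and carol are current members; bob was added on 2006-08-05
# and removed on 2006-09-10 by a change originating on DC2 (version bumped to 2).
SAMPLE_VALUES = [
    _sample("CN=alice,OU=Staff,DC=example,DC=test",
            "2006-08-01T09:15:00Z", "2006-08-01T09:15:00Z", 1),
    _sample("CN=bob,OU=Staff,DC=example,DC=test",
            "2006-08-05T14:02:00Z", "2006-09-10T17:40:00Z", 2,
            deleted="2006-09-10T17:40:00Z", dsa="DC2"),
    _sample("CN=carol,OU=Staff,DC=example,DC=test",
            "2006-09-13T08:00:00Z", "2006-09-13T08:00:00Z", 1),
]


def _parse_time(text):
    """Timestamps in the XML are UTC with a literal trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_value_metadata(xml_text):
    """One XML string -> dict with the fields an auditor cares about."""
    root = ET.fromstring(xml_text)

    def field(tag):
        el = root.find(tag)
        return (el.text or "").strip() if el is not None else ""

    deleted = field("ftimeDeleted")
    return {
        "attribute": field("pszAttributeName"),
        "dn": field("pszObjectDn"),
        "version": int(field("dwVersion") or 0),
        "created": _parse_time(field("ftimeCreated")),
        "last_change": _parse_time(field("ftimeLastOriginatingChange")),
        "deleted_at": None if deleted in ("", ZERO_FILETIME) else _parse_time(deleted),
        "originating_dsa": field("pszLastOriginatingDsaDN"),  # which DC took the change
    }


def member_records(values):
    """Parse every value and keep only the member attribute's linked values."""
    return [r for r in map(parse_value_metadata, values) if r["attribute"] == "member"]


def current_members(values):
    return [r["dn"] for r in member_records(values) if r["deleted_at"] is None]


def removed_members(values):
    """Members whose value is now absent; metadata survives, so removals are visible."""
    return [r for r in member_records(values) if r["deleted_at"] is not None]


def last_membership_change(values):
    """The most recent add or remove on the member attribute, or None if no values."""
    recs = member_records(values)
    return max(recs, key=lambda r: r["last_change"]) if recs else None
```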


RE: [ActiveDir] Replication Metadata

2006-09-14 Thread Isenhour, Joseph
That's great info; thanks joe.  I'll take a look at
msDS-ReplValueMetaData and msDS-ReplAttributeMetaData.  I'm trying to do
this in a vbscript and avoid getting into any compiled solutions.  I
told my boss I could do this in an hour because I thought I could just
use IADsTools, oopsie. 



RE: [ActiveDir] Replication Metadata

2006-09-14 Thread joe
Yep, if vbscript you want the XML versions...

You should be able to do this in an hour. You just need to pick the right
hour. ;o) 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Thursday, September 14, 2006 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

That's great info; thanks joe.  I'll take a look at
msDS-ReplValueMetaData and msDS-ReplAttributeMetaData.  I'm trying to do
this in a vbscript and avoid getting into any compiled solutions.  I
told my boss I could do this in an hour because I thought I could just
use IADsTools, oopsie. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 14, 2006 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

I doubt that IADsTools was updated. They seemed to be trying to kill
that as
far back as 2001. I think it was someone's pet project and they went to
another petting zoo to work... I know I found some time issues in it
back
then and some more later that I tried to get corrected and was wholly
unsuccessful on both occasions.

But the answer is... There is additional metadata available now for
looking
at value level changes. The way IADsTools was probably getting the info
(this is a guess, never saw the code) is through the attribute
replPropertyMetaData but it very well could have been using the RPC
based
API call DsReplicaGetInfo. 

Probably the simplest mechanism to use now are the attributes
msDS-ReplAttributeMetaData and msDS-ReplValueMetaData which by default
will
return XML strings with the data. If you are equipped to handle it, you
can
instead make the calls much faster and pass less data on the wire by
asking
for the binary versions of those attributes by appending the ;binary
modifier. 

If you want to write DC API based code, you can use DsReplicateGetInfo2.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, September 08, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Metadata

I'm using Robbie Allens example for using IADSTools.DCFunctions to read
group object meta data.  I just realized that now that we've upgraded to
2003 I can no longer look at the member last changed field to determine
when group membership last changed.

I know that RepAdmin can look at the individual group changes so there
must be some updated API that I can use to do the same thing, I just
can't seem to find it.

Can anyone point me in the right direction?

Thanks 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] OT: Egypt time zone change

2006-09-14 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
A hotfix is available to change the daylight saving time for the 
(GMT+02:00) Cairo time zone for the year 2006 on Windows XP-based and on 
Windows Server 2003-based computers:

http://support.microsoft.com/?kbid=921028

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



[ActiveDir] Active Directory Cookbooks...

2006-09-14 Thread Matt . Duguid

Hi there,

I have already read and use the Active Directory Cookbook for Windows 2003
and Windows 2000 and see there are 2nd and 3rd editions. Is there anywhere
on the net which lists the contents of each so I can have a look before
purchase?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



RE: [ActiveDir] Active Directory Cookbooks...

2006-09-14 Thread David Adner
*points at joe's signature...*

And in case that was too vague, try here.
http://www.joeware.net/win/ad3e.htm




RE: [ActiveDir] Active Directory Cookbooks...

2006-09-14 Thread Matt . Duguid
hahaha no worries cheers for that i'll just swim around the fish bowl one
more time...;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/





RE: [ActiveDir] Active Directory Cookbooks...

2006-09-14 Thread joe
Actually I did the Active Directory Third Edition. The Active Directory
Cookbook is in the Second Edition now and that was done by Laura Hunter. My
book you can find in my signature, the Cookbook you can find at 

http://www.amazon.com/gp/product/059610202X/ref=pd_cp_b_title/002-4991631-4870433?ie=UTF8


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 



RE: [ActiveDir] Active Directory Cookbooks...

2006-09-14 Thread Matt . Duguid
I have just purchased the 2nd one and will be on to the 3rd one as soon as
I have finished that...

Cheers,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/




RE: [ActiveDir] Strange password issue

2006-09-14 Thread Akomolafe, Deji



I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.

It's a feasible scenario, no?



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password. 

If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is 

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"


A blank password does not have a hash, the system knows it is blank. 

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem. 



This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared

2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection. 

4. The raw DIT was modified. 


 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully



C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform


ERROR: Too many errors encountered, terminating...

The command did not complete successfully


--Paul






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length. 

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:


This is a domain account.



To rehash-



The Default Domain Policy is set to min password length - 6 characters.

This was created 2 years ago and never changed.

User account is a domain account created a month ago.

It was brought to my attention that the user can log in with no 
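To make the flag arithmetic in this thread concrete (PWD_NOT_REQD = 32, ACCOUNTDISABLE = 2, NORMAL_ACCOUNT = 512; 546 to 544 is accepted, 544 to 512 is refused with 0x52d while the password is blank), an added Python example that is not code from the thread: a small model of the acceptance rule joe describes, a replay of Deji's scenario 5, and the sweep a defender wants afterwards, for enabled accounts that still carry PASSWD_NOTREQD. The flag values and the LDAP bitwise-AND matching rule OID are the documented ones; the account records are constructed and the acceptance rule is a model of the behaviour described, not the DC's own code.

```python
"""Model of the userAccountControl / PWD_NOT_REQD behaviour discussed in the thread.

Added example, not code from the thread. would_dc_accept() models the rule
joe describes (the policy bites only when an account ends up enabled with
PASSWD_NOTREQD clear while its password is blank); it is not the DC's code.
"""
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWD = 0x10000
ERROR_PASSWORD_RESTRICTION = 0x52D  # 1325, the extended error joe quotes

# LDAP filter for the audit below, using the bitwise-AND matching rule:
# enabled accounts (bit 2 clear) that carry PASSWD_NOTREQD (bit 32 set).
AUDIT_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                "(userAccountControl:1.2.840.113556.1.4.803:=32)"
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")


def decode_uac(uac):
    """Split the bits this thread turns on: 546 = 512 + 32 + 2, 544 = 512 + 32."""
    return {
        "disabled": bool(uac & ACCOUNTDISABLE),
        "pwd_not_reqd": bool(uac & PASSWD_NOTREQD),
        "normal": bool(uac & NORMAL_ACCOUNT),
    }


def would_dc_accept(new_uac, password_blank, min_pwd_length):
    """None if the modelled DC accepts the resulting state, else the error code.

    Only the resulting state matters (joe: the current or past UAC has no
    bearing): a blank password is refused exactly when the account would be
    enabled, with PASSWD_NOTREQD clear, under a minPwdLength > 0 policy.
    Creation (544 with no password) and 546 -> 544 both pass this test.
    """
    flags = decode_uac(new_uac)
    needs_password = not flags["disabled"] and not flags["pwd_not_reqd"]
    if password_blank and min_pwd_length > 0 and needs_password:
        return ERROR_PASSWORD_RESTRICTION
    return None


def replay(uac_steps, password_blank=True, min_pwd_length=6):
    """Outcome of each UAC value in turn, e.g. Deji's 546 -> 544 -> 512 path."""
    return [would_dc_accept(u, password_blank, min_pwd_length) for u in uac_steps]


# Constructed directory snapshot: sAMAccountName and userAccountControl only.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "svc-legacy", "userAccountControl": 544},
    {"sAMAccountName": "stale", "userAccountControl": 546},
    {"sAMAccountName": "jdoe",
     "userAccountControl": NORMAL_ACCOUNT | PASSWD_NOTREQD | DONT_EXPIRE_PASSWD},
]


def enabled_without_password_requirement(accounts):
    """The audit the scenario calls for: enabled accounts the length policy never checked."""
    hits = []
    for account in accounts:
        flags = decode_uac(account["userAccountControl"])
        if flags["pwd_not_reqd"] and not flags["disabled"]:
            hits.append(account["sAMAccountName"])
    return hits
```

The LDAP filter returns the same set as the Python sweep when run against the directory, so the two can be cross-checked on a live domain.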

RE: [ActiveDir] Active Directory Cookbooks...

2006-09-14 Thread David Adner
Oh yeah. I get the two confused.



[ActiveDir] List archive

2006-09-14 Thread David Adner

Anyone else getting timeouts trying to get to the list archive URL?

http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] List archive

2006-09-14 Thread Akomolafe, Deji



yes



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

