Re: [ActiveDir] Strange password issue

2006-09-15 Thread Paul Williams



Not really, as it's now 512 and can't get 
to that state without a password meeting complexity.


--Paul

  - Original Message - 
  From: Akomolafe, Deji 
  To: ActiveDir@mail.activedir.org 
  Sent: Friday, September 15, 2006 4:52 AM
  Subject: RE: [ActiveDir] Strange password issue
  
  
  I think you are missing 5.
  
  5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.
  
  It's a feasible scenario, no?
  
  
  
  Sincerely,
  
  Deji Akomolafe
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  -5.75, -3.23
  Do you now realize that Today is the Tomorrow you were worried about Yesterday?
  -anon
  
  
  From: joe
  Sent: Thu 9/14/2006 5:25 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password. 
  
  If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is
  
  DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
  Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
  
  Which is 
  
  F:\DEV\cpp\AdModerr 52d
  # for hex 0x52d / decimal 1325 :
    ERROR_PASSWORD_RESTRICTION                                    winerror.h
  # Unable to update the password. The value provided for the
  # new password does not meet the length, complexity, or
  # history requirement of the domain.
  # 1 matches found for "52d"
  
  
  A blank password does not have a hash, the system knows 
  it is blank. 
  
  You will obviously hit the same problem if you have an 
  enabled account with pwd_not_reqd and try to clear the 
  pwd_not_reqd.
  
  So current or past setting of UAC has no bearing on this 
  problem. 
  
  
  
  This could occur in four ways that I can think of (in order of likelihood) and speak about
  
  1. Someone relaxed the policy while the password was set 
  or when the account was being enabled / having pwd_not_reqd 
  cleared
  
  2. The Domain Password Policy isn't or at least wasn't 
  getting applied to one or more domain controllers for some reason. Check 
  minPwdLength on the NC Head objects of all DCs in the 
  domain
  
  3. A blank password hash was forced into the attribute of 
  an already enabled account through some form of LSASS process injection. 
  
  
  4. The raw DIT was modified. 
  
  
   joe
  
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: Wednesday, September 06, 2006 3:30 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  
  PWD_NOT_REQ is 32.
  
  You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:
  
  C:\admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add
  
  AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005
  
  DN Count: 1
  Using server: connoa-dc-01.connoa.concorp.contoso.com
  Adding specified objects...
     DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...
  
  The command completed successfully
  
  
  C:\admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe
  
  AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005
  
  DN Count: 1
  Using server: connoa-dc-01.connoa.concorp.contoso.com
  Modifying specified objects...
     DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform
  
  ERROR: Too many errors encountered, terminating...
  
  The command did not complete successfully
  
  
  --Paul
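The UAC arithmetic joe walks through above (546 = 512 + 32 + 2, 544 = 512 + 32) and the refusal Paul's admod run shows, as an added example that is not code from the thread, from admod or from any poster: a small Python model of the DC-side check joe describes, plus a defender-side audit for accounts carrying PASSWD_NOTREQD. The sample accounts, the minPwdLength value and the helper names are constructed for illustration; the model reduces the "length, complexity, or history" policy to a minimum length.

```python
"""Model of the userAccountControl (UAC) states and the DC-side check
discussed in this thread.  Added example: not code from admod/joeware or
from any poster; the account list and minPwdLength are constructed."""
from dataclasses import dataclass
from typing import Optional

# Bit values of the userAccountControl flags the thread refers to by decimal.
ACCOUNTDISABLE = 0x0002   # 2
PASSWD_NOTREQD = 0x0020   # 32, "PWD_NOT_REQD" in the thread
NORMAL_ACCOUNT = 0x0200   # 512

UAC_FLAGS = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
}

# Win32 error behind the admod extended error 052D (decimal 1325).
ERROR_PASSWORD_RESTRICTION = 0x52D


def decode_uac(uac: int) -> list[str]:
    """Name the set bits, e.g. 546 -> ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]
    unknown = uac & ~sum(UAC_FLAGS)   # bits this model does not know about
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:X})")
    return names


def uac_change_result(new_uac: int, password_blank: bool,
                      min_pwd_length: int) -> Optional[int]:
    """Model of the check joe describes: a write whose *result* is an enabled
    account without PASSWD_NOTREQD is refused when the password is blank and
    the domain enforces a minimum length (the policy is reduced to length
    here).  The previous UAC value is deliberately not an input: only the
    resulting state matters.  Returns None on success, else the error code."""
    enabled = not (new_uac & ACCOUNTDISABLE)
    pwd_required = not (new_uac & PASSWD_NOTREQD)
    if enabled and pwd_required and password_blank and min_pwd_length > 0:
        return ERROR_PASSWORD_RESTRICTION
    return None


def replay_thread_scenarios(min_pwd_length: int = 7):
    """Walk the UAC transitions from the thread with a blank password and
    return {scenario: [(target_uac, result), ...]}.  min_pwd_length=7 is a
    constructed policy value; 0 models joe's cause #1 (policy relaxed)."""
    def run(*targets):
        return [(u, uac_change_result(u, True, min_pwd_length)) for u in targets]
    return {
        # Paul's admod run: create with 544, then try to set 512.
        "paul_admod": run(544, 512),
        # Deji's scenario: created as 546, enabled to 544, then someone tries 512.
        "deji": run(546, 544, 512),
        # joe: clearing PASSWD_NOTREQD while disabled works; enabling does not.
        "joe": run(546, 514, 512),
    }


@dataclass
class UserRecord:
    """Minimal stand-in for an LDAP search result (constructed)."""
    sam_account_name: str
    user_account_control: int


def audit_pwd_not_reqd(users) -> dict[str, list[str]]:
    """Defender-side audit: accounts carrying PASSWD_NOTREQD, split into
    enabled (544-style: a blank password is accepted at logon) and
    disabled (546-style: the default for programmatically created accounts)."""
    findings = {"enabled_pwd_not_reqd": [], "disabled_pwd_not_reqd": []}
    for u in users:
        if not (u.user_account_control & PASSWD_NOTREQD):
            continue
        key = ("disabled_pwd_not_reqd" if u.user_account_control & ACCOUNTDISABLE
               else "enabled_pwd_not_reqd")
        findings[key].append(u.sam_account_name)
    return findings


# Constructed sample directory contents, not from any poster's domain.
SAMPLE_USERS = [
    UserRecord("svc-import", 546),  # created disabled, PWD_NOT_REQD set
    UserRecord("test-user", 544),   # enabled, PWD_NOT_REQD set: worth a ticket
    UserRecord("alice", 512),       # normal account
    UserRecord("bob", 514),         # disabled, password required
]

if __name__ == "__main__":
    for uac in (512, 514, 544, 546):
        print(uac, decode_uac(uac))
    for name, steps in replay_thread_scenarios().items():
        print(name, [(u, hex(r) if r else "ok") for u, r in steps])
    print(audit_pwd_not_reqd(SAMPLE_USERS))
```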
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: 06 September 2006 19:28
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue
  
  From what I recall, if the password 
  is not required, 

RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread neil.ruston



Thanks for responses, all.

Al - we are designing a forest with regional domains (don't 
ask!) and one region has suggested it needs to split from this forest since 
elevating rights in any regional domain from DA to EA (forest wide) is 'simple' 
[and this would break the admin / support model].

I am arguing that it is not simple and am looking for 
methods which may be used to elevate rights as per the 
above.

Make sense?

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 14 September 2006 20:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA
Can you reword? I'm not sure I clearly understand the question. FWIW, going from DA to EA is a matter of adding one's id to the EA group. DA's have that right in the root domain of the forest (DA's of the root domain have that right). Editing etc. is not necessary. Nor are key-loggers etc. If physical access is available, there are plenty of ways to get the access you require to a domain but I suspect you're asking how can a DA from a child domain gain EA access; is that the question you're looking to answer? Just for curiosity, what brings up that question? 
Al
On 9/14/06, [EMAIL PROTECTED] [EMAIL PROTECTED] 
wrote:

  
  
  It has been suggested by certain parties here that elevating one's rights from AD to EA is 'simple'. 
  I have suggested that whilst it's possible it is not simple at all. 
  Does anyone have any descriptions of methods / backdoors / workarounds etc that can be used to elevate rights in this way? Naturally, you may prefer to send this to me offline :) [ [EMAIL PROTECTED]]
  I can think of the following basic methods: 
  - Remove DC disks and edit offline 
  - Introduce key logger on admin workstation / DC 
  - Inject code into lsass 
  
  As you can see, I don't want specific steps to 'hack' the DC, just basic ideas / methods. 
  Thanks, neil 
  PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. 





RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Almeida Pinto, Jorge de



Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

What 
is being said is very very true. Either you trust ALL Domain Admins (no matter 
the domain those are in) or you do not trust ANY! Every Domain Admin or ANY 
person with physical access to a DC has the possibility to turn the complete 
forest into crap!
Because if that was NOT the case the DOMAIN would be 
the security boundary. Unfortunately it is not! The Forest is the security 
boundary, whereas EVERY single DC in the forest MUST be protected and EVERY 
Domain Admin MUST be trusted!

I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above

When you know HOW, it is as easy as taking candy from a baby

jorge


  
  

RE: [ActiveDir] Any impacts to domain controller when changingits IP?

2006-09-15 Thread Almeida Pinto, Jorge de



I knew that, I just preferred him to say it for himself... 
;-) (BY THE WAY: Mark, did you go to the game?)

it is also possible to rename a W2K3 DC when not in 
DFL=W2K3 (thus DFL=W2K native/mixed) AND it is supported! 
;-)
However, what Guido is saying IS preferred because it is a 
multiple step approach and does not cause the issues the other method does 
cause

see:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/109.aspx
jorge

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
  Sent: Thursday, September 14, 2006 17:56
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Any impacts to domain controller when changingits IP?
  
  
  Yep, 
  that was Win2k – once you’ve reached Win2k3 domain functional level, you can 
  start adding another name to your DC, make it primary, reboot, ensure 
  everything replicates well and registers in DNS, then remove the old name. 
  Use NETDOM to do so.
  
  /Guido
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
  Sent: Thursday, September 14, 2006 4:50 PM
  To: ActiveDir@mail.activedir.org; ActiveDir.org
  Subject: RE: [ActiveDir] Any impacts to domain controller when changingits IP?
  
  
  
  If you want to change the computer name you need to DEMOTE the server
  
  
  isn't that for w2k only? (he's got w2k3)
  
  
  
  
  
  
  
  Met vriendelijke groeten / Kind regards,
  
  Ing. Jorge de Almeida Pinto
  Senior Infrastructure Consultant
  MVP Windows Server - Directory Services
  
  LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
  Tel    : +31-(0)40-29.57.777
  Mobile : +31-(0)6-26.26.62.80
  E-mail : see sender address
  
  
  
  
  

Re: [ActiveDir] Any impacts to domain controller when changingits IP?

2006-09-15 Thread Mark Parris
No I missed the game as the wife is not well - 

she's from Maastricht so you can guess what it's like at home at the moment.


Mark

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
Date: Fri, 15 Sep 2006 10:18:09 
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changingits IP?

 
I knew that, I just preferred him to say it for himself... ;-) (BY THE WAY: 
Mark, did you go to the game?) 
  
it is also possible to rename a W2K3 DC when not in DFL=W2K3 (thus DFL=W2K 
native/mixed) AND it is supported! ;-) 
However, what Guido is saying IS preferred because it is a multiple step 
approach and does not cause the issues the other method does cause 
  
see: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/109.aspx

jorge 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, 
Guido
Sent: Thursday, September 14, 2006 17:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changingits IP?

 
 
 
Yep, that was Win2k – once you’ve reached Win2k3 domain functional level, you 
can start adding another name to your DC, make it primary, reboot, ensure 
everything replicates well and registers in DNS, then remove the old name.  Use 
NETDOM to do so.
 
 
 
/Guido
 
 
 
 
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: Thursday, September 14, 2006 4:50 PM
To: ActiveDir@mail.activedir.org; ActiveDir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changingits IP?
 
 
 
 
 
If you want to change the computer name you need to DEMOTE the server
 
 
 
 
 
isn't that for w2k only? (he's got w2k3)
 
 
 
 
 
 
 
 
 
 
Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel    : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address
 
 
 
 
 

 
From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 2006-09-14 16:35
To: ActiveDir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changingits IP?
 
 
If you want to change the computer name you need to demote the server, wait for 
replication then change the server name at this stage I would re ip the server, 
then dcpromo the server again.

This is of course assuming you have multiple DC's if not and it's only for 3 
months keep then why not keep the name and just change the IP address.

Make sure DNS functions correctly.

Regards




Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: McClure, David (MED US) [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 10:12:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changingits IP?


If you're running a Certificate Authority on that DC, you can't change
the computer name without first uninstalling Certificate Services.  I'm
not sure what the impact would be on the chain of trust if you reinstall
CertSvcs after the name change.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when
changingits IP?

In SBSland they made a change IP address wizard for our DCs because
invariably we forget something...

DHCP
WINS
kitchen sink stuff, etc

http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/43dd693a-0cc4-47fd-94c7-cfe200439f41.mspx?mfr=true

You can see what the wizard does.. which are the changes you will need to do

Jobsz wrote:

 Dear all,

 Because our company is being merged by another company, in the process

 of integration we need change the internal IP address and computer
name.

 Our domain controller of Windows Server 2003.
 We have to change its computer name and internal IP but no need to

 change The domain name, because we want to let run for 3 months.

 Anyone could tell me what impacts brought by these changes?

 Any suggestions would be appreciated!


 With best regards
 Jobs.Zhao

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Paul Williams



Neil,

Try a re-read of the first couple of 
chapters of the first part of the deployment guide book designing and deploying 
directory and security services. Obviously it doesn't spell out how to do 
this -it doesn't even allude to how this is done- but does emphasise when and 
when not to go with the regional domain model.

I'm not disputing what anyone is saying 
here -I agree. I just happen to think the regional model can be a good 
one, and that if done properly works. Even from a security stand 
point. The main thing with the regional design is that there's a central 
group of service admins, or a true delegated model. 

If you have multiple groups of service 
admins it can still work, but the issue that has been raised is very real and 
you probably need to implement processes and monitor against it (if you're 
forced into such a design by the needs of the business or obtuse upper 
management ;-). Although it does seem to be possible to implement 
disparate groups of service admins if you follow the delegation whitepaper 
(you'll need to improvide, but most of the info. is pertinent), which should put 
you in a much stronger position from a security stand point. If you can 
achieve a very small number of people who are actually members of the 
builtin\Administrators group, and the rest only have delegated permissions and 
privileges (and preferably very few privileges on the DCs, i.e. no logon 
locally) you can achieve what you want. 

Joe's been there and done 
it...


--Paul

  - Original Message - 
  From: Almeida Pinto, Jorge de 
  To: ActiveDir@mail.activedir.org 
  Sent: Friday, September 15, 2006 8:48 AM
  Subject: RE: [ActiveDir] Elevating privileges from DA to EA
  
  Al - we are designing a forest with regional domains (don't 
  ask!) and one region has suggested it needs to split from this forest since 
  elevating rights in any regional domain from DA to EA (forest wide) is 
  'simple' [and this would break the admin / support 
  model].
  
  What is being said is very very true. Either you 
  trust ALL Domain Admins (no matter the domain those are in) or you do not 
  trust ANY! Every Domain Admin or ANY person with physical access to a DC has 
  the possibility to turn the complete forest into crap!
  Because if that was NOT the case the DOMAIN would be 
  the security boundary. Unfortunately it is not! The Forest is the security 
  boundary, whereas EVERY single DC in the forest MUST be protected and EVERY 
  Domain Admin MUST be trusted!
  
  I am arguing that it is not simple and am looking for 
  methods which may be used to elevate rights as per the 
  above
  
  When you know HOW, it is as easy as taking candy from a 
  baby
  
  jorge
  
  



RE: [ActiveDir] List archive

2006-09-15 Thread dinesh shinde

yes

Thanks & Regds.

Dinesh





From: David Adner [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List archive
Date: Thu, 14 Sep 2006 23:05:46 -0500


Anyone else getting timeouts trying to get to the list archive URL?



http://www.activedir.org/ml/threads.aspx


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] VBScript Container Security

2006-09-15 Thread Joe McNicholas






I'm trying to create and secure the LDAP://cn=System Management,cn=System,dc=mydomain,dc=com container, as required for SMS[1].

I'm able to create the container successfully, but haven't found any examples of how to assign security to an OU or Container in the AD. MS Script Centre and a quick google have come up blank, can anyone point me to any examples?

Thanks

Joe


[1] Ref: https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true




Re: [ActiveDir] VBScript Container Security

2006-09-15 Thread Paul Williams

I can't point you at any examples, but 
most of the documentation I read and from what MSFT people said at conferences, 
reckons you should grant full control to the group for SMS servers on that 
container. That's horse sh!t - you need to grant create and delete of each 
of the MS SMS object types and full control over those object types, and that's 
it.

When I designed a couple of k3 SMS 
installations last year I used a DLG called SMS Servers and GGs called Primary 
SMS and Secondary SMS and nested the GGs into the DLG which was granted the 
permissions. You can then get specific for primary and secondary servers 
in some cases, or grant all via the DLG.

I'm afraid I can't remember the names of 
the classes, so can't give you the ldapDisplayNames of the object types in 
question. But they're easy to find, they should be prefixed with mS-SMS or 
something like that.

Note also that the advanced clients search 
on objectClass instead of objectCategory, so if you haven't already, you need to 
index objectClass.


--Paul

  - Original Message - 
  From: 
  Joe 
  McNicholas 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Friday, September 15, 2006 10:53 
  AM
  Subject: [ActiveDir] VBScript Container 
  Security
  
  I'm trying to create and secure the "LDAP://cn=System 
  Management,cn=System,dc=mydomain,dc=com" container, as required for 
  SMS[1].
  I'm able to create the container successfully, but 
  haven't found any examples of how to assign security to an OU or Container in 
  the AD. MS Script Centre and a quick google have come up blank, can 
  anyone point me to any examples?
  Thanks Joe 
  [1] Ref: https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true
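An added example, not from the thread and not Microsoft's or SMS's own script, that implements the narrower grant Paul describes using the System.DirectoryServices ACL classes from PowerShell. It looks the SMS object classes up in the schema by name, then gives one group CreateChild/DeleteChild for each of those classes on the System Management container, plus full control over descendant objects of those classes only, so nothing is granted on the container itself or on objects of any other class. The group name "SMS Servers" and the class-name pattern (ldapDisplayName mSSMS*, cn MS-SMS-*) are assumptions; check what your schema extension actually created before running it.

```powershell
# Added example: scope the SMS grant on CN=System Management to the SMS object classes only.
# Assumptions (not from the thread): a domain local group named "SMS Servers" exists, the
# container has already been created, and the SMS schema classes are named mSSMS* / MS-SMS-*.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$target   = "CN=System Management,CN=System,$($rootDse.defaultNamingContext)"
$group    = Get-ADGroup -Identity 'SMS Servers'
$identity = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve the schemaIDGUID of each SMS class so every ACE is tied to an object type.
$smsClasses = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(|(lDAPDisplayName=mSSMS*)(cn=MS-SMS-*)))' `
    -Properties lDAPDisplayName, schemaIDGUID
if (-not $smsClasses) { throw 'No SMS classes found in the schema; run the SMS schema extension first.' }

$acl = Get-Acl -Path "AD:\$target"
foreach ($cls in $smsClasses) {
    $classGuid = [guid]$cls.schemaIDGUID

    # 1. Create and delete children of this class directly in the container (this object only).
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $classGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))

    # 2. Full control, but only over descendant objects of this class (inherit-only ACE).
    #    "Descendents" is the .NET spelling of the enum value.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)))

    '{0,-32} {1}' -f $cls.lDAPDisplayName, $classGuid
}
Set-Acl -Path "AD:\$target" -AclObject $acl

# Verify what was written: no GenericAll on the container itself, only class-scoped ACEs.
(Get-Acl -Path "AD:\$target").Access |
    Where-Object { $_.IdentityReference -like '*\SMS Servers' } |
    Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize
```

The verification step is the point of doing it in script rather than in the ADUC security dialog: the output should show only ACEs whose ObjectType or InheritedObjectType is one of the SMS class GUIDs. A GenericAll entry with an empty ObjectType on the container is the "full control" grant the documentation asks for and Paul argues against.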


[ActiveDir] need help

2006-09-15 Thread badhusha

Guys, I need to develop a program which
displays the services in all the DCs. Any idea where I can find better
help regarding this, or any other alternative solution?

Thanks in advance









RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Dave Wade



Chris,
 I guess I have three "comments" on 
this:-

1) Putting users in "Power Users" does "cut down on the potential", 
however even on a properly configured machine users can usually install personal 
browser extensions containing spyware. 

2) Spyware hangs around for a long time. Our users used to have 
admin rights so there is a lot of "legacy" spyware around.

3) We still have business critical applications that won't run 
without admin rights. Often these are tightly integrated in a large suite of 
applications, e.g. the Call Centre management suite, so we still have some 
machines where users have admin rights. I know this sucks but there is certainly 
no cash available to replace these apps.

Dave.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
Sent: 14 September 2006 20:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware


I have not done a lot 
of research on this, but if you have users in either the power users or regular 
users group, wont that cut down tremendously on the potential of getting 
adware/spyware?





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chinnery, Paul
Sent: Thursday, September 14, 2006 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware


We're using CounterSpy 
Enterprise from Sunbelt Software. Like you, we have seen a performance hit* 
on computers with just 128 meg of memory but that goes away when we add more 
memory. The only issue I ran into, other than performance, was it blocked 
a cookie that was necessary for our payroll department. However, once I 
"okayed" that cookie, it was fine. 



*According to 
Sunbelt, the next version is supposed to reduce 
the performance impact.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
  Sent: Thursday, September 14, 2006 10:44 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: Protecting against Spyware/Adware
  Just curious what other people are 
  using for protecting against adware/spyware? We are using Webroot Spysweeper 
  right now, but I see some performance hits on computers running this software 
  and it does work, but it causes headaches will installing some apps that we 
  approve. Any suggestions are appreciated. 
  
  Chris 
  Pohlschneider
  Holloway Sportswear IT
  937-494-2559
  937-497-7300   (Fax)
  [EMAIL PROTECTED]
  
  

**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this email,  or any response to it,  under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**




RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Dave Wade
Darren,
 While that also seems intuitive to me, patently something odd happens.
It is clearly documented (well, I hope it is; it's certainly my
understanding) that you can only set password policy on the domain in a
top level GPO, not one applied directly to the Domain Controllers OU.
Therefore something odd must happen.
Dave.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 September 2006 00:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

To me it seems intuitive that GP processing would behave the same way
for DCs as it would for other computers.  And to answer the question,
yes I have confirmed this in testing numerous times over the years-most
recently the day Ben asked the question.

Darren

-Original Message-
From: Derek Harris [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 9/14/2006 4:11 PM
Subject: RE: [ActiveDir] Block Inheritance on DC OU

I did it a couple years ago, and found out that it does block the
password policy. It seems intuitive that it shouldn't, but it does.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, September 14, 2006 3:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU


You say "obvious", but is this obvious? What happens in the case of
password policy? This can only be set at the top level of the domain.
Does this block actually prevent it being applied? I would guess that it
does, but I wonder if anyone has tested it or has any docs on what
actually happens. 
 
 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 13, 2006 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

 

Well, the obvious effect is that it prevents domain-linked policies from
being delivered correctly, including password policy. This is probably
not desirable. I can't think of a good scenario where this would be
useful. 

 

Darren

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU

The company I am currently working for has block inheritance enabled
for the Domain Controller's OU and apparently whoever enabled this
setting is no longer with the company (or they won't fess up to why they
did this).

 

Although I am curious, what sort of ramifications does enabling block
inheritance on the Domain Controller's OU pose?  And what reason would

[truncated by sender]
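An added check, not from the thread, written in PowerShell with the GroupPolicy and ActiveDirectory modules. It reports whether the Domain Controllers OU blocks inheritance, which domain-linked GPOs are Enforced (an Enforced link is the one thing Block Inheritance does not stop), what the DC OU actually ends up applying, and the password policy the domain currently holds, so the situation the thread describes can be seen rather than guessed at. It assumes you run it with rights to read Group Policy and the domain object.

```powershell
# Added example (not from the thread): does the Domain Controllers OU block inheritance, and
# if so, is anything Enforced at the domain to carry account policy through the block?
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer          # e.g. OU=Domain Controllers,DC=test,DC=loc

$ouInheritance     = Get-GPInheritance -Target $dcOu
$domainInheritance = Get-GPInheritance -Target $domain.DistinguishedName

'Block Inheritance on {0}: {1}' -f $dcOu, $ouInheritance.GpoInheritanceBlocked

'Domain-linked GPOs:'
foreach ($link in $domainInheritance.GpoLinks) {
    '  {0,-40} Enabled={1,-5} Enforced={2}' -f $link.DisplayName, $link.Enabled, $link.Enforced
}

# What the DCs actually process: the OU's own links plus whatever survives the block.
'GPOs applied to the DC OU (own links plus inherited):'
foreach ($link in $ouInheritance.InheritedGpoLinks) {
    '  {0,-40} linked at {1}' -f $link.DisplayName, $link.Target
}

# The account policy the domain holds right now. The PDC emulator writes these attributes on
# the domain head from the GPO it processes, and every DC enforces them for domain accounts.
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, MinPasswordAge, LockoutThreshold

$enforced = @($domainInheritance.GpoLinks | Where-Object { $_.Enabled -and $_.Enforced })
if ($ouInheritance.GpoInheritanceBlocked -and $enforced.Count -eq 0) {
    Write-Warning (('{0} blocks inheritance and no domain-linked GPO is Enforced: ' +
                    'domain-linked policy, password policy included, is not delivered to the DCs.') -f $dcOu)
}
```

If the warning fires, the two ways out are the ones the thread implies: remove the block on the DC OU, or set the domain link that carries account policy to Enforced so it is delivered regardless. Re-run the check afterwards and confirm the policy GPO appears in the "applied to the DC OU" list.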


Re: [ActiveDir] need help

2006-09-15 Thread Paul Williams



Look into the Win32_Service class for 
info. on how to view and manage services via script. Or, if you fancy 
calling EXEs and not handling everything in code, use the SC.EXE 
tool.


--Paul

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  
  To: ActiveDir@mail.activedir.org 
  
  Sent: Friday, September 15, 2006 12:12 
  PM
  Subject: [ActiveDir] need help
  Guys, I need to develop a 
  program which displays the services in all the DCs. Any idea where I can 
  find better help regarding this, or any other alternative solution? 
  Thanks in advance  
  

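As an added example, not code from the thread: PowerShell that does what Paul suggests (Win32_Service) against every DC in the domain, then compares the DCs against each other. On a DC the findings worth attention are a service that exists or runs on only one DC, and a service whose logon account is a domain account rather than LocalSystem or a built-in NT AUTHORITY account, because the credentials of a service running on a DC are effectively domain credentials. It assumes WinRM is enabled on the DCs (the default transport for Get-CimInstance) and that the caller has rights to query them.

```powershell
# Added example (not from the thread): inventory services on every DC with Win32_Service
# and diff the DCs against one another. Assumes WinRM is reachable on each DC.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName | Sort-Object

$inventory = foreach ($dc in $dcs) {
    try {
        # Win32_Service over WS-Man. For DCOM-only hosts build a CimSession with
        # New-CimSessionOption -Protocol Dcom, or fall back to Get-WmiObject.
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $dc -ErrorAction Stop
    } catch {
        Write-Warning ('{0}: {1}' -f $dc, $_.Exception.Message)
        continue
    }
    foreach ($s in $services) {
        [pscustomobject]@{
            DC        = $dc
            Name      = $s.Name
            State     = $s.State
            StartMode = $s.StartMode
            LogonAs   = $s.StartName      # account the service runs under
            Path      = $s.PathName
        }
    }
}

# Full table, one row per service per DC: the "display" part of the question.
$inventory | Sort-Object Name, DC | Format-Table DC, Name, State, StartMode, LogonAs -AutoSize

# Services not present on every reachable DC: a third-party agent installed on one DC,
# or a service someone added by hand, shows up here.
$reached = ($inventory.DC | Sort-Object -Unique).Count
$inventory | Group-Object Name | Where-Object { $_.Count -lt $reached } | ForEach-Object {
    '{0,-35} only on: {1}' -f $_.Name, (($_.Group.DC | Sort-Object -Unique) -join ', ')
}

# Services that run as something other than the built-in machine and virtual accounts.
$inventory |
    Where-Object { $_.LogonAs -and $_.LogonAs -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
    Format-Table DC, Name, LogonAs, Path -AutoSize
```

The per-DC diff is more useful than a fixed "expected services" list because a healthy set of DCs built from the same image should agree with each other; the exceptions are the things to explain.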

  


RE: [ActiveDir] need help

2006-09-15 Thread Dave Wade



I guess it depends on what you mean by "display". It's pretty easy 
to build a custom MMC console that contains a "Services" snap-in for each DC, 
and then use "runas" to launch with the rights needed. You can still only see 
the services on a single DC at once, but it's pretty easy to flip round 
them...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 15 September 2006 12:54
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] need help

Look into the Win32_Service class for 
info. on how to view and manage services via script. Or, if you fancy calling EXEs and not handling everything in code, use the SC.EXE 
tool.


--Paul

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  
  To: ActiveDir@mail.activedir.org 
  
  Sent: Friday, September 15, 2006 12:12 
  PM
  Subject: [ActiveDir] need help
  Guys, I need to develop a 
  program which displays the services in all the DCs. Any idea where I can 
  find better help regarding this, or any other alternative solution? 
  Thanks in advance  
  




RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Chinnery, Paul
I agree but, unfortunately, the software being used requires local admin 
privileges.  Which, as you might imagine, is quite frustrating.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware


Nonadmin

I personally have had way less issues when users that don't need admin 
rights don't have them.

Chinnery, Paul wrote:
 We're using CounterSpy Enterprise from Sunbelt Software.  Like you, we 
 have seen a performance hit* on computers with just 128 meg of memory 
 but that goes away when we add more memory.  The only issue I ran 
 into, other than performance, was it blocked a cookie that was 
 necessary for our payroll department.  However, once I okayed that 
 cookie, it was fine. 
  
 *According to Sunbelt, the next version is supposed to reduce the 
 performance impact.

 -Original Message-
 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of *Chris
 Pohlschneider
 *Sent:* Thursday, September 14, 2006 10:44 AM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* [ActiveDir] OT: Protecting against Spyware/Adware

 Just curious what other people are using for protecting against
 adware/spyware? We are using Webroot Spysweeper right now, but I
 see some performance hits on computers running this software and
 it does work, but it causes headaches will installing some apps
 that we approve. Any suggestions are appreciated.

  

 Chris Pohlschneider

 Holloway Sportswear IT

 937-494-2559

 937-497-7300 (Fax)

 [EMAIL PROTECTED]

  

  


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs





Re: [ActiveDir] DNS zones expiring

2006-09-15 Thread HBooGz
Thanks for the feedback. I can definitely telnet to both servers interchangeably and netstat works as it should. I have the "allow all servers listed under Name Servers" option selected for zone transfers -- I might just change that to specific IP addresses.
When I reload, that works fine - the problem is the zone expires on its own without any pattern and I have to manually reload. Needless to say, not very efficient. I'm open to other ways to architect the DNS structure for a single parent with single child.
What are the recommended steps for this type of DNS setup? Domain delegation? All AD-integrated?

On 9/14/06, Akomolafe, Deji 
[EMAIL PROTECTED] wrote:


Here's what I'd do:

Ensure that there is no NATting going on between the 2 DNS servers. Verify this by doing something like telnet PrimaryDNSServer 53 from the secondary server and then going to the Primary server and doing netstat |find :53 and making sure that you could see the real IP address of the secondary server on the list.


If that checks out, then I'd:
Go to the DNS console on the Primary server and verify that the secondary server is on the list of servers allowed to transfer that particular zone.

If that checks out, then I'd:
Attempt a manual transfer at the secondary server by going to the DNS console on the secondary server, right-clicking on the zone and selecting "Reload from master" first. If that fails, then I'd try "Transfer from master".


If that fails, then I'd pray very hard, then enable DNS logging, then pray some more and open up the log file after a while. Then I'd post back here with whatever is interesting.




Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: HBooGz
Sent: Thu 9/14/2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring

No worries, I don't take offense easily... =)

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 9/14/2006
Time: 10:08:04 AM
User: N/A
Computer: PHMAINDC1
Description: Zone jacwf.phippsny.org expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
On 9/14/06, Akomolafe, Deji 
[EMAIL PROTECTED] wrote: 




I guess if you have Widows, then someone must have expired :)[1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring


Hey All - I've set up the child domain DNS zones as primary (not AD-integrated). On the parent domain controllers/DNS servers I've added that zone as a secondary zone. I've noticed this DNS setup has worked better for me in the past than a full AD-integrated setup. After migrating over to Windows 2003, every day I get an event log message on the parent DNS server log indicating that the child domain's zone has expired and I have to manually reload. 
Any ideas? Help? Suggestions?
Thanks,
-- HBooGz:\ 

-- HBooGz:\




RE: [ActiveDir] Replication Metadata

2006-09-15 Thread Brett Shirley
Just tell your boss you didn't say the hour would be made up of
consecutive minutes. [1]

Cheers,
-BrettSh

[1] A line that was used on me when Windows Architect told me I'd be able
to solve my global sync object naming problem within a few hours.  A
couple days of issues later, and after he spent 30 minutes trying to debug
what was going on on a kd with me, I said, So 3 hours, eh?, He responds,
I didn't say they'd be consecutive hours. :)


On Thu, 14 Sep 2006, joe wrote:

 Yep, if vbscript you want the XML versions...
 
 You should be able to do this in an hour You just need to pick the right
 hour. ;o) 
 
 
 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
 Sent: Thursday, September 14, 2006 9:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Replication Metadata
 
 That's great info; thanks joe.  I'll take a look at
 msDS-ReplValueMetaData and msDS-ReplAttributeMetaData.  I'm trying to do
 this in a vbscript and avoid getting into any compiled solutions.  I
 told my boss I could do this in an hour because I thought I could just
 use IADsTools, oopsie. 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Thursday, September 14, 2006 5:38 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Replication Metadata
 
 I doubt that IADsTools was updated. They seemed to be trying to kill
 that as
 far back as 2001. I think it was someone's pet project and they went to
 another petting zoo to work... I know I found some time issues in it
 back
 then and some more later that I tried to get corrected and was wholly
 unsuccessful on both occasions.
 
 But the answer is... There is additional metadata available now for
 looking
 at value level changes. The way IADsTools was probably getting the info
 (this is a guess, never saw the code) is through the attribute
 replPropertyMetaData but it very well could have been using the RPC
 based
 API call DsReplicaGetInfo. 
 
 Probably the simplest mechanism to use now are the attributes
 msDS-ReplAttributeMetaData and msDS-ReplValueMetaData which by default
 will
 return XML strings with the data. If you are equipped to handle it, you
 can
 instead make the calls much faster and pass less data on the wire by
 asking
 for the binary versions of those attributes by appending the ;binary
 modifier. 
 
 If you want to write DC API based code, you can use DsReplicateGetInfo2.
 
   joe
 
 
 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
 Joseph
 Sent: Friday, September 08, 2006 11:36 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Replication Metadata
 
 I'm using Robbie Allens example for using IADSTools.DCFunctions to read
 group object meta data.  I just realized that now that we've upgraded to
 2003 I can no longer look at the member last changed field to determine
 when group membership last changed.
 
 I know that RepAdmin can look at the individual group changes so there
 must be some updated API that I can use to do the same thing, I just
 can't seem to find it.
 
 Can anyone point me in the right direction?
 
 Thanks 
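An added example, not from the thread: PowerShell that reads msDS-ReplValueMetaData the way joe describes (one XML fragment per linked value) and turns it into a "when did this member change" table, which is what the original question wanted from IADsTools. The group name is an assumption; any group works. It needs the ActiveDirectory module and read access to the group.

```powershell
# Added example (not from the thread): link-value replication metadata for a group's
# member attribute. The group name is an assumption; any group works.
Import-Module ActiveDirectory

$groupDn = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
$server  = [string](Get-ADDomainController -Discover).HostName

# msDS-ReplValueMetaData is constructed by the DC you ask, one XML fragment per linked value:
# current members, and removed ones until their tombstone lifetime passes.
$group = Get-ADObject -Identity $groupDn -Server $server -Properties 'msDS-ReplValueMetaData'

$changes = foreach ($fragment in $group.'msDS-ReplValueMetaData') {
    $m = ([xml]$fragment).DS_REPL_VALUE_META_DATA
    if ($m.pszAttributeName -ne 'member') { continue }

    # A zero FILETIME (1601-01-01) in ftimeDeleted means the value is present, not removed.
    $removed = $m.ftimeDeleted -notlike '1601-01-01*'
    [pscustomobject]@{
        Member        = $m.pszObjectDn
        Present       = -not $removed
        LastChanged   = [datetime]$m.ftimeLastOriginatingChange
        RemovedAt     = if ($removed) { [datetime]$m.ftimeDeleted } else { $null }
        Version       = [int]$m.dwVersion                 # originating changes to this value
        OriginatingDC = $m.pszLastOriginatingDsaDN
    }
}

$changes | Sort-Object LastChanged -Descending |
    Format-Table Member, Present, LastChanged, RemovedAt, Version -AutoSize

# "When did membership last change" is the newest originating change, add or remove alike.
$latest = $changes | Sort-Object LastChanged -Descending | Select-Object -First 1
$fields = @($groupDn, $latest.Member, $(if ($latest.Present) { 'added' } else { 'removed' }),
            $latest.LastChanged, $latest.OriginatingDC)
'Last membership change on {0}: {1} {2} at {3:u}, originating at {4}' -f $fields
```

Ask the same DC each time you compare results, since each DC constructs the attribute from its own copy. On Windows Server 2012 and later, Get-ADReplicationAttributeMetadata -Object $groupDn -Server $server -ShowAllLinkedValues returns the same data already parsed into objects.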


RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Rob MOIR
 2) Spy ware hangs around for a long time. Our users used to have admin
 rights so there is a lot of legacy spyware around

Create a project to re-build these machines? If you've got a standard
deployment image for workstations, this might not be too disruptive.
 
 3) We still have business critical applications that won't run without
 admin rights. Often these are tightly integrated in a large suite of
 applications, e.g. the Call Centre management suit, so we still have
 some machines where users have admin rights. I know this sucks but
 there is certainly no cash available to replace these apps

Is there a budget to deliver these 'special' apps via Citrix or at least
MS Terminal server, hence isolating them on a locked down server which
users cannot browse the web from, and allowing you to drop their local
workstation access level down to something sane? Or to virtualise these
apps on each desktop, again isolating them and allowing you to drop the
local workstation access rights down a notch or two.

-- 
Robert Moir
Microsoft MVP for Windows Servers & Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong   | Good vs. Evil
God vs. the devil | What side you on?


Re: [ActiveDir] DNS zones expiring

2006-09-15 Thread Al Mulnick
From what I've seen, the timeout can also be attributed to the transfer failing for whatever reason. If, during the transfer, the entire zone is not copied, then you hit an error. This sounds like some network issues or you're behind in your patching. Have you verified that there are no network issues going on? Maybe a saturated network link? Dropped packets? High latency between the servers? 
I've seen similar issues with DNS servers. In my case they were network related, but it's odd that they drop and don't come back. Might be a good time to verify that your patches are up to date on those machines. 

On 9/15/06, HBooGz [EMAIL PROTECTED] wrote:
 Thanks for the feedback. I can definitely telnet to both servers interchangeably and netstat works as it should. I have the "allow all servers listed under Name Servers" option selected for zone transfers -- I might just change that to specific IP addresses.
 When I reload, that works fine - the problem is the zone expires on its own without any pattern and I have to manually reload. Needless to say, not very efficient. I'm open to other ways to architect the DNS structure for a single parent with single child.
 What are the recommended steps for this type of DNS setup? Domain delegation? All AD-integrated?
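An added example, not from the thread, in PowerShell with the DnsServer module (Windows Server 2012 and later), covering both sides of the problem. On the parent DC that holds the secondary copy it pulls the 6527 expiry events, reads the SOA timers the secondary is working to, and compares serials with the primary so a stalled transfer is visible before the zone shuts itself down. On the child DC that holds the primary it replaces "any server listed in Name Servers" with an explicit list of secondaries, the change HBooGz mentions wanting to make; that setting is what decides who may AXFR the zone. The zone name is the one from the event; the server name and addresses are assumptions.

```powershell
# Added example (not from the thread). Run the first part on the parent DC that holds the
# secondary zone; the last part runs (via Invoke-Command) on the child DC that holds the primary.
# The zone name is the one in the 6527 event; server names and IPs are assumptions.
$zone        = 'jacwf.phippsny.org'
$primary     = 'childdc1.jacwf.phippsny.org'   # assumed: child-domain DC hosting the primary zone
$secondaries = @('192.0.2.10', '192.0.2.11')   # assumed: parent DCs allowed to pull the zone

# 1. How often has this zone expired here? Event 6527 is "zone expired before a transfer succeeded".
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 6527 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$zone*" } |
    Select-Object TimeCreated, MachineName |
    Format-Table -AutoSize

# 2. SOA timers as the secondary holds them. The zone is shut down once Expire seconds pass
#    with no successful refresh, so Refresh and Retry must leave several attempts inside Expire.
$soa = (Get-DnsServerResourceRecord -ZoneName $zone -RRType Soa).RecordData
'Serial={0} Refresh={1} Retry={2} Expire={3}' -f $soa.SerialNumber, $soa.RefreshInterval, $soa.RetryInterval, $soa.ExpireLimit
if ($soa.ExpireLimit.TotalSeconds -lt ($soa.RefreshInterval.TotalSeconds + 3 * $soa.RetryInterval.TotalSeconds)) {
    Write-Warning 'Expire leaves fewer than three retries after a missed refresh; one bad window expires the zone.'
}

# 3. Is the primary ahead of us? A serial gap that never closes means transfers are failing,
#    not that the zone is idle.
$primarySerial = (Resolve-DnsName -Name $zone -Type SOA -Server $primary -ErrorAction Stop).SerialNumber
'Primary serial={0}  local serial={1}' -f $primarySerial, $soa.SerialNumber

# 4. On the primary: allow transfers only to the named secondaries instead of any NS-listed host,
#    and notify them on change so they do not sit out the refresh timer.
Invoke-Command -ComputerName $primary -ArgumentList $zone, $secondaries -ScriptBlock {
    param($z, $ips)
    Set-DnsServerPrimaryZone -Name $z -SecureSecondaries TransferToSecureServers -SecondaryServers $ips `
                             -Notify NotifyServers -NotifyServers $ips
    Get-DnsServerZone -Name $z | Select-Object ZoneName, ZoneType, SecureSecondaries, SecondaryServers, Notify, NotifyServers
}
```

Step 4 is the same change Deji's checklist assumes when it says to verify the secondary is "on the list of servers allowed to transfer that particular zone": with TransferToSecureServers there is an actual list, and a host that is not on it gets a refused AXFR rather than a copy of your zone.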






RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Mike Guest



One help might be to run in admin mode (since you have to) but launch IE and Outlook from shortcuts which run as unprivileged accounts - that might cut down on SOME vectors. HTH

(PS - the following info from Mark Russinovich uses this approach - I can't get it to open on blogger (it's from his old pre-Microsoft blog), so I've cut & pasted it from the RSS feed FYI - all rights to Mark.)

Malware has grown to epidemic proportions in the last few years. Despite applying layered security principles, including running antivirus, antispyware, and a firewall, even a careful user can fall victim to malware. Malware-infected downloads, drive-by exploits of Internet Explorer (IE) vulnerabilities, and a careless click on an Outlook attachment sent by a friend can render a system unusable and lead to several hours with the Windows setup CD and application installers.

As this eWeek study shows, one of the most effective ways to keep a system free from malware, and to avoid reinstalls even if malware happens to sneak by, is to run as a limited user (a member of the Windows Users group). The vast majority of Windows users run as members of the Administrators group simply because so many operations, such as installing software and printers, changing power settings, and changing the time zone, require administrator rights. Further, many applications fail when run in a limited-user account because they're poorly written and expect to have write access to directories such as \Program Files and \Windows or registry keys under HKLM\Software.

An alternative to running as limited user is to instead run only specific Internet-facing applications as a limited user that are at greater risk of compromise, such as IE and Outlook. Microsoft promises this capability in Windows Vista with Protected-Mode IE and User Account Control (UAC), but you can achieve a form of this today on Windows 2000 and higher with the new limited user execution features of Process Explorer and PsExec.

Process Explorer's Run as Limited User menu item in the File menu opens a dialog that looks like and acts like the standard Windows Run dialog, but that runs the target process without administrative privileges:

PsExec with the -l switch accomplishes the same thing from the command line:

An advantage to using PsExec to launch limited-user processes is that you can create PsExec desktop shortcuts for ones you commonly launch. To make a shortcut for Outlook, for example, right-click on the desktop, choose New->Shortcut, enter the path to PsExec in the location field and click Next. Enter Outlook as the name of the shortcut and press Finish. Then right click on the shortcut to open its properties, add -l -d and the path to Outlook (e.g. C:\Program Files\Microsoft Office\Office11\Outlook.exe) to the text in the Target field. Finally, select Change Icon, navigate to the Outlook executable and choose the first icon. Activating the shortcut will result in a Command Prompt window briefly appearing as PsExec launches the target with limited rights.

Both Process Explorer and PsExec use the CreateRestrictedToken API to create a security context, called a token, that's a stripped-down version of its own, removing administrative privileges and group membership. After generating a token that looks like one that Windows assigns to standard users, Process Explorer calls CreateProcessAsUser to launch the target process with the new token.

You can use Process Explorer itself to compare the token of a process running with full administrative rights and one that's limited by viewing the Security tab in the Process Properties dialog. The properties on the left are for an instance of IE running in an account with administrative group membership and the one on the right for IE launched using Run as Limited User:

The privilege lists immediately stand out as different because the limited-user token has so few privileges. Process Explorer queries the privileges assigned to the Users group and strips out all other privileges, including powerful ones like SeDebugPrivilege, SeLoadDriverPrivilege and SeRestorePrivilege.

The difference between the group lists is more subtle: both tokens contain the Builtin\Administrators group, but the group has a Deny flag in the limited-user version. Fully understanding the effect of that flag requires a quick background on the Windows security model.

Windows stores an object's permissions in a Discretionary Access Control List (DACL) that consists of zero or more Access Control Entries (ACEs). Each ACE specifies the user or group to which it applies, a type of Allow or Deny, and the accesses (e.g. read, delete) it allows or denies. When a process tries to open an object, Windows normally considers each ACE in the object's DACL that matches the user or any of the groups in the process token. However, when the Deny flag is present on a group, that group is only used during a security access check to deny access to
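
The token behaviour Mark describes above (Administrators kept in the restricted token but flagged deny-only) can be checked against a small simulation. The Python below is an added example and not code from the post, from Process Explorer or from PsExec; it models the documented AccessCheck walk over a DACL and what a deny-only group does to it. Every user, group name and DACL in it is constructed.

```python
"""Model of the Windows DACL access check with a deny-only group.

Added example; not code from the post, Process Explorer or PsExec. It mirrors
the documented AccessCheck rules: ACEs are walked in order, a Deny ACE that
matches any SID in the token (enabled or deny-only) and covers any requested
right fails the check, Allow ACEs accumulate granted rights but are ignored
for deny-only SIDs, and the check succeeds once every requested right has
been granted. Users, groups and DACLs below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed generic rights; real Windows access masks are richer.
READ, WRITE, DELETE = 0x1, 0x2, 0x4
ADMINS = "BUILTIN\\Administrators"
USERS = "BUILTIN\\Users"


@dataclass(frozen=True)
class Ace:
    sid: str      # trustee the entry applies to
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    mask: int     # rights allowed or denied


@dataclass
class Token:
    user: str
    groups: set[str] = field(default_factory=set)     # enabled group SIDs
    deny_only: set[str] = field(default_factory=set)  # SE_GROUP_USE_FOR_DENY_ONLY

    def restricted(self) -> Token:
        """What CreateRestrictedToken does for "Run as Limited User": the
        Administrators group stays in the token but is marked deny-only, so
        it can only ever match Deny ACEs. (Privilege stripping is omitted.)"""
        if ADMINS not in self.groups:
            return Token(self.user, set(self.groups), set(self.deny_only))
        return Token(self.user, self.groups - {ADMINS}, self.deny_only | {ADMINS})


def access_check(token: Token, dacl: list[Ace], desired: int) -> bool:
    """Return True if `token` is granted every bit in `desired` by `dacl`.
    An empty DACL grants nothing (a NULL DACL, which grants everything,
    is not modelled)."""
    granted = 0
    for ace in dacl:
        enabled = ace.sid == token.user or ace.sid in token.groups
        if ace.allow:
            if enabled:                      # deny-only SIDs never match Allow
                granted |= ace.mask & desired
        elif (enabled or ace.sid in token.deny_only) and ace.mask & desired:
            return False                     # first matching Deny ACE wins
        if granted == desired:
            return True                      # everything requested is granted
    return granted == desired


def demo() -> dict[str, bool]:
    """Compare a full administrator token with its restricted form against
    two constructed DACLs."""
    admin = Token("CORP\\alice", {ADMINS, USERS})
    limited = admin.restricted()
    # Constructed DACL resembling a system directory: admins full, users read.
    system_dir = [Ace(ADMINS, True, READ | WRITE | DELETE), Ace(USERS, True, READ)]
    # Constructed DACL that explicitly denies Administrators, then allows Users.
    admin_denied = [Ace(ADMINS, False, READ), Ace(USERS, True, READ)]
    return {
        "admin writes system dir": access_check(admin, system_dir, WRITE),
        "limited writes system dir": access_check(limited, system_dir, WRITE),
        "limited reads system dir": access_check(limited, system_dir, READ),
        "admin reads admin-denied": access_check(admin, admin_denied, READ),
        "limited reads admin-denied": access_check(limited, admin_denied, READ),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'granted' if ok else 'denied'}")
```

The last two results are the point of the Deny flag: the restricted process can no longer write where only Administrators may write, yet an object that explicitly denies Administrators still denies it, so the restricted token can never obtain more than the unrestricted one.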

Re: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

www.threatcode.com

and those business critical apps are?

Have you tried hacking up the registry to get them to work?

Dave Wade wrote:

Chris,
I guess I have three comments on this:-
1) Putting user in Power users does cut down on the potential, 
however even on a properly configured machine users can usually 
install personal browser extensions containing SpyWare.
2) Spy ware hangs around for a long time. Our users used to have admin 
rights so there is a lot of legacy spyware around
3) We still have business critical applications that won't run without 
admin rights. Often these are tightly integrated in a large suite of 
applications, e.g. the Call Centre management suite, so we still have 
some machines where users have admin rights. I know this sucks but 
there is certainly no cash available to replace these apps

Dave.


*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Chris 
Pohlschneider

*Sent:* 14 September 2006 20:15
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Protecting against Spyware/Adware

I have not done a lot of research on this, but if you have users in 
either the power users or regular users group, won’t that cut down 
tremendously on the potential of getting adware/spyware?




*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Chinnery, Paul

*Sent:* Thursday, September 14, 2006 11:04 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] OT: Protecting against Spyware/Adware

We're using CounterSpy Enterprise from Sunbelt Software. Like you, we 
have seen a performance hit* on computers with just 128 meg of memory 
but that goes away when we add more memory. The only issue I ran into, 
other than performance, was it blocked a cookie that was necessary for 
our payroll department. However, once I okayed that cookie, it was 
fine.


*According to Sunbelt, the next version is supposed to reduce the 
performance impact.


-Original Message-
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of *Chris
Pohlschneider
*Sent:* Thursday, September 14, 2006 10:44 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against
adware/spyware? We are using Webroot Spysweeper right now, but I
see some performance hits on computers running this software and
it does work, but it causes headaches while installing some apps
that we approve. Any suggestions are appreciated.

Chris Pohlschneider

Holloway Sportswear IT

937-494-2559

937-497-7300 (Fax)

[EMAIL PROTECTED]



**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to 
disclose this email, or any response to it, under the Freedom of 
Information Act 2000, unless the information in it is covered by one 
of the exemptions in the Act.


If you receive this email in error please notify Stockport e-Services 
via [EMAIL PROTECTED] and then permanently remove it from 
your system.


Thank you.

http://www.stockport.gov.uk
**



Re: [ActiveDir] DNS zones expiring

2006-09-15 Thread HBooGz
Thanks Al. I will monitor the link and check to see if any latency or packet loss occurs and if so, if it coincides with the zone expiring. What about the second part of the question? Would you recommend DNS delegation?
On 9/15/06, Al Mulnick [EMAIL PROTECTED] wrote:
From what I've seen, the timeout can also be attributed to the transfer failing for whatever reason. If, during the transfer the entire zone is not copied, then you hit an error. This sounds like some network issues or you're behind in your patching. Have you verified that there are no network issues going on? Maybe a saturated network link? Dropped packets? High latency between the servers? 
I've seen similar issues with DNS servers. In my case they were network related, but it's odd that they drop and don't come back. Might be a good time to verify that your patches are up to date on those machines. 
On 9/15/06, HBooGz [EMAIL PROTECTED] wrote:
Thanks for the feedback. I can definitely telnet to both servers interchangeably and netstat works as it should. I have the "allow all servers listed under nameservers" selected for zone transfers -- I might just change that to specific IP addresses.
When I reload, that works fine - the problem is the zone expires on its own without any pattern and I have to manually reload. Needless to say, not very efficient. I'm open to other ways to architect the DNS structure for a single parent with single child.
What are the "recommended" steps for this type of DNS setup? Domain delegation? All AD-integrated?
On 9/14/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:




Here's what I'd do:

Ensure that there is no NATting going on between the 2 DNS servers. Verify this by doing something like "telnet PrimaryDNSServer 53" from the secondary server and then going to the Primary server and doing netstat | find ":53" and making sure that you could see the real IP address of the secondary server on the list.


If that checks out, then I'd:
Go to the DNS console on the Primary server and verify that the secondary server is on the list of servers allowed to transfer that particular zone.

If that checks out, then I'd:
Attempt a manual transfer at the secondary server by going to the DNS console on the secondary server, right-clicking on the zone and selecting "Reload from master" first. If that fails, then I'd try "Transfer from master".


If that fails, then I'd pray very hard, then enable DNS logging, then pray some more and open up the log file after a while. Then I'd post back here with whatever is interesting.




Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: HBooGz
Sent: Thu 9/14/2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring

No worries, I don't take offense easily... =)

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 9/14/2006
Time: 10:08:04 AM
User: N/A
Computer: PHMAINDC1
Description:
Zone jacwf.phippsny.org expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
On 9/14/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:




I guess if you have Widows, then someone must have expired :)[1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring


Hey All - I've setup the child domain DNS zones as primary (not AD-Integrated). On the parent Domain Controllers/DNS servers I've added that zone as a secondary zone. I've noticed this DNS setup has worked better for me in the past than a full AD-Integrated setup. After migrating over to Widows 2003, every day I get an event log message on the parent DNS server log indicating that the child domain's zone has expired and I have to manually reload.

Any ideas? Help? Suggestions?

Thanks,
-- HBooGz:\

-- HBooGz:\



-- HBooGz:\
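
To see why a secondary zone can expire "without any pattern" the way HBooGz describes, the SOA timers behind Event ID 6527 can be replayed in a short simulation. The Python below is an added example, not code from this thread or from the Windows DNS service; it follows the RFC 1035 refresh/retry/expire semantics, and the SOA values, timestamps and outage window are constructed. It also makes Al's point concrete: a transfer that does not complete is a failed refresh, and the zone is shut down `expire` seconds after the last successful one, however many retries happened in between.

```python
"""Model of a secondary zone's refresh/retry/expire cycle (the timers behind
Event ID 6527).

Added example, not code from the thread or from the Windows DNS server. Per
RFC 1035 the secondary re-checks the master every `refresh` seconds after a
successful refresh, falls back to `retry` after a failure, and treats the zone
as expired once `expire` seconds pass without a successful refresh or
transfer. SOA values, timestamps and the outage window are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Soa:
    refresh: int   # seconds between refresh checks after a success
    retry: int     # seconds between attempts after a failure
    expire: int    # seconds without success before the zone is shut down


def simulate(soa: Soa, last_success: datetime,
             outage: tuple[datetime, datetime],
             horizon: datetime) -> tuple[datetime | None, list[tuple[datetime, bool]]]:
    """Replay the secondary's timers from `last_success` up to `horizon`.

    `outage` is a half-open window [start, end) during which every refresh
    or transfer attempt fails. Returns (expired_at, attempts): `expired_at`
    is the moment the zone would be declared expired (Event 6527), or None
    if it survives to `horizon`."""
    attempts: list[tuple[datetime, bool]] = []
    t = last_success + timedelta(seconds=soa.refresh)
    while t <= horizon:
        deadline = last_success + timedelta(seconds=soa.expire)
        if t >= deadline:
            return deadline, attempts        # expire elapsed with no success
        ok = not (outage[0] <= t < outage[1])
        attempts.append((t, ok))
        if ok:
            last_success = t                 # a success resets the expire clock
            t += timedelta(seconds=soa.refresh)
        else:
            t += timedelta(seconds=soa.retry)
    return None, attempts


def demo() -> dict[str, object]:
    """Two constructed scenarios on the same SOA: a link outage longer than
    `expire`, and one that ends before it."""
    soa = Soa(refresh=900, retry=600, expire=86400)   # 15 min / 10 min / 1 day
    last_ok = datetime(2006, 9, 13, 10, 0)
    horizon = datetime(2006, 9, 15, 0, 0)
    long_outage = (datetime(2006, 9, 13, 12, 0), datetime(2006, 9, 14, 13, 0))
    short_outage = (datetime(2006, 9, 13, 12, 0), datetime(2006, 9, 13, 14, 0))
    long_exp, long_att = simulate(soa, last_ok, long_outage, horizon)
    short_exp, short_att = simulate(soa, last_ok, short_outage, horizon)
    return {
        "long_outage_expired_at": long_exp,
        "long_outage_failures": sum(not ok for _, ok in long_att),
        "short_outage_expired_at": short_exp,
        "short_outage_failures": sum(not ok for _, ok in short_att),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the long-outage case the zone is shut down exactly one `expire` interval after the last successful refresh (11:45 on the 13th, so 11:45 on the 14th), regardless of the 143 retries in between; in the short case the first retry after the link returns resets the clock and no 6527 is ever raised. Comparing the event's timestamp with the zone's SOA expire value and the last successful transfer is therefore the first thing to check when the expiries look random.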


RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Jason_Centenni
Return Receipt: your document "RE: [ActiveDir] OT: Protecting against Spyware/Adware" was received by Jason Centenni/CDS/CG/CAPITAL at 09/15/2006 09:14:49 AM CDT






RE: [ActiveDir] DNS zones expiring

2006-09-15 Thread Akomolafe, Deji



Yes, I would. From parent to the child DNS server. Then create a Primary or AD-int child zone on the child DNS server. It's a KISS factor.



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: HBooGz
Sent: Fri 9/15/2006 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring
Thanks Al. I will monitor the link and check to see if any latency or packet loss occurs and if so, if it coincides with the zone expiring. What about the second part of the question? Would you recommend DNS delegation?
On 9/15/06, Al Mulnick [EMAIL PROTECTED] wrote: 

From what I've seen, the timeout can also be attributed to the transfer failing for whatever reason. If, during the transfer the entire zone is not copied, then you hit an error. This sounds like some network issues or you're behind in your patching. Have you verified that there are no network issues going on? Maybe a saturated network link? Dropped packets? High latency between the servers? I've seen similar issues with DNS servers. In my case they were network related, but it's odd that they drop and don't come back. Might be a good time to verify that your patches are up to date on those machines. 

On 9/15/06, HBooGz mailto:[EMAIL PROTECTED] wrote: 

Thanks for the feedback. I can definitely telnet to both servers interchangeably and netstat works as it should. I have the "allow all servers listed under nameservers" selected for zone transfers -- I might just change that to specific IP addresses. When I reload, that works fine - the problem is the zone expires on its own without any pattern and I have to manually reload. Needless to say, not very efficient. I'm open to other ways to architect the DNS structure for a single parent with single child. What are the "recommended" steps for this type of DNS setup? Domain delegation? All AD-integrated?

On 9/14/06, Akomolafe, Deji  [EMAIL PROTECTED] wrote: 




Here's what I'd do:

Ensure that there is no NATting going on between the 2 DNS servers. Verify this by doing something like "telnet PrimaryDNSServer 53" from the secondary server and then going to the Primary server and doing netstat | find ":53" and making sure that you could see the real IP address of the secondary server on the list.

If that checks out, then I'd:
Go to the DNS console on the Primary server and verify that the secondary server is on the list of servers allowed to transfer that particular zone.

If that checks out, then I'd:
Attempt a manual transfer at the secondary server by going to the DNS console on the secondary server, right-clicking on the zone and selecting "Reload from master" first. If that fails, then I'd try "Transfer from master".

If that fails, then I'd pray very hard, then enable DNS logging, then pray some more and open up the log file after a while. Then I'd post back here with whatever is interesting.




Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: HBooGzSent: Thu 9/14/2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring

No worries, I don't take offense easily... =)

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 9/14/2006
Time: 10:08:04 AM
User: N/A
Computer: PHMAINDC1
Description:
Zone jacwf.phippsny.org expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


On 9/14/06, Akomolafe, Deji mailto:[EMAIL PROTECTED] wrote: 






I guess if you have "Widows", then someone must have "expired" :)[1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon




From: HBooGzSent: Thu 9/14/2006 8:12 AM
To: mailto:ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring



Hey All -I've setup the child domain DNS zones as primary ( not AD-Integrated). On the parent Domain Controllers/DNS servers i've added that zone as a secondary zone. I've noticed this dns setup has worked better for me in the past than a full AD-Integrated setup. After migrating over to Widows 2003, every day i get an event log message on the parent DNS server log indicating that the child 

RE: [ActiveDir] Strange password issue

2006-09-15 Thread Akomolafe, Deji



Paul, did you try this?



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Paul Williams
Sent: Fri 9/15/2006 12:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

Not really, as it's now 512 and can't get to that state without a password meeting complexity.


--Paul

- Original Message - 
From: Akomolafe, Deji 
To: ActiveDir@mail.activedir.org 
Sent: Friday, September 15, 2006 4:52 AM
Subject: RE: [ActiveDir] Strange password issue


I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.

It's a feasible scenario, no?



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password. 

If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is 

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                  winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"


A blank password does not have a hash, the system knows it is blank. 

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem. 



This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared

2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection. 

4. The raw DIT was modified. 


 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully



C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform


ERROR: Too many errors encountered, terminating...

The command did not complete successfully


--Paul






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it 
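
joe's explanation and Deji's scenario 5 in the thread above can be walked through with the userAccountControl bits. The Python below is an added example, neither admod nor DC code; the flag values are the documented userAccountControl bits, the policy check is a simplification of the behaviour joe describes (a change that leaves the account enabled with PASSWD_NOTREQD clear is refused while the password is blank and the domain enforces a minimum length), and the accounts pushed through it are constructed.

```python
"""Model of the userAccountControl (UAC) transitions in the thread and of the
password-policy check a DC applies on the way to an enabled account.

Added example; it is neither admod nor DC code. The flag values are the
documented userAccountControl bits; the check itself is a simplification of
the behaviour joe describes. Accounts and policy values are constructed.
"""
from __future__ import annotations

ACCOUNTDISABLE = 0x0002   # 2
PASSWD_NOTREQD = 0x0020   # 32
NORMAL_ACCOUNT = 0x0200   # 512
UAC_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
}

# winerror.h 0x52D / 1325; LDAP surfaces it as 0x35 Unwilling To Perform
ERROR_PASSWORD_RESTRICTION = 0x52D


def decode_uac(uac: int) -> list[str]:
    """Name the modelled bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if uac & bit]


class PolicyViolation(Exception):
    """Raised where the DC would answer WILL_NOT_PERFORM / 0x52D."""
    code = ERROR_PASSWORD_RESTRICTION


class Account:
    def __init__(self, uac: int, password: str = "") -> None:
        self.uac = uac
        self.password_blank = password == ""   # the DC knows a blank from its hash

    def set_uac(self, new_uac: int, min_pwd_length: int) -> None:
        """Apply a userAccountControl change under the modelled policy check:
        enabled + password required + blank password + a length policy is
        the combination the DC refuses."""
        enabled = not new_uac & ACCOUNTDISABLE
        pwd_required = not new_uac & PASSWD_NOTREQD
        if enabled and pwd_required and self.password_blank and min_pwd_length > 0:
            raise PolicyViolation(
                f"{self.uac} -> {new_uac}: ERROR_PASSWORD_RESTRICTION "
                f"(0x{ERROR_PASSWORD_RESTRICTION:X})")
        self.uac = new_uac


def try_transitions(start: int, steps: list[int], min_pwd_length: int,
                    password: str = "") -> list[tuple[int, str]]:
    """Walk an account through `steps` and record each outcome. A refused
    step leaves the stored value unchanged, as the DC would."""
    acct = Account(start, password)
    outcomes: list[tuple[int, str]] = []
    for uac in steps:
        try:
            acct.set_uac(uac, min_pwd_length)
            outcomes.append((uac, "ok"))
        except PolicyViolation:
            outcomes.append((uac, "ERROR_PASSWORD_RESTRICTION"))
    return outcomes


if __name__ == "__main__":
    for value in (546, 544, 514, 512):
        print(value, decode_uac(value))
    # Scenario 5: created disabled with PASSWD_NOTREQD, then enabled. 544 is
    # accepted, but the account still cannot reach 512 with a blank password.
    print(try_transitions(546, [544, 512], min_pwd_length=7))
    # Clearing PASSWD_NOTREQD first is fine while disabled; enabling is not.
    print(try_transitions(546, [514, 512], min_pwd_length=7))
    # joe's causes 1 and 2: with no length policy in force, the walk succeeds.
    print(try_transitions(546, [514, 512], min_pwd_length=0))
```

Reading the output against the thread: 546 to 544 is exactly Deji's path and is accepted, but it ends at 544, not 512; the only ways the model reaches 512 with a blank password are a zero minimum length (a relaxed or unapplied policy, joe's causes 1 and 2) or a password that is no longer blank, which is why an account sitting at 512 with a blank password points at the policy on the DCs rather than at the UAC history.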

RE: [ActiveDir] List archive

2006-09-15 Thread joe



That thing is always really really slow for me. 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, September 15, 2006 12:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List archive



Anyone else getting timeouts trying to get to the list archive URL?

http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] Strange password issue

2006-09-15 Thread joe



The account is currently 512... You can't get there with a 
blank password without 1-4.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 14, 2006 11:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


I think you are missing 
5.

5. The account was created programmatically 
disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone 
programmatically set UAC to 544 or went into ADUC and manually enabled the 
account.

It's a feasible scenario, no?



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password 
if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if 
you have an account that is created which by default (i.e. no UAC 
specified) will be 546. If you specify 544 it will still create and it will 
allow a blank password. 

If you have an account with 546 (disabled, pwdnotreqd) you 
can clear the pwdnotreqd fine. However when you go to enable the account, you 
will get busted for not following policy. The Extended Error (-exterr with 
admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is 

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                  winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"


A blank password does not have a hash, the system knows it 
is blank. 

You will obviously hit the same problem if you have an 
enabled account with pwd_not_reqd and try to clear the 
pwd_not_reqd.

So current or past setting of UAC has no bearing on this 
problem. 



This could occur in four ways that I can think of (in 
order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or 
when the account was being enabled / having pwd_not_reqd 
cleared

2. The Domain Password Policy isn't or at least wasn't 
getting applied to one or more domain controllers for some reason. Check 
minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of 
an already enabled account through some form of LSASS process injection. 


4. The raw DIT was modified. 


 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod 
V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 
2005

DN Count: 
1
Using server: 
connoa-dc-01.connoa.concorp.contoso.com
Adding 
specified objects...
 
DN: 
cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command 
completed successfully



C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod 
V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 
2005

DN Count: 
1
Using server: 
connoa-dc-01.connoa.concorp.contoso.com
Modifying 
specified objects...
 
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform


ERROR: Too 
many errors encountered, terminating...

The command 
did not complete successfully


--Paul






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is 
not required, then there's no need to check the minimum length. Since it 
would be overridden at the user object level, that does not affect the domain. 
I don't recall the UAC bitmask, and I'm not going to figure it out at 
the moment. I'll take your word that the password not required is true for 
this user. If 

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Dave Wade
Thanks for that pointer. I might be making some nominations.

I have done lots of hacking of registry etc, but at some point you have
to cut your losses. I think when before we started the lock down there
were about 3,500 PC's with local admin rights. We are now down to
between 20 and 30. This is less than 1% of our PCs. It's now a manageable
problem and it's under control. From being our number one problem it's
gone down to being below (well almost below) the radar.

Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: 15 September 2006 14:53
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware

www.threatcode.com

and those business critical apps are?

Have you tried hacking up the registry to get them to work?

Dave Wade wrote:
 Chris,
 I guess I have three comments on this:-
 1) Putting user in Power users does cut down on the potential, 
 however even on a properly configured machine users can usually 
 install personal browser extensions containing SpyWare.
 2) Spy ware hangs around for a long time. Our users used to have admin

 rights so there is a lot of legacy spyware around
 3) We still have business critical applications that won't run without

 admin rights. Often these are tightly integrated in a large suite of 
 applications, e.g. the Call Centre management suite, so we still have 
 some machines where users have admin rights. I know this sucks but 
 there is certainly no cash available to replace these apps
 Dave.

 --
 --
 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Chris 
 Pohlschneider
 *Sent:* 14 September 2006 20:15
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] OT: Protecting against Spyware/Adware

 I have not done a lot of research on this, but if you have users in 
 either the power users or regular users group, won't that cut down 
 tremendously on the potential of getting adware/spyware?

 --
 --

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Chinnery, 
 Paul
 *Sent:* Thursday, September 14, 2006 11:04 AM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] OT: Protecting against Spyware/Adware

 We're using CounterSpy Enterprise from Sunbelt Software. Like you, we 
 have seen a performance hit* on computers with just 128 meg of memory 
 but that goes away when we add more memory. The only issue I ran into,

 other than performance, was it blocked a cookie that was necessary for

 our payroll department. However, once I okayed that cookie, it was 
 fine.

 *According to Sunbelt, the next version is supposed to reduce the 
 performance impact.

 -Original Message-
 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of *Chris
 Pohlschneider
 *Sent:* Thursday, September 14, 2006 10:44 AM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* [ActiveDir] OT: Protecting against Spyware/Adware

 Just curious what other people are using for protecting against
 adware/spyware? We are using Webroot Spysweeper right now, but I
 see some performance hits on computers running this software and
 it does work, but it causes headaches while installing some apps
 that we approve. Any suggestions are appreciated.

 Chris Pohlschneider

 Holloway Sportswear IT

 937-494-2559

 937-497-7300 (Fax)

 [EMAIL PROTECTED]



 **
 This email and any files transmitted with it are confidential and 
 intended solely for the use of the individual or entity to whom they 
 are addressed. As a public body, the Council may be required to 
 disclose this email, or any response to it, under the Freedom of 
 Information Act 2000, unless the information in it is covered by one 
 of the exemptions in the Act.

 If you receive this email in error please notify Stockport e-Services 
 via [EMAIL PROTECTED] and then permanently remove it from 
 your system.

 Thank you.

 http://www.stockport.gov.uk
 **
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] DNS zones expiring

2006-09-15 Thread Al Mulnick
I've seen that work Ok if used with forwarding. I think I'd prefer stub zones though.

On 9/15/06, HBooGz [EMAIL PROTECTED] wrote:
Thanks Al. I will monitor the link and check to see if any latency or packet loss occurs and if so, if it coincides with the zone expiring.
what about the second part of the question ? would you recommend dns delegation ?
On 9/15/06, Al Mulnick 
[EMAIL PROTECTED] wrote:
From what I've seen, the timeout can also be attributed to the transfer failing for whatever reason. If, during the transfer the entire zone is not copied, then you hit an error. This sounds like some network issues or you're behind in your patching. Have you verified that there are no network issues going on? Maybe a saturated network link? Dropped packets? High latency between the servers? 
I've seen similar issues with DNS servers. In my case they were network related, but it's odd that they drop and don't come back. Might be a good time to verify that your patches are up to date on those machines. 
On 9/15/06, HBooGz 

[EMAIL PROTECTED] wrote:
Thanks for the feedback. I can definitely telnet to both servers interchangeably and netstat works as it should. I have the allow all servers listed under nameservers selected for zone transfers -- i might just change that to specific IP addresses.
When i reload, that works fine - the problem is the zone expires on its own without any pattern and i have to manually reload. Needless to say, not very efficient. I'm open to other ways to architect the DNS structure for a single parent with single child.
what are the recommended steps for this type of DNS setup ? Domain delegation ? all AD-integrated ?

On 9/14/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:





Here's what I'd do:

Ensure that there is no NATting going on between the 2 DNS servers. Verify this by doing something like telnet PrimaryDNSServer 53 from the secondary server and then going to the Primary server and doing netstat |find :53 and making sure that you could see the real IP address of the secondary server on the list.


If that checks out, then I'd:
Go to the DNS console on the Primary server and verify that the secondary server is on the list of servers allowed to transfer that particular zone.

If that checks out, then I'd:
Attempt a manual transfer at the secondary server by going to the DNS console on the secondary server, right-clicking on the zone and selecting Reload from master first. If that fails, then I'd try Transfer from master.


If that fails, then I'd pray very hard, then enable DNS logging, then pray some more and open up the log file after a while. Then I'd post back here with whatever is interesting.




Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: HBooGz
Sent: Thu 9/14/2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring

No worries, i don't take offense easily...=)

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 9/14/2006
Time: 10:08:04 AM
User: N/A
Computer: PHMAINDC1
Description:
Zone jacwf.phippsny.org expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
On 9/14/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:




I guess if you have Widows, then someone must have expired :)[1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring


Hey All - I've setup the child domain DNS zones as primary ( not AD-Integrated). On the parent Domain Controllers/DNS servers i've added that zone as a secondary zone. I've noticed this dns setup has worked better for me in the past than a full AD-Integrated setup. After migrating over to Widows 2003, every day i get an event log message on the parent DNS server log indicating that the child domains zone has expired and i have to manually reload. 
any ideas ? help ? suggestions ?
Thanks,
-- HBooGz:\

-- HBooGz:\



-- HBooGz:\
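
A model of the SOA refresh / retry / expire timers that produce the event 6527 quoted in this thread, as an added example that is not code from the list or from Windows DNS: it assumes the Windows DNS default SOA values for a new zone (refresh 15 min, retry 10 min, expire 1 day) and two constructed link outages, and shows that the zone only shuts down when no transfer has succeeded for the whole expire interval.

```python
"""Model of the SOA refresh / retry / expire timers behind DNS event 6527.

Added example for this thread; not code from the list or from Windows DNS.
The timer semantics are the standard SOA ones; the default values are the
Windows DNS defaults for a new zone; the outage windows are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class SoaTimers:
    refresh: int   # seconds between refresh attempts after a successful transfer
    retry: int     # seconds between attempts after a failed one
    expire: int    # seconds after the last good transfer before the zone is shut down


# Windows DNS defaults for a new zone: refresh 15 min, retry 10 min, expire 1 day.
WINDOWS_DEFAULT_SOA = SoaTimers(refresh=900, retry=600, expire=86400)


@dataclass
class SecondaryResult:
    expired_at: Optional[int]   # second at which the zone shut down, None if it never did
    last_success: int           # last successful transfer (seconds since t=0)
    attempts: int
    failures: int


def simulate_secondary(timers: SoaTimers, master_reachable: Callable[[int], bool],
                       horizon: int) -> SecondaryResult:
    """Walk a secondary's refresh schedule from a good transfer at t=0.

    master_reachable(t) says whether a transfer attempted at second t succeeds.
    The zone expires the moment `expire` seconds pass without a good transfer,
    which is exactly the condition event 6527 reports.
    """
    last_success = 0
    attempts = failures = 0
    next_attempt = timers.refresh
    while next_attempt <= horizon:
        deadline = last_success + timers.expire
        if next_attempt >= deadline:
            # the expire window closed before this attempt could run
            return SecondaryResult(deadline, last_success, attempts, failures)
        attempts += 1
        if master_reachable(next_attempt):
            last_success = next_attempt
            next_attempt += timers.refresh
        else:
            failures += 1
            next_attempt += timers.retry          # shorter interval while failing
    return SecondaryResult(None, last_success, attempts, failures)


def outage(start: int, end: int) -> Callable[[int], bool]:
    """Master unreachable during [start, end); a constructed link failure."""
    return lambda t: not (start <= t < end)


if __name__ == "__main__":
    two_days = 2 * 86400
    # A two-hour link outage: eleven retries at the 10-minute retry interval,
    # then the next transfer succeeds and the zone never comes near expiry.
    short_out = simulate_secondary(WINDOWS_DEFAULT_SOA, outage(3000, 10000), two_days)
    print("short outage:", short_out)
    # An outage longer than the expire interval: the zone is shut down at
    # last_success + expire, which is what the 6527 event in the thread records.
    long_out = simulate_secondary(WINDOWS_DEFAULT_SOA, outage(3000, 200000), two_days)
    print("long outage:", long_out)
```

With the defaults, a 6527 therefore means the secondary went a full day without one good transfer, which is why a momentary glitch does not explain it and the link and the transfer permissions are the first things to verify.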




RE: [ActiveDir] Strange password issue

2006-09-15 Thread joe



Hell I posted it in the post I wrote Deji, take a peek...



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, September 15, 2006 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


Paul, did you try this?



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Paul Williams
Sent: Fri 9/15/2006 12:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

Not really, as it's now 512 and can't get to that state without a password meeting complexity.


--Paul

  - Original Message - 
  From: Akomolafe, Deji 
  To: ActiveDir@mail.activedir.org 
  Sent: Friday, September 15, 2006 4:52 AM
  Subject: RE: [ActiveDir] Strange password issue
  
  
  I think you are missing 5.
  
  5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.
  
  It's a feasible scenario, no?
  
  
  
  Sincerely,
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
  
  
  From: joe
  Sent: Thu 9/14/2006 5:25 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password. 
  
  If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is
  
  DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
  Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
  
  Which is 
  
  F:\DEV\cpp\AdMod>err 52d
  # for hex 0x52d / decimal 1325 :
    ERROR_PASSWORD_RESTRICTION    winerror.h
  # Unable to update the password. The value provided for the
  # new password does not meet the length, complexity, or
  # history requirement of the domain.
  # 1 matches found for "52d"
  
  
  A blank password does not have a hash, the system knows it is blank. 
  
  You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.
  
  So current or past setting of UAC has no bearing on this problem. 
  
  
  
  This could occur in four ways that I can think of (in order of likelihood) and speak about
  
  1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared
  
  2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain
  
  3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection. 
  
  4. The raw DIT was modified. 
  
   joe
  
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: Wednesday, September 06, 2006 3:30 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  
  PWD_NOT_REQ is 32.
  
  You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:
  
  C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add
  
  AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005
  
  DN Count: 1
  Using server: connoa-dc-01.connoa.concorp.contoso.com
  Adding specified objects...
     DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...
  
  The command completed successfully
  
  
  
  C:\admod 
  -b 
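
Working through the rules joe and Paul lay out above in code, as an added example that is not code from the list, from AdMod or from Windows: it decodes userAccountControl bit values (the documented bits, 2, 32 and 512 among them), models the enable / PWD_NOT_REQD check the thread describes so that 546 -> 544 and 546 -> 514 go through while 514 -> 512 and 544 -> 512 are refused with error 0x52D, and audits a constructed sample export for the enabled-with-PASSWD_NOTREQD state (544) that Deji's scenario 5 ends in. The check is a model of the behaviour described in the thread, not the DC's own code.

```python
"""userAccountControl decoder plus a model of the enable / PWD_NOT_REQD rule.

Added example for this thread; not code from the list, from AdMod or from
Windows. The bit values are the documented userAccountControl flags; the
policy check models the behaviour joe describes; the accounts are constructed.
"""

# Documented userAccountControl bit values (the ones this thread cares about).
ACCOUNTDISABLE = 0x0002          # 2
PASSWD_NOTREQD = 0x0020          # 32, PWD_NOT_REQD in the thread
NORMAL_ACCOUNT = 0x0200          # 512
DONT_EXPIRE_PASSWORD = 0x10000   # 65536

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# The Win32 error behind the "052D" extended error in joe's AdMod output.
ERROR_PASSWORD_RESTRICTION = 0x52D   # decimal 1325


def decode_uac(value):
    """Names of the set bits, lowest bit first: 546 -> disabled, notreqd, normal."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def is_enabled(uac):
    return not uac & ACCOUNTDISABLE


def uac_change_allowed(old_uac, new_uac, password_blank, min_pwd_length):
    """Model of the DC-side check described in the thread.

    A change that enables the account, or clears PASSWD_NOTREQD, is only
    accepted if the resulting state satisfies the password policy: the
    account has a password, still carries PASSWD_NOTREQD, or stays disabled.
    Returns (allowed, win32_error_or_None).
    """
    enabling = not is_enabled(old_uac) and is_enabled(new_uac)
    clearing_notreqd = bool(old_uac & PASSWD_NOTREQD) and not new_uac & PASSWD_NOTREQD
    if not (enabling or clearing_notreqd):
        return True, None        # nothing policy-relevant changed
    if min_pwd_length == 0 or not password_blank:
        return True, None        # no length policy, or a real password is set
    if new_uac & PASSWD_NOTREQD or not is_enabled(new_uac):
        return True, None        # 546 -> 544 and 546 -> 514 both go through
    return False, ERROR_PASSWORD_RESTRICTION   # 514 -> 512 and 544 -> 512 are refused


def find_notreqd_enabled(accounts):
    """Defender's audit: enabled accounts still carrying PASSWD_NOTREQD (e.g. 544)."""
    return [a["sAMAccountName"] for a in accounts
            if is_enabled(a["userAccountControl"])
            and a["userAccountControl"] & PASSWD_NOTREQD]


# Constructed sample export; none of these are real accounts.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "test-user", "userAccountControl": 544},     # 512 | 32
    {"sAMAccountName": "svc-batch", "userAccountControl": 66080},   # 512 | 32 | 65536
    {"sAMAccountName": "jsmith",    "userAccountControl": 512},
    {"sAMAccountName": "stale01",   "userAccountControl": 546},     # 512 | 32 | 2
]

if __name__ == "__main__":
    for uac in (512, 544, 546):
        print(uac, decode_uac(uac))
    # Blank password, minPwdLength 7: only the transitions that keep the
    # account disabled or keep PASSWD_NOTREQD set are accepted.
    for old, new in ((546, 514), (514, 512), (546, 544), (544, 512)):
        ok, err = uac_change_allowed(old, new, password_blank=True, min_pwd_length=7)
        status = "ok" if ok else "refused, error 0x%X (%d)" % (err, err)
        print("%d -> %d: %s" % (old, new, status))
    print("enabled with PASSWD_NOTREQD:", find_notreqd_enabled(SAMPLE_ACCOUNTS))
```

The audit is the part worth running against a real export: every account it lists can legitimately hold a blank password regardless of the domain policy, and joe's case 1 (a policy relaxed at the wrong moment) is the one the model cannot see, since it only knows the policy in force at the time of the change.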

RE: [ActiveDir] Active Directory Cookbooks...

2006-09-15 Thread joe
If you mean you purchased Active Directory Second Edition... Ebay it and
just start reading the Third Edition, I made considerable changes through it
and not just for new stuff. The security and schema chapters and most all of
the scripts got massive work done to them to correct issues, etc. 

Now if you mean you bought the AD Cookbook Second Edition, I would actually
recommend reading Active Directory Third Edition first, then reading the
cookbook as it will make more sense. Alternately, don't read the cookbook
and just treat it as a cookbook where when you need to do something, you
look up the recipe. 

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbooks...

I have just purchased the 2nd one and will be on to the 3rd one as soon as
I have finished that...

Cheers,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 15/09/2006 03:14 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Active Directory Cookbooks...



Actually I did the Active Directory Third Edition. The Active Directory
Cookbook is in the Second Edition now and that was done by Laura Hunter. My
book you can find in my signature, the Cookbook you can find at

http://www.amazon.com/gp/product/059610202X/ref=pd_cp_b_title/002-4991631-4870433?ie=UTF8


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 10:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbooks...

hahaha no worries cheers for that i'll just swim around the fish bowl one
more time...;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: David Adner [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 15/09/2006 02:21 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Active Directory Cookbooks...



*points at joe's signature...*

And in case that was too vague, try here.
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Cookbooks...


Hi there,

I have already read and use the Active Directory Cookbook for Windows 2003
and Windows 2000 

Re: [ActiveDir] DNS zones expiring

2006-09-15 Thread HBooGz
say for example i have
company.org - parent
sales.company.org - child.
from the parent dns server i would start the delegation wizard and the delegated domain would be the sales.company.org, fqdn of child dns server ?
then on the child server i would create a primary of the dnsdomain zone sales.company.org
would i need a secondary on the primary dns server ?

On 9/15/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:


Yes, I would. From parent to the child DNS server. Then create a Primary or AD-int child zone on the child DNS server. It's a KISS factor.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: HBooGz
Sent: Fri 9/15/2006 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring

Thanks Al. I will monitor the link and check to see if any latency or packet loss occurs and if so, if it coincides with the zone expiring.
what about the second part of the question ? would you recommend dns delegation ? 

On 9/15/06, Al Mulnick 
[EMAIL PROTECTED] wrote: 

From what I've seen, the timeout can also be attributed to the transfer failing for whatever reason. If, during the transfer the entire zone is not copied, then you hit an error. This sounds like some network issues or you're behind in your patching. Have you verified that there are no network issues going on? Maybe a saturated network link? Dropped packets? High latency between the servers? 
I've seen similar issues with DNS servers. In my case they were network related, but it's odd that they drop and don't come back. Might be a good time to verify that your patches are up to date on those machines. 


On 9/15/06, HBooGz 
mailto:[EMAIL PROTECTED] wrote: 

Thanks for the feedback. I can definitely telnet to both servers interchangeably and netstat works as it should. I have the allow all servers listed under nameservers selected for zone transfers -- i might just change that to specific IP addresses. 
When i reload, that works fine - the problem is the zone expires on its own without any pattern and i have to manually reload. Needless to say, not very efficient. I'm open to other ways to architect the DNS structure for a single parent with single child. 
what are the recommended steps for this type of DNS setup ? Domain delegation ? all AD-integrated ?

On 9/14/06, Akomolafe, Deji  
[EMAIL PROTECTED] wrote: 




Here's what I'd do:

Ensure that there is no NATting going on between the 2 DNS servers. Verify this by doing something like telnet PrimaryDNSServer 53 from the secondary server and then going to the Primary server and doing netstat |find :53 and making sure that you could see the real IP address of the secondary server on the list. 


If that checks out, then I'd:
Go to the DNS console on the Primary server and verify that the secondary server is on the list of servers allowed to transfer that particular zone.

If that checks out, then I'd:
Attempt a manual transfer at the secondary server by going to the DNS console on the secondary server, right-clicking on the zone and selecting Reload from master first. If that fails, then I'd try Transfer from master. 


If that fails, then I'd pray very hard, then enable DNS logging, then pray some more and open up the log file after a while. Then I'd post back here with whatever is interesting. 





Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: HBooGz
Sent: Thu 9/14/2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring

No worries, i don't take offense easily...=)

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 9/14/2006
Time: 10:08:04 AM
User: N/A
Computer: PHMAINDC1
Description:
Zone jacwf.phippsny.org expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


On 9/14/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:






I guess if you have Widows, then someone must have expired :)[1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon




From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Al Mulnick
I agree and add to that some additional thoughts: Not long ago there was some conversation around a suggestion that [EMAIL PROTECTED] put out regarding the idea of using multiple forests vs. domains in such a model. Personally, I disagree with that recommendation as given. I think A LOT more additional information is required before saying that, but I digress. 

If you decide to use the multi-domain model, I have to assume that you either have different password policies or a strong layer-8 contingent driving things. If the latter, I hate it for you. If you have a requirement to separate the domains from the forest, your workload just went through the roof, and with that your costs. 

Were it me, I'd want to learn from my past mistakes ;0) and approach this by reversing the conversation. By that I mean I'd want each potential domain owner to absolutely and in a detailed manner specify the functions they need to execute. From there, we'll encompass the rights needed for each of those functions. I think what you'll find is that you can do almost all of it with a single domain if different password policies are not needed (mostly, but you know all of that anyway). From there, I'd be sure to spell all of that out to the project sponsor because the costs (both ongoing and up front) can be significant. The amount of complexity and issues with other directory based applications alone can be enough to put them off and actually follow a recommendation such as this. The push obviously is to get as few actual DA's as possible. 

Is the threat real? Yes. If you feel you should have multiple domains, chances are good you really need OU's and a better admin model that includes less complexity and fewer moving parts. Oh, one other thing that might be of interest to your planning group: ask them about their restoration requirements. In that model, restoration can be a bloody nightmare especially if the layer-8 issues are not resolved up front. 

Al

On 9/15/06, Paul Williams [EMAIL PROTECTED] wrote:







Neil,

Try a re-read of the first couple of chapters of the first part of the deployment guide book designing and deploying directory and security services. Obviously it doesn't spell out how to do this -it doesn't even allude to how this is done- but does emphasise when and when not to go with the regional domain model.

I'm not disputing what anyone is saying here -I agree. I just happen to think the regional model can be a good one, and that if done properly works. Even from a security standpoint. The main thing with the regional design is that there's a central group of service admins, or a true delegated model. 

If you have multiple groups of service admins it can still work, but the issue that has been raised is very real and you probably need to implement processes and monitor against it (if you're forced into such a design by the needs of the business or obtuse upper management ;-). Although it does seem to be possible to implement disparate groups of service admins if you follow the delegation whitepaper (you'll need to improvise, but most of the info. is pertinent), which should put you in a much stronger position from a security standpoint. If you can achieve a very small number of people who are actually members of the builtin\Administrators group, and the rest only have delegated permissions and privileges (and preferably very few privileges on the DCs, i.e. no logon locally) you can achieve what you want. 

Joe's been there and done it...


--Paul

  - Original Message - 
  From: Almeida Pinto, Jorge de 
  To: ActiveDir@mail.activedir.org 
  Sent: Friday, September 15, 2006 8:48 AM
  Subject: RE: [ActiveDir] Elevating privileges from DA to EA
  
  Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].
  
  What is being said is very very true. Either you trust ALL Domain Admins (no matter the domain those are in) or you do not trust ANY! Every Domain Admin or ANY person with physical access to a DC has the possibility to turn the complete forest into crap!
  Because if that was NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! The Forest is the security boundary, whereas EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be trusted!
  
  I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above
  
  When you know HOW, it is as easy as taking candy from a baby
  
  jorge
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to 

[ActiveDir] Windows Time Service

2006-09-15 Thread Steven Johnston








Hi Guys,



I have a small site with 2 DCs, the pdc emulator originally did not sync with any external source, I made the changes so it would seek an external source but now due to policy it needs to sync to its internal clock. 

When I change the registry entry for Type from NTP to Nt5DS I notice a lot of log entries in the system logs, these are w32time event ids 62 (this machine is a pdc of the domain at the root of the forest, configure to sync from external time source using the net command) and eventually 64 (because of repeated network problems the time service has not been able to find a domain controller to synchronize with for a long time. To reduce network traffic the time service will wait 960 minutes before trying again etc.)

Is there a way I can stop these annoying messages or should I just ignore them?

I found out that by leaving the Type as NTP and making NtpServer the DCs name these messages no longer appear, are there any issues with setting it up this way?





Regards,
Steven Johnston








RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Crawford, Scott
I'm sure there are apps that are written exceptionally stupidly,
requiring admin, but I've yet to run across one.  I've had lots of our
guys tell me something HAS to have admin to run, but I've yet to run
across one that really does.  I suggest you read this article:

http://www.microsoft.com/technet/technetmag/issues/2006/08/LUABugs/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chinnery, Paul
Sent: Friday, September 15, 2006 7:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

I agree but, unfortunately, the software being used requires local admin
privileges.  Which, as you might imagine, is quite frustrating.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware


Nonadmin

I personally have had way less issues when users that don't need admin 
rights don't have them.

Chinnery, Paul wrote:
 We're using CounterSpy Enterprise from Sunbelt Software.  Like you, we
 have seen a performance hit* on computers with just 128 meg of memory 
 but that goes away when we add more memory.  The only issue I ran 
 into, other than performance, was it blocked a cookie that was 
 necessary for our payroll department.  However, once I okayed that 
 cookie, it was fine. 
  
 *According to Sunbelt, the next version is supposed to reduce the 
 performance impact.

 -Original Message-
 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of *Chris
 Pohlschneider
 *Sent:* Thursday, September 14, 2006 10:44 AM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* [ActiveDir] OT: Protecting against Spyware/Adware

 Just curious what other people are using for protecting against
 adware/spyware? We are using Webroot Spysweeper right now, but I
 see some performance hits on computers running this software and
 it does work, but it causes headaches will installing some apps
 that we approve. Any suggestions are appreciated.

  

 Chris Pohlschneider

 Holloway Sportswear IT

 937-494-2559

 937-497-7300 (Fax)

 [EMAIL PROTECTED]

  

  


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Matt Hargraves
I agree with the people who are saying Either trust all of them or none of them. Realistically, unless you have a large environment (BTW, some people argue that all but maybe 10 Fortune 100 companies are 'medium' sized and the other 99.% of organizations are 'small'), there should only be a handful of people (3-7?) and some service accounts that require that level of rights.

Domain/Enterprise Admins are a tricky bunch and no matter what you do to us, we can take back whatever rights you took away from us very easily, then lock you and everyone else in the world out, destroy the on-site backups and demolish the environment to where it's going to take a major effort to get back to operational status. This would all take significantly less time than it would take for someone to figure out who is doing what. I like Joe's recommendation of taking everyone that you don't need out of the admins groups and simply granting them various levels of rights with their account. Possibly give everyone a user and admin account (user1234567 and user1234567a), heaven knows it would make troubleshooting a lot easier.

That being said, someone asking for their own regional forest? Fine, as long as the person saying that it's necessary is willing to come up with the budget for the additional servers and additional personnel to support that forest and that they understand that they will have 0 admin level rights on anything in the 'main' forest, it wouldn't bother me, just one less thing that I have to worry about managing. Oh yeah, and they have to pay for yearly audits to validate that they are meeting the corporate standards for security at all levels.

Then again, most of those items aren't usually my concern. Thank God I'm not in management :D

On 9/15/06, Paul Williams [EMAIL PROTECTED] wrote:






Neil,

Try a re-read of the first couple of chapters of the first part of the deployment guide book designing and deploying directory and security services. Obviously it doesn't spell out how to do this -it doesn't even allude to how this is done- but does emphasise when and when not to go with the regional domain model.

I'm not disputing what anyone is saying here -I agree. I just happen to think the regional model can be a good one, and that if done properly works. Even from a security standpoint. The main thing with the regional design is that there's a central group of service admins, or a true delegated model. 

If you have multiple groups of service admins it can still work, but the issue that has been raised is very real and you probably need to implement processes and monitor against it (if you're forced into such a design by the needs of the business or obtuse upper management ;-). Although it does seem to be possible to implement disparate groups of service admins if you follow the delegation whitepaper (you'll need to improvise, but most of the info. is pertinent), which should put you in a much stronger position from a security standpoint. If you can achieve a very small number of people who are actually members of the builtin\Administrators group, and the rest only have delegated permissions and privileges (and preferably very few privileges on the DCs, i.e. no logon locally) you can achieve what you want. 

Joe's been there and done it...


--Paul

  - Original Message - 
  From: Almeida Pinto, Jorge de 
  To: ActiveDir@mail.activedir.org 
  Sent: Friday, September 15, 2006 8:48 AM
  Subject: RE: [ActiveDir] Elevating privileges from DA to EA
  
  Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].
  
  What is being said is very very true. Either you trust ALL Domain Admins (no matter the domain those are in) or you do not trust ANY! Every Domain Admin or ANY person with physical access to a DC has the possibility to turn the complete forest into crap!
  Because if that was NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! The Forest is the security boundary, whereas EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be trusted!
  
  I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above
  
  When you know HOW, it is as easy as taking candy from a baby
  
  jorge
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since 

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Dave Wade
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: 15 September 2006 13:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

 2) Spy ware hangs around for a long time. Our users used to have admin rights so there is a lot of legacy spyware around

Create a project to re-build these machines? If you've got a standard deployment image for workstations, this might not be too disruptive.

If only! I guess we have nearly 1000 old non-standard desktops, which have a range of obsolete hardware, a wide variety of software packages. The thought of re-building them is a nightmare..

 3) We still have business critical applications that won't run without admin rights. Often these are tightly integrated in a large suite of applications, e.g. the Call Centre management suite, so we still have some machines where users have admin rights. I know this sucks but there is certainly no cash available to replace these apps

Is there a budget to deliver these 'special' apps via Citrix or at least MS Terminal server, hence isolating them on a locked down server which users cannot browse the web from, and allowing you to drop their local workstation access level down to something sane? Or to virtualise these apps on each desktop, again isolating them and allowing you to drop the local workstation access rights down a notch or two.

Often they are things like the telephony or voice recording apps, or things which run tills or doors or other oddball hardware. I doubt these would run on TS or Citrix either. Even worse we don't insist that new apps run without Admin rights :-(



--
Robert Moir
Microsoft MVP for Windows Servers & Security, Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong   | Good vs. Evil
God vs. the devil | What side you on?
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this 
email,  or any response to it,  under the Freedom of Information Act 2000, 
unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via 
[EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**



RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread neil.ruston



Thanks Paul,


 Joe's been there and done it...

LOL - so have I several times before :)


neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 15 September 2006 09:46
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Neil,

Try a re-read of the first couple of chapters of the first part of the deployment guide book designing and deploying directory and security services. Obviously it doesn't spell out how to do this -it doesn't even allude to how this is done- but does emphasise when and when not to go with the regional domain model.

I'm not disputing what anyone is saying here -I agree. I just happen to think the regional model can be a good one, and that if done properly works. Even from a security standpoint. The main thing with the regional design is that there's a central group of service admins, or a true delegated model.

If you have multiple groups of service admins it can still work, but the issue that has been raised is very real and you probably need to implement processes and monitor against it (if you're forced into such a design by the needs of the business or obtuse upper management ;-). Although it does seem to be possible to implement disparate groups of service admins if you follow the delegation whitepaper (you'll need to improvise, but most of the info. is pertinent), which should put you in a much stronger position from a security standpoint. If you can achieve a very small number of people who are actually members of the builtin\Administrators group, and the rest only have delegated permissions and privileges (and preferably very few privileges on the DCs, i.e. no logon locally) you can achieve what you want.

Joe's been there and done it...


--Paul

  - Original Message -
  From: Almeida Pinto, Jorge de
  To: ActiveDir@mail.activedir.org
  Sent: Friday, September 15, 2006 8:48 AM
  Subject: RE: [ActiveDir] Elevating privileges from DA to EA
  
  Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

  What is being said is very very true. Either you trust ALL Domain Admins (no matter the domain those are in) or you do not trust ANY! Every Domain Admin or ANY person with physical access to a DC has the possibility to turn the complete forest into crap!
  Because if that was NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! The Forest is the security boundary, whereas EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be trusted!

  I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above

  When you know HOW, it is as easy as taking candy from a baby

  jorge
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above.

Make sense?

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 14 September 2006 20:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Can you reword? I'm not sure I clearly understand the question. FWIW, going from DA to EA is a matter of adding one's id to the EA group. DA's have that right in the root domain of the forest (DA's of the root domain have that right). Editing etc. is not necessary. Nor are key-loggers etc. If physical access is available, there are plenty of ways to get the access you require to a domain but I suspect you're asking how can a DA from a child domain gain EA access; is that the question you're looking to answer? Just for curiosity, what brings up that question?

Al
On 9/14/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: 

  It has been suggested by certain parties here that elevating one's rights from DA to EA is 'simple'. 
  I have suggested that whilst it's possible it is not simple at all. 
  Does anyone have any descriptions of methods / backdoors / workarounds 

RE: [ActiveDir] List archive

2006-09-15 Thread Alex Alborzfard

May be some one should re-write in .NET! :-)

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 15, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] List archive

That thing is always really really slow for me. 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, September 15, 2006 12:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List archive

Anyone else getting timeouts trying to get to the list archive URL?

http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] ADSI programming

2006-09-15 Thread Ramon Linan
Hi,

I want to start programming in AD.

I have experience programming with Python, PHP and VBA.

Any suggestion on which language is more convenient to program with ADSI.

I was going to use Python because it can be used in Windows, MAC or Linux/unix


Thanks

Rezuma


RE: [ActiveDir] Strange password issue

2006-09-15 Thread Akomolafe, Deji



OK. The account under discussion is "512". Had to refresh my brains because I just took your 1-4 bullet points and said, uh-uh, there is a way to have an enabled password-less account. Granted it won't be "512" and will be useless, it is still enabled.

Sorry, Paul.


Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Fri 9/15/2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The account is currently 512... You can't get there with a blank password without 1-4.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 14, 2006 11:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.

It's a feasible scenario, no?



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password. 

If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is 

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                     winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"


A blank password does not have a hash, the system knows it is blank. 

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem. 



This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared

2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection. 

4. The raw DIT was modified. 


 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully



C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.conn
oa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform


ERROR: Too many errors encountered, terminating...

The command did not 
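
The userAccountControl arithmetic in this thread (512, 544, 546 and the 32 of PWD_NOT_REQD) and the rule joe describes are easy to get wrong by hand. What follows is an added example, not code from the thread or from AdMod: a small Python decoder for userAccountControl, a simplified model of the refusal joe's admod output shows, and a hygiene check that lists enabled accounts with PASSWD_NOTREQD set, together with the LDAP bitwise-AND filter (matching rule 1.2.840.113556.1.4.803) a defender can run with adfind or ldifde to find such accounts in a real domain. The flag values are the documented userAccountControl bits; `SAMPLE_ACCOUNTS`, `dc_accepts` and `audit_accounts` are this example's own names and the sample accounts are constructed.

```python
"""Decode userAccountControl (UAC) values and spot the risky combination the
thread is about: an enabled account that is exempt from the password policy
(PASSWD_NOTREQD set).  Added example, not code from the thread; flag values
are the documented userAccountControl bits, sample accounts are constructed."""

# Documented userAccountControl bits (subset that matters here)
SCRIPT = 0x0001
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020          # the "32" Paul mentions
NORMAL_ACCOUNT = 0x0200          # the "512" of a normal user
DONT_EXPIRE_PASSWORD = 0x10000

UAC_FLAGS = {
    SCRIPT: "SCRIPT",
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}

# LDAP filter using the bitwise-AND matching rule: enabled user accounts
# that have PASSWD_NOTREQD set.  Paste into adfind/ldifde as-is.
LDAP_FILTER_ENABLED_PWD_NOT_REQD = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=32)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)


def decode_uac(value):
    """Names of the flags set in a UAC integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_enabled(value):
    return not value & ACCOUNTDISABLE


def enabled_without_password_requirement(value):
    """True for the 544 case: enabled, password policy bypassed."""
    return is_enabled(value) and bool(value & PASSWD_NOTREQD)


def dc_accepts(new_uac, password_blank, min_pwd_length):
    """Simplified model (this example's own, not the DC's code) of the rule
    joe describes: a write that would leave the account enabled with
    PASSWD_NOTREQD clear is refused with ERROR_PASSWORD_RESTRICTION (0x52d)
    while the password is blank and policy requires a minimum length."""
    if (is_enabled(new_uac) and not new_uac & PASSWD_NOTREQD
            and password_blank and min_pwd_length > 0):
        return False
    return True


def audit_accounts(accounts):
    """accounts: iterable of (sAMAccountName, userAccountControl).
    Returns the names a defender should review: enabled and policy-exempt."""
    return [name for name, uac in accounts
            if enabled_without_password_requirement(uac)]


# Constructed sample: the UAC states discussed in the thread
SAMPLE_ACCOUNTS = [
    ("alice", 512),       # normal enabled user
    ("svc-legacy", 544),  # enabled, PASSWD_NOTREQD: may hold a blank password
    ("bob", 546),         # disabled, PASSWD_NOTREQD: the create-time default
    ("carol", 514),       # disabled normal user
]

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS:
        print(f"{name:12} {uac:5} {decode_uac(uac)}")
    print("needs review:", audit_accounts(SAMPLE_ACCOUNTS))
    # the transition joe shows: 546 -> 512 with a blank password is refused
    print("546 -> 512 with blank password accepted?", dc_accepts(512, True, 7))
```

Run as a script it decodes the four sample states and reports `svc-legacy` as the one to review; `dc_accepts(512, True, 7)` returns False, which is the 546 to 512 change with a blank password that joe's admod session shows the DC rejecting, while `dc_accepts(544, True, 7)` returns True, matching Paul's observation that 544 creates fine with a blank password.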

RE: [ActiveDir] Replication Metadata

2006-09-15 Thread Isenhour, Joseph
Don't you mean,

If vbscript Then : you want the XML versions : End If

Sorry, bad joke

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 14, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

Yep, if vbscript you want the XML versions...

You should be able to do this in an hour. You just need to pick the right hour. ;o) 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Thursday, September 14, 2006 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

That's great info; thanks joe.  I'll take a look at msDS-ReplValueMetaData and msDS-ReplAttributeMetaData.  I'm trying to do this in a vbscript and avoid getting into any compiled solutions.  I told my boss I could do this in an hour because I thought I could just use IADsTools, oopsie. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 14, 2006 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

I doubt that IADsTools was updated. They seemed to be trying to kill that as far back as 2001. I think it was someone's pet project and they went to another petting zoo to work... I know I found some time issues in it back then and some more later that I tried to get corrected and was wholly unsuccessful on both occasions.

But the answer is... There is additional metadata available now for looking at value level changes. The way IADsTools was probably getting the info (this is a guess, never saw the code) is through the attribute replPropertyMetaData but it very well could have been using the RPC based API call DsReplicaGetInfo. 

Probably the simplest mechanism to use now are the attributes msDS-ReplAttributeMetaData and msDS-ReplValueMetaData which by default will return XML strings with the data. If you are equipped to handle it, you can instead make the calls much faster and pass less data on the wire by asking for the binary versions of those attributes by appending the ;binary modifier. 

If you want to write DC API based code, you can use DsReplicateGetInfo2.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, September 08, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Metadata

I'm using Robbie Allens example for using IADSTools.DCFunctions to read
group object meta data.  I just realized that now that we've upgraded to
2003 I can no longer look at the member last changed field to determine
when group membership last changed.

I know that RepAdmin can look at the individual group changes so there
must be some updated API that I can use to do the same thing, I just
can't seem to find it.

Can anyone point me in the right direction?

Thanks 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread James_Day
Hi All

I wanted to weigh in with two comments.
1) Elevating privileges from DA to EA (or from physical DC access to EA) is simple - it takes about 45 minutes and unless you have some very good active monitoring is difficult to detect.  There are automated tools out there for doing this.  I have been known to use the term lazy EAs to refer to domain admins.

2) Replication boundaries is another reason for separate domains.  A million objects can lead to huge DITs and very slow replication - especially in a build a new DC case.  Separating that into multiple domains - to put smaller load on locations where bandwidth is an issue is worth considering.  For example:
  90,000 users.  200 of those are in Alaska.
  The rest of the world has good bandwidth, Alaska locations all have the equivalent of 56K modem speed.
  DIT and Sysvol size is about 7G, but for Alaska users there are only 3 GPOs that affect them.
  Rather than doing 1 domain I can put the 200 Alaska users in their own domain.  Security wise, there is no advantage.  Replication wise, the Global Catalogue is a fraction the size of the full database, the Sysvol never replicates anywhere in Alaska, and replication for that domain will cause less strain on their bandwidth - 200 users will create a much lower amount of changes than 90,000 users.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]


   
From: Al Mulnick [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: 09/15/2006 11:34 AM AST
Subject: Re: [ActiveDir] Elevating privileges from DA to EA
Please respond to [EMAIL PROTECTED]




I agree and add to that some additional thoughts:
Not long ago there was some conversation around a suggestion that
[EMAIL PROTECTED] put out regarding the idea of using multiple forests
vs. domains in such a model.  Personally, I disagree with that
recommendation as given.  I think A LOT more additional information is
required before saying that, but I digress.

If you decide to use the multi-domain model, I have to assume that you
either have different password policies or a strong layer-8 contingent
driving things. If the latter, I hate it for you.

If you have a requirement to separate the domains from the forest, your
workload just went through the roof, and with that your costs.

Was it me I'd want to learn from my past mistakes ;0) and approach this by
reversing the conversation.  By that I mean I'd want each potential domain
owner to absolutely and in a detailed manner specify the functions they
need to execute.  From there, we'll encompass the rights needed for each of
those functions. I think what you'll find is that you can do almost all of
it with a single domain if different password policies are not needed
(mostly, but you know all of that anyway). From there, I'd be sure to spell
all of that out to the project sponsor because the costs (both ongoing and up
front) can be significant.  The amount of complexity and issues with other
directory based applications alone can be enough to put them off and
actually follow a recommendation such as this. The push obviously is to get
as few actual DA's as possible.

Is the threat real? Yes.  If you feel you should have multiple domains,
chances are good you really need OU's and a better admin model that
includes less complexity and fewer moving parts.

Oh, one other thing that might be of interest to your planning group: ask
them about their restoration requirements.  In that model, restoration can
be a bloody nightmare especially if the layer-8 issues are not resolved up
front.

Al



On 9/15/06, Paul Williams [EMAIL PROTECTED] wrote:
  Neil,

  Try a re-read of the first couple of chapters of the first part of the
  deployment guide book designing and 

Re: [ActiveDir] VBScript Container Security

2006-09-15 Thread A P
Here is a link to a script written in Jscript that may give you some ideas.

http://calnetad.berkeley.edu/documentation/scripts/index.html#ousetup

This script creates an OU and adds an ACE for delegating rights to the OU. 

Regards,

Arden
On 9/15/06, Paul Williams [EMAIL PROTECTED] wrote:



I can't point you at any examples, but most of the documentation I read and from what MSFT people said at conferences, reckons you should grant full control to the group for SMS servers on that container. That's horse sh!t -you need to grant create and delete of each of the MS SMS object types and full control over those object types, and that's it.


When I designed a couple of k3 SMS installations last year I used a DLG called SMS Servers and GGs called Primary SMS and Secondary SMS and nested the GGs into the DLG which was granted the permissions. You can then get specific for primary and secondary servers in some cases, or grant all via the DLG.


I'm afraid I can't remember the names of the classes, so can't give you the ldapDisplayName's of the object type in question. But they're easy to find, they should be prefixed with mS-SMS or something like that.


Note also that the advanced clients search on objectClass instead of objectCategory, so if you haven't already, you need to index objectClass.



--Paul



- Original Message -
From: Joe McNicholas
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 10:53 AM
Subject: [ActiveDir] VBScript Container Security


I'm trying to create and secure the LDAP://cn=System Management,cn=System,dc=mydomain,dc=com container, as required for SMS[1].
I'm able to create the container successfully, but haven't found any examples of how to assign security to an OU or Container in the AD. MS Script Centre and a quick google have come up blank, can anyone point me to any examples?

Thanks Joe 
[1] Ref: 
https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true




RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Chinnery, Paul
Well, I guess you'd have to define has.  We run a hospital IS from a major 
healthcare s/ware vendor that has instructions on its customer website on 
making a couple of registry changes to allow non-local admins to run it.  So, 
technically if a registry change is made, it doesn't have to run under those 
privileges.  However, in my mind, if I have to modify the registry, then it 
still fits the description.
There was a message (can't remember if it was this listserv or another) where 
the poster gave a link to a list of programs that needed local admin to run 
properly.  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Crawford, Scott
Sent: Friday, September 15, 2006 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware


I'm sure there are apps that are written exceptionally stupidly,
requiring admin, but I've yet to run across one.  I've had lots of our
guys tell me something HAS to have admin to run, but I've yet to run
across one that really does.  I suggest you read this article:

http://www.microsoft.com/technet/technetmag/issues/2006/08/LUABugs/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chinnery, Paul
Sent: Friday, September 15, 2006 7:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

I agree but, unfortunately, the software being used requires local admin
privileges.  Which, as you might imagine, is quite frustrating.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware


Nonadmin

I personally have had way less issues when users that don't need admin 
rights don't have them.

Chinnery, Paul wrote:
 We're using CounterSpy Enterprise from Sunbelt Software.  Like you, we have seen a performance hit* on computers with just 128 meg of memory but that goes away when we add more memory.  The only issue I ran into, other than performance, was it blocked a cookie that was necessary for our payroll department.  However, once I okayed that cookie, it was fine. 
  
 *According to Sunbelt, the next version is supposed to reduce the performance impact.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Chris Pohlschneider
 Sent: Thursday, September 14, 2006 10:44 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Protecting against Spyware/Adware

 Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

 Chris Pohlschneider
 Holloway Sportswear IT
 937-494-2559
 937-497-7300 (Fax)
 [EMAIL PROTECTED]



-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] List archive

2006-09-15 Thread Brian Desmond

Aspx == .Net

Thanks,

Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Friday, September 15, 2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] List archive

May be some one should re-write in .NET! :-)

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 15, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] List archive

That thing is always really really slow for me. 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, September 15, 2006 12:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List archive

Anyone else getting timeouts trying to get to the list archive URL?

http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] ADSI programming

2006-09-15 Thread Matheesha Weerasinghe
I wonder whether ironpython http://www.ironpython.com/ is worth looking into in that case. I am no programmer but I have a hunch it might be to your liking.

Cheers
M@

On 9/15/06, Ramon Linan [EMAIL PROTECTED] wrote:
Hi,

I want to start programming in AD.

I have experience programming with Python, PHP and VBA.

Any suggestion on which language is more convenient to program with ADSI.

I was going to use Python because it can be used in Windows, MAC or Linux/unix

Thanks

Rezuma


Re: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Web bigger malware threat than email - ZDNet UK News:
http://news.zdnet.co.uk/0,39020330,39283339,00.htm


Dave Wade wrote:

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
 Sent: 15 September 2006 13:50
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

 2) Spy ware hangs around for a long time. Our users used to have admin rights so there is a lot of legacy spyware around

 Create a project to re-build these machines? If you've got a standard deployment image for workstations, this might not be too disruptive.

 If only! I guess we have nearly 1000 old non-standard desktops, which have a range of obsolete hardware, a wide variety of software packages. The thought of re-building them is a nightmare..

 3) We still have business critical applications that won't run without admin rights. Often these are tightly integrated in a large suite of applications, e.g. the Call Centre management suite, so we still have some machines where users have admin rights. I know this sucks but there is certainly no cash available to replace these apps

 Is there a budget to deliver these 'special' apps via Citrix or at least MS Terminal server, hence isolating them on a locked down server which users cannot browse the web from, and allowing you to drop their local workstation access level down to something sane? Or to virtualise these apps on each desktop, again isolating them and allowing you to drop the local workstation access rights down a notch or two.

 Often they are things like the telephony or voice recording apps, or things which run tills or doors or other oddball hardware. I doubt these would run on TS or Citrix either. Even worse we don't insist that new apps run without Admin rights :-(

 --
 Robert Moir
 Microsoft MVP for Windows Servers & Security, Senior IT Systems Engineer
 Luton Sixth Form College
 Right vs. Wrong   | Good vs. Evil
 God vs. the devil | What side you on?
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this email,  or any response to it,  under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. 


Thank you.

http://www.stockport.gov.uk
**

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

  


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] Slightly OT: Modifying AD vbscript

2006-09-15 Thread AFidel

You are almost assuredly running into
the default return limit of 1000 items. AD queries will only return that
many items per query by default. In order to retrieve more information
you need to use paging. I personally use SQL style syntax because I know
SQL and that is what the MS script center has available for learning. Therefore
the relevant code for me is objCommand.Properties("Page Size") = 1000.
I am unsure how you would modify your query to use paging, perhaps
someone else can chime in with the syntax needed.

Thanks,
Andrew Fidel





Alex Alborzfard [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/15/2006 12:28 PM

Please respond to ActiveDir@mail.activedir.org

To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Slightly OT: Modifying AD vbscript

I'm sure this can be done more elegantly with joeware's tools or others, but in the spirit of learning,
I whipped up this primer vbscript with the help from a site.
What I want to do is to modify it, so it can count # of employees in each location and output it to a
simple text/csv file.
In our AD, we enter the location name in the Description field.
Also when the number is too high, the script doesn't return anything. I think I have to change the
variable type of intCounter to something that can hold bigger values, but don't know what.

Can someone take a look and help me or give me pointers?

TIA

Alex



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Wednesday, September 13, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

What is the largest environment WSUS can be deployed effectively? At what point are you better off going
with something like Shavlik or Patchlink?
What do they give you that WSUS doesn't?
We're trying to put in place a patch management solution for a company that's midsize (~1700 users),
but with offices scattered all over the world.
But we're not sure how to architect the whole thing (how many servers, layers, and where - what's
the cutoff point: bandwidth, # of users? -).

The other issue is the industry we're in: healthcare. We're constantly audited and for every single task
we have to test, write validation and justification.
So we're not sure how we can do this, with so many patches MS puts out every Tuesday, without going
insane! And this is just for desktops; servers are a whole different ball of wax.

Anybody out there had to deal
with similar issues?

Alex



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, September 11, 2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I use WSUS for patching in some decent size places. My strategy has been to combine a variety of
free products into a single system; I've gotten good at it and I've also written glue when I need to.
My overall feeling is that I get more flexibility just gluing things together than with a single baked product.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Robert Rutherford
Sent: Monday, September 11, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I agree with Brian that Ghost does tend to be the front runner for imaging (IMHO).. I've tested and
used many but Ghost is a mature project which does what it says on the tin. You'll be surprised how
forgiving it is and how much you can do with varying software and hardware with a little work.

In terms of helpdesk, well, it's a minefield and a road I have travelled many times. I have actually
found that most of the time it's actually easier to get a dev guy to come in and build a system which
actually meets your requirements. I have found this to be cheaper (most of the time) in the larger
organisations as every organisation has different SLAs, contracts, processes, methods, etc.

I just recommend going onto sourceforge.net and typing helpdesk initially. This should get you
going and you may find something that suits your needs or something you can amend to fit. Yes, you
can go for the bigger boys, i.e. Hornbill, but you'll pay for it.. have a sniff around and see what
fits your requirements.

In terms of patch deployment I do like Patchlink. It will give you patch deployment across most
applications with good reporting. You also get software and hardware inventory included in the price.

Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited
T:  +44 (0) 8456 440 331
F:  +44 (0) 8456 440 332
M:  +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 11 September 2006 20:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I have a lot of experience
using Ghost for all of that but helpdesk. Helpdesk I have worked with Peregrine
(will empty your check book - very complex), 
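The paged query Andrew describes and the per-location count Alex asked for, as an added example that is not the script from the original post: it assumes the domain's defaultNamingContext as the search base and uses a placeholder output path.

```vbscript
' Added example, not the script from the original post: a paged ADO/ADSI
' query that counts user objects per location, where the location is the
' value of the Description attribute, and writes the totals to a CSV file.
' Assumptions: the search base is the domain's defaultNamingContext and the
' output path below is a placeholder to change.
Option Explicit

Const ADS_SCOPE_SUBTREE = 2
Const strOutFile = "C:\temp\location_counts.csv"   ' placeholder path

Dim objRootDSE, strBase, objConnection, objCommand, objRecordSet
Dim dictCounts, varDesc, strLocation, objFSO, objFile, strKey, lngTotal

' Discover the domain naming context instead of hard-coding DC=...
Set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "LDAP://" & objRootDSE.Get("defaultNamingContext")

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' SQL dialect, as in Andrew's reply. objectCategory=person excludes
' computer accounts, which are also objectClass=user.
objCommand.CommandText = _
    "SELECT distinguishedName, description FROM '" & strBase & "' " & _
    "WHERE objectCategory='person' AND objectClass='user'"

' Page Size is what lifts the 1000-object ceiling: ADO fetches the result
' 1000 rows at a time and MoveNext crosses page boundaries transparently.
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 60
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False   ' don't hold the whole set in memory

Set objRecordSet = objCommand.Execute

' A Dictionary keyed by location does the per-location tally; the counts
' are Long so a 16-bit Integer subtype can never be the limiting factor.
Set dictCounts = CreateObject("Scripting.Dictionary")
dictCounts.CompareMode = vbTextCompare   ' "Boston" and "boston" are one location

lngTotal = CLng(0)
Do Until objRecordSet.EOF
    varDesc = objRecordSet.Fields("description").Value
    If IsNull(varDesc) Then
        strLocation = "(no description)"
    ElseIf IsArray(varDesc) Then
        strLocation = Trim(varDesc(0))   ' description is multi-valued in the schema
    Else
        strLocation = Trim(varDesc)
    End If
    If strLocation = "" Then strLocation = "(no description)"

    If dictCounts.Exists(strLocation) Then
        dictCounts(strLocation) = dictCounts(strLocation) + 1
    Else
        dictCounts.Add strLocation, CLng(1)
    End If
    lngTotal = lngTotal + 1
    objRecordSet.MoveNext
Loop

objRecordSet.Close
objConnection.Close

' Write the CSV; quote the location so a comma in a description does not
' break the columns, and double any embedded quotes.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(strOutFile, True)
objFile.WriteLine "Location,UserCount"
For Each strKey In dictCounts.Keys
    objFile.WriteLine """" & Replace(strKey, """", """""") & """," & dictCounts(strKey)
Next
objFile.Close

WScript.Echo "Counted " & lngTotal & " users across " & dictCounts.Count & _
             " locations; written to " & strOutFile
```

Run it with cscript so the summary line goes to the console; a run that stops at exactly 1000 users is the sign that paging was not applied.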

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread John_Haaland
Return Receipt: your "RE: [ActiveDir] OT: Protecting against Spyware/Adware" document was received by John Haaland/CDS/CG/CAPITAL at 09/15/2006 03:29:31 PM CDT.

RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-15 Thread Crawford, Scott
Has = The user running the program needs to be a member of Power Users
or Administrators to run said program.

It sounds like your program requires one of two options to run - add the
user to Administrators or tweak the registry.  Tweaking the registry is
by far the better option IMO.  The benefits to system security outweigh
the time required to find the required perm changes (It gets easier with
practice).  My original point was taking the time to tweak problem apps
allows you to let your users run as non-admins, effectively eliminating
spyware.

I think the link you're referring to is www.threatcode.com.  There are
plenty of apps/vendors that *think* they need to be run with admin
privs.  I'm just saying that's not the case, provided you're willing to
tweak file/reg perms.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chinnery, Paul
Sent: Friday, September 15, 2006 1:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Well, I guess you'd have to define has.  We run a hospital IS from a
major healthcare s/ware vendor that has instructions on its customer
website on making a couple of registry changes to allow non-local admins
to run it.  So, technically if a registry change is made, it doesn't
have to run under those privileges.  However, in my mind, if I have to
modify the registry, then it still fits the description.
There was a message (can't remember if it was this listserv or another)
where the poster gave a link to a list of programs that needed local
admin to run properly.  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Crawford, Scott
Sent: Friday, September 15, 2006 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware


I'm sure there are apps that are written exceptionally stupidly,
requiring admin, but I've yet to run across one.  I've had lots of our
guys tell me something HAS to have admin to run, but I've yet to run
across one that really does.  I suggest you read this article:

http://www.microsoft.com/technet/technetmag/issues/2006/08/LUABugs/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chinnery, Paul
Sent: Friday, September 15, 2006 7:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

I agree but, unfortunately, the software being used requires local admin
privileges.  Which, as you might imagine, is quite frustrating.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware


Nonadmin

I personally have had way less issues when users that don't need admin 
rights don't have them.

Chinnery, Paul wrote:

  We're using CounterSpy Enterprise from Sunbelt Software.  Like you, we
  have seen a performance hit* on computers with just 128 meg of memory
  but that goes away when we add more memory.  The only issue I ran
  into, other than performance, was it blocked a cookie that was
  necessary for our payroll department.  However, once I okayed that
  cookie, it was fine.

  *According to Sunbelt, the next version is supposed to reduce the
  performance impact.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Chris Pohlschneider
  Sent: Thursday, September 14, 2006 10:44 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] OT: Protecting against Spyware/Adware

    Just curious what other people are using for protecting against
    adware/spyware? We are using Webroot Spysweeper right now, but I
    see some performance hits on computers running this software and
    it does work, but it causes headaches while installing some apps
    that we approve. Any suggestions are appreciated.

    Chris Pohlschneider
    Holloway Sportswear IT
    937-494-2559
    937-497-7300 (Fax)
    [EMAIL PROTECTED]


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs


Re: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Kamlesh Parmar
Well at one of the customers, they have around 10 to 15 GPOs applied at domain level, for various purposes ranging from software deployment to other settings.
So they didn't want many of those GPOs to be applied to domain controllers.
Above that, they have block inheritance enabled at various sub-OU levels.

So only thing we could come up with to achieve what we wanted was to:
1) Block policy at DC OU
2) Create Password Policy at Domain level and enforce it.

This helped for keeping a consistent password policy across all OUs and Domain.
And also saving DCs from domain level general purpose GPOs.

Long term, soln is to rethink the OU structure.

Kamlesh

On 9/13/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:

Well, the obvious effect is that it prevents domain-linked 
policies from being delivered correctly, including password policy. This is 
probably not desirable. I can't think of a good scenario where this would be 
useful. 

Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU


The company I am currently working for has "block 
inheritance" enabled for the Domain Controller's OU and apparently whoever 
enabled this setting is no longer with the company (or they won't fess up to why 
they did this).

Although I am curious, what sort of ramifications does 
enabling "block inheritance" on the Domain Controller's OU pose? And what 
reason would you have to enable this setting on the Domain Controller's 
OU? With any other OU, it would be fairly obvious, but being that these 
are the Domain Controllers it would seem to be a unique 
situation.

Thanks as always for your input,
~Ben

-- ~Short-term actions X time = long-term accomplishments.~


RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Kevin Brunson
Elevating privileges from DA to EA (or from physical DC access to EA)
is simple

Is this physical access to a DC in the root domain or physical access to
a DC with a forest trust to the root domain?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, September 15, 2006 12:15 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Hi All

I wanted to weigh in with two comments.
1) Elevating privileges from DA to EA (or from physical DC access to EA)
is simple - it takes about 45 minutes and unless you have some very good
active monitoring is difficult to detect.  There are automated tools out
there for doing this.  I have been known to use the term lazy EAs to
refer to domain admins.

2) Replication boundaries is another reason for separate domains.  A
million objects can lead to huge DITs and very slow replication -
especially in a build a new DC case.  Separating that into multiple
domains - to put smaller load on locations where bandwidth is an issue - is worth
considering.  For example:
  90,000 users.  200 of those are in Alaska.
  The rest of the world has good bandwidth; Alaska locations all have
  the equivalent of 56K modem speed.
  DIT and Sysvol size is about 7G, but for Alaska users there are only
  3 GPOs that affect them.
  Rather than doing 1 domain I can put the 200 Alaska users in their
  own domain.  Security wise, there is no advantage.  Replication wise, the
  Global Catalogue is a fraction the size of the full database, the Sysvol
  never replicates anywhere in Alaska, and replication for that
  domain will cause less strain on their bandwidth - 200 users will create a
  much lower amount of changes than 90,000 users.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]


 

Al Mulnick [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/15/2006 11:34 AM AST

Please respond to [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
cc:
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

I agree and add to that some additional thoughts:
Not long ago there was some conversation around a suggestion that
[EMAIL PROTECTED] put out regarding the idea of using multiple forests
vs. domains in such a model.  Personally, I disagree with that
recommendation as given.  I think A LOT more additional information is
required before saying that, but I digress.

If you decide to use the multi-domain model, I have to assume that you
either have different password policies or a strong layer-8 contingent
driving things. If the latter, I hate it for you.

If you have a requirement to separate the domains from the forest, your
workload just went through the roof, and with that your costs.

Was it me I'd want to learn from my past mistakes ;0) and approach this by
reversing the conversation.  By that I mean I'd want each potential domain
owner to absolutely and in a detailed manner specify the functions they
need to execute.  From there, we'll encompass the rights needed for each of
those functions. I think what you'll find is that you can do almost all of
it with a single domain if different password policies are not needed
(mostly, but you know all of that anyway). From there, I'd be sure to spell
all of that out to the project sponsor because the costs (both ongoing and up
front) can be significant.  The amount of complexity and issues with other
directory based applications alone can be enough to put them off and
actually follow a recommendation such as this. The push obviously is to get
as few actual DA's as possible.

Is the threat real? Yes.  If you feel you should have multiple domains,
chances are good you really need OU's and a better admin model that
includes less complexity and fewer moving parts.

Oh, one other thing that might be of interest to your planning group: ask
them about their restoration requirements.  In that model, restoration can
be a bloody nightmare especially if the layer-8 issues are not resolved up
front.

Al



On 9/15/06, Paul Williams [EMAIL PROTECTED] wrote:
  Neil,

  Try a re-read of the first couple of chapters of the first part of the
  deployment guide book designing and deploying directory and security
  services.  Obviously it doesn't spell out how to do this -it doesn't even
  allude to how this is done- but does emphasise when and when not to go
  with the regional domain model.

  I'm not disputing what anyone is saying here -I agree.  I just happen to
  think the regional model can be a good one, and that if done properly
  works.  Even from 

[ActiveDir] splitting a domain into two

2006-09-15 Thread Kamlesh Parmar
Dear All,

Scenario : Single regional domain, two sites, both sites having separate links to Internet and direct WAN connectivity with each other. AD Integrated DNS.
site1: 300 users
site2: 400 users

Now, due to restructuring, they have decided to get rid of WAN link joining the two sites immediately, as both sites will have separate individual WAN connectivity with some corporate hub site. And this domain will be migrated to corporate domain in due course.

Problem here is the WAN connectivity to hub site will be commissioned at different times (one month apart) and they want to get rid of WAN link joining site1 with site2 NOW. Other problems like mail access and stuff will be handled thru' Internet link.

Now issue is, what to do about AD Domain? as DCs will lose the direct network connectivity.
Solution we are looking at is
1) Migrate one of the locations into separate domain, and thus break the dependence of both sites on single domain.
2) Just break the network link as requested and here comes the crummy part :) instead of migrating one of the site to new domain, you just split the domain into two isolated networks, where each site DC will think it is the only DC handling all the stuff for that domain.
Basically, 1) break the link 2) Point DC to themselves for DNS 3) seize all the roles 4) do meta data & DNS cleanup of other DC
net result : each DC believes they own the domain. Just make sure they don't talk to each other directly ever.

Now, Any foreseeable issues with 2nd approach. Please don't include layer 8 issues ;), I am purely looking at technical feasibility and precautions if we go ahead.

-- Kamlesh
~Short-term actions X time = long-term accomplishments.~


RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread joe



Again simple is relative. Also don't mistake your knowledge 
for that of anyone else. You may know more than others, others may know more 
than you. Me, I tend to expect others know more than I do so I err on the side 
of caution because I know what I know and it sometimes scares me. 
:o)

Hopefully no one here will feel the need to give 
any more detail, hints, or speculations on methods that can be used to 
compromise Active Directory. It is not a good open forum discussion item. If 
someone comes to you and gives you detailed hacking instructions (for free or 
with a charge), start to wonder what other bad habits they have as well. 
:) Just trust that such things are possible, people do do this both for 
good[1] and bad reasons, you aren't blocking them so don't be giving out hefty 
rights on DCs in your forest that you don't trust 100%.

 joe

p.s. A basic security premise is that you can't prove 
systems secure, only insecure. 



[1] Consider a company that 
is insourcing their environment from a vendor who doesn't want to give up the 
forest... I think someone posted to this very list this year about a vendor who 
found out that was going to happen and they chopped off access to the forest 
root from the customer network leaving the customer high and dry. The customer 
should have had a root DC in their possession before making that 
announcement.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, September 15, 2006 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA


http://www.microsoft.com/technet/security/Bulletin/MS02-001.mspx 
discusses some elevation of privilege attacks. It also links to another 
article that is supposed to have more details on SID filtering, which doesn't 
seem to exist anymore. All references I have found point only at NT4 and 
2000 as susceptible to this kind of attack, and they have a patch to fix 
it. So I guess 2003 is secure at least when it comes to the SIDHistory 
method. There must be other ways of doing it, though. I don't know 
that they could possibly be simple if MS put out a patch to fix this 
particular hole way back in 02. The referenced article (for those who 
don't read it) calls for a binary edit of the data structures 
that hold the SIDHistory information. Not 
exactly candy from a baby level, unless you happen to be a 3rd 
level black-belt in babies-canditsu. But I'm sure someone with extreme 
skills could take on an unpatched 2000 domain without much trouble. Either 
way, it looks like sidfiltering mitigates most of the risk. 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, September 15, 2006 2:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Al - we are 
designing a forest with regional domains (don't ask!) and one region has 
suggested it needs to split from this forest since elevating rights in any 
regional domain from DA to EA (forest wide) is 'simple' [and this would break 
the admin / support model].



What is being said is 
very very true. Either you trust ALL Domain Admins (no matter the domain those 
are in) or you do not trust ANY! Every Domain Admin or ANY person with physical 
access to a DC has the possibility to turn the complete forest into 
crap!

Because if that was 
NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! 
The Forest is the security boundary, whereas 
EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be 
trusted!



I am arguing 
that it is not simple and am looking for methods which may be used to elevate 
rights as per the above



When you know HOW, it 
is as easy as taking candy from a baby



jorge



  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, September 15, 2006 09:36
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Elevating privileges from DA to EA
  Thanks for responses, 
  all.
  
  Al - we are designing 
  a forest with regional domains (don't ask!) and one region has suggested it 
  needs to split from this forest since elevating rights in any regional domain 
  from DA to EA (forest wide) is 'simple' [and this would break the admin / 
  support model].
  
  I am arguing that it 
  is not simple and am looking for methods which may be used to elevate rights 
  as per the above.
  
  Make 
  sense?
  
  neil
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: 14 September 2006 20:59
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Elevating privileges from DA to EA
  Can you reword? I'm not sure I 
  clearly understand the question. FWIW, going from DA to EA is a matter 
  of adding one's id to the EA group. DA's have that 

Re: [ActiveDir] ADSI programming

2006-09-15 Thread Joe Kaplan
Well, you don't need a .NET implementation of Python (which is what 
IronPython is) to use Python with ADSI.  Python already has COM support.  If 
one was interested in Python running on the CLR, then that would be the 
thing to check out, but I'm guessing the guy just wants to write some ADSI 
scripts, so the normal resources are appropriate (scripting center, AD 3rd 
edition, AD cookbook 2nd edition, etc.).


If he was actually interested in programming LDAP in .NET, I'd also 
recommend my book (www.directoryprogramming.net), but his scripting 
background suggests that he isn't going there (to me).  There is no mention 
of Python (or any language other than VB.NET, C++ or C# for that matter) in 
it.  :)


Joe K.

- Original Message - 
From: Matheesha Weerasinghe

To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 2:08 PM
Subject: Re: [ActiveDir] ADSI programming


I wonder whether ironpython http://www.ironpython.com/ is worth looking into 
in that case. I am no programmer but I have a hunch it might be to your 
liking.


Cheers

M@


On 9/15/06, Ramon Linan [EMAIL PROTECTED] wrote:
Hi,

I want to start programming in AD.

I have experience programming with Python, PHP and VBA.

Any suggestion on which language is more convenient to program with
ADSI.

I was going to use Python because it can be used in Windows, MAC or
Linux/unix


Thanks

Rezuma


RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Bernard, Aric
Kevin,

FWIW - as others are stating, assuming you know what you are doing, it is 
*simple* and painless so long as you are a DA of any domain in the 
forest and have access to the console of a GC.  There are many exploit 
strategies in this area and in its most basic form this can be done with 
rudimentary knowledge, native tools, and no coding or scripting.


Aric

-Original Message-
From: Kevin Brunson [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 9/15/06 1:35 PM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

http://www.microsoft.com/technet/security/Bulletin/MS02-001.mspx
discusses some elevation of privilege attacks.  It also links to another
article that is supposed to have more details on SID filtering, which
doesn't seem to exist anymore.  All references I have found point only
at NT4 and 2000 as susceptible to this kind of attack, and they have a
patch to fix it.  So I guess 2003 is secure at least when it comes to
the SIDHistory method.  There must be other ways of doing it, though.  I
don't know that they could possibly be simple if MS put out a patch to
fix this particular hole way back in 02.  The referenced article (for
those who don't read it) calls for a binary edit of the data structures
that hold the SIDHistory information.  Not exactly candy from a baby
level, unless you happen to be a 3rd level black-belt in
babies-canditsu.  But I'm sure someone with extreme skills could take on
an unpatched 2000 domain without much trouble.  Either way, it looks
like sidfiltering mitigates most of the risk.  



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, September 15, 2006 2:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

 

Al - we are designing a forest with regional domains (don't ask!) and
one region has suggested it needs to split from this forest since
elevating rights in any regional domain from DA to EA (forest wide) is
'simple' [and this would break the admin / support model].

 

What is being said is very very true. Either you trust ALL Domain Admins
(no matter the domain those are in) or you do not trust ANY! Every
Domain Admin or ANY person with physical access to a DC has the
possibility to turn the complete forest into crap!

Because if that was NOT the case the DOMAIN would be the security
boundary. Unfortunately it is not! The Forest is the security boundary,
whereas EVERY single DC in the forest MUST be protected and EVERY Domain
Admin MUST be trusted!

 

I am arguing that it is not simple and am looking for methods which
may be used to elevate rights as per the above

 

When you know HOW, it is as easy as taking candy from a baby

 

jorge

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.

 

Al - we are designing a forest with regional domains (don't
ask!) and one region has suggested it needs to split from this forest
since elevating rights in any regional domain from DA to EA (forest
wide) is 'simple' [and this would break the admin / support model].

 

I am arguing that it is not simple and am looking for methods
which may be used to elevate rights as per the above.

 

Make sense?

 

neil

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 14 September 2006 20:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Can you reword?  I'm not sure I clearly understand the question.


FWIW, going from DA to EA is a matter of adding one's id to the
EA group.  DA's have that right in the root domain of the forest (DA's
of the root domain have that right). Editing etc. is not necessary. Nor
are key-loggers etc. 
If physical access is available, there are plenty of ways to get
the access you require to a domain but I suspect you're asking how can a
DA from a child domain gain EA access; is that the question you're
looking to answer?  

Just for curiosity, what brings up that question? 

Al

On 9/14/06, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote: 

It has been suggested by certain parties here that elevating
one's rights from AD to EA is 'simple'. 

I have suggested that whilst it's possible it is not simple at
all. 

Does anyone have any descriptions of methods / backdoors /
workarounds etc that can be used to elevate rights in this way?
Naturally, you may prefer to send this to me 

RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Darren Mar-Elia
I just prefer using security group filtering over block and enforced flags. In your 
scenario I would have added explicit denies for the DC group to those GPOs that 
should not have applied rather than block inheritance.

-Original Message-
From: Kamlesh Parmar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 9/15/2006 1:38 PM
Subject: Re: [ActiveDir] Block Inheritance on DC OU

Well at one of the customers, they have around 10 to 15 GPOs applied at
domain level, for various purposes ranging from software deployment to other
settings.
So they didn't want many of those GPOs to be applied to domain
controllers.
Above that, they have block inheritance enabled at various sub-OU levels.

So the only thing we could come up with to achieve what we wanted was to:
1) Block policy at DC OU
2) Create Password Policy at Domain level and enforce it.

This helped for keeping a consistent password policy across all OUs and
Domain.
And also saving DCs from domain level general purpose GPOs.

Long term, the solution is to rethink the OU structure.

Kamlesh

On 9/13/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:

  Well, the obvious effect is that it prevents domain-linked policies from
 being delivered correctly, including password policy. This is probably not
 desirable. I can't think of a good scenario where this would be useful.

 Darren

 --
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
 Sent: Wednesday, September 13, 2006 9:37 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Block Inheritance on DC OU

  The company I am currently working for has block inheritance enabled
 for the Domain Controller's OU and apparently whoever enabled this setting
 is no longer with the company (or they won't fess up to why they did this).



 Although I am curious, what sort of ramifications does enabling block
 inheritance on the Domain Controller's OU pose?  And what reason would you
 have to enable this setting on the Domain Controller's OU?  With any other
 OU, it would be fairly obvious, but being that these are the Domain
 Controllers it would seem to be a unique situation.



 Thanks as always for your input,

 ~Ben




-- 
~
Short-term actions X time = long-term accomplishments.
~


[truncated by sender]
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Derek Harris



It seems to me that a better solution is to only put the 
password policy into the default domain GPO, and create a separate GPO for any 
other settings to apply to the OUs. 




RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Darren Mar-Elia



Yes, but there are times when you want to affect all 
machines or users in a domain and it's a pain to have to link those policies to 
every OU. Domain-linked GPOs are useful but you do have to be explicitly aware 
of what you're targeting. That's why I like using explicit security group 
filtering rather than implicit blocking or enforcing. It's easier to troubleshoot 
(esp. on Win2K without RSOP). 

Darren




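The thread above turns on visibility: block inheritance and Enforced are flags on containers and links that nobody sees until a policy fails to arrive, while a Deny on Apply Group Policy is an ACE you can read off the GPO. The script below is an added example, not code from the list or any of the posters; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the account running it can read the domain. It lists every container with inheritance blocked, every enforced link and every explicit Deny of GpoApply in one table, then checks the Domain Controllers OU for the exact situation Ben and Kamlesh describe.

```powershell
# Added example, not code from the thread: surface the implicit GPO flags
# (block inheritance, enforced links) next to the explicit security-group
# filtering (Deny on Apply Group Policy) so they can be compared in one listing.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules and domain read access.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$dcOuDn = "OU=Domain Controllers,$($domain.DistinguishedName)"   # the built-in DC OU

# Every container that can carry a gPLink: the domain head plus all OUs.
$targets = @($domain.DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$findings = foreach ($dn in $targets) {
    $inh = Get-GPInheritance -Target $dn
    if ($inh.GpoInheritanceBlocked) {
        [pscustomobject]@{ Finding = 'BlockInheritance'; Target = $dn; Gpo = '';
                           Detail = 'links above this container apply only if Enforced' }
    }
    foreach ($link in $inh.GpoLinks) {
        if ($link.Enforced) {
            [pscustomobject]@{ Finding = 'EnforcedLink'; Target = $dn; Gpo = $link.DisplayName;
                               Detail = "order $($link.Order), enabled=$($link.Enabled)" }
        }
    }
}

# Explicit security-group filtering: a Deny on Apply Group Policy is the
# alternative Darren prefers, and it is reported here per GPO and trustee.
$denies = foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Denied -and $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'DenyApply'; Target = ''; Gpo = $gpo.DisplayName;
                               Detail = "denied to $($_.Trustee.Name)" }
        }
}

(@($findings) + @($denies)) | Sort-Object Finding, Target | Format-Table -AutoSize -Wrap

# The specific case in the thread: with inheritance blocked on the DC OU, a
# domain-linked GPO (the password policy included) reaches the DCs only when
# its link is Enforced, which is the workaround Kamlesh used.
$dcInh = Get-GPInheritance -Target $dcOuDn
if ($dcInh.GpoInheritanceBlocked) {
    $enforcedFromDomain = @($dcInh.InheritedGpoLinks |
        Where-Object { $_.Enforced -and $_.Target -eq $domain.DistinguishedName } |
        Select-Object -ExpandProperty DisplayName)
    if ($enforcedFromDomain.Count -eq 0) {
        Write-Warning "Inheritance is blocked on $dcOuDn and no domain-level GPO is enforced, so domain-linked policies, including the password policy, are not delivered to the DCs."
    } else {
        Write-Warning "Inheritance is blocked on $dcOuDn; only these domain-level GPOs still apply: $($enforcedFromDomain -join ', ')"
    }
}
```

Run it from a management workstation with RSAT before and after any change to the DC OU. Where the table shows BlockInheritance on an OU and no EnforcedLink at the domain head, that OU is exactly the case Darren describes, and the DenyApply rows show which GPOs are already being filtered explicitly and for whom.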

[ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Ravi Dogra

Hi,

I am facing a weird problem; here is some required information.

Frontend - Backend Structure.
Exchange with SP2 on Win2k3 SP1 on all Servers.
FE1 and BE1 are on a different site,
BE2 is on my Site.
Configured RPC Over Https on Frontend Server. OWA (SSL) is working fine.

Now here is the situation:
I have configured my client for RPC over Https. When the client machine
tries to establish a connection with my Exchange Server it prompts me
for User Name and Password.

When I provide my credentials they are not accepted and it keeps
prompting me for the same.

Also, while doing this, when I use Ctrl + right-click on the Outlook icon on
the right side of the taskbar and then select connection, it never shows as
established. It remains on Connecting and tries to connect to my BE2
server where my mailbox resides.

What could be the possible reason for this? If any other information
is required please let me know.


--
Ravi Dogra


RE: [ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Robert Rutherford
The usual issue with that is that the URL you are connecting to matches the
name on the cert. 

This must match on internal and external, i.e. you must use split brain or
you must config your firewall to accept that connection on the WAN
interface.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331   
F:+44 (0) 8456 440 332   
M:+44 (0) 7974 249 494   
E:[EMAIL PROTECTED] 
W:www.quostar.com   

 




Re: [ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Ravi Dogra

Hi Bob,

Can you please explain how it should be, because I think I have
something wrong here related to the certificate.

Thanks
Ravi Dogra






--
Ravi Dogra
9899647200
This e-mail, together with any attachments, is confidential. It may be
read, copied and used only by the intended recipient. If you have
received it in error, please notify the sender immediately by e-mail
or telephone. Please then delete it from your computer without making
any copies or disclosing it to any other person.


RE: [ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Robert Rutherford
Hi Ravi,

The certificate does need to match the name of the site, i.e.
mail.comp.com. If it doesn't then it won't work. There are numerous
reasons why it fails but that is the first.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331   
F:+44 (0) 8456 440 332   
M:+44 (0) 7974 249 494   
E:[EMAIL PROTECTED] 
W:www.quostar.com   

 



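Robert's point can be checked from the client before anything else is touched. The function below is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell with the .NET Framework classes it uses, and that mail.comp.com (the placeholder host from Robert's reply) is replaced with the host name from the proxy URL in the Outlook profile. It retrieves the certificate the front end presents, compares the CN and the DNS subject alternative names against that host name (with single-label wildcard handling), and validates the chain with the client's own store, which are the first two things to eliminate when Outlook keeps re-prompting.

```powershell
# Added example, not code from the thread: fetch the certificate served on the
# RPC-over-HTTPS front end and check that it matches the host name the Outlook
# profile uses and that its chain is trusted by this client.
function Test-DnsNameMatch {
    param([string]$Pattern, [string]$Name)
    if ($Pattern -ieq $Name) { return $true }
    # A wildcard is only valid in the left-most label and matches exactly one label.
    if ($Pattern.StartsWith('*.')) {
        $p = $Pattern.Split('.'); $n = $Name.Split('.')
        return ($p.Count -eq $n.Count) -and
               (($p[1..($p.Count - 1)] -join '.') -ieq ($n[1..($n.Count - 1)] -join '.'))
    }
    return $false
}

function Test-RpcHttpsCertName {
    param(
        [Parameter(Mandatory)][string]$ServerName,   # host part of the proxy URL in the Outlook profile
        [int]$Port = 443
    )

    $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    # Accept any certificate during the handshake so it can be inspected;
    # the real checks (name and chain) are done explicitly below.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($ServerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    # Collect the names the certificate is valid for: the subject CN plus the
    # DNS entries of the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # Format() output is locale dependent; "DNS Name=" is the English form.
        $names += ([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                   ForEach-Object { $_.Groups[1].Value })
    }

    # Build the chain with this client's trust store, as Outlook would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        ServerName   = $ServerName
        Subject      = $cert.Subject
        CertNames    = ($names | Select-Object -Unique)
        NameMatches  = [bool]($names | Where-Object { Test-DnsNameMatch $_ $ServerName })
        ChainTrusted = $chainOk
        ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        NotAfter     = $cert.NotAfter
    }
}

# Usage: the host below is the placeholder from Robert's reply; use the
# name from the Outlook profile, and run it both inside and outside the firewall.
Test-RpcHttpsCertName -ServerName 'mail.comp.com' | Format-List
```

NameMatches must be true and ChainTrusted true from both the internal and the external network, which is what Robert's "split brain or firewall" remark is about: the same name has to resolve to a front end presenting the same certificate from either side. The same host name must also appear in the profile's "only connect to proxy servers that have this principal name" setting (msstd:host) when that option is enabled, since Outlook compares it against the certificate as well.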

RE: [ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Akomolafe, Deji



In addition to what Robert is saying, take a look at http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/0849cb53-f1f9-419b-bb74-82bc010e247f.mspx?mfr=true

There are many things that can be responsible for this failure, and you need to selectively eliminate each.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Darren Mar-Elia



I hear you joe. I think it depends upon the environment and 
its goals. I'm generally against implicit stuff like blocking flags because it's 
hard for people to troubleshoot. I'm also not terribly thrilled with the notion, 
in large environments, of having to manage 10s or 100s of gplinks and their 
attendant flags (enabled, disabled, enforced) separately when the target is the 
entire domain anyway, esp. if you have lots of nested OUs because then you have 
to expect people to make consistent decisions about where in the hierarchy they 
need to link, and over time, it just gets messy. But frankly security group 
filtering can suffer the same complexity problems and groups are probably less 
well maintained than OU structure in most orgs. I think security group filtering 
is best used as an exception mechanism rather than a normal course of things. As 
an exception mechanism, I tend to prefer it over blocking or enforcing. 


d.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, September 15, 2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

For a point / counter point kind of discussion. I am 
against, generally speaking[1], group filtering on GPOs as I have seen it go 
horribly wrong[2] and would rather look at putting the links on the OUs. I don't 
find that to be a particularly painful task, especially considering that I 
usually push for a very fixed OU structure such that when a new site or what not 
is spun up, there is a script that sets the entire OU structure up including 
needed admin groups, any delegation, and any gPLinks. 

 joe


[1] Meaning I am not absolutely against it but it needs to 
be a great reason. Say something for auto deploying certs and you have no 
matching OU structure for the deployment you want to implement. 


[2] Once saw an ACL reset on GPOs when a script that 
worked perfectly in the lab blew up in production and the resultant set of 
policies was a completely locked down kiosk that was applied to 
hundreds of thousands of users and machines (both workstations and servers) 
across the world. Thankfully it occurred on a Wednesday evening 6PM EST so the 
fallout was not 100% but mostly only on the west coast of the US and 
Australia/New Zealand. Nope, I didn't write the script. ;o) I have seen 
lesser issues and heard of some other folks who have run into some fun with 
them. 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm





RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread joe



I am the type that argues that 3-5 EA/DA folks is good 
for any size org. Showing that the large companies with hundreds of thousands of 
seats can accomplish it helps illustrate that smaller companies should be able 
to accomplish it and that instead of making the job harder, it makes it easier. 
It may be tougher up front while you fight the political battles and learn how 
your environment and processes really work but once that is done, life is much 
easier as AD doesn't tend to just break on its own, people screw up. The less 
chances available for those screwups the smoother things run. 


When I see companies with tens or hundreds or even 
thousands of folks with admin (or other native built in group) access in a 
forest I just get an upset stomach because I know that things are almost 
certainly not running as smoothly as they could be. In fact, from my 
experiences, the more admins there are, it seems the more harried and running 
they all are. 

Getting down to a few EA/DAs is all about process and 
automation. Do it right, it is feasible and works great. Do it wrong, you have 
admins burning out every 3 months. I understand that admins don't have time to 
automate things and make the environment better. I have been in similar 
positions, positions where I had no choice but to work 80-100 a week every week 
always carrying a pager, etc. When in those positions I made the conscious 
choice to make sure I found a little time every day (even 30 minutes) to do some 
little bit. This slowly adds up. If you attack the items you are spending the 
most time on during the day, you slowly start freeing yourself up more and more 
and if it is to automate something that is being done manually more than likely 
you are saving even more time when that something is done correctly and 
consistently every time (everyone makes mistakes when doing things manually). 


Absolutely you need to be running separate admin and normal 
user IDs for admins. You could be the best admin in the world but it is stupid 
not to take care to make sure that if for some reason you make some small slip, 
the chances are reduced that something bad can result. My general recommendation 
is normal ID and dollar sign ID, e.g. jricha34 and $jricha34. Maybe even going 
to double dollar for enterprise admin to make that stand out even more so 
jricha34, $jricha34, and $$jricha34. Also make sure that these IDs are not 
used interactively on workstations and avoid logging into any servers that you 
don't fully trust (i.e. you own and only the DAs can log into or manipulate). 


Now for the regional forest... I haven't heard a good 
reason for one yet. I haven't heard a good reason for separate DAs for 
geographies. The best reasons I have heard are in relation to divisions within a 
company, say like a financial division of a company whose main business is 
manufacturing or distribution or something. The banking laws in some companies 
can be a bit involved and in _some_ of those cases there may be a need for a 
separate forest. There needs to be really good documentation of all of the why's 
though. A company is often better served as a whole if divisions and 
geographies bow down and let one group handle the overall functioning of the AD 
service. Assuming the group doing the work actually knows what it is doing, 
things will usually be much better off. Politics tends to get in the way here 
until someone gets sick of the politics and either makes an executive decision 
or stages a coup and forcefully takes control. 

I am with James that policy and replication boundaries are 
valid reasons for separate domains. Perfect world is single forest domain, 
things from Microsoft just work better in those environments. But as James 
pointed out with his example, with the current replication model, a single 
domain forest just can't work sometimes even if the policy is the same in all 
domains. 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Friday, September 15, 2006 12:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA
I agree with the people who are saying "Either trust all of them or 
none of them". Realistically, unless you have a large environment (BTW, 
some people argue that all but maybe 10 Fortune 100 companies are 'medium' sized 
and the other 99.% of organizations are 'small'), there should only be a 
handful of people (3-7?) and some service accounts that require that level of 
rights.Domain/Enterprise Admins are a tricky bunch and no matter what 
you do to us, we can take back whatever rights you took away from us very 
easily, then lock you and everyone else in the world out, destroy the on-site 
backups and demolish the environment to where it's going to take a major effort 
to get back to operational status. This would all take significantly 
less 
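Both joe and Matt land on the same control: keep the set of people in the forest's top groups small, and keep their admin identities separate from their daily ones. The script below is an added example, not code from the thread or any poster; it assumes the RSAT ActiveDirectory module and read access to every domain in the forest, and it takes joe's "3-5" and his "$jricha34" convention as configurable assumptions rather than rules. It flattens nested membership of Enterprise Admins, Schema Admins, Domain Admins and the built-in Administrators group of each domain, counts distinct accounts against the threshold, and lists enabled members whose names do not follow the separate-admin-ID convention.

```powershell
# Added example, not code from the thread: audit the forest's highest-privilege
# groups against a small-headcount threshold and a separate-admin-ID naming
# convention. Assumes the RSAT ActiveDirectory module and forest-wide read access.
function Get-DomainNameFromDn {
    # CN=x,OU=y,DC=child,DC=corp,DC=com  ->  child.corp.com
    param([string]$Dn)
    return (($Dn -split ',DC=' | Select-Object -Skip 1) -join '.')
}

function Get-PrivilegedMemberReport {
    param(
        [int]$MaxExpected = 5,            # assumption: joe's "3-5 EA/DA" guidance as the alert threshold
        [string]$AdminIdPattern = '^\$'   # assumption: admin IDs start with '$' (jricha34 -> $jricha34)
    )
    $forest = Get-ADForest

    # Enterprise Admins and Schema Admins exist only in the forest root domain;
    # Domain Admins and the built-in Administrators group exist in every domain.
    $targets = @(
        [pscustomobject]@{ Group = 'Enterprise Admins'; Domain = $forest.RootDomain },
        [pscustomobject]@{ Group = 'Schema Admins';     Domain = $forest.RootDomain }
    )
    foreach ($d in $forest.Domains) {
        $targets += [pscustomobject]@{ Group = 'Domain Admins';  Domain = $d }
        $targets += [pscustomobject]@{ Group = 'Administrators'; Domain = $d }
    }

    foreach ($t in $targets) {
        # -Recursive flattens nested groups so that nesting cannot hide a member.
        $users = Get-ADGroupMember -Identity $t.Group -Server $t.Domain -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                # Resolve each account against its own domain: members of a root
                # domain group may be accounts from a child domain.
                Get-ADUser -Identity $_.distinguishedName `
                           -Server (Get-DomainNameFromDn $_.distinguishedName) `
                           -Properties Enabled
            } | Sort-Object distinguishedName -Unique

        $nonConforming = @($users |
            Where-Object { $_.Enabled -and $_.SamAccountName -notmatch $AdminIdPattern } |
            Select-Object -ExpandProperty SamAccountName)

        [pscustomobject]@{
            Domain        = $t.Domain
            Group         = $t.Group
            MemberCount   = @($users).Count
            OverThreshold = (@($users).Count -gt $MaxExpected)
            NonConforming = ($nonConforming -join ', ')
        }
    }
}

Get-PrivilegedMemberReport | Format-Table -AutoSize -Wrap
```

A row with OverThreshold true is the "tens or hundreds of admins" situation joe describes; a non-empty NonConforming column is an enabled account sitting in a top group under a normal-user name. Since Al's earlier reply notes that the step from DA to EA is a group membership change, the same report run on a schedule and diffed against the previous run gives a simple detection for that change, independent of the DC audit log.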

RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread joe



Yep yep. Good arguments for standardization of OU hierarchy 
and overall automated management of the OU's. :)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Friday, September 15, 2006 10:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

I hear you joe. I think it depends upon the environment and 
its goals. I'm generally against implicit stuff like blocking flags because it's 
hard for people to troubleshoot. I'm also not terribly thrilled with the notion, 
in large environments, of having to manage 10s or 100s of gPLinks and their 
attendant flags (enabled, disabled, enforced) separately when the target is the 
entire domain anyway, esp. if you have lots of nested OUs because then you have 
to expect people to make consistent decisions about where in the hierarchy they 
need to link, and over time, it just gets messy. But frankly security group 
filtering can suffer the same complexity problems and groups are probably less 
well maintained than OU structure in most orgs. I think security group filtering 
is best used as an exception mechanism rather than a normal course of things. As 
an exception mechanism, I tend to prefer it over blocking or enforcing. 


d.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 15, 2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

For a point / counter point kind of discussion. I am 
against, generally speaking[1], group filtering on GPOs as I have seen it go 
horribly wrong[2] and would rather look at putting the links on the OUs. I don't 
find that to be a particularly painful task, especially considering that I 
usually push for a very fixed OU structure such that when a new site or what not 
is spun up, there is a script that sets the entire OU structure up including 
needed admin groups, any delegation, and any gPLinks. 

 joe


[1] Meaning I am not absolutely against it but it needs to 
be a great reason. Say something for auto deploying certs and you have no 
matching OU structure for the deployment you want to implement. 


[2] Once saw an ACL reset on GPOs when a script that 
worked perfectly in the lab blew up in production and the resultant set of 
policies was a completely locked down kiosk that was applied to 
hundreds of thousands of users and machines (both workstations and servers) 
across the world. Thankfully it occurred on a Wednesday evening 6PM EST so the 
fallout was not 100% but mostly only on the west coast of the US and 
Australia/New Zealand. Nope, I didn't write the script. ;o) I have seen 
lesser issues and heard of some other folks who have run into some fun with 
them. 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, September 15, 2006 6:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

Yes, but there are times when you want to affect all 
machines or users in a domain and it's a pain to have to link those policies to 
every OU. Domain-linked GPOs are useful but you do have to be explicitly aware 
of what you're targeting. That's why I like using explicit security group 
filtering rather than implicit blocking or enforcing. It's easier to troubleshoot 
(esp. on Win2K without RSOP). 

Darren



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Friday, September 15, 2006 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

It seems to me that a better solution is to only put the 
password policy into the default domain GPO, and create a separate GPO for any 
other settings to apply to the OUs. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, September 15, 2006 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Block Inheritance on DC OU
Well at one of the customers, they have around 10 to 15 GPOs applied 
at domain level, for various purposes ranging from software deployment to other 
settings. So they didn't want many of those GPOs to be applied to domain 
controllers. Above that, they have "block inheritance" enabled at various 
sub-OU levels. So the only thing we could come up with to achieve what we 
wanted was to:
1) Block policy at DC OU
2) Create Password Policy at Domain level and enforce it.
This helped for keeping a consistent password policy across all OUs and Domain, 
and also "saving" DCs from domain level general purpose GPOs. Long term, the soln 
is to rethink the OU structure.

Kamlesh

On 9/13/06, Darren Mar-Elia [EMAIL PROTECTED] wrote: 

  Well, the obvious effect is that it prevents domain-linked policies from being delivered 
  correctly, including password policy. 

RE: [ActiveDir] splitting a domain into two

2006-09-15 Thread joe



First impression: Yuck.

The main thing that caught my attention is the "migrate 
into a corporate domain at a later time". I assume you mean both of these 
"separated" domains would be migrated? If so, how do you plan to do the 
migration? You won't be able to have name res for the trusts, even if you could 
you would most likely run into SID issues if you maintained SID History. 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, September 15, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] splitting a domain into two
Dear All,

Scenario: Single regional domain, two sites, both sites having separate links to 
the Internet and direct WAN connectivity with each other. AD Integrated DNS.
site1: 300 users
site2: 400 users

Now, due to restructuring, they have decided to get rid of the WAN link joining 
the two sites immediately, as both sites will have separate individual WAN 
connectivity with some corporate hub site. And this domain will be migrated to 
the corporate domain in due course.

The problem here is the WAN connectivity to the hub site will be commissioned at 
different times (one month apart) and they want to get rid of the WAN link 
joining site1 with site2 NOW. Other problems like mail access and stuff will be 
handled thru' the Internet link.

Now the issue is, what to do about the AD domain, as the DCs will lose direct 
network connectivity?

Solutions we are looking at are:
1) Migrate one of the locations into a separate domain, and thus break the 
dependence of both sites on a single domain.
2) Just break the network link as requested, and (here comes the crummy part :) 
instead of migrating one of the sites to a new domain, you just split the domain 
into two isolated networks, where each site DC will think it is the only DC 
handling all the stuff for that domain. Basically:
1) break the link
2) point the DCs to themselves for DNS
3) seize all the roles
4) do metadata & DNS cleanup of the other DC
Net result: each DC believes it owns the domain. Just make sure they don't talk to 
each other directly ever.

Now, any foreseeable issues with the 2nd approach? Please don't include layer 8 
issues ;), I am purely looking at technical feasibility and precautions if we go 
ahead.

-- 
Kamlesh
~ Short-term actions X time = long-term accomplishments. ~


RE: [ActiveDir] Replication Metadata

2006-09-15 Thread joe
;o) 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, September 15, 2006 1:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

Don't you mean,

If vbscript Then : you want the XML versions : End If

Sorry, bad joke

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 14, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

Yep, if vbscript you want the XML versions...

You should be able to do this in an hour You just need to pick the
right
hour. ;o) 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Thursday, September 14, 2006 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

That's great info; thanks joe.  I'll take a look at
msDS-ReplValueMetaData and msDS-ReplAttributeMetaData.  I'm trying to do
this in a vbscript and avoid getting into any compiled solutions.  I
told my boss I could do this in an hour because I thought I could just
use IADsTools, oopsie. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 14, 2006 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

I doubt that IADsTools was updated. They seemed to be trying to kill
that as
far back as 2001. I think it was someone's pet project and they went to
another petting zoo to work... I know I found some time issues in it
back
then and some more later that I tried to get corrected and was wholly
unsuccessful on both occasions.

But the answer is... There is additional metadata available now for
looking
at value level changes. The way IADsTools was probably getting the info
(this is a guess, never saw the code) is through the attribute
replPropertyMetaData but it very well could have been using the RPC
based
API call DsReplicaGetInfo. 

Probably the simplest mechanism to use now are the attributes
msDS-ReplAttributeMetaData and msDS-ReplValueMetaData which by default
will
return XML strings with the data. If you are equipped to handle it, you
can
instead make the calls much faster and pass less data on the wire by
asking
for the binary versions of those attributes by appending the ;binary
modifier. 

If you want to write DC API based code, you can use DsReplicaGetInfo2.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, September 08, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Metadata

I'm using Robbie Allens example for using IADSTools.DCFunctions to read
group object meta data.  I just realized that now that we've upgraded to
2003 I can no longer look at the member last changed field to determine
when group membership last changed.

I know that RepAdmin can look at the individual group changes so there
must be some updated API that I can use to do the same thing, I just
can't seem to find it.

Can anyone point me in the right direction?

Thanks 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
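The msDS-ReplValueMetaData attribute joe points Joseph at comes back as one XML document per linked value, and the question in the thread (when did this group's membership last change, now that "member last changed" is gone on 2003) is answered by the ftimeLastOriginatingChange and ftimeDeleted elements in those documents. The following is an added example for this thread, not code from the list or from joeware: the three XML strings are constructed samples in the DS_REPL_VALUE_META_DATA shape a DC returns, standing in for an LDAP read of a group object. The parser treats a link whose ftimeDeleted is still the 1601 epoch as a live member and a link with a real deletion time as a removal, so the "last change" it reports includes removals, which the live membership list alone would never show.

```python
"""Work out when a group's membership last changed from msDS-ReplValueMetaData.

Added example for this thread (not code from the list or from joeware). A DC
returns msDS-ReplValueMetaData as one XML string per linked value; the three
strings below are constructed samples in that shape, standing in for what an
LDAP read of a group object would return.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Value-level metadata marks a link that was never removed with the 1601 epoch.
NEVER = "1601-01-01T00:00:00Z"


def _value_xml(dn, created, changed, version, usn, deleted=NEVER):
    """Build one constructed DS_REPL_VALUE_META_DATA document (sample data only)."""
    return (
        "<DS_REPL_VALUE_META_DATA>"
        "<pszAttributeName>member</pszAttributeName>"
        f"<pszObjectDn>{dn}</pszObjectDn>"
        "<cbData>0</cbData>"
        f"<ftimeDeleted>{deleted}</ftimeDeleted>"
        f"<ftimeCreated>{created}</ftimeCreated>"
        f"<dwVersion>{version}</dwVersion>"
        f"<ftimeLastOriginatingChange>{changed}</ftimeLastOriginatingChange>"
        "<uuidLastOriginatingDsaInvocationID>b1d2a8c0-0000-4000-8000-000000000001"
        "</uuidLastOriginatingDsaInvocationID>"
        f"<usnOriginatingChange>{usn}</usnOriginatingChange>"
        f"<usnLocalChange>{usn}</usnLocalChange>"
        "<pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,"
        "CN=Sites,CN=Configuration,DC=test,DC=loc</pszLastOriginatingDsaDN>"
        "</DS_REPL_VALUE_META_DATA>"
    )


# Constructed sample: alice and carol are current members; bob was removed on 14 Sep.
SAMPLE_VALUES = [
    _value_xml("CN=alice,OU=Users,DC=test,DC=loc", "2006-09-01T10:00:00Z",
               "2006-09-01T10:00:00Z", 1, 1001),
    _value_xml("CN=bob,OU=Users,DC=test,DC=loc", "2006-09-05T09:30:00Z",
               "2006-09-14T22:31:00Z", 2, 1407, deleted="2006-09-14T22:31:00Z"),
    _value_xml("CN=carol,OU=Users,DC=test,DC=loc", "2006-09-10T08:15:00Z",
               "2006-09-10T08:15:00Z", 1, 1210),
]


def _ts(text):
    """Timestamps in the XML are UTC in the form 2006-09-14T22:31:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_value_metadata(xml_text):
    """Return the fields that matter for 'who changed membership, and when'."""
    root = ET.fromstring(xml_text)
    return {
        "attribute": root.findtext("pszAttributeName"),
        "dn": root.findtext("pszObjectDn"),
        "version": int(root.findtext("dwVersion")),
        "last_change": _ts(root.findtext("ftimeLastOriginatingChange")),
        "removed": root.findtext("ftimeDeleted") != NEVER,
        "originating_dsa": root.findtext("pszLastOriginatingDsaDN"),
        "usn": int(root.findtext("usnOriginatingChange")),
    }


def current_members(values):
    """Links whose ftimeDeleted is still the 1601 marker are the live members."""
    return [v["dn"] for v in map(parse_value_metadata, values) if not v["removed"]]


def membership_last_changed(values):
    """Most recent originating change across all links, removals included.

    Returns (timestamp, member DN, 'added'/'removed', originating DSA DN).
    """
    latest = max(map(parse_value_metadata, values), key=lambda v: v["last_change"])
    action = "removed" if latest["removed"] else "added"
    return latest["last_change"], latest["dn"], action, latest["originating_dsa"]


if __name__ == "__main__":
    when, who, what, where = membership_last_changed(SAMPLE_VALUES)
    print(f"{who} {what} at {when.isoformat()} on {where}")
    print("current members:", current_members(SAMPLE_VALUES))
```

The originating DSA DN and USN are kept in the parsed record because, once you know something changed, the next question is usually which DC it was written on; and as joe notes, appending ;binary to the attribute name returns the same data in the binary DS_REPL_VALUE_META_DATA layout instead of XML, which is faster but needs a struct parser rather than this one.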


Re: [ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Joe Kaplan
In addition to what everyone else has said, if there is an issue with SSL in 
Windows, you almost always get an error from schannel in the System event 
log on the machine that rejected the connection that explains exactly what 
the problem is (if you can figure out what it is telling you).


For example, if the problem is really an issue with the cert name not 
matching the URL host name, schannel will give you an error 0x80090322, 
which translates to "the target principal name is incorrect".  The details 
of the error will contain the certificate, which looks like a bunch of 
binary crap (it is), but probably contains readable strings containing the 
cert name.  You can usually deduce from there.


Another thing that is often helpful with SSL issues, especially if HTTPS is 
involved, is just to point IE at the same site.  If IE gives you a warning, 
the warning details will tell you exactly what the problem is in a 
friendlier way.  Warning in IE typically translates to failure when SSL 
is done programmatically, as most code errs on the side of caution and 
simply fails if everything isn't ok.  Also, the APIs that allow you to 
ignore the warnings are often not exposed anyway.  For example, ADSI and 
.NET S.DS don't allow you to ignore SSL/LDAP problems, but LDAP API and 
System.DirectoryServices.Protocols (.NET 2.0) do.  The LDAP error in this 
case is just server not operational, which isn't too helpful.


Sometimes the IE trick doesn't work because IE and the code having the 
problem are executing in different security contexts/user profiles, so they 
have different configurations for certificate stores and private keys, but 
that should not be the issue with client code running in Outlook.


Ironically, I know that error code by heart (at least for this week) because 
I had that exact problem with an LDAP app earlier this week.  Apparently, 
someone had created a hosts file entry on one of two servers in a load 
balanced cluster that had the wrong IP address for one of our DCs. 
Nevermind that DNS resolved the name just fine, suggesting that the host 
file was not needed (beyond being a really bad idea in general).  Luckily, 
I've had so much fun with SSL on Windows over the years that I know most of 
the rules by heart now.  What took me an hour to troubleshoot had a medium 
sized team stymied for a few weeks.  :)  It is in this spirit that I try to 
provide as much detail here as I can.


Some other common SSL problems are cert expired, cert not yet valid and cert 
cannot be trusted.  Another can of worms is introduced if CRLs are checked 
(which we just discussed a little while ago).  A huge can of worms opens up 
when client certificates are involved.


Joe K.

- Original Message - 
From: Akomolafe, Deji

To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 8:18 PM
Subject: RE: [ActiveDir] RPC Over HTTPS Problem


In addition to what Robert is saying, take a look at 
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/0849cb53-f1f9-419b-bb74-82bc010e247f.mspx?mfr=true


There are many things that can be responsible for this failure, and you need 
to selectively eliminate each.



Sincerely,
  _
 (, /  |  /)   /) /)
   /---| (/_  __   ___// _   //  _
) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
  (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about 
Yesterday? -anon




From: Robert Rutherford
Sent: Fri 9/15/2006 5:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RPC Over HTTPS Problem


Hi Ravi,

The certificate does need to match the name of the site... i.e.
mail.comp.com . If it doesn't then it won't work. There are numerous
reasons why it fails but that is the first.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331
F:+44 (0) 8456 440 332
M:+44 (0) 7974 249 494
E:[EMAIL PROTECTED]
W:www.quostar.com




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 16 September 2006 01:36
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] RPC Over HTTPS Problem

Hi Bob,

Can you please explain how it should be. because i think i have
something wrong here related to certificate.

Thanks
Ravi Dogra


On 9/16/06, Robert Rutherford [EMAIL PROTECTED] wrote:

The usual issue with that is that the url you are connecting to matches
the name on the cert.

This must match on internal and external, i.e. you must use split brain
or you must config your firewall to accept that connection on the WAN
interface.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331
F:+44 (0) 8456 440 332
M:+44 (0) 7974 249 494
E:[EMAIL PROTECTED]
W:www.quostar.com




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On 
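Joe K. lists the usual certificate failures (name mismatch, expired, not yet valid, untrusted) and Rob's point is that the name on the cert must match the host name the client connects to, internally and externally. The following is an added example for this thread, not code from any of the posters: it applies those checks to a constructed description of a certificate (the fields, the issuer name and the trust-store contents are all hypothetical) so the name-matching rule in particular is visible, including the wildcard cases that trip people up: a `*.comp.com` cert covers `mail.comp.com`, but not `comp.com` and not `a.mail.comp.com`, and SAN dNSName entries take precedence over the CN.

```python
"""Classify the common TLS certificate failures from the thread the way a
client-side validator does: wrong principal (name mismatch), not yet valid,
expired, untrusted. Added example for this thread; it works on a constructed
description of a certificate rather than a parsed X.509 blob, and the trust
store is a hypothetical set of issuer names.
"""
from datetime import datetime, timezone


def utc(year, month, day):
    """Timezone-aware UTC timestamp helper used by the samples and checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed description of an RPC-over-HTTPS front-end certificate.
SAMPLE_CERT = {
    "cn": "mail.comp.com",
    "san_dns": ["mail.comp.com", "autodiscover.comp.com"],
    "issuer": "CN=Corp Issuing CA",          # hypothetical issuer name
    "not_before": utc(2006, 1, 1),
    "not_after": utc(2007, 1, 1),
}
TRUSTED_ISSUERS = {"CN=Corp Issuing CA"}     # hypothetical trust store contents


def hostname_matches(hostname, names):
    """RFC 6125-style match: case-insensitive; '*' only as the whole leftmost
    label, matching exactly one label (so *.comp.com covers mail.comp.com but
    neither comp.com nor a.mail.comp.com)."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                      # ".comp.com"
            head = host[:-len(suffix)] if host.endswith(suffix) else ""
            if head and "." not in head:
                return True
        elif name == host:
            return True
    return False


def certificate_names(cert):
    """SAN dNSName entries take precedence; the CN is consulted only when there are none."""
    return cert.get("san_dns") or [cert["cn"]]


def check_certificate(cert, hostname, now, trusted_issuers):
    """Return the list of problems a strict client would fail the connection on.

    An empty list means the certificate is acceptable for this host at this time.
    The labels mirror the failures discussed in the thread; 'wrong principal' is
    the case schannel reports as 0x80090322.
    """
    problems = []
    if not hostname_matches(hostname, certificate_names(cert)):
        problems.append("wrong principal")
    if now < cert["not_before"]:
        problems.append("not yet valid")
    if now > cert["not_after"]:
        problems.append("expired")
    if cert["issuer"] not in trusted_issuers:
        problems.append("untrusted")
    return problems


def check_endpoints(cert, hostnames, now, trusted_issuers):
    """Rob's rule applied to every name clients use (internal and external)."""
    return {h: check_certificate(cert, h, now, trusted_issuers) for h in hostnames}


if __name__ == "__main__":
    for host, problems in check_endpoints(
        SAMPLE_CERT, ["mail.comp.com", "exch01.corp.local"], utc(2006, 9, 15), TRUSTED_ISSUERS
    ).items():
        print(host, "->", problems or "ok")
```

As Joe K. says, code errs on the side of caution: any non-empty problem list is a hard failure for ADSI and S.DS, and the browser warning you would see for the same site is the friendlier rendering of the same list. The check_endpoints helper is there because a cert that passes for the external name and fails for the internal one is exactly the split-brain situation Rob describes.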

RE: [ActiveDir] Slightly OT: Modifying AD vbscript

2006-09-15 Thread joe



However this isn't a query, it is an enumeration, no 1000 
record limit here... 

There could be various issues. I don't code in vbscript 
enough to catch issues at a glance especially with recursive functions which can 
introduce nice oddities. The OP doesn't indicate the number of users he 
considers "too high" but if there were a rollover going on, it would be quite 
odd if the count actually resulted in zero versus some other positive or 
negative number which you normally get with integer overflow. 


My recommendation would be to add in what are called debug 
or trace statements which simply output status generously that tell you the 
count every time it is updated as well as info about when a new OU is being 
opened up. More than likely, you will see the code dumping out at some 
point. 

Writing this as an ADO query would be substantially faster 
over enumeration and recursion. 

And if you are curious... :o)

adfind -default -f "(&(samaccounttype=805306368)(description=Blue Bell))" -c


 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Slightly OT: Modifying AD vbscript
You are almost assuredly running 
into the default return limit of 1000 items. AD queries will only return that 
many items per query by default. In order to retrieve more information you need 
to use paging. I personally use SQL style syntax because I know SQL and that is 
what the MS script center has available for learning. Therefore the relevant 
code for me is objCommand.Properties("Page Size") = 1000, I am unsure how you 
would modify your query to use paging, perhaps someone else can chime in with 
the syntax needed. Thanks, 
Andrew Fidel 

From: "Alex Alborzfard" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 09/15/2006 12:28 PM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Slightly OT: Modifying AD vbscript

I'm sure this can be done more elegantly with joeware's 
tools or others, but in the spirit of learning, I whipped up this primer 
vbscript with the help from a site. What I want to do is to modify it, so it can count # of employees in each 
location and output it to a simple text/csv file. In our AD, we enter the location name in the Description 
field. Also when the number is 
too high, the script doesn't return anything. I think I have to change the 
variable type of intCounter to something that can hold bigger values, 
but don't know what. Can someone take a look and help me or give me pointers? 

TIA
Alex 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Wednesday, September 13, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

What is the largest environment WSUS can be deployed effectively? At what point 
are you better off going with something like Shavlik or Patchlink? What do they 
give you that WSUS doesn't? 

We're trying to put in place a patch management solution for a company that's 
midsize (~1700 users), but with offices scattered all over the world. But we're 
not sure how to architect the whole thing (how many servers, layers, and where; 
what's the cutoff point: bandwidth, # of users?). 

The other issue is the industry we're in: healthcare. We're constantly audited 
and for every single task we have to test, write validation and justification. 
So we're not sure how we can do this, with so many patches MS puts out every 
Tuesday, without going insane! And this is just for desktops; servers are a 
whole different ball of wax. 

Anybody out there had to deal with similar issues? 

Alex 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, September 11, 2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I use WSUS for patching in some decent size places. My strategy has been to 
combine a variety of free products into a single system; I've gotten good at it 
and I've also written glue when I need to. My overall feeling is that I get more 
flexibility just gluing things together than with a single baked product. 

Thanks, 
Brian Desmond 
[EMAIL PROTECTED] 

c - 312.731.3132 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Monday, September 11, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I agree with Brian that Ghost does tend to be the front runner for imaging 
(IMHO).. I've tested and used many 
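Going back to the "Modifying AD vbscript" discussion at the top of this message: Andrew's diagnosis is the default 1000-entry return limit on AD queries, fixed by paging (the ADO `Page Size` property he mentions), joe's is that a recursive enumeration has no such limit and that a single ADO query would be faster anyway, and Alex's actual goal is a per-location count from the Description field written to a CSV. The following is an added example for this thread, not code from the list, and it is not ADSI/ADO code: the "directory" is a constructed in-memory stand-in for an LDAP server that enforces the default MaxPageSize of 1000, so it shows why an unpaged search silently stops at 1000 and what the paged-results cookie loop that `Page Size` turns on actually does, then builds the count Alex wants over the complete result set.

```python
"""Why an unpaged AD query stops at 1000 entries, how paging gets the whole
set, and the per-location count from Description that Alex is after.

Added example for this thread (not ADSI/ADO code from the list). The server
side below is a constructed simulation of a DC's default MaxPageSize policy
and of the Simple Paged Results control (RFC 2696); real cookies are opaque
blobs, not offsets.
"""
from collections import Counter

MAX_PAGE_SIZE = 1000  # default LDAP policy MaxPageSize on a DC


def make_directory(n_users):
    """Constructed sample data: users whose Description holds a site name."""
    sites = ["Blue Bell", "Austin", "Reading"]
    return [{"sAMAccountName": f"user{i:05d}", "description": sites[i % 3]}
            for i in range(n_users)]


def unpaged_search(directory):
    """Search without the paged-results control: the server returns at most
    MaxPageSize entries and then signals sizeLimitExceeded; the rest never arrive."""
    return directory[:MAX_PAGE_SIZE]


def server_page(directory, page_size, cookie):
    """One round trip of the paged-results control. The server caps the page at
    MaxPageSize and returns an empty (None) cookie when nothing is left."""
    page_size = min(page_size, MAX_PAGE_SIZE)
    page = directory[cookie:cookie + page_size]
    next_cookie = cookie + page_size if cookie + page_size < len(directory) else None
    return page, next_cookie


def paged_search(directory, page_size=1000):
    """Client side of paging: keep re-issuing the search with the cookie the
    server handed back until the cookie is empty. This is the loop that
    objCommand.Properties("Page Size") makes ADO run for you."""
    results, cookie = [], 0
    while cookie is not None:
        page, cookie = server_page(directory, page_size, cookie)
        results.extend(page)
    return results


def count_by_location(entries):
    """Number of users per Description value (the location name in Alex's AD)."""
    return Counter(e["description"] for e in entries)


def to_csv(counts):
    """Rows like 'Blue Bell,834', sorted by location, ready to write to a file."""
    return "\n".join(f"{loc},{n}" for loc, n in sorted(counts.items()))


if __name__ == "__main__":
    directory = make_directory(2500)
    print("unpaged:", len(unpaged_search(directory)), "entries")   # stops at 1000
    print("paged:  ", len(paged_search(directory)), "entries")     # all 2500
    print(to_csv(count_by_location(paged_search(directory))))
```

The point the simulation makes concrete is that the unpaged count is not an error you see: the client just gets 1000 entries and a result code most scripts ignore, so per-location totals computed from it are quietly wrong, whereas the paged loop returns every entry regardless of the page size chosen.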

RE: [ActiveDir] seeAlso

2006-09-15 Thread joe
I generally try to dissuade folks from pillaging the base schema
attributes... While MSFT may not be using them now it doesn't mean that
later they won't start and you could be stuck in a difficult position.
Creating a new attribute is relatively painless if you follow the basic
rules, get an OID and properly register a prefix, and be sure of the
capability you want when you define it. Schema updates are not dangerous,
poorly planned and executed schema updates are dangerous.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, September 05, 2006 6:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] seeAlso

Does anyone know if the seeAlso attribute is used by any specific
application or is it up for grabs?  I'm thinking about using it to store
an alternate contact for a user.


RE: [ActiveDir] Is a Global Security group being used?

2006-09-15 Thread joe
Yep, as sucky a method as it is, it is something that has been floating 
around as *a* method for years and years to work out the Windows security 
related uses. I know I started mentioning it to folks once I noticed 
non-security groups maintained their SID. I find causing temporary easy to 
reverse pain much more desirable than deleting it and finding slightly longer 
lived pain.  

For the general question though, actually chasing down everywhere a group is 
used is a tremendously difficult task and I am not aware of any tool that can 
do it for every single possible use. The solution is truly to have very good 
process around the use of groups and a tight support definition around their 
use. This is one of the reasons why I like local and domain local resource 
groups, the scope is naturally limited. 

So, you may ask where all can the groups be used? The answer is anywhere that a 
SID or a DN can be specified. To name a few...

1. Windows Security Descriptors - this includes any kernel securable objects 
that can accept a security descriptor as well as many other objects that have 
customized ACL-like definitions like the customSD for event logs. A partial 
list of the official securable objects off the top of my head:
O Active Directory Objects
O SAM Objects (users and groups on member machines) 
O File System Objects (files/directories)
O Threads/Processes
O Synchronization objects (mutexes, events, semaphores, timers)
O Job Objects
O Network shares
O Printers
O Services 
O As of 2003 SP1 the Service Control Manager itself
O Registry keys
O Windows Desktops and Windows Stations
O Access tokens
O File Mapping objects
O Pipes (named or anonymous)

Basically anything that allows you to pass in a SECURITY_ATTRIBUTES structure 
when creating the object plus more 

2. Microsoft supplied Windows based applications. This includes things like 
ADAM, SQL Server, Exchange, SharePoint, etc etc etc ad nauseum. 

3. Third party applications that run on Windows and were written properly to 
take advantage of Windows security. This list could be long and wide, there are 
hundreds of thousands of Windows applications out there.

4. Third party applications that run on Windows and were written incorrectly to 
take advantage of Windows security. These apps don't use Windows security 
descriptors, they use custom security structures but rely on SIDs or GUIDs (if 
they are smart) or names or DNs otherwise. 

5. Ditto #4 but running on non-Windows platforms. 

6. Applications that use the groups for something other than security. For 
instance an IM app that uses groups for contact lists or an email app using 
groups for mail distribution. 

Numbers 3-6 are exceptionally hard to trace because in all but limited cases, 
it is pretty much guaranteed no well known well used interface is available to 
enumerate this info. You are completely dependent on how well you understand 
your environment and how well you know the underpinnings of what is running in 
that environment.

7. Any attribute in AD or ADAM or in fact any directory that takes a DN, GUID, 
Text, or SID. As an example here, in an Exchange/LCS enabled R2 Forest there 
are 195 DN NON-Backlink type attributes alone, roughly 20 SID attributes, who 
knows how many GUID attributes (they aren't marked as GUIDs, you get to 
guess...), hundreds of string types, etc. 

8. Cross forest uses which are represented through FSPs in the foreign forests. 

9. Privileges/Rights (in GPOs or security policy files)


This is just the stuff I can think of off the top of my head between writing 
this and smoothing out the moving parts in AdMod for general release. I am sure 
there is more. It is something that I have sat down and thought about multiple 
times through the years and have code in various stages of development to try 
and generate reports or running databases of the current use of security 
principals. If anyone tells you they can give you a comprehensive list and you 
have anything but the simplest Windows only environment which is well locked 
down by process/procedure (i.e. you don't even need the list) you can probably 
assume they are trying to sell you the moon or they don't actually understand 
the scope of the issue. I would generally assume the latter because there are 
quite a few folks who think they understand Windows security that really 
don't[1]. I often am not sure if I understand it. :)

  joe

[1] Try not to attribute to malice that which is adequately ascribed to 
ignorance. ;)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Parker
Sent: Thursday, September 07, 2006 12:08 PM
To: ActiveDir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

We met with the Microsoft Identity and Access Management product group recently 
and this was mentioned as the method used internally.

Patrick


Patrick
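joe's answer to "where can a group be used" is "anywhere a SID or a DN can be specified", and his items 1, 7 and 9 (security descriptors, DN-valued directory attributes, privilege assignments) are the ones that can actually be enumerated through well-known interfaces. The following is an added example for this thread, not joe's AdMod code or anything from the list: it inventories references to one group across constructed samples of exactly those three kinds of data, looking for the group's SID in the account field of each SDDL ACE and in secedit-style privilege lines, and for its DN in attribute values. Every SID, DN, path and SDDL string is constructed. The scan says nothing about items 3 to 6 (application-private security stores, contact lists, distribution use), which is joe's point about why no tool is comprehensive and why a group that "looks unused" in this output may still be in use.

```python
"""Inventory where a group is referenced in the places joe's items 1, 7 and 9
cover: security descriptors (by SID), DN-valued directory attributes (by DN)
and privilege assignments (by SID).

Added example for this thread, not joe's AdMod code. Every SID, DN, path and
SDDL string below is constructed sample data.
"""
import re

GROUP_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"   # constructed
GROUP_DN = "CN=App Operators,OU=Groups,DC=test,DC=loc"          # constructed
OBJECT_GUID = "11111111-2222-3333-4444-555555555555"            # constructed object-ACE GUID

# Constructed: securable object -> its SDDL string (item 1).
SAMPLE_SDDL = {
    r"\\fs1\apps (share)": "O:BAG:DUD:(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;" + GROUP_SID + ")",
    r"HKLM\SOFTWARE\App (key)": "O:BAG:SYD:(A;CI;KR;;;BU)(A;CI;KA;;;" + GROUP_SID + ")",
    "AppSvc (service)": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)",
    "CN=App Servers,OU=Groups,DC=test,DC=loc (AD object)":
        "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
        "(OA;;RP;" + OBJECT_GUID + ";;" + GROUP_SID + ")",
}

# Constructed: DN -> {attribute: [values]} for DN-valued attributes (item 7).
SAMPLE_ATTRIBUTES = {
    "OU=Servers,DC=test,DC=loc": {"managedBy": [GROUP_DN]},
    "CN=Helpdesk,OU=Groups,DC=test,DC=loc": {"member": ["CN=bob,OU=Users,DC=test,DC=loc"]},
}

# Constructed: [Privilege Rights] lines in secedit .inf syntax (item 9).
SAMPLE_PRIVILEGES = [
    "SeBackupPrivilege = *S-1-5-32-551,*" + GROUP_SID,
    "SeInteractiveLogonRight = *S-1-5-32-544",
]

ACE_RE = re.compile(r"\(([^()]*)\)")   # plain and object ACEs; conditional ACEs (nested parens) are skipped


def sids_in_sddl(sddl):
    """Account SID of every ACE: the sixth ';'-separated field of an ACE string,
    for plain (A;flags;rights;;;sid) and object (OA;flags;rights;guid;guid;sid)
    ACEs alike. Well-known aliases such as BA or DA appear in that slot too."""
    return [ace.split(";")[5] for ace in ACE_RE.findall(sddl) if ace.count(";") >= 5]


def find_group_references(sid, dn, sddl_map, attributes, privilege_lines):
    """Return (where, how) pairs for every reference found in the three sources."""
    hits = []
    for obj, sddl in sddl_map.items():
        if sid in sids_in_sddl(sddl):
            hits.append((obj, "ACE in security descriptor"))
    for obj, attrs in attributes.items():
        for attr, values in attrs.items():
            if any(v.lower() == dn.lower() for v in values):     # DNs compare case-insensitively
                hits.append((obj, f"DN in {attr}"))
    for line in privilege_lines:
        name, _, members = line.partition("=")
        if sid in {m.strip().lstrip("*") for m in members.split(",")}:
            hits.append((name.strip(), "privilege assignment"))
    return hits


if __name__ == "__main__":
    for where, how in find_group_references(GROUP_SID, GROUP_DN, SAMPLE_SDDL,
                                            SAMPLE_ATTRIBUTES, SAMPLE_PRIVILEGES):
        print(f"{how:30} {where}")
```

In a real environment the SDDL map would be fed from whatever can export security descriptors for each object class joe lists (files, registry, services, AD objects), the attribute map from an LDAP search for the DN across the DN-syntax attributes he counts, and the privilege lines from the security templates or GPOs in force; the lookup logic stays the same. The output is a starting inventory for the "convert it to a distribution group and see what breaks" test, not a replacement for it.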