RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)
Your last statement is true but then if routers restrict BOOTP traffic as I describe, then the rogue DHCP server will only affect the VLAN on which it exists. At least that way, you've reduced the impact.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 08 January 2007 17:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

Hi, Neil!!

That's another thing I'll have to look into :) I am aware that it's possible to do DHCP-proxy to pass along the DHCP requests to the proper servers. That's something that will have to be done, as the client's network is split in different VLAN segments, and in multiple locations/sites, and they'd like to have a reduced number of DHCP servers.

But, useful and necessary as it is, this won't prevent a rogue/malicious DHCP server on the same LAN segment from playing havoc with the systems.

Thanks for the heads-up though.

Javier Jarava

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 08 January 2007 14:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

In addition to the below, routers can be configured to only forward BOOTP packets to/from 'authorised' DHCP servers.

neil
___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: 08 January 2007 13:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 08 January 2007 12:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

> Hi all!
>
> Just wondering, is there a way to prevent a rogue DHCP server from playing havoc with a network?
>
> I have been digging into DHCP security but I haven't really found anything that makes it possible to auth. a DHCP server, so that the clients don't fall for a rogue one. From what I've seen, the approach MS follows is that IF your DHCP server is Windows-based, you have to auth it on the Domain. That prevents the AD/infrastructure admins from shooting themselves in the foot by having too many/improperly configured servers.. But that won't stop a rogue VM from being a nuisance...
>
> I've found this problem in one of our customers' sites. They use static IP addressing, but we were setting up a few of their computers with a different sw load and configuration, and they wanted to use DHCP to make config changes more dynamic. When running on an isolated network segment, all was fine, but once we moved into their network (to do a pilot test) we found a DHCP server serving a range outside their own, and really messing things up.

You could try using DHCP classid. If you set it on your clients when you build them they will ignore anything with the wrong classid. I think you can also control via group policy.

> What's more, nmap'ing the server, it had a VMWARE-owned MAC and no open ports whatsoever (tcp/udp), at least that I could find. Strange ;)

Probably an XP system with the firewall on. A real pain to manage

> We managed to overcome the issue because the software load included an IP filtering component, so we decided to block UDP/67 and UDP/68 traffic from all IP addresses and only allow it for 255.255.255.255 and the IP address of the servers we were going to use...
> But using a whitelist is a bit of a PITA, so I was wondering if there was some other cleaner way to do it..
>
> Thanks a lot in advance
>
> Javier J

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
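The thread above asks how to find a rogue DHCP server as much as how to block one. The following is an added example, not code from any poster: it parses DHCP replies as a sniffer would hand them over (the UDP payload of traffic to port 68) and flags every OFFER, ACK or NAK whose Server Identifier (option 54) is not on an allow list of authorised servers. The allow-list addresses, the sample replies and the client MACs are constructed for the example. Because option 54 is filled in by the originating server and survives a DHCP relay, the same check works on a VLAN that reaches its servers through a relay, which is the layout Neil and Javier describe; the giaddr field then tells you which relay forwarded the offending reply.

```python
"""Flag DHCP replies whose Server Identifier is not an authorised DHCP server."""
import ipaddress
import struct

# Assumed allow list for the example: the DHCP servers the site actually runs.
AUTHORISED_DHCP_SERVERS = {"10.1.1.10", "10.1.1.11"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 options cookie at offset 236
BOOTREPLY = 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_TO_CLIENT = {"OFFER", "ACK", "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a DHCP message: RFC 2131 fixed header plus TLV options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops = struct.unpack_from("!4B", payload, 0)
    msg = {
        "op": op,
        "yiaddr": str(ipaddress.ip_address(payload[16:20])),  # address being handed out
        "giaddr": str(ipaddress.ip_address(payload[24:28])),  # relay agent, 0.0.0.0 if none
        "chaddr": payload[28:28 + hlen].hex(":"),             # client hardware address
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = msg["options"].get(OPT_MSG_TYPE, b"\x00")[0]
    msg["type"] = MSG_TYPES.get(mtype, "UNKNOWN")
    sid = msg["options"].get(OPT_SERVER_ID)
    msg["server_id"] = str(ipaddress.ip_address(sid)) if sid and len(sid) == 4 else None
    return msg


def find_rogue_servers(payloads, allowed=AUTHORISED_DHCP_SERVERS):
    """One finding per server-to-client message whose Server Identifier is not on the allow list.

    A reply with no option 54 at all is also reported: a conforming server always sets it.
    """
    findings = []
    for payload in payloads:
        msg = parse_dhcp(payload)
        if msg["op"] != BOOTREPLY or msg["type"] not in SERVER_TO_CLIENT:
            continue  # DISCOVER/REQUEST come from clients and identify no server
        if msg["server_id"] not in allowed:
            findings.append({"server": msg["server_id"], "type": msg["type"],
                             "offered": msg["yiaddr"], "client": msg["chaddr"],
                             "via_relay": msg["giaddr"] != "0.0.0.0"})
    return findings


def build_reply(server_ip, yiaddr, msg_type=2, client_mac="00:11:22:33:44:55", giaddr="0.0.0.0"):
    """Construct a minimal DHCPOFFER/ACK for the example; sample data, not a capture."""
    fixed = struct.pack("!4BIHH", BOOTREPLY, 1, 6, 0, 0x3903F326, 0, 0)   # op..flags, 12 bytes
    fixed += ipaddress.ip_address("0.0.0.0").packed                       # ciaddr
    fixed += ipaddress.ip_address(yiaddr).packed                          # yiaddr
    fixed += ipaddress.ip_address(server_ip).packed                       # siaddr
    fixed += ipaddress.ip_address(giaddr).packed                          # giaddr
    fixed += bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")  # chaddr
    fixed += b"\x00" * 192                                                # sname + file
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.ip_address(server_ip).packed
               + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


# Constructed sample "capture": two legitimate replies and one from a server nobody authorised.
SAMPLE_CAPTURE = [
    build_reply("10.1.1.10", "10.1.1.57"),
    build_reply("192.168.77.1", "192.168.77.20", client_mac="00:11:22:33:44:66"),
    build_reply("10.1.1.11", "10.2.2.30", msg_type=5, giaddr="10.2.2.1"),
]

if __name__ == "__main__":
    for f in find_rogue_servers(SAMPLE_CAPTURE):
        print("ROGUE DHCP %(type)s from %(server)s offering %(offered)s "
              "to %(client)s (relayed: %(via_relay)s)" % f)
```

The check deliberately ignores client-originated messages, since a DISCOVER or REQUEST carries no server identity. It is the detection counterpart of the filter the thread settled on (UDP/67 and UDP/68 allowed only to 255.255.255.255 and the authorised server addresses): the filter stops clients from accepting the rogue's lease, this tells you that the rogue exists and which relay or segment it is answering on.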
RE: [ActiveDir] DNS Comments
This is not a dynamic zone at all. The AD domains are all already integrated and dynamic and working. As far as the BIND merging, this is actually a bit of a cleanup/migration so it's going to require some custom scripting more than anything.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wells, James Arthur
Sent: Monday, January 08, 2007 9:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments

If there are enough deltas that aren't being made by Dynamic DNS, then I would suggest just looking into an IPAM solution like Infoblox or Bluecat. Either one can provide a management interface and BIND server that can then be merged with your existing zone through a number of API options...

--James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 08, 2007 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments

Integrated. They tell me they make a couple updates a day to the zone.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 08, 2007 7:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Comments

Weird name but they get good press. I haven't tried them myself, but I've heard of them. Most of the others out there tend to want to take over the DNS vs. provide tools. Personally, I'm a fan of setting it up well (design for success and all that) and using cli to manage so I haven't really researched after-market tools.

One thing that comes to mind: is this going to be integrated or traditional zone with primary and secondary configurations? How much maintenance is expected?

On 1/8/07, Brian Desmond [EMAIL PROTECTED] wrote:

What a weird name - thanks for the link

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 08, 2007 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments

I like these guys: http://www.miceandmen.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 08, 2007 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments

Well there hasn't been some sort of ruling on whether the existing BIND folks will get new tools or the AD team (which is very gui dependent) will take it over.

Are there any commercial tools you'd recommend I look at as far as management goes?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 07, 2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Comments

Backup a second - how do you plan to manage the zones? I ask because this might be a good time to re-evaluate the metadata concept of the zones. In BIND you see that information because of the way you manage the zone. In AD there is a different way to manage the zone information that doesn't include that information. If you decide to manage the zones the same way, then handle the comments the same way. If you decide to go GUI (often a shock for a real BIND techie and often doesn't last long) then consider using a CMDB-type of mechanism to record the metadata.

You may also consider some alternate tools to manage the DNS systems instead of the built in tools. Performance is pretty rough with the included anyway so it's not like you won't consider it later :)

This is a change in the way they do things. It deserves a change in the way they are used to doing things.

Al

On 1/5/07, Brian Desmond [EMAIL PROTECTED] wrote:

Does anyone on this DL have experience with this problem? I am working on potentially migrating numerous UNIX BIND zones to AD Integrated DNS. The BIND zones have various comments in them which go with the record. I believe the dnsNode class in AD supports a notes field or similar but the GUI doesn't. How do people manage metadata about their DNS zones?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] DNS Comments
Perhaps they see themselves as a strange mixture of brain and brawn, along the same lines as the Steinbeck book :)

http://en.wikipedia.org/wiki/Of_Mice_and_Men

neil
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 09 January 2007 01:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments

What a weird name - thanks for the link

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE : RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.
Oh, thanks Joe !

The command

    adfind -b DN_OU -f msExchMailboxSecurityDescriptor=* msExchMailboxSecurityDescriptor -sddl -adcsv

works fine. But when I add -resolvesids, as in

    adfind -b DN_MyOU -f msExchMailboxSecurityDescriptor=* msExchMailboxSecurityDescriptor -sddl -resolvesids -adcsv

it shows an error:

    ERROR: Bad Command Line Arg(s)
    ERROR: resolvesids

Thanks,
Yann

joe [EMAIL PROTECTED] wrote:

Yes it is a binary octet string, it is a normal security descriptor and can be manipulated like you would manipulate security descriptors in compiled apps normally. If you are scripting, then use adfind to dump the attribute with the -sddl+ or -sddl++ switches and if you want the SIDs and SDDL encoded secprins decoded use -resolvesids.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Monday, January 08, 2007 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

Hello,

I'd like to dump the msExchMailboxSecurityDescriptor attribute of a user object into readable format. It seems that the value is in binary blob format. Is there a way to do this ?

Thanks,
Yann
RE: [ActiveDir] Risks of exposure of machine account passwords
I agree with Joe, I trust very FEW things, or people, you don't meet my standards, sorry no access, it might be harsh, but it's a CYA measure.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 08, 2007 10:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Risks of exposure of machine account passwords

> You can't treat everyone inside your network like criminals or you'll never get anything done.

I don't completely agree with this. When you are an admin, especially a DA, you need to be extremely paranoid about things and trust very little that you don't directly control when using your ID. When I see folks who aren't running separate accounts for admin work and normal work I know they aren't paranoid enough. Then if someone had two accounts the next question is are the passwords synced which is pretty normal to see but almost as bad as using your DA ID to log into your PC and doing work in which you aren't specifically making changes. The next thing to do to cut down on risk is do interactive auth as well as application auth to servers and DCs as little as possible with enhanced IDs. Just too many possible ways to get screwed whether on purpose or by accident to treat anything but proven trusted systems and people as anything but a danger. Yes it slows you down, but folks need to be very careful with their most powerful IDs. If people follow these guidelines it is considerably more difficult to compromise them through social engineering types of attacks such as outlined.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: Michael B Allen [mailto:[EMAIL PROTECTED]
Sent: Monday, January 08, 2007 5:35 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Risks of exposure of machine account passwords

On Mon, 8 Jan 2007 15:33:01 -0500 joe [EMAIL PROTECTED] wrote:

> A dirty trick I have used in the past to disprove how secure an environment was was to set up a web site on a workstation, enable basic auth only, write a little perl cgi script to write the creds sent to the website to a log file and throw up a "website unavailable" screen and then tell admins that I have a web site that doesn't seem to authenticate users properly, could they try to logon to see if it is just my test IDs or a permission problem. I would say at least 50%-60% of the time the admins will go to the page and type in their creds.
>
> Alternately try to get an admin to log into a workstation I control. In far too many cases I think you will find admins are users too... :)

If you already own a machine with an FQDN and you can send email to people as someone internal then it would be pretty hard to keep you out since you're already somewhat trusted. You can't treat everyone inside your network like criminals or you'll never get anything done. And if you do have a criminal inside you should take it up with HR not IT.

But I can add an improved permutation to your dirty trick. Send out an email with a link to your site but use NTLM SSO pass-through to create a bogus account with a predefined password. If someone with domain admin privs so much as stumbles across your site they will create the said account and not even know they did it. No credentials necessary and no SSO account necessary. Just a website with an FQDN. There is one simple security setting that will thwart this attack though. For bonus points, does anyone know what it is?
:-

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
RE: RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.
What is the version? Current version of AdFind that is publicly available is V01.35.00. The -resolvesids option made it into AdFind around V01.31.00 or so which was a year ago. Plus if you really want something readable you likely want -sddl++

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Tuesday, January 09, 2007 5:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

Oh, thanks Joe !

The command

    adfind -b DN_OU -f msExchMailboxSecurityDescriptor=* msExchMailboxSecurityDescriptor -sddl -adcsv

works fine. But when I add -resolvesids, as in

    adfind -b DN_MyOU -f msExchMailboxSecurityDescriptor=* msExchMailboxSecurityDescriptor -sddl -resolvesids -adcsv

it shows an error:

    ERROR: Bad Command Line Arg(s)
    ERROR: resolvesids

Thanks,
Yann
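joe's point that msExchMailboxSecurityDescriptor is an ordinary self-relative security descriptor means anything that understands the Windows layout can decode it, which is all `adfind -sddl` is doing. The following added example (not adfind's code and not from any poster) walks that layout: a 20-byte header holding offsets to the owner SID, group SID and DACL; an 8-byte ACL header; then ACEs of (type, flags, size, access mask, optional object GUIDs, SID). It renders the result as an SDDL string with hex access masks and, optionally, substitutes names for SIDs the way `-resolvesids` does. The domain SID, the RIDs, the access masks and the well-known-SID name table are assumptions made up for the example; a real mailbox descriptor carries Exchange-specific bits in the low word of each mask, which this code leaves as hex rather than guessing at their meaning.

```python
"""Decode a self-relative Windows security descriptor (as stored in a binary AD attribute) into SDDL."""
import struct

SE_DACL_PRESENT, SE_DACL_PROTECTED, SE_SELF_RELATIVE = 0x0004, 0x1000, 0x8000
ACE_TYPES = {0: "A", 1: "D", 2: "AU", 5: "OA", 6: "OD", 7: "OU"}          # SDDL ace_type tokens
ACE_FLAGS = {0x01: "OI", 0x02: "CI", 0x04: "NP", 0x08: "IO", 0x10: "ID"}  # SDDL ace_flags tokens
# Assumed resolver table: adfind -resolvesids asks the directory for domain SIDs;
# offline, only well-known SIDs can be given a name.
KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-10": "NT AUTHORITY\\SELF",
              "S-1-5-18": "NT AUTHORITY\\SYSTEM", "S-1-5-32-544": "BUILTIN\\Administrators"}


def sid_from_bytes(buf, off):
    """Binary SID -> 'S-1-5-21-...': revision, sub-authority count, 48-bit BE authority, 32-bit LE subs."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid):
    """Inverse of sid_from_bytes; used here only to construct the sample descriptor."""
    rev, authority, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def parse_acl(buf, off):
    """Walk an ACL: 8-byte header, then AceCount ACEs of (type, flags, size, mask, [GUIDs], SID)."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        atype, aflags, asize = struct.unpack_from("<BBH", buf, pos)
        (mask,) = struct.unpack_from("<I", buf, pos + 4)
        sid_off = pos + 8
        if atype in (5, 6, 7):                     # object ACE: Flags + up to two 16-byte GUIDs
            (obj_flags,) = struct.unpack_from("<I", buf, sid_off)
            sid_off += 4 + 16 * bin(obj_flags & 3).count("1")
        aces.append({"type": ACE_TYPES.get(atype, str(atype)),
                     "flags": [n for b, n in ACE_FLAGS.items() if aflags & b],
                     "mask": mask, "sid": sid_from_bytes(buf, sid_off)})
        pos += asize                               # AceSize, not our own arithmetic, moves the cursor
    return aces


def parse_security_descriptor(blob):
    """Header: Revision, Sbz1, Control, then offsets of Owner, Group, SACL and DACL (all 32-bit LE)."""
    rev, _sbz1, control, o_owner, o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("expected a revision 1 self-relative security descriptor")
    return {"control": control,
            "owner": sid_from_bytes(blob, o_owner) if o_owner else None,
            "group": sid_from_bytes(blob, o_group) if o_group else None,
            "dacl": parse_acl(blob, o_dacl) if control & SE_DACL_PRESENT and o_dacl else None}


def to_sddl(sd, resolve_sids=False):
    """SDDL string with hex masks; resolve_sids swaps in names for known SIDs (then no longer strict SDDL)."""
    show = (lambda s: KNOWN_SIDS.get(s, s)) if resolve_sids else (lambda s: s)
    out = ("O:" + show(sd["owner"]) if sd["owner"] else "") + ("G:" + show(sd["group"]) if sd["group"] else "")
    if sd["dacl"] is not None:
        out += "D:" + ("P" if sd["control"] & SE_DACL_PROTECTED else "")
        for ace in sd["dacl"]:   # object GUIDs of OA/OD/OU ACEs are not rendered here
            out += "(%s;%s;0x%x;;;%s)" % (ace["type"], "".join(ace["flags"]), ace["mask"], show(ace["sid"]))
    return out


def build_sd(owner, group, aces):
    """Construct a self-relative descriptor with a DACL of plain ACEs: sample data, not a real mailbox."""
    body = b""
    for atype, aflags, mask, sid in aces:
        s = sid_to_bytes(sid)
        body += struct.pack("<BBHI", atype, aflags, 8 + len(s), mask) + s
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    owner_b, group_b = sid_to_bytes(owner), sid_to_bytes(group)
    o_owner, o_group = 20, 20 + len(owner_b)
    o_dacl = o_group + len(group_b)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, o_owner, o_group, 0, o_dacl)
    return header + owner_b + group_b + acl


DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"    # constructed domain SID
SAMPLE_SD = build_sd(DOMAIN + "-1108", DOMAIN + "-513", [
    (1, 0x00, 0x00000001, DOMAIN + "-1300"),   # explicit deny, listed first as canonical order requires
    (0, 0x00, 0x000F0001, DOMAIN + "-1108"),   # allow: the standard rights plus object right 0x1
    (0, 0x00, 0x00000001, DOMAIN + "-1201"),   # allow: object right 0x1 only
    (0, 0x10, 0x000E0000, "S-1-5-32-544"),     # inherited allow for Administrators
])

if __name__ == "__main__":
    sd = parse_security_descriptor(SAMPLE_SD)
    print(to_sddl(sd))
    print(to_sddl(sd, resolve_sids=True))
```

Keep the unresolved form for anything you compare or feed back into a tool: the resolved form is easier on the eye, as Yann wanted, but once names replace SIDs the string is no longer valid SDDL, which is also why adfind treats `-resolvesids` as a separate switch rather than part of `-sddl`.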
Re: [ActiveDir] Moving ADC
My Question was:

I have a mixed mode environment in my setup with 28 Child Domains at remote locations having Additional DCs and I am planning to move my DC to the Additional Domain Controller, making it a DC, because of new Hardware we have received. We can move the Roles to the new server but the old one also has Active Directory Connector to our Bridgehead server (Exchange 5.5). So what needs to be done to decommission the old DC and make the new DC the one having the AD Connector?

Thanks & Regds.
Dinesh

From: AdamT [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving ADC
Date: Mon, 8 Jan 2007 20:25:18 +0000
On 08/01/07, dinesh shinde [EMAIL PROTECTED] wrote:

> Hello
> Can someone help me on the below issue?

I don't mean to come across as being awkward, but I found it difficult to understand what it is you're trying to do. Could you perhaps rephrase it a little?

Regards,
--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche
RE: [ActiveDir] OT: Exchange Restrict Sending
I believe this option sets who can send to the group, not who the group members can send to. Is this correct? If so, is there a way to restrict who a group of users can send mail to?

From: Dhiraj Haritwal

You can define in the properties of a group in Exchange general, there is the option to set the message restriction. There you can define a white list of users.

Dhiraj Haritwal

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, January 03, 2007 9:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange Restrict Sending

Can anyone tell me if there is a way in Exchange to restrict who certain users can send to? Almost a whitelist for certain groups of approved recipients.

I would appreciate any help,

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com/
Office: 727 546-9143
FAX: 727 541-5888
Re: [ActiveDir] DNS Comments
For a couple of updates a day, I'm wondering if you really *need* something other than the GUI. Might be worth it to have them use the GUI just for the sake of complexity. If cost is not an issue, evaluate the miceandmen products to see if it'll give you a better interface although honestly dnscmd might be more than enough for what you want to do at those rates.

Outside of troubleshooting I usually recommend specified times for updates. For example, all updates are performed once in the morning and once in the afternoon to prevent the constant churn of administrating pieces and parts, especially on larger implementations.

Al

On 1/8/07, Brian Desmond [EMAIL PROTECTED] wrote:

Integrated. They tell me they make a couple updates a day to the zone.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] list logon user for the services in serveral server
Hi,

An SA just left the company and I am suspecting he installed several applications in several servers using his account, therefore I can't change his password or disable his account. Is there an easy way of finding which services are running on his account without having to go to each different server?

Thanks
Rezuma
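The sweep Rezuma asks for can be done in one pass from a WMI service inventory rather than by logging on to each server. The following is an added example, not from any poster: it assumes the inventory has been collected with something like `wmic /node:@servers.txt service get Name,StartName,State /format:csv` (a constructed sample of that output is embedded; the host, service and domain names are made up) and then matches the StartName column against the departed account in every spelling Windows accepts for one domain account (DOMAIN\user, user@dns.domain, dns.domain\user), case-insensitively.

```python
"""Find services on many hosts that log on as a given (departing) user account."""
import csv
import io

# Assumed: the NetBIOS and DNS names of the domain, so the spellings CORP\user,
# user@corp.example.com and corp.example.com\user all compare equal.
DOMAIN_ALIASES = {"corp": "corp", "corp.example.com": "corp"}

# Constructed sample of what `wmic /node:@servers.txt service get Name,StartName,State /format:csv`
# returns (wmic prefixes a blank line and a Node column); not real output from any server.
SAMPLE_WMIC_CSV = """
Node,Name,StartName,State
SRV01,BackupAgent,CORP\\jsmith,Running
SRV01,Spooler,LocalSystem,Running
SRV02,ReportSvc,jsmith@corp.example.com,Running
SRV02,W3SVC,NT AUTHORITY\\NetworkService,Running
SRV03,LegacyApp,corp.example.com\\JSmith,Stopped
SRV03,OtherApp,CORP\\svc_other,Running
SRV04,LocalTool,.\\jsmith,Running
"""


def normalise_account(name, aliases=DOMAIN_ALIASES):
    """Reduce an account name to (domain, user), lower-cased, with domain spellings unified."""
    n = name.strip().lower()
    if "@" in n:                       # UPN form: user@dns.domain
        user, dom = n.rsplit("@", 1)
    elif "\\" in n:                    # down-level form: DOMAIN\user, or .\user for a local account
        dom, user = n.split("\\", 1)
    else:                              # LocalSystem, LocalService, ... carry no domain part
        dom, user = "", n
    return aliases.get(dom, dom), user


def services_running_as(csv_text, account, aliases=DOMAIN_ALIASES):
    """Return (host, service, state) for every service whose logon account is `account`."""
    target = normalise_account(account, aliases)
    reader = csv.DictReader(io.StringIO(csv_text.strip("\r\n") + "\n"))
    return [(row["Node"], row["Name"], row["State"])
            for row in reader
            if normalise_account(row["StartName"], aliases) == target]


if __name__ == "__main__":
    for host, svc, state in services_running_as(SAMPLE_WMIC_CSV, "CORP\\jsmith"):
        print("%s: %s (%s)" % (host, svc, state))
```

The normalisation is where the security judgement sits: `.\jsmith` on SRV04 is a local account that merely shares the name and is not the domain account being retired, so it is correctly left out, while `jsmith@corp.example.com` and `corp.example.com\JSmith` are the same principal as `CORP\jsmith` and are reported. Services are not the only place a departed admin's password can be stored; scheduled tasks, IIS application pools and COM+ applications have their own logon identities and need their own sweep before the account is disabled.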
[ActiveDir] AD Schema - adding an attribute
How do I add an attribute to AD? I'd like to add birthMonth, birthDay, birthYear to my Active Directory Schema for extra data to store for my users.

Looking in MMC - Schema, I see I can add an attribute, but it wants an Object ID (OID). I know there's an oidgen program somewhere (haven't found it yet), but is that the best way to do it?

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx
307 MONROE HALL
Cheney, WA 99004
[ActiveDir] OT: Time change support webcast
http://blogs.technet.com/beatrice/archive/2007/01/09/preparing-for-dst-changes-in-2007.aspx

In August of 2005 the United States Congress passed the Energy Policy Act, which changes the dates of both the start and end of daylight saving time (DST) from 2007. While the change in daylight saving time applies to U.S. and Canada, it may have an impact also on customers who interact or integrate with systems that are based in North America or rely on such date/time for calculations.

Windows Client, Windows Server, Windows Mobile, SharePoint Services, Exchange Server and Office Outlook are some of the Microsoft products which will be affected by the DST changes. Updates to these products are being developed and tested. Depending on the particular product or scenario, these updates will be released through Microsoft Customer Support Services (CSS), hotfixes incorporated in Knowledge Base articles, Windows Update, Microsoft Update, Windows Server Update Services (WSUS), and the Microsoft Download Center.

What you can do in the meanwhile to prepare your business for the change:

1. Check the Microsoft site: Preparing for daylight saving time changes in 2007
2. Participate in the Microsoft Support WebCast: Deploying Microsoft Windows 2000 updates for daylight saving time changes for worldwide use, which is specifically focused on Microsoft Windows 2000. It talks about the registry changes and the time zones that are being updated. This WebCast also tells how to confirm that the updates have been applied, and then provides information about testing and rollback procedure.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
RE: [ActiveDir] AD Schema - adding an attribute
Well, first off - birthDate already exists - can you take advantage of it? Second, you need to register a prefix and OID tree with Microsoft on MSDN. This is how you will get a starting point for OIDs. You'll also get a prefix, so it would be ewu-birthMonth or something. Don't use oidgen. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Tuesday, January 09, 2007 10:56 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Schema - adding an attribute
RE : Re: [ActiveDir] Moving ADC
Hi, I don't know if I get it all, but if I summarise: You have a DC, say DCold, that also has the Active Directory Connector (ADC) that points to a 5.5 BH server. You want to decommission it to a member server and promote a new one to a new DC, say DCnew. Right? - On DCold that has the ADC, move all Connection Agreements (CAs) to another ADC server, then decommission DCold. - Or, if you have no other ADC server, just decommission DCold *BUT* be cautious and verify that no CAs point to DCold before. Yann dinesh shinde [EMAIL PROTECTED] wrote: My question was: I have a mixed mode environment in my setup with 28 child domains at remote locations having additional DCs, and I am planning to move my DC to the additional domain controller, making it a DC, because of new hardware we have received. We can move the roles to the new server, but the old one also has the Active Directory Connector to our Bridgehead server (Exchange 5.5). So what needs to be done to decommission the old DC and make the new DC the one having the AD Controller? Thanks, Regards, Dinesh
From: AdamT Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Moving ADC Date: Mon, 8 Jan 2007 20:25:18 +0000 On 08/01/07, dinesh shinde wrote: Hello Can someone help me on the below issue? I don't mean to come across as being awkward, but I found it difficult to understand what it is you're trying to do. Could you perhaps rephrase it a little? Regards, -- AdamT A casual stroll through the lunatic asylum shows that faith does not prove anything. - Nietzsche
RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
Even tools that would help with this sort of thing just in the AD would be welcomed. As far as I know, there's no GUI for finding out all the places just in AD where a particular security principal is asserted. I'd like to be able to find any (non-inherited) ACE that refers directly to a user account so that I can look to see why they aren't using a group. Even with tools like DSACLS, it's not clear which object you actually need to touch. Wook From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, January 07, 2007 9:27 AM To: ActiveDir@mail.activedir.org Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission. Because as mentioned in my post, this is a very difficult and complex task given the current security infrastructure. There is nothing maintaining backlinks into where specific SIDs are used for ACLing. Even so, as Wook and Deji and I all mentioned, there are times where something could have a SID in an ACL and be perfectly valid but some sort of burp or in-progress issue causes the SID to be temporarily unavailable. This kind of thing happens pretty regularly and people don't tend to catch it because MSFT, intelligently, didn't go through and scrub the ACLs when this occurred. If they did, people would be posting all of the time how some group or user or other security principal lost access to something or, in the case of DENY ACEs, all of a sudden had access to something. It is a very fine line between being helpful and being destructive. In order to implement this so it was effective and efficient I would visualize something that would have to track ALL uses of SIDs (not just file system or AD) with a backlink table and would somehow get notifications when a security principal was truly deleted and it was intended to be so and wouldn't be coming back (i.e. someone didn't pull a whoops).
The first is extremely involved but likely possible from a technical standpoint, though it would cause bloat somewhere where that info is stored. The second is near impossible, IMO, because it involves people not screwing up and I don't expect to see that day happen. A couple of other items to think about: you have more than ACEs that have the SIDs in a security descriptor, you also have the owner and the group. You don't just want to zap the old value out, you want something there; what do you put there? Administrators? LocalSystem? What? Now what if you want to go clean all those up and reassign them to someone else? You are in the same place you were when you had the old missing user/group object. I have posted this before (slightly different because then it included DNs), but here is a portion of the list of objects that can have SIDs embedded:
1. Windows Security Descriptors - this includes any kernel securable objects that can accept a security descriptor as well as many other objects that have customized ACL-like definitions like the customSD for event logs. A partial list of the official securable objects off the top of my head:
  o Active Directory Objects
  o SAM Objects (users and groups on member machines)
  o File System Objects (files/directories)
  o Threads/Processes
  o Synchronization objects (mutexes, events, semaphores, timers)
  o Job Objects
  o Network shares
  o Printers
  o Services
  o As of 2003 SP1 the Service Control Manager itself
  o Registry keys
  o Windows Desktops and Window Stations
  o Access tokens
  o File Mapping objects
  o Pipes (named or anonymous)
  Basically anything that allows you to pass in a SECURITY_ATTRIBUTES structure when creating the object, plus more.
2. Microsoft supplied Windows based applications. This includes things like ADAM, SQL Server, Exchange, SharePoint, etc etc etc ad nauseum.
3. Third party applications that run on Windows and were written properly to take advantage of Windows security. This list could be long and wide; there are hundreds of thousands of Windows applications out there.
4. Third party applications that run on Windows and were written incorrectly to take advantage of Windows security. These apps don't use Windows security descriptors, they use custom security structures that are based on Windows Security Descriptors or are completely different but rely on SIDs. An example here would be how the event log security stuff was implemented in K3, which uses a basic Windows Security Descriptor SDDL format type that isn't quite standard.
5. Ditto #4 but running on non-Windows platforms.
6. Applications that use the groups for something other than security but still use the SID for identification purposes to avoid rename issues. For instance an IM app that uses groups for contact lists or an email app using groups for mail distribution.
Numbers 3-6 are exceptionally hard to trace because in all but limited cases, it is pretty much guaranteed no well known, well used interface is available to enumerate this info. You are completely dependent on how well you
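What Wook asks for above, finding every non-inherited ACE that names a user account directly, as an added PowerShell example (not code from the thread or from any of its participants). The SDDL parsing needs only .NET; the live walk assumes the ActiveDirectory module. The sample SDDL string and the S-1-5-21-1000-2000-3000-* domain SIDs are constructed for the demonstration. It follows joe's caveat: a SID that fails to resolve is only reported, never rewritten, because a slow or unreachable DC fails the lookup in exactly the same way as a deleted principal. It also covers the owner and group fields, which joe points out carry SIDs as well.

```powershell
# Added example, not from the list thread. Reports owner, group and every
# NON-inherited ACE of a security descriptor, with the SID resolution result.
function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # $null means "did not resolve right now": transient failure or truly gone.
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $null }
}

function Get-ExplicitSidReferences {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$ObjectName = '(constructed sample)'
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $inherited = [System.Security.AccessControl.AceFlags]::Inherited

    # Owner and primary group hold SIDs too, not only the DACL.
    $slots = [ordered]@{ Owner = $sd.Owner; Group = $sd.Group }
    foreach ($slot in $slots.GetEnumerator()) {
        if ($slot.Value) {
            [pscustomobject]@{
                Object   = $ObjectName
                Role     = $slot.Key
                Sid      = $slot.Value.Value
                Resolved = Resolve-SidName $slot.Value
            }
        }
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        if (($ace.AceFlags -band $inherited) -ne 0) { continue }   # explicit ACEs only
        [pscustomobject]@{
            Object   = $ObjectName
            Role     = $ace.AceType.ToString()
            Sid      = $ace.SecurityIdentifier.Value
            Resolved = Resolve-SidName $ace.SecurityIdentifier
        }
    }
}

function Find-ExplicitUserAces {
    # Walks an AD subtree (assumes the ActiveDirectory module) and keeps entries
    # that name a user object directly, plus any SID that did not resolve.
    param([Parameter(Mandatory)][string]$SearchBase)
    Import-Module ActiveDirectory
    $all = [System.Security.AccessControl.AccessControlSections]::All
    Get-ADObject -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor |
      ForEach-Object {
        $sddl = $_.nTSecurityDescriptor.GetSecurityDescriptorSddlForm($all)
        Get-ExplicitSidReferences -Sddl $sddl -ObjectName $_.DistinguishedName
      } |
      Where-Object {
        if (-not $_.Resolved) { return $true }       # unresolved: review by hand
        $principal = Get-ADObject -Filter "objectSid -eq '$($_.Sid)'"
        $principal -and $principal.ObjectClass -eq 'user'
      }
}

# Constructed sample: owner RID 500, group RID 513, one explicit full-control ACE
# for RID 1105 and one inherited (ID) read ACE for BUILTIN\Administrators (BA).
$sample = 'O:S-1-5-21-1000-2000-3000-500G:S-1-5-21-1000-2000-3000-513' +
          'D:(A;;GA;;;S-1-5-21-1000-2000-3000-1105)(A;ID;GR;;;BA)'
Get-ExplicitSidReferences -Sddl $sample | Format-Table -AutoSize
# Live use: Find-ExplicitUserAces -SearchBase 'OU=Servers,DC=example,DC=com' | Export-Csv aces.csv
```

On a machine outside the constructed domain the three S-1-5-21 entries show an empty Resolved column, which is the state an orphaned SID presents in a real ACL; the inherited BA entry is skipped, as the DSACLS output Wook mentions would not make obvious. Treat the output as a review list: confirm with the object owner why a user rather than a group is named before touching anything.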
RE: [ActiveDir] AD Schema - adding an attribute
Third, consider privacy. All data in AD is readable by default (unless you mark the attribute as confidential). Would you want everybody to know everybody else's age? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Tuesday, January 09, 2007 9:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Schema - adding an attribute
RE: [ActiveDir] list logon user for the services in several servers
For services, use a script created by Dean Wells... get it here: http://www.jadonex.com/downloads/dec/DECscripts.zip PS joe/Dean: define "coming soon" ;-) For scheduled tasks, create a script using schtasks (W2K3). Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel: +31-(0)40-29.57.777 Mobile: +31-(0)6-26.26.62.80 E-mail: see sender address From: [EMAIL PROTECTED] on behalf of Ramon Linan Sent: Tue 2007-01-09 17:49 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list logon user for the services in several servers Hi, An SA just left the company and I suspect he installed several applications on several servers using his account; therefore I can't change his password or disable his account. Is there an easy way of finding which services are running under his account without having to go to each different server? Thanks, Rezuma This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] AD Schema - adding an attribute
In addition to what Brian said... If you want to get OIDs for your organization to use in a production environment, you can get your OIDs using this page: http://msdn.microsoft.com/certification/ad-registration.asp More info: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/obtaining_a_root_oid_from_an_iso_name_registration_authority.asp Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel: +31-(0)40-29.57.777 Mobile: +31-(0)6-26.26.62.80 E-mail: see sender address From: [EMAIL PROTECTED] on behalf of Brian Desmond Sent: Tue 2007-01-09 18:08 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Schema - adding an attribute
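Putting the three replies together (Brian's registered prefix and OID root, the privacy point about marking the attribute confidential, and Jorge's registration links), here is an added PowerShell/LDIF example of what the schema change looks like once an OID root has been obtained. It is not code from the thread or from any participant. The OID root 1.2.3.4.5.6 is a placeholder for whatever Microsoft's registration page assigns, the "ewu-" prefix follows Brian's example, and DC=X is the usual ldifde placeholder that -c rewrites to the real forest root. Run it as a member of Schema Admins on (or pointed at) the schema master.

```powershell
# Added example, not from the list thread. Adds one integer attribute to the
# schema, marks it confidential, attaches it to the user class, and reloads the
# schema cache. PLACEHOLDER: replace $oidRoot with your registered OID root.
$oidRoot = '1.2.3.4.5.6'

$ldif = @"
dn: CN=ewu-birthMonth,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: $oidRoot.1.1
lDAPDisplayName: ewu-birthMonth
adminDisplayName: ewu-birthMonth
adminDescription: Birth month (1-12) of the user
attributeSyntax: 2.5.5.9
oMSyntax: 2
isSingleValued: TRUE
rangeLower: 1
rangeUpper: 12
searchFlags: 128

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: ewu-birthMonth
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"@

$file = Join-Path $env:TEMP 'ewu-birthMonth.ldf'
[System.IO.File]::WriteAllText($file, $ldif, [System.Text.Encoding]::ASCII)

# Forest root DN, e.g. DC=example,DC=com, read from RootDSE so nothing is hard-coded.
$rootDse  = [ADSI]'LDAP://RootDSE'
$forestDn = [string]$rootDse.rootDomainNamingContext

# -c rewrites DC=X to the real forest root; -k keeps going past "already exists";
# -j puts ldif.log / ldif.err next to the input file for review.
ldifde -i -f $file -c 'DC=X' $forestDn -k -j $env:TEMP
```

searchFlags 128 sets the confidential bit (0x80, supported from Windows Server 2003 SP1), which is what the privacy reply is asking for: the attribute is no longer readable by every authenticated user, only by principals that hold the CONTROL_ACCESS right on it (or Full Control). attributeSyntax 2.5.5.9 with oMSyntax 2 is the integer syntax, and rangeLower/rangeUpper make the DC reject values outside 1 to 12. The same record, with a different attributeID suffix, covers birthDay and birthYear; the identical schemaUpdateNow record between the add and the class modification matters, because the class cannot reference an attribute the schema cache has not loaded yet.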
RE: [ActiveDir] list logon user for the services in several servers
Thanks, I see a few cmd files there; can you give me the link on how to use them, and what do they do? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, January 09, 2007 2:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] list logon user for the services in several servers
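Ramon's problem (an administrator has left, and his account cannot be disabled until every service and scheduled task still running under it has been found) as an added PowerShell example. This is not Dean Wells's DECscripts and not code from the thread; it assumes WMI over DCOM and the schtasks remote query are reachable on each server with the caller's credentials, and the server names srv01/srv02 and the user name jdoe are sample values.

```powershell
# Added example, not from the list thread. Lists services and scheduled tasks on
# each server whose logon account is the given user, so the account can be
# re-pointed BEFORE it is disabled or its password is reset.
function Find-AccountUsage {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$UserName        # bare logon name, e.g. 'jdoe'
    )
    # Matches 'CONTOSO\jdoe', '.\jdoe', 'jdoe@contoso.com' and plain 'jdoe',
    # but not 'jdoe2' or 'ajdoe'.
    $pattern = '(^|\\)' + [regex]::Escape($UserName) + '(@|$)'

    foreach ($computer in $ComputerName) {
        # Services: Win32_Service.StartName is the configured logon account.
        try {
            Get-WmiObject -Class Win32_Service -ComputerName $computer -ErrorAction Stop |
              Where-Object { $_.StartName -imatch $pattern } |
              ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer
                    Kind     = 'Service'
                    Name     = $_.Name
                    RunsAs   = $_.StartName
                    State    = $_.State
                }
              }
        } catch {
            Write-Warning "$computer`: WMI query failed ($($_.Exception.Message))"
        }

        # Scheduled tasks: schtasks /v /fo CSV; the verbose listing repeats its
        # header line per task folder, so rows whose HostName is 'HostName' are dropped.
        $csv = schtasks /query /s $computer /fo CSV /v 2>$null
        if ($LASTEXITCODE -eq 0 -and $csv) {
            $csv | ConvertFrom-Csv |
              Where-Object { $_.HostName -ne 'HostName' -and $_.'Run As User' -imatch $pattern } |
              ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer
                    Kind     = 'Task'
                    Name     = $_.TaskName
                    RunsAs   = $_.'Run As User'
                    State    = $_.Status
                }
              }
        } else {
            Write-Warning "$computer`: schtasks query failed"
        }
    }
}

# Sample invocation; feed the real server list from AD or your CMDB.
Find-AccountUsage -ComputerName 'srv01', 'srv02' -UserName 'jdoe' |
  Sort-Object Computer, Kind, Name | Format-Table -AutoSize
```

Run it, move each hit to a dedicated service account, and only then disable the departed administrator's account: anything still listed will fail at its next start or credential refresh, and an account that must stay enabled because production depends on it is exactly the kind of credential a former administrator can keep using. Services and scheduled tasks are the two places Jorge names; IIS application pool identities, COM+ applications and SQL Agent job proxies are not covered by this query and need their own checks.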
RE: [ActiveDir] OT: Time change support webcast
Susan, Thanks!!! I think a lot of us are going to be busy dealing with unforeseen time issues in March, especially with all those Windows 2000 servers that won't die. _Stuart Fuller From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, January 09, 2007 10:07 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Time change support webcast
RE: [ActiveDir] OT: Time change support webcast
I agree, about 200+ servers, knee deep into it, applying the fixes. For NT 4.0 SP6a it works also; you just need to use TZedit.exe from the Windows 2000 Resource Kit, and the same can be done with the Win2k systems of course. Export the updated registry keys, and then import them into the servers as needed with a script (regedit -s tzinfo.reg, estimezones.reg). EZ Edward E. Ziots Network Engineer Lifespan Organization MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+ email:[EMAIL PROTECTED] cell:401-639-3505 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart Sent: Tuesday, January 09, 2007 3:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Time change support webcast
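The webcast Susan links promises a way to confirm the updates have been applied, and Edward's approach pushes the time zone keys out with regedit -s. Here is an added PowerShell check (not from the thread or from Microsoft's material) that reads a zone's TZI value back and tests whether it carries the 2007 rule, so a server that missed the import shows up before March. It assumes the standard key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones and the REG_TZI_FORMAT layout that key has used since Windows 2000.

```powershell
# Added example, not from the list thread. Decodes a zone's TZI registry value
# and reports whether it uses the post-2007 US rule (DST starts the 2nd Sunday
# in March and ends the 1st Sunday in November).
function Read-SystemTime([byte[]]$Bytes, [int]$Offset) {
    # SYSTEMTIME: Year, Month, DayOfWeek, Day, Hour, Minute, Second, Millisecond,
    # two bytes each. In TZI, Day is the week of the month (1-4, 5 = last).
    [pscustomobject]@{
        Month = [BitConverter]::ToUInt16($Bytes, $Offset + 2)
        Week  = [BitConverter]::ToUInt16($Bytes, $Offset + 6)
        Hour  = [BitConverter]::ToUInt16($Bytes, $Offset + 8)
    }
}

function Get-TziRule {
    param([Parameter(Mandatory)][string]$ZoneName)
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\$ZoneName"
    [byte[]]$tzi = (Get-ItemProperty -Path $key -Name TZI).TZI
    # REG_TZI_FORMAT: Bias, StandardBias, DaylightBias (4 bytes each, 12 total),
    # then StandardDate (16 bytes at offset 12) and DaylightDate (16 bytes at 28).
    [pscustomobject]@{
        Zone         = $ZoneName
        BiasMinutes  = [BitConverter]::ToInt32($tzi, 0)
        StandardDate = Read-SystemTime $tzi 12
        DaylightDate = Read-SystemTime $tzi 28
    }
}

function Test-Dst2007Rule {
    param([Parameter(Mandatory)][string]$ZoneName)
    $r  = Get-TziRule -ZoneName $ZoneName
    $ok = ($r.DaylightDate.Month -eq 3  -and $r.DaylightDate.Week -eq 2 -and
           $r.StandardDate.Month -eq 11 -and $r.StandardDate.Week -eq 1)
    [pscustomobject]@{
        Zone    = $ZoneName
        Updated = $ok
        Start   = "month $($r.DaylightDate.Month), week $($r.DaylightDate.Week)"
        End     = "month $($r.StandardDate.Month), week $($r.StandardDate.Week)"
    }
}

# The four mainland US zones the 2007 change affects. A server still on the old
# rule reports Start = month 4, week 1 and End = month 10, week 5.
'Eastern Standard Time', 'Central Standard Time',
'Mountain Standard Time', 'Pacific Standard Time' |
  ForEach-Object { Test-Dst2007Rule -ZoneName $_ } | Format-Table -AutoSize
```

Run it through Invoke-Command or a remote registry session against the server list after the regedit -s import; on Windows Vista and later the zone key also carries a "Dynamic DST" subkey with per-year rules, and the top-level TZI value this reads is the rule currently in force.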
[ActiveDir] Shares with Computer Account Permissions
I was asked today whether it was possible to allow or deny access to shares not just based on user accounts, but also upon computer accounts. My immediate response was that I didn't think so. So I tested it by simply creating a folder on our file server, adding the computer account for my workstation and denying it access completely. This made no difference to my permissions when trying to access it from this workstation. So my question is this: is there any way to design access permissions in such a way that you could not only allow access to a share to a certain security group, but also to this security group only when they are accessing it on hosts that we have explicitly defined? ~Ben
RE: [ActiveDir] Shares with Computer Account Permissions
Sure. IPsec. Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Tuesday, January 09, 2007 5:09 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Shares with Computer Account Permissions
RE: [ActiveDir] Shares with Computer Account Permissions
Hi Laura, That's what I thought of first, but that would stop all traffic to the server, not just a particular share. Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Tuesday, January 09, 2007 4:19 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Shares with Computer Account Permissions
RE: [ActiveDir] Shares with Computer Account Permissions
So you can use IPsec to allow or deny access to a network share based on the originating host? Would you mind elaborating on this a little bit? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Tuesday, January 09, 2007 2:19 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Shares with Computer Account Permissions
RE: [ActiveDir] Shares with Computer Account Permissions
It wouldn't stop all traffic to the server; you would just have to be specific about the rules you constructed in the IPsec policy. Unless by all traffic you mean all shares on the server, in which case that's where NTFS/share permissions would come in. Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Tuesday, January 09, 2007 5:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Shares with Computer Account Permissions
RE: [ActiveDir] Shares with Computer Account Permissions
http://www.microsoft.com/technet/network/sdiso/default.mspx From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Tuesday, January 09, 2007 5:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Shares with Computer Account Permissions
RE: [ActiveDir] Shares with Computer Account Permissions
No, you can use IPsec to allow or deny access to the machine based on host (as well as filtering by protocol, etc.), and use user accounts to restrict share access. The end result is that specific users can access only from specific machines. The restrictions to different shares would be based on the combination of IPsec policies and user account.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 09, 2007 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Shares with Computer Account Permissions

So you can use IPsec to allow or deny access to a network share based on originating host? Would you mind elaborating on this a little bit?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, January 09, 2007 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Shares with Computer Account Permissions

Sure. IPsec.

Laura
RE : RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.
Ben,

Thank you also for your help; the page you pointed me to has useful info. :)

Cheers,
Yann

WATSON, BEN [EMAIL PROTECTED] wrote:

Hi Yann,

I was reading this over the weekend, and perhaps this might provide enough relevant info for you to find what you are looking for.

http://blog.joeware.net/2007/01/06/756/

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Monday, January 08, 2007 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

Hello,

I'd like to dump the msExchMailboxSecurityDescriptor attribute of a user object into a readable format. It seems that the value is in binary blob format. Is there a way to do this?

Thanks,
Yann
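As an added example (not from this thread or from the linked page), here is a stand-alone Python decoder for the format Yann asks about: a self-relative Windows security descriptor, which is how nTSecurityDescriptor and msExchMailboxSecurityDescriptor are stored. The sample blob is constructed inside the code with a made-up domain SID; the decoder also reports the one case an admin should never overlook, a DACL-present flag with a NULL DACL.

```python
"""Decode a self-relative Windows security descriptor (binary form of nTSecurityDescriptor and msExchMailboxSecurityDescriptor)."""
import struct

SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}

def parse_sid(buf, off):
    """Return (sid_string, bytes_consumed) for the SID starting at off (MS-DTYP 2.4.2.2)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # 32-bit, little-endian
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs))), 8 + 4 * count

def parse_acl(buf, off):
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)  # 8-byte ACL header
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        # Object ACEs (types 5-8) carry object flags/GUIDs before the SID; left undecoded here.
        sid = parse_sid(buf, pos + 8)[0] if ace_type <= 4 else None
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": ace_flags, "mask": mask, "sid": sid})
        pos += ace_size  # advance by AceSize so unknown ACE types are skipped rather than mis-parsed
    return aces

def parse_security_descriptor(blob):
    rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    sd = {"control": control, "owner": None, "group": None, "dacl": None, "sacl": None}
    if o_owner: sd["owner"] = parse_sid(blob, o_owner)[0]
    if o_group: sd["group"] = parse_sid(blob, o_group)[0]
    if control & SE_DACL_PRESENT:  # flag set with offset 0 is a NULL DACL: no access protection at all
        sd["dacl"] = parse_acl(blob, o_dacl) if o_dacl else "NULL"
    if control & SE_SACL_PRESENT and o_sacl: sd["sacl"] = parse_acl(blob, o_sacl)
    return sd

def build_sid(authority, *subs):
    return struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def sample_blob():
    """Constructed test blob (made-up domain SID, not real directory data): owner plus a 2-ACE DACL."""
    admins = build_sid(5, 21, 1000, 2000, 3000, 512)  # S-1-5-21-1000-2000-3000-512
    deny = struct.pack("<BBHI", 1, 0, 8 + 12, 0x00000002) + build_sid(1, 0)  # deny Everyone (S-1-1-0) one right
    allow = struct.pack("<BBHI", 0, 0, 8 + len(admins), 0x001F01FF) + admins  # allow full control
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(deny) + len(allow), 2, 0) + deny + allow
    o_owner, o_dacl = 20, 20 + len(admins)  # no group or SACL: their offsets stay 0
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, o_owner, 0, 0, o_dacl)
    return header + admins + acl
```

Feed the raw attribute bytes fetched from LDAP to parse_security_descriptor() in place of sample_blob(); the returned SIDs can then be resolved to account names with your usual tooling.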
RE: [ActiveDir] Risks of exposure of machine account passwords
Hi Michael,

I'm not sure what we are gaining here. You're talking about:

> When the client sends the password hashes you send them to the target server. So the web client doesn't authenticate with the web server, it authenticates directly with the target server by proxying the NTLMSSP tokens.

Are you talking about transitioning the protocol as well? e.g.

Client -- HTTP -- Your Website/PC -- RPC -- Domain Controller

Cheers
Ken

From: Michael B Allen [mailto:[EMAIL PROTECTED]
Sent: Tue 9/01/2007 5:24 PM
To: ActiveDir@mail.activedir.org
Cc: Ken Schaefer
Subject: Re: [ActiveDir] Risks of exposure of machine account passwords

On Tue, 9 Jan 2007 14:13:33 +1100 Ken Schaefer [EMAIL PROTECTED] wrote:

> I'm not sure what NTLM SSO Pass-Through is, but NTLM is not natively delegatable, so you can't (in the normal course of events) use this to create an account anywhere except on the local machine. There may be easier ways to create accounts on local machines.

Perhaps proxy would be a better term. When the web client requests the challenge, you request it from the target server (e.g. the DC) and send it back to the client. When the client sends the password hashes, you send them to the target server. So the web client doesn't authenticate with the web server, it authenticates directly with the target server by proxying the NTLMSSP tokens.

This is effectively a man-in-the-middle attack. Digital signatures are used to thwart an MITM, so if you require SMB signing you can prevent such an attack (although if you can authenticate LDAP with NTLM you might be able to get around that). Actually, now that I think about it, I think W2K3 requires SMB signing, so maybe this permutation wouldn't work. But workstations do not require SMB signing. One could authenticate back to the client and create an account, or simply place an executable in their Startup. But again, if you're already trusted on the network it's game over.

Mike

On Mon, 8 Jan 2007 15:33:01 -0500 joe [EMAIL PROTECTED] wrote:

But I can add an improved permutation to your dirty trick. Send out an email with a link to your site but use NTLM SSO pass-through to create a bogus account with a predefined password. If someone with domain admin privs so much as stumbles across your site they will create the said account and not even know they did it. No credentials necessary and no SSO account necessary. Just a website with an FQDN.

There is one simple security setting that will thwart this attack though. For bonus points, does anyone know what it is? :-

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/