RE: [ActiveDir] Cisco VPN user authentication problem
Steve -

Check the Dial-in tab settings on the user's account in AD. Depending on how your VPN3000 is authenticating, these settings may or may not be checked.

One other possibility - I vaguely remember having an issue before we had our VPN3000s authenticate against Cisco ACS where users with passwords longer than 14 characters could not authenticate. If you shortened the password, it worked fine.

Jeff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
Sent: Friday, January 19, 2007 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cisco VPN user authentication problem

Al:

I knew what you meant, and that was the first thing I did, thinking the client software got hammered somehow by some other misbehaved software (or whatever). No change. Like I said, if somebody else logs in from her machine, it's fine. If she tries to log in from another machine, it breaks. Gotta be something in AD.

Steve Egan (temp)
Systems/Network Engineer

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Garrett
Sent: Friday, January 19, 2007 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cisco VPN user authentication problem

I just realized my response was misleading. I deleted and recreated the VPN Connection Profile within the Cisco VPN Client, NOT the user's computer profile under Documents and Settings.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Garrett
Sent: Friday, January 19, 2007 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cisco VPN user authentication problem

I had similar issues and solved them by recreating the Profile on the laptop. Same settings, just created an identical Profile. Almost like the corruption was in the profile itself.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan (Temp)
Sent: Friday, January 19, 2007 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cisco VPN user authentication problem

Did that. It was the first thing I looked at, having had experience with RADIUS before. I created a user on the 3000, and it worked fine. BTW, we use the Kerberos/Active Directory authentication. But you knew that...

Steve Egan (temp)
Systems/Network Engineer

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 19, 2007 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Cisco VPN user authentication problem

Steve;

Just for kicks. Could you create a local account for testing? This would bypass any RADIUS/TAC+ problems and confirm the VPN client isn't at fault. Also, Cisco released a new client about a week ago. Don't ask, my laptop is stored for the weekend. Something like 4.881720344-1 or some such. Anyhow, it sounds like a RADIUS problem within the server but check with a local account on the 3000 just to eliminate what should be obvious.

Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
Fax: (312) 762-9275

The contents contain privileged and/or confidential information intended for the named recipient of this email. ETSI (Employee Technology Solutions, Inc.) does not warrant that the contents of any electronically transmitted information will remain confidential. If the reader of this email is not the intended recipient you are hereby notified that any use, reproduction, disclosure or distribution of the information contained in the email in error, please reply to us immediately and delete the document. Viruses, Malware, Phishing and other known and unknown electronic threats: It is the recipient/client's duties to perform virus scans and otherwise test the information provided before loading onto any computer system. No warranty is made that this material is free from computer virus or any other defect. Any loss/damage incurred by using this material is not the sender's responsibility. Liability will be limited to resupplying the material.

"Steve Egan (Temp)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/19/2007 04:39 PM
Please respond to ActiveDir@mail.activedir.org
To:
cc:
Subject: [ActiveDir] Cisco VPN user authentication problem
RE: [ActiveDir] Computer bootup speeds
We have been fighting this for some time across the enterprise. DNS appears to be fine everywhere yet the problem persists on XP systems. The only solution we have found, which we are rolling out now, is to disable XP's Fast Logon Optimization. In Group Policy it is:

Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon

You can also do this directly in the registry if you want to try it on one machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"SyncForegroundPolicy"=dword:0001

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 09, 2006 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Computer bootup speeds

Is there any easy way to determine why it's taking so long for PCs in our AD to boot up? It sits at applying settings for quite a while, so I'm thinking it may have something to do with GPOs, but most computers only have 2 or 3 GPOs applied to them. I wouldn't think the GPOs would take that long to apply though. Sometimes it literally sits at applying settings for 4 or 5 minutes! I guess I could move a computer to an OU with no GPOs and see, but are there any other ways?

Thanks

~~
This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Confidential
This e-mail and any files transmitted with it are the property of Belkin Corporation and/or its affiliates, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipients or otherwise have reason to believe that you have received this e-mail in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited.
RE: [ActiveDir] Communication across a trust...with firewalls
Rocky -

This article explains why the fragmented UDP packets cause problems: http://support.microsoft.com/?id=244474 and how to modify the registry to force TCP. We run into this periodically, especially with users running a VPN tunnel across their home wireless network.

Jeff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, March 14, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Communication across a trust...with firewalls

So why does fragmentation cause a problem? Packets are fragmented all the time in network traffic but stuff still works. Are you saying credentialling packets can't be fragmented?

RH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Tuesday, March 14, 2006 2:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Communication across a trust...with firewalls

You might also want to investigate if you are using TCP or UDP packets with your authentication request. By default Kerberos uses UDP, so a lot of firewalls will fragment the packets and cause authentication issues.

Todd Myrick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, March 14, 2006 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Communication across a trust...with firewalls

Let's say the structure is:

CLIENT-DOMAIN_A . DC-DOMAIN_A .. DC-DOMAIN_B .. MEMBERSRV-DOMAIN_B

If NTLM is used the order of authentication is:
(1) CLIENT-DOMAIN_A wants to access MEMBERSRV-DOMAIN_B
(2) CLIENT-DOMAIN_A connects to MEMBERSRV-DOMAIN_B
(3) MEMBERSRV-DOMAIN_B connects to DC-DOMAIN_B and asks: do you know CLIENT-DOMAIN_A?
(4) DC-DOMAIN_B says: NO, but I do trust DOMAIN_A. Let me check.
(5) DC-DOMAIN_B connects to DC-DOMAIN_A and asks: do you know CLIENT-DOMAIN_A?
(6) DC-DOMAIN_A says: yes, it's OK
(7) DC-DOMAIN_B sets up an access token for domain B for CLIENT-DOMAIN_A.
(8) CLIENT-DOMAIN_A accesses MEMBERSRV-DOMAIN_B

If KERBEROS is used the order of authentication is:
(1) CLIENT-DOMAIN_A wants to access MEMBERSRV-DOMAIN_B
(2) CLIENT-DOMAIN_A connects to DC-DOMAIN_A and asks for a ticket to access MEMBERSRV-DOMAIN_B
(3) DC-DOMAIN_A says: let me check, just a sec.
(4) DC-DOMAIN_A says: that server does not exist within the domain or the forest. However I do have a trust with DOMAIN_B. Go to DC-DOMAIN_B
(5) CLIENT-DOMAIN_A connects to DC-DOMAIN_B and asks for a ticket to access MEMBERSRV-DOMAIN_B
(6) DC-DOMAIN_B says: let me check, just a sec.
(7) DC-DOMAIN_B says: here's your ticket and access token. Have fun
(8) CLIENT-DOMAIN_A accesses MEMBERSRV-DOMAIN_B

The problem is that only DC-DOMAIN_A and DC-DOMAIN_B can communicate through the firewall with each other. Other communication paths are not available or possible because of the firewall configuration. Or did I miss something?

Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : [EMAIL PROTECTED]

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Tue 2006-03-14 16:35
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Communication across a trust...with firewalls

Within a domain, when a user's credentials are presented to a member server, that member server communicates with the domain controller to validate the creds. We have a cross-forest (cross-company; a divestiture) trust set up that we are testing. A member server in the other forest/domain and across the firewall is having trouble authenticating credentials from our domain. Their DC works fine. Ports on the firewall are only opened for the two domain controllers (one on each side). Here's the question: in order to validate the "foreign" credentials, should the member server be looking first to its own DC, or is
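Two points from the thread above, Jorge's hop-by-hop comparison and Todd's remark about UDP, traced in an added Python example that is not from the list or from any of the posters. The topology, the firewall allow-list (authentication ports open only between the two DCs, plus the client's application port to the member server), the service labels, the request sizes and the MTU are all constructed assumptions; MaxPacketSize is the registry value that KB 244474 describes.

```python
"""Added example: which hops NTLM pass-through and the Kerberos referral
need when only the two DCs may cross the firewall, and when a Kerberos
request goes out over UDP and fragments. Topology, firewall rules, sizes
and MTU are constructed for illustration."""

# Constructed firewall policy from the original post: authentication ports
# are open only between the two DCs; the client still reaches the member
# server's application port (otherwise there would be nothing to test).
FIREWALL_ALLOW = {
    ("DC-DOMAIN_A", "DC-DOMAIN_B", "auth"),
    ("DC-DOMAIN_B", "DC-DOMAIN_A", "auth"),
    ("CLIENT-DOMAIN_A", "MEMBERSRV-DOMAIN_B", "app"),
}

# Which side of the firewall each host sits on (constructed).
SIDE = {
    "CLIENT-DOMAIN_A": "A", "DC-DOMAIN_A": "A",
    "DC-DOMAIN_B": "B", "MEMBERSRV-DOMAIN_B": "B",
}


def hop_allowed(src, dst, service):
    """Traffic that stays on one side never crosses the firewall; anything
    crossing it must be on the allow-list."""
    if SIDE[src] == SIDE[dst]:
        return True
    return (src, dst, service) in FIREWALL_ALLOW


# The hops follow Jorge's numbered steps; the service labels are ours.
NTLM_HOPS = [
    ("CLIENT-DOMAIN_A", "MEMBERSRV-DOMAIN_B", "app"),  # steps 1-2
    ("MEMBERSRV-DOMAIN_B", "DC-DOMAIN_B", "auth"),     # step 3, pass-through
    ("DC-DOMAIN_B", "DC-DOMAIN_A", "auth"),            # step 5, over the trust
]
KERBEROS_HOPS = [
    ("CLIENT-DOMAIN_A", "DC-DOMAIN_A", "auth"),        # step 2, own KDC
    ("CLIENT-DOMAIN_A", "DC-DOMAIN_B", "auth"),        # step 5, referred KDC
    ("CLIENT-DOMAIN_A", "MEMBERSRV-DOMAIN_B", "app"),  # step 8
]


def blocked_hops(hops):
    """Return the hops the firewall would drop, in order; an empty list
    means the whole exchange can complete."""
    return [hop for hop in hops if not hop_allowed(*hop)]


def kerberos_transport(request_bytes, max_packet_size):
    """Windows sends a Kerberos request over UDP unless it is larger than
    the MaxPacketSize value KB 244474 describes; MaxPacketSize=1 therefore
    forces TCP for every request."""
    return "tcp" if request_bytes > max_packet_size else "udp"


def udp_fragments(request_bytes, mtu=1500, ip_header=20, udp_header=8):
    """IP fragments a UDP datagram of this size needs on a path with the
    given MTU. Only the first fragment carries the UDP header, so a firewall
    that filters on port numbers cannot classify the rest and commonly drops
    them; that is why a large UDP authentication request fails where TCP,
    which the sender splits into self-contained segments, does not."""
    per_fragment = mtu - ip_header
    return -(-(udp_header + request_bytes) // per_fragment)  # ceiling


if __name__ == "__main__":
    print("NTLM hops blocked:    ", blocked_hops(NTLM_HOPS))
    print("Kerberos hops blocked:", blocked_hops(KERBEROS_HOPS))
    big = 3000  # constructed: a user in many groups carries a large PAC
    for mps in (2000, 1):
        print(f"{big}-byte request, MaxPacketSize={mps}:",
              kerberos_transport(big, mps))
    print(f"{big}-byte request over UDP splits into",
          udp_fragments(big), "fragments")
```

Under this firewall policy the NTLM pass-through completes because its only cross-firewall authentication hop is DC to DC, while the Kerberos referral stalls at step 5 when the client tries to reach DC-DOMAIN_B directly; that is the asymmetry Jorge describes. The second half answers Rocky's question: fragmentation as such is harmless, but a port-filtering firewall that drops the non-first fragments breaks a UDP request that does not fit in one datagram, and forcing TCP avoids the fragments altogether.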
RE: [ActiveDir] Single Sign-on
Does anyone know of or use an SSO product that allows access to the Oracle Business Suite of applications using AD accounts, or that can synchronize the two? I see many that will interoperate with Oracle Database accounts, but not with Oracle Applications user accounts.

Thanks!

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shannon Coleman
Sent: Monday, January 30, 2006 5:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Single Sign-on

Citrix's Password Manager. :)
http://www.citrix.com/English/ps2/products/product.asp?contentID=7181

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Saturday, January 28, 2006 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Single Sign-on
RE: [ActiveDir] ADUC updates - Was Expired Accounts
Seems like people have been asking forever that the Employee ID field be added to the display. We ended up purchasing Hyena from SystemTools Software just so our admins could populate this field, which is used to sync AD employee information with other systems. Hyena is a great tool for many other reasons - perhaps Microsoft should acquire them.

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, January 13, 2006 7:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Only three people with issues with ADUC? Or did these three fine folks describe accurately everyone's pain? I am asking because I will summarize and wrap this up after it is done. I pinged the developer and he is looking forward to seeing the email with the details. This isn't going through multiple layers of PSS like you may be used to putting requests through; this is going into the MVP feedback system and being sent separately to one of the guys writing the source code for it.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, January 12, 2006 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Here are some of my ADUC pet peeves and wish-list items.

- Let's have an expert's mode where we don't change the names of the attributes to things that are "user-friendly", like calling samAccountName "User logon name (pre-Windows 2000)". Kind of a cross between ADUC and ADSIedit, or like that E55 admin utility in RAW mode.
- Allow ADUC to handle larger numbers of objects in a container without running like a snail.
- I'd like to be able to multi-select a bunch of objects and have a UI to change all the common attributes that are modifiable.
- I'd like an interface that will allow me to query for where a particular security principal is referred to in an explicit ACE on an ACL.
- I'd like an extension of the Advanced Security dialog that allowed me to specify a security principal, highlight a right and click a button to find out how/why that principal has that right.
- I'd like an easy way to search by managedBy that didn't require full DNs. I'd like to be able to specify the canonical name and have it figure out the DN for me. That's because canonical name is copy-able from the UI.
- Use the disabled account icon for disabled accounts that show up in the find object dialog results pane.

Wook

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Your starter for 10: [Dean will explain this, joe :) ]

Add context menu options below out of the box:
1. Unlock User (user context menu)
2. Unlock all users (OU context menu)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 12 January 2006 15:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this. Everyone who has an idea for a change to ADUC, post the ideas to this thread. Don't be shy, you may have thought of something no one else would think of that once seeing it would go "this is very cool". Then when the thread seems to die (or some point after that when I catch up :oP ) I will summarize to make sure I understand and then post to LadyBug as improvements that could be made. Also, you may or may not be shocked to hear that many of the folks working on the stuff in Redmond actually watch this list on a regular basis too so they may see it directly. I know the conversation we had previously about suggested improvements to AD was watched pretty closely and generated several DCRs without me even arguing with anyone. So let's hear it.

First item on the table is different icons flagging accounts (and I am stating this generically) that are not currently live. This includes disabled, locked, expired passwords, expired accounts? Would this be better to add maybe as additional columns that you could tell the GUI to sort on? Or are the icons best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having this conversation at BB.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled accounts, expired account, expired password, etc.

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want
RE: [ActiveDir] OT: WMF issue - patch on the 10th
I recommend taking a look at the SANS Internet Storm Center (http://isc.sans.org/) write-up as well, including information regarding an unofficial patch that is now available in MSI installer format.

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Tuesday, January 03, 2006 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: WMF issue - patch on the 10th

http://www.microsoft.com/technet/security/advisory/912840.mspx

January 10th...is the target.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Navroz Shariff
> Sent: Tuesday, January 03, 2006 3:17 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: WMF issue - patch on the 10th
>
> Regarding the June 10 WMF exploit patch release, can someone
> please point me to Microsoft's article regarding the release.
>
> Thanks,
>
> Nav
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
> Sent: Tuesday, January 03, 2006 12:33 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] OT: WMF issue - patch on the 10th
>
> What's Microsoft's response to the availability of third
> party patches for the WMF vulnerability?
> Microsoft recommends that customers download and deploy the
> security update for the WMF vulnerability that we are
> targeting for release on January 10, 2006.
>
> As a general rule, it is a best practice to utilize security
> updates for software vulnerabilities from the original vendor
> of the software. With Microsoft software, Microsoft carefully
> reviews and tests security updates to ensure that they are of
> high quality and have been evaluated thoroughly for
> application compatibility. In addition, Microsoft's security
> updates are offered in 23 languages for all affected versions
> of the software simultaneously.
>
> Microsoft cannot provide similar assurance for independent
> third party security updates.
>
> Why is it taking Microsoft so long to issue a security update?
> Creating security updates that effectively fix
> vulnerabilities is an extensive process. There are many
> factors that impact the length of time between the discovery
> of a vulnerability and the release of a security update. When
> a potential vulnerability is reported, designated product
> specific security experts investigate the scope and impact of
> a threat on the affected product. Once the MSRC knows the
> extent and the severity of the vulnerability, they work to
> develop an update for every supported version affected. Once
> the update is built, it must be tested with the different
> operating systems and applications it affects, then localized
> for many markets and languages across the globe.
RE: [ActiveDir] logon scripts
We had this happen by accident for a short time. The old logon script specified in the user account properties was running as well as the desired logon script, which we tie to AD Sites. Both were running, and if I remember right the drive mappings in the legacy script were winning - which would mean that it was running after the script that was triggered by group policy. I don't think there is any harm provided there aren't conflicting drive mappings or other settings where script timing would need to be verified and accounted for.

Jeff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, December 07, 2005 12:58 PM
To: activedirectory
Subject: [ActiveDir] logon scripts

What happens if you have 2 different logon scripts for users - one in the legacy location and one in a domain GPO? How do they execute? Does one start sooner? Are there any issues with doing things this way for a short time period? Both scripts do completely different things.

Thanks
RE: [ActiveDir] Group Policy Object for Windows Firewall
We use the Cisco VPN Client for remote connections. Evidently the Cisco Systems VPN Adapter is not considered a PPP or SLIP-based connection in this regard since my notebook uses the domain profile while connected by VPN. I suspect the native XP VPN connection behaves exactly as described in the link. I believe you can "trick" the machine to use domain mode by modifying a connection's domain name to match your corporate network's domain name.

Jeff

-----Original Message-----
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Friday, October 28, 2005 8:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Policy Object for Windows Firewall

Just an FYI on this. "On the Domain" can be tricky here. For example, if your user is connected to the corporate network via VPN, they will be considered "off the domain" and will use the standard profile. The determination process is documented pretty well in the following article: http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 28, 2005 7:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Group Policy Object for Windows Firewall

www.sbslinks.com/group.htm [that's SBS's group policy settings for the XP sp2 firewall]

Domain is when you are 'on' the domain
Standard is when the device is unattached.

Also grab the XP sp2 security documents that were just released on the web a few days ago.

Todd Hofert wrote:
> I am implementing Windows Firewall settings via an Active Directory
> Group Policy. I see there are two sets of settings; Domain Profile and
> Standard Profile with no explanation of how these settings differ. Can
> anyone explain which circumstances dictate which profile to use? I am
> assuming it relates to roaming profiles vs. local profiles but I am
> not certain. I also do not want to create both profile settings if it
> is not necessary.
>
> Thanks
>
> Todd Hofert
> IT Director
> Spartan Graphics, Inc.
>
> This e-mail and any attachments may contain confidential and
> privileged information. If you are not the intended recipient, please
> notify the sender immediately by return e-mail, delete this e-mail and
> destroy any copies. Any dissemination or use of this information by a
> person other than the intended recipient is unauthorized and may be
> illegal.
RE: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy
The domain mode is determined by the DNS suffix of your active network connections. This article has information on troubleshooting the XP SP2 firewall: http://www.microsoft.com/technet/prodtechnol/winxppro/support/wftshoot.mspx

And it links to this article which describes the algorithm for determining if the domain mode is in effect (look in the How Network Determination Works section): http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

Hope that helps!

-----Original Message-----
From: Mark Parris [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 06, 2005 12:03 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy

It's probably to do with applying GPO over slow links; the trouble is the speed is measured as the speed of the NIC, not the speed of the link. Unless you dial up from the PC directly. I have had great fun with this and VPNs over ADSL and dial up.

-----Original Message-----
From: "Joe Pochedley" <[EMAIL PROTECTED]>
Date: Tue, 6 Sep 2005 14:39:31
To:
Subject: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy

I've done some googling and searched the MS site a bit, but cannot find an answer...

The question I have is this: How does an XP computer determine whether it's connected to the domain in order to decide which firewall policy (standard or domain) to enforce?

The reason I ask is this: I see this most often with machines that come in over the WAN, though I've seen it a few times on machines on our local LAN too. A machine will start up and the firewall will be enabled. Normally that would be expected as that is the default behavior of the XP firewall. However, I do have a GPO that turns off the firewall for the domain profile. If I do a GPRESULT on these machines, the GPO is applied, yet the firewall is still on. If I do a "netsh fi show state" the current active profile is the standard profile, and the Firewall GPO that I have set displays as the Group Policy Version (so I know the machine has the settings).

My only guess is that, for some reason when these machines start, they don't realize they're on the domain, but I can't explain why. Latency for the remote sites is about 60 to 100 ms and there are no DCs at many of the small (2-4 people) remote sites. If it were only remote sites, then I might be convinced that the latency was an issue. But as I mentioned, I've seen it happen to machines on our LAN too.

Any insights or other things to check would be much appreciated.

Joe Pochedley

A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about.
-Douglas Adams
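The network determination Jeff points Joe to above, worked through in an added Python example that is not from the thread or from Microsoft's documentation. The rule it models (the domain profile is chosen only when the connection-specific DNS suffix of every connected network connection matches the domain DNS name recorded at the last Group Policy refresh, so one non-matching connection or a missing suffix means the standard profile) is this example's reading of the linked Cable Guy article; the adapter names, DNS suffixes and domain name are constructed.

```python
"""Added example of XP SP2 firewall network determination (the
all-connections-must-match rule is this example's reading of the linked
Cable Guy article, not text from the thread). Adapter names, suffixes and
the domain name are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    name: str
    connected: bool
    dns_suffix: str  # connection-specific suffix; "" when DHCP gave none


def active_profile(connections, domain_dns_name):
    """Return ("domain", None) or ("standard", reason), where reason names
    the connection that failed the check or reports that nothing is up."""
    live = [c for c in connections if c.connected]
    if not live:
        return "standard", "no connected network"
    for c in live:
        # DNS names compare case-insensitively.
        if c.dns_suffix.lower() != domain_dns_name.lower():
            return "standard", c.name
    return "domain", None


DOMAIN = "corp.example.com"  # constructed domain DNS name

# Constructed scenarios matching the symptoms discussed in the thread.
SCENARIOS = {
    # Office desktop: one NIC, suffix handed out by corporate DHCP.
    "office_lan": [Connection("Local Area Connection", True, DOMAIN)],
    # Laptop at home on a VPN: the tunnel adapter matches, but under this
    # rule the home wireless adapter breaks the match.
    "home_vpn": [
        Connection("Wireless Network Connection", True, "home.lan"),
        Connection("Cisco Systems VPN Adapter", True, DOMAIN),
    ],
    # Same laptop after the home connection's suffix was set by hand to the
    # corporate domain name (Jeff's "trick" in the earlier thread).
    "home_vpn_suffix_trick": [
        Connection("Wireless Network Connection", True, DOMAIN),
        Connection("Cisco Systems VPN Adapter", True, DOMAIN),
    ],
    # Early in boot, before DHCP has supplied a suffix: one plausible reading
    # of Joe's "GPO applied but firewall still on" report.
    "boot_before_dhcp": [Connection("Local Area Connection", True, "")],
    # Disconnected adapters are ignored entirely.
    "unplugged": [Connection("Local Area Connection", False, DOMAIN)],
}


def evaluate_all(scenarios=SCENARIOS, domain=DOMAIN):
    """Map each scenario name to the profile the firewall would enforce."""
    return {name: active_profile(conns, domain)[0]
            for name, conns in scenarios.items()}


if __name__ == "__main__":
    for name, conns in SCENARIOS.items():
        profile, reason = active_profile(conns, DOMAIN)
        print(f"{name:24s} -> {profile}" + (f" ({reason})" if reason else ""))
```

The reason string is the useful part when troubleshooting: it names the one connection to inspect with ipconfig /all, which is the same thing "netsh firewall show state" cannot tell you when it only reports that the standard profile is active.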
[ActiveDir] [OT] IT Trends Survey ($10 Amazon.com gift certificate)
I know this is off topic but many of you probably get these emails as well. I spent about 15 minutes filling out many pages of questions and only at the end did it tell me they already had enough data for our industry (so I didn't get the promised Amazon gift certificate). I wouldn't have minded if it told me on the first or second page that I "didn't qualify" - this was definitely not the case. If you get surveys from these guys my recommendation is don't waste your time.

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 26, 2005 12:24 AM
To: [EMAIL PROTECTED]
Subject: IT Trends Survey ($10 Amazon.com gift certificate)

Dear Professional:

We have a new survey opportunity for you!

***What's this survey about?***
We are interested in learning more about the technology trends and strategies of companies like yours. We need your valuable opinions!

***How much time will it take?***
On average, this survey will take between 15 and 30 minutes.

***How do I get there?***
Simply click on the Web address shown below (or copy the address into your browser) to be connected directly to the survey.
http://srv2.survey.com/survey/survey/svy05004?list=1&pin=W6YH49U

***What do I get in return?***
If you qualify and complete the survey, you will receive a $10 Amazon.com gift certificate!

Thank you for your participation, we value your opinions. Enjoy the survey!

Copyright (c) 2005 Survey.com. All rights reserved.
[ActiveDir] Rogue Folder - Can't Take Ownership
I have a folder on a Windows 2000 member server that I can't take ownership of. I am using an account that is a member of the Domain Administrators, and the Domain Administrators is a member of the local Administrators group. The folder is buried deep in the All Users profile and was created by Symantec Anti-Virus 7.5 to hold quarantined items. I took ownership of the parent folder and told Windows to replace the owner on all subfolders and files, but it just says "Access is Denied" when it gets to the Quarantine folder. I tried the command line tools xcacls and cacls with no luck. Does anyone know of a better tool or something that I missed?

Thanks for your help!

Jeff
RE: [ActiveDir] Group Policy Not working
A couple thoughts for you:

- It looks like the .vbs extension is associated with notepad or another editor on the computer you tested, which is why it opened for viewing or editing. Your logon script should be set up to call the Windows Scripting Host explicitly with the path to the script file. For example "cscript.exe c:\scripts\map-printer.vbs".

- I vaguely remember having problems a few years ago when I started creating logon scripts when trying to map drives or printers (can't recall which). These were all fixed by installing the latest version of the Windows Scripting Host. You can download WSH 5.6 here: http://msdn.microsoft.com/library/default.asp?url=

- In your script you might want to create a text log file that records the results of each action. If the log file isn't present, you will know the script didn't even run. If it is present, it should have the information you need to do further debugging.

Jeff

From: Christine Allen [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 28, 2005 9:49 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Group Policy Not working

The script runs in the background and I do not see it run. I copied the VBS script to the local computer and when I try to run it, it opens the script to view the language; it does not run. Nothing in event view, which I find weird. When I run the gpresult /user, I do see the gpo listed in there. What locally could be preventing the script from running?

Thanks for your help!

-----Original Message-----
From: Peter Jessop [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 28, 2005 12:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Group Policy Not working

Does the script not run or does it run but not properly?
Are there any clues in the event log?
Can you run the script manually from the workstation?
Are they receiving the GP over a WAN?
RE: [ActiveDir] deny internet
Tom -

We use IPSec within Group Policies to do this. Here are some resources you might want to look over to learn more:

http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp
http://www.analogx.com/contents/articles/ipsec.htm
http://www.hernanracciatti.com.ar/ipfront/about.htm

If you can spend some time reading up about IPSec policies I think you will see they can do exactly what you want, and you don't even need to buy a Proxy Server (although you might want one anyway for other reasons).

Good luck!

Jeff

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 08, 2005 7:22 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] deny internet

hi all.
If I want to deny a user internet access but allow everything else, is this possible via GPO? On win2k and winXP? Also to include other browsers besides IE. A firewall solution is not possible right now and the clients are DHCP so Cisco ACLs won't always work. Can I GPO this or is it easier to give the client a static IP and ACL it on the router?
thanks
RE: [ActiveDir] Website Restriction through group policy
Another option would be to create an IPSec policy that restricts that machine from accessing IP addresses outside of the local subnet except for the IP addresses of the two web domains you want to permit. You can apply this IPSec policy locally on one or more machines, or you can use Group Policy to apply it to machines within an OU. This works well as long as you can easily determine the IP addresses associated with the domains.

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, February 21, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Website Restriction through group policy

Hi,

The easiest way to do it is to get a test machine and manually configure IE the way you want (setting up zones etc). Then create a test policy, go to IE maintenance and import your settings. I have never tried exactly what you want to do, but it should work, although you would want to test it all to make sure.

Your other option is to manually work out exactly what registry keys are required and then build an ADM Template to do it. It's a bit harder, but you will have a better understanding of exactly what is going on.

Alan Cuthbertson

Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

----- Original Message -----
From: "Umer Y." <[EMAIL PROTECTED]>
To:
Sent: Tuesday, February 22, 2005 6:47 AM
Subject: [ActiveDir] Website Restriction through group policy

> Hello,
>
> I want to restrict a computer from accessing any website other than two web domains of my choice.
>
> Is there a way to accomplish that with Group Policy?
>
> Thanks!
>
> ... you don't know what you've got 'till it's gone..
> - Joni Mitchell
RE: [ActiveDir] Using GPO to install an MSI package
There should be one more requirement:

4. The vendor promptly tests all service packs and security updates, publishes the results of their testing plus any end user feedback on their web site, and aggressively pursues correction of any incompatibilities discovered by themselves or their customers.

These vendors should have a designation such as "Microsoft Security Partner", which folks involved in purchasing solutions could point out as a key requirement in any future solutions.

Jeff

From: Crawford, Scott [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 15, 2005 1:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using GPO to install an MSI package

Envision my utopia – all apps, in order to get a “Designed for XP” logo need to meet some requirements:

1. Come with an MSI installer or have one that’s easily extractable from an EXE.
2. Come with an .ADM file for configuring options.
3. Run under a non-privileged user account.

How nice would that be? Think about it, you spent several hours preparing your package, and tracking down the required permissions. Multiply that by all the admins that would like to run in a secure environment and multiply that by all the apps that need special perms to run. Add to that all the time spent making MSI’s of legacy installs. Then you’ll get some idea of the YEARS of man hours wasted trying to make things manageable in a secure enterprise environment. Compare this to the comparatively minuscule amount of additional time needed to build things right. It would take relatively no time for developers to issue their installs as MSI’s in addition to EXEs. It might take a bit of time to create an ADM file, but still relatively little since they have intimate knowledge of the app and where it reads settings from. The biggest issue would be redesigning their apps to work as non-privileged users, but even that could be mitigated if they would at least publish a list of special perms needed or at the very least, every file and registry entry that’s part of their app so that we could give full control to Users over those objects.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
Sent: Tuesday, February 15, 2005 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Using GPO to install an MSI package

I really appreciate everyone's input on my situation. I did get it to work, in short, because of everyone's help here. Thanks!

Here's what I did: I contacted Intuit (maker of Quickbooks) and wasted 55 minutes on hold and another 10 minutes on hold after a rep answered the call only to find out absolutely nothing other than what a waste it is to have a "support" contract with Intuit. Apparently the employees in product development are too busy improperly coding new programs to talk to those who actually [try to] use their stuff.

I determined that I needed to find out if the program explicitly looks for the user to be a local PU or Admin, since, if it did, as someone pointed out, we'd be SOL. I created a test OU, created a test GPO and applied it to that OU. I created a test group and a test user and put him in the group, and added the user (and test machine) to that OU. I then gave the test group full permissions to the C:\ drive (FS) and \\classes_root \\machine \\user (registry) and logged in as the test user on the test box to see if it could run under the non-PU and non-Admin context. It worked. Now that that was known, it was time to filter down. I removed the permissions for C:\ (FS), \\machine and \\user and tried again - it still worked, so now I have to figure out which keys were being written to in classes_root, so I ran regmon and after an hour of trying to decipher what it used and what it didn't, and making a long list in the test GPO permissions, I got it to work. I think it took longer to enter the registry keys in the GPO than it did to find out what was needed as far as permissions go (sigh).

Did I mention how much I hate Intuit products?

----- Original Message -----
From: Jason B
To: ActiveDir@mail.activedir.org
Sent: Tuesday, February 15, 2005 8:44 AM
Subject: [ActiveDir] Using GPO to install an MSI package

Okay, our environment is that all our clients are running Windows XP SP2, and our servers are Windows 2003. The situation is that our Accounting department uses Quickbooks, and about 70 of our employees need to use an application that comes with Quickbooks called "QB Timer". It's free for use for our employees and it integrates with Quickbooks without requiring a Quickbooks install
RE: [ActiveDir] Display Computer Name on Desktop
We use BgInfo from the Sysinternals web site (http://www.sysinternals.com/ntw2k/freeware/bginfo.shtml). Before we were on AD, we used SMS to add a shortcut to the All Users profile Startup folder that launched BgInfo during each logon. We haven't looked to see if there is any way to leverage Group Policy for this, but you could certainly use logon scripts. If you do this, make sure you look at the folder permissions where you store the background image - if regular users don't have write rights to the folder then it can't update when they logon.

Jeff

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation Information Services
310 604-2061
310 604-2022 fax
www.belkin.com

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Friday, February 11, 2005 10:41 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: [ActiveDir] Display Computer Name on Desktop

I have a question, is there a way to display the computer name on the desktop either through a login script or via GPO?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] worm (very very OT)
Ms. Cube -

I recommend that you configure the firewall to only allow traffic on port 25 to/from the IP address of your email gateway (or individual email servers, depending on your config). On our Cisco PIX firewall we can have violations of the access list as Syslog events and collect them on the Syslog Server (we use Kiwi). This would give you another place to look in hunting down infected machines.

Jeff

-----Original Message-----
From: rubix cube [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 28, 2004 9:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] worm (very very OT)

thank u J

Well we have 50+ switches currently and I can't monitor VLANs because we have 15+ VLANs. What I am doing currently is blocking all traffic at the firewalls (hardware and software) except for the required ports (25 for mail, 80 for http, 1429 for MSN Messenger, ports for Real Player etc..) so I have no worries about traffic using port 1. The problem I face is when a worm has its own SMTP engine and so it's "legally" sending emails at port 25 from the client's machine internally and externally and spoofing addresses.

The MAC resolution is no worry, the sniffer actually shows me the IPs which I can look up in the DHCP, and yet if I have only MAC like u said I can connect to the switch and look it up in the switch MAC address table.

thanks
Ms. cube

On Tue, 28 Dec 2004 07:48:59 -0500, Jason Hicks <[EMAIL PROTECTED]> wrote:
> Mr. Cube,
>
> That depends. If you have a single switch, just sniff the network and as someone suggested, check the MAC address of anything attempting to hit port 1 on your own interface (assuming that the worm is continually re-scanning its local subnet - if not, and it's just counting up from 1.0.0.1 to 255.255.255.254 - you'll want to mirror the port going towards your gateway). If the switch is managed, you can telnet or use the wbem interface to check the layer 2 forwarding database for that MAC. It will tell you which port the offending PC is attached to.
>
> Now, if you have multiple switches, this is not a very scalable troubleshooting method...
>
> If you can define ACL's on your switches, you could block port 1 traffic and log the offending packets.
>
> Regards,
> J
>
> >Date: Sun, 26 Dec 2004 09:06:53 +0300
> >From: rubix cube <[EMAIL PROTECTED]>
> >Subject: Re: [ActiveDir] worm (very very OT)
> >Reply-To: ActiveDir@mail.activedir.org
> >do I need to mirror a specific port? Which one?
> >Why can't I connect to any available port on that switch and sniff the network?
> >thanks
> >rubix
>
> --
> Jason Hicks
> Senior Network Architect
> National Fuel - Buffalo, NY

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
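As an added example (not code from the thread, from Cisco or from Kiwi), the Python below shows the kind of check Jeff describes: it reads PIX ACL-deny syslog lines, keeps only denied outbound TCP/25, leaves out the permitted mail gateway, and ranks internal hosts by how many distinct mail servers they were refused, which is the pattern of a worm running its own SMTP engine. The log lines, addresses, ACL name and gateway address are all constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog (hosts, addresses and ACL name are made up) in the
# shape of the PIX 106023 "Deny ... by access-group" message that an ACL hit
# produces. The intended ACL on the PIX permits TCP/25 only from the mail
# gateway (10.20.1.5 here) and denies TCP/25 from every other inside host.
SAMPLE_SYSLOG = """\
Dec 28 09:51:02 fw1 %PIX-4-106023: Deny tcp src inside:10.20.5.77/3312 dst outside:203.0.113.9/25 by access-group "acl_inside"
Dec 28 09:51:02 fw1 %PIX-4-106023: Deny tcp src inside:10.20.5.77/3313 dst outside:198.51.100.44/25 by access-group "acl_inside"
Dec 28 09:51:03 fw1 %PIX-4-106023: Deny tcp src inside:10.20.5.77/3314 dst outside:192.0.2.120/25 by access-group "acl_inside"
Dec 28 09:51:05 fw1 %PIX-4-106023: Deny tcp src inside:10.20.9.14/1077 dst outside:203.0.113.9/25 by access-group "acl_inside"
Dec 28 09:51:06 fw1 %PIX-4-106023: Deny udp src inside:10.20.5.77/1025 dst outside:192.0.2.1/53 by access-group "acl_inside"
Dec 28 09:51:07 fw1 %PIX-6-305011: Built dynamic TCP translation from inside:10.20.1.5/2048 to outside:198.51.100.2/2048
"""

DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_deny(line):
    """Return the fields of a 106023 ACL-deny line, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"].lower(), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def smtp_offenders(lines, mail_gateways):
    """Inside hosts, other than the mail gateways, denied outbound TCP/25.

    Returns [(src_ip, distinct_destinations, attempts)] ordered so the host
    that tried the most distinct mail servers comes first. The next step for
    the admin is to look each src_ip up in the DHCP leases, as in the thread.
    """
    attempts = Counter()
    targets = defaultdict(set)
    for line in lines:
        ev = parse_deny(line)
        if ev is None or ev["proto"] != "tcp" or ev["dport"] != 25:
            continue
        if ev["src"] in mail_gateways:
            # The gateway is supposed to be permitted; a deny for it points
            # at an ACL mistake, not at an infected workstation.
            continue
        attempts[ev["src"]] += 1
        targets[ev["src"]].add(ev["dst"])
    report = [(src, len(targets[src]), n) for src, n in attempts.items()]
    return sorted(report, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for src, dsts, n in smtp_offenders(SAMPLE_SYSLOG.splitlines(), {"10.20.1.5"}):
        print(f"{src}: {n} denied SMTP attempts to {dsts} distinct mail servers")
```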
RE: [ActiveDir] Unusual network traffic to DC's
I believe you are seeing the link speed detection traffic. Check out KB article 227260 (http://support.microsoft.com/?id=227260).

Jeff

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation Information Services
310 604-2061
310 604-2022 fax
www.belkin.com

-----Original Message-----
From: Jacob Walker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 07, 2004 1:13 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Unusual network traffic to DC's

One of the networking professionals within our company says he is seeing hundreds of gigs of ping network traffic every day to and from the domain controller. Why would we see all of this ping traffic to and from the DC's? Any ideas?
RE: [ActiveDir] OU and Policies
I use Site GPOs extensively to have Site-specific logon scripts run. I just double-checked, and the logon/logoff script settings are definitely in the User portion of the GPO. If I remember correctly, the computer determines what site it is in during GPO processing, and applies any associated Site GPO objects. This includes both parts of Site GPOs. In our case the logon script associated with the Site is launched from the User portion of the GPO, and maps the drives appropriate for that site. User settings in Domain or OU policies will be applied after settings from the Site GPO, so they may override whatever User or Computer settings you are trying to apply in the Site GPO (Local->Site->Domain->OU...).

Jeff

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation Information Services
www.belkin.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, November 12, 2004 2:11 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OU and Policies

Thanks for pointing out my boneheadedness - site policies will apply on the computer but do not apply to the user because, obviously, a user will never be part of an IP subnet. The site policies would work well for applying laptop settings for travelling laptops, not for setting user settings for multiple machines. Sorry for any confusion I caused during my caffeine lacking state this morning.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/13/2004 08:58 AM ZE11
Please respond to ActiveDir
To: <[EMAIL PROTECTED]>
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] OU and Policies

Mario,

I think you have got it now...

The OU that the USER belongs to should contain the policies you normally want.

The OU the Citrix server belongs to should contain the Loopback option enabled. It should also contain the User policies that you want the user to get when they log on to Citrix.

If you set Loopback processing to REPLACE, then the User will ONLY get the settings defined in the Citrix OU.

If you set Loopback processing to MERGE, then the User will get their normal settings, followed by those in the Citrix OU. I normally prefer MERGE since you don't have to create your common policies twice.

The blocking of policies confuses the situation and just

Note: I think James is mistaken about Site Policies. My understanding is that all that site policies do is add another set of policies that the machines receive. It does not affect the user settings. Admittedly, if Loopback processing is enabled, the user will get the User component of the policies held in the CITRIX OU policy plus the User policies held in the site policy.

Can I just put in a plug for our free Policy Log Reporter. It makes it very easy to see exactly what is happening on the machine when policies were applied, i.e. what OU's and sites were checked, what policies were found, what were rejected because of security, what was rejected because of blocking, what was used because of loopback etc. Of course all the information is in the UserENV log, but you have to be someone like Darren to understand it!

http://www.sysprosoft.com/index.php?ref=activedir2&f=policyreporter.shtml

Alan Cuthbertson

Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir2&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir2&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir2&f=policyreporter
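As an added illustration (not code from the thread or from any Microsoft tool), the Python model below applies the User part of each GPO in the Local -> Site -> Domain -> OU order Jeff describes, so a later GPO wins on a conflicting setting, and then shows what a user ends up with on an ordinary logon, on the Citrix server with loopback REPLACE, and with loopback MERGE. The GPO names, drive paths and settings are constructed, and enforcement, blocking and security filtering are left out of the model.

```python
# A GPO is (link name, {"user": {...}, "computer": {...}}). Each chain lists
# the GPOs that apply to one location in AD in processing order, so a setting
# from a later GPO overrides the same setting from an earlier one.

def apply_part(gpos, part):
    """Apply one part (user/computer) of each GPO in order.

    Returns (settings, source) where source records which GPO won each key."""
    settings, source = {}, {}
    for name, gpo in gpos:
        for key, value in gpo.get(part, {}).items():
            settings[key] = value
            source[key] = name
    return settings, source


def effective_user_settings(user_gpos, computer_gpos, loopback=None):
    """user_gpos: GPO chain for the user's own location (site, domain, OU).
    computer_gpos: the chain for the computer being logged on to.
    loopback: None (no loopback on the computer's OU), "merge" or "replace"."""
    if loopback == "replace":
        # Only the User parts of the computer's chain apply; the user's own
        # OU settings are ignored entirely.
        return apply_part(computer_gpos, "user")
    settings, source = apply_part(user_gpos, "user")
    if loopback == "merge":
        # Normal settings first, then the computer's chain applied on top,
        # so the Citrix OU wins any conflict but non-conflicting user
        # settings survive.
        extra, extra_source = apply_part(computer_gpos, "user")
        settings.update(extra)
        source.update(extra_source)
    return settings, source


# Constructed GPOs: names, paths and setting names are made up for this example.
LOCAL = ("Local", {})
SITE_LA = ("Site-LA", {"user": {"drive_H": r"\\la-fs\home"},
                       "computer": {"site_script": "la-logon.vbs"}})
DOMAIN = ("Domain", {"user": {"wallpaper": "corp.bmp",
                               "ie_home": "http://intranet.example"}})
USERS_OU = ("Users OU", {"user": {"wallpaper": "team.bmp",
                                   "drive_P": r"\\ou-fs\projects"}})
CITRIX_OU = ("Citrix OU", {"user": {"wallpaper": "none",
                                     "remove_run_menu": True}})

USER_CHAIN = [LOCAL, SITE_LA, DOMAIN, USERS_OU]      # where the user object lives
CITRIX_CHAIN = [LOCAL, SITE_LA, DOMAIN, CITRIX_OU]   # where the Citrix server lives


def demo():
    """Effective User settings for the three cases discussed in the thread."""
    return {
        "no_loopback": effective_user_settings(USER_CHAIN, CITRIX_CHAIN)[0],
        "citrix_replace": effective_user_settings(USER_CHAIN, CITRIX_CHAIN, "replace")[0],
        "citrix_merge": effective_user_settings(USER_CHAIN, CITRIX_CHAIN, "merge")[0],
    }


if __name__ == "__main__":
    for case, settings in demo().items():
        print(case, settings)
```

Without loopback the Citrix OU's User settings never reach the user at all; REPLACE drops the user's own OU settings (drive_P); MERGE keeps them and lets the Citrix OU override the wallpaper.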
RE: [ActiveDir] OT: SQL Licensing question
My bad. Michael is correct. From the SQL Server 2000 Licensing FAQ (http://www.microsoft.com/sql/howtobuy/faq.asp):

Q. Do you still offer per-server (concurrency) CALs?
A. No. SQL Server 2000 is only available by means of a Server plus device CAL, Server plus user CAL, or a Processor license.

I could swear it still asks you during installation if you want to go with per-server or per-seat licensing, but my memory is obviously not working too good and I am probably thinking of the server operating system installation options. I just ran a test install to see what the real story is. The licensing options presented are in fact either Per-Seat or Per-Processor. Under Per-Seat, it says "Each device that accesses Microsoft SQL Server 2000 requires a separate CAL", and at the bottom of the screen you are asked to specify how many devices will connect.

Sorry for the misinformation!

Jeff

-----Original Message-----
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 24, 2004 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: SQL Licensing question

I think that per-server licensing mode is gone.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Salisbury
Sent: Tuesday, August 24, 2004 2:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: SQL Licensing question

That would allow up to 50 users to connect at any given time assuming that:
- You assign those 50 user CALs to the server
- You selected the per-Server license mode during the installation and specified 50 connections

If you get a second server, you would need to purchase more CALs or remove some from the original server.

Jeff

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 24, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: SQL Licensing question

So if I had a SQL Server, just one, and had 50 USER CALs with 200 users but no more than 25 or 30 of the 200 users would be accessing the server at any given time, then this would be okay?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Salisbury
Sent: Tuesday, August 24, 2004 1:43 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: SQL Licensing question

Just the opposite is true! Per-Server licensing would be where you tie a certain number of CALs to the server and that many users/devices can connect to just that server at any given time. These CALs cannot be assigned to any other SQL server while they are tied to the original SQL server. In Per-Seat licensing, you tie the CALs to specific users or devices which can then access any SQL server. As many users/devices as have CALs can access a given server concurrently. The last option is to buy per-processor licenses, which allows an unlimited number of users (who don't need CALs) to access the SQL server. You probably want to read the SQL Server 2000 Pricing and Licensing White Paper here, and think about whether you want to buy Device CALs or User CALs: http://www.microsoft.com/sql/howtobuy/sqlserverlicensing.asp.

Jeff

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation Information Services
310 604-2061
310 604-2022 fax
www.belkin.com

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 24, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: SQL Licensing question

I just have a quick licensing question for SQL, SQL's per seat licensing is for concurrent connection right?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] OT: SQL Licensing question
That would allow up to 50 users to connect at any given time assuming that: - You assign those 50 user CALs to the server - You selected the per-Server license mode during the installation and specified 50 connections If you get a second server, you would need to purchase more CALs or remove some from the original server. Jeff -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 24, 2004 10:52 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: SQL Licensing question So if I had a SQL Server, just one, and had 50 USER Cals with 200 users but no more then 25 or 30 of the 200 users would be accessing the server at any given time, then this would okay? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Salisbury Sent: Tuesday, August 24, 2004 1:43 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: SQL Licensing question Just the opposite is true! Per-Server licensing would be where you tie a certain number of CALs to the server and that many users/devices can connect to just that server at any given time. These CALs cannot be assigned to any other SQL server while they are tied to the original SQL server. In Per-Seat licensing, you tie the CALs to specific users or devices which can then access any SQL server. As many users/devices as have CALs can access a given server concurrently. The last option is to buy per-processor licenses, which allows an unlimited number of users (who don't need CALs) to access the SQL server. You probably want to read the SQL Server 2000 Pricing and Licensing White Paper here, and think about whether you want to by Device CALs or User CALs: http://www.microsoft.com/sql/howtobuy/sqlserverlicensing.asp. Jeff Jeff Salisbury Network Infrastructure and Security Manager Belkin Corporation Information Services 310 604-2061 310 604-2022 fax www.belkin.com -Original Message- From: Salandra, Justin A. 
[mailto:[EMAIL PROTECTED] Sent: Tuesday, August 24, 2004 10:31 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] OT: SQL Licensing question I just have a quick licensing question for SQL, SQL's per seat licensing is for concurrent connection right? Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] Confidential This e-mail and any files transmitted with it are the property of Belkin Corporation and/or its affiliates, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipients or otherwise have reason to believe that you have received this e-mail in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows XP Drive Mapping

We had similar problems some time ago when developing our logon scripts, which are VBScripts. I ended up having the code that establishes the mapping try three times before it gives up. I'm guessing it is a timing issue that has a faster response when you immediately follow up a failure with another attempt. Since we did this, I haven't heard of any problems. This would be harder to do, but certainly possible, in a batch file.

Jeff

-Original Message-
From: Caple, Andrew [mailto:[EMAIL PROTECTED]
Sent: Monday, July 05, 2004 11:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows XP Drive Mapping

It's good to know that I'm not the only one having this issue ---

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Tuesday, July 06, 2004 7:01 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Windows XP Drive Mapping

Hi Dan,

I have a script that is in use. However, it seems that it is not executing properly. The script maps a few shared drives and synchronizes the desktop PC time to the server.

net use Y: \\servername\sharename /persistent /y
net use Z: \\servername\sharename /persistent /y

When the user logs on, the script runs, but there are no mapped drives. The drives are shared, and proper permissions have been delegated. This is a problem on Windows 2003 server. When the same script is run on my production environment, being a Windows 2000 platform, the drives are mapped and no problems occur.

Cheers,
George

-Original Message-
From: Dan Boghici <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Mon, 05 Jul 2004 19:00:35 +0300
Subject: Re: [ActiveDir] Windows XP Drive Mapping

There are many ways to solve that.
The easiest way is to write a .bat
"net use X: \\computername\sharename"
Put the .bat file in the share of your active directory server (DC) \sysvol\scripts
after that into the profile of each user you want to map that drive at the "Logon script" just type the name of your script
If it's not working send me a reply and i will try to figure that out.

Caple, Andrew wrote:

Good evening everyone,

I was hoping that someone out there might be able to help me - because this is doing my head in. I'm having some problems with a couple of users that have static drive mappings in Windows XP Pro. I'll try and explain what's happening.

When the user logs onto the computer the login script automatically maps all the common drives that the department will need, however some users need other drives mapped. These have been mapped via Windows Explorer (Tools > Map Network Drive). When the user makes the initial connection everything is fine, they can see the drive and use it. However, if the user shuts the computer down and restarts, the drives are no longer visible via Windows Explorer! I tried to disconnect the drive via Windows Explorer (Tools > Disconnect Network Drive), however it says that it's connected; if I open up a command prompt and do a "NET USE", it displays the drive as "Unavailable". The user in question has a shortcut on her desktop to an exe on the "missing" drive - if she double clicks on the shortcut and opens the program, magic, the drive is now visible in Explorer.

I think in Windows 2000 there's a similar problem, however the drive has a red "x" next to it.

Has anyone else had this problem? Does anyone know of a fix?

Thanks in advance for your help ... in the mean time I'll be rocking backwards and forwards under my desk.

Thanks everyone,
Andrew Caple

Andrew Caple
Infrastructure Engineer
Phone: +61 3 9861 5425
Facsimile : +61 3 9861 5510
[EMAIL PROTECTED]
105 Camberwell Road, Hawthorn East, Vic 3123

--
Dan Boghici
Jr SysAdmin
NOBEL Romania
tel: +40 21 211.01.85
fax: +40 21 211.04.85
cell: +40 745.303.939
http://www.nobel.ro

This e-mail and attachments, if any, may contain confidential and/or proprietary information. Please be advised that the unauthorized use or disclosure of the information is strictly prohibited. The information herein is intended only for use by the intended recipient(s) named above. If you have received this transmission in error, please notify the sender immediately and per
RE: [ActiveDir] Setting account expiration time date the script

Tomasz -

I believe that you will see a difference between what date you see programmatically and what date you see in the GUI. If I remember correctly, if the GUI says an account expires on June 18th, using scripts to pull the expiration date you will actually get a date/time of 2400 (midnight) on June 17th. Assuming this is true, you just need to adjust your code to account for the difference.

Jeff

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation Information Services
310 604-2061
310 604-2022 fax
www.belkin.com

-Original Message-
From: Tomasz Onyszko [mailto:[EMAIL PROTECTED]
Sent: Monday, June 21, 2004 10:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Setting account expiration time date the script

I have a Windows 2000 AD domain and for user account creation I'm using my own script creating users with ADSI. This script is working OK but I have a problem with setting the user account expiration date with it. Below is a fragment of my code:

Set usr = UserOU.Create("user", "CN=" & strLogonName)
With usr
    (...)
    .AccountExpirationDate = strExDate
    .SetInfo
    (...)
End With

where strExDate is a date string in the following format: mm/dd/. As you can see I use the AccountExpirationDate function to set this date. This works almost correctly - the problem is that the date set in the directory is different (earlier) than the one given as the function argument. For example, when I put 7/31/2004 the date in the account attribute is 7/30/2004 (this is just an example). Does anyone know this problem and a solution?? :) I know that I can put the value directly in the user attribute but I want to avoid calculating the value to put in this attribute - or maybe someone has code for calculating the value to put in the account expiration date property for a given date?

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl
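As an added illustration of the one-day offset discussed in this thread (my own Python example, not code from the thread, which uses VBScript/ADSI): accountExpires is stored as a count of 100-nanosecond intervals since 1601-01-01 00:00 UTC, and the functions below convert a date string to that raw value and back. Assumptions, labelled in the code: a fixed UTC offset stands in for the workstation's local time zone, and the GUI labels the stored midnight instant as the "End of" the preceding calendar day.

```python
"""Convert between calendar dates and the raw AD accountExpires value.

accountExpires is a 64-bit count of 100-nanosecond intervals since
1601-01-01 00:00 UTC.  Setting an expiration "date" stores midnight at the
start of that day, which the GUI then presents as the end of the previous
day: that is the one-day gap discussed in the thread.
"""
from datetime import date, datetime, timedelta, timezone
from typing import Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # one tick = 100 ns
# Both stored values mean "account never expires".
NEVER_EXPIRES_VALUES = (0, 0x7FFF_FFFF_FFFF_FFFF)


def _local_zone(utc_offset_hours: float) -> timezone:
    # Assumption: a fixed offset stands in for the workstation's local zone.
    return timezone(timedelta(hours=utc_offset_hours))


def account_expires_from_date(expiry_day: str, utc_offset_hours: float = 0) -> int:
    """accountExpires value for local midnight at the START of expiry_day.

    expiry_day is an ISO date string such as "2004-07-31".
    """
    day = date.fromisoformat(expiry_day)
    midnight_local = datetime(day.year, day.month, day.day,
                              tzinfo=_local_zone(utc_offset_hours))
    delta = midnight_local.astimezone(timezone.utc) - EPOCH_1601
    whole_seconds = delta.days * 86_400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def datetime_from_account_expires(value: int,
                                  utc_offset_hours: float = 0) -> Optional[datetime]:
    """Stored instant as a local datetime, or None for 'never expires'."""
    if value in NEVER_EXPIRES_VALUES:
        return None
    seconds, ticks = divmod(value, TICKS_PER_SECOND)
    instant = EPOCH_1601 + timedelta(seconds=seconds, microseconds=ticks // 10)
    return instant.astimezone(_local_zone(utc_offset_hours))


def gui_end_of_day(value: int, utc_offset_hours: float = 0) -> Optional[date]:
    """Calendar day the GUI labels "End of" for a stored value.

    Assumption: the GUI shows the day that ends at the stored local instant,
    so a value at local midnight is displayed as the end of the previous day.
    """
    instant = datetime_from_account_expires(value, utc_offset_hours)
    if instant is None:
        return None
    # One microsecond before the stored instant lies inside the day that ends there.
    return (instant - timedelta(microseconds=1)).date()


if __name__ == "__main__":
    raw = account_expires_from_date("2004-07-31")
    print("stored accountExpires:", raw)
    print("stored instant       :", datetime_from_account_expires(raw))
    print("GUI shows 'End of'   :", gui_end_of_day(raw))
```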
RE: [ActiveDir] Group Policy at the Site Level With Remote VPN Users - Wrong Site Applied

Thanks Steve! That comes closer than anything I have seen and I did not find the article in previous searches. Some things are still amiss:
- The article was reviewed in November 2003 and only shows as being applicable to Windows 2000, but we are seeing the problems on XP clients
- If the first ping with a zero byte payload is successful, the rest of the checks are skipped. This caused some confusion during analysis since test machines in the office were not experiencing the same problems (their first ping was less than 10 ms).
- We didn't see any 4,096 ping packets being generated. Perhaps this doesn't apply to XP or the ping failures were disrupting the planned routine.
- It doesn't describe the weird Site GPO processing that we observed.
Hopefully Microsoft will update the article in the future to expand on the behavior and make it applicable to XP clients.

For those with Cisco VPN Concentrators - on our VPN 3000 series concentrator we found the setting here:
Configuration->Policy Management->Traffic Management->Filters->Private
Select Modify Filter and make sure that the Fragments (i.e. - allow fragmented packets) option is enabled. It was not on our Concentrator. I cannot confirm that the default is not-enabled since the box has been in production use for over 4 years now and someone could have modified it. The Public filter has the same options, but it already had Fragments enabled.

Jeff

-Original Message-
From: Steve Patrick [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 30, 2004 11:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Group Policy at the Site Level With Remote VPN Users - Wrong Site Applied

See http://support.microsoft.com/?id=816045

- Original Message -
From: Jeff Salisbury
To: '[EMAIL PROTECTED]'
Sent: Wednesday, June 02, 2004 10:32 PM
Subject: RE: [ActiveDir] Group Policy at the Site Level With Remote VPN Users - Wrong Site Applied

Darren -

Thanks very much for your suggestion. It didn't solve the issue, but it did provide some keywords that helped in further Google searches. Part of the cause ended up being discarding of large ICMP packets by our Cisco VPN Concentrator. In preparation for processing Group Policy, workstations send a series of ping packets to a domain controller that have payloads of both 0 and 2048 bytes. The 0 byte packets got through fine, but the 2048 byte packets got dropped because they are larger than the MTU and are thus fragmented. These pings are used to determine if you have a slow link or fast link. Enabling fragmented packets to pass the VPN Concentrator did the trick, and now Site GPs are being applied along with other GPs.

I still have no clue why the GP processing ended up pulling the logon script from a different site. My suspicion is that the slow link processing code doesn't know how to cleanly deal with failed responses from only some of the ping packets. Whoever coded this section may have assumed that either all would succeed and return a response time value or none would succeed. This is only speculation because the Userenv.log file didn't reflect any processing of group policy even though it clearly had occurred.

When I have a few minutes I plan on submitting a detailed write-up to MyITForum so that others will hopefully benefit from our research. Even knowing most of the answers I couldn't find anything covering this situation in the KB articles.

Thanks again!

Jeff

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 30, 2004 9:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy at the Site Level With Remote VPN Users - Wrong Site Applied

Jeff-
It's hard to say what is going on here. Group Policy uses whatever site information is cached on the workstation to determine which site-linked GPOs to process. In other words, the issue is that when this machine connects to the corp. network, it is not following the normal site affinity process to locate a DC to authenticate with. Given the random nature of what you're seeing, I suspect this means that the workstation's subnet is not being correctly associated with a site, and so it's querying any available DC. I would check the registry under HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DynamicSiteName to see what site is being cached there after you VPN into the network. This could be a timing issue where the site information is not correctly popula
RE: [ActiveDir] Group Policy at the Site Level With Remote VPN Users - Wrong Site Applied

Darren -

Thanks very much for your suggestion. It didn't solve the issue, but it did provide some keywords that helped in further Google searches. Part of the cause ended up being discarding of large ICMP packets by our Cisco VPN Concentrator. In preparation for processing Group Policy, workstations send a series of ping packets to a domain controller that have payloads of both 0 and 2048 bytes. The 0 byte packets got through fine, but the 2048 byte packets got dropped because they are larger than the MTU and are thus fragmented. These pings are used to determine if you have a slow link or fast link. Enabling fragmented packets to pass the VPN Concentrator did the trick, and now Site GPs are being applied along with other GPs.

I still have no clue why the GP processing ended up pulling the logon script from a different site. My suspicion is that the slow link processing code doesn't know how to cleanly deal with failed responses from only some of the ping packets. Whoever coded this section may have assumed that either all would succeed and return a response time value or none would succeed. This is only speculation because the Userenv.log file didn't reflect any processing of group policy even though it clearly had occurred.

When I have a few minutes I plan on submitting a detailed write-up to MyITForum so that others will hopefully benefit from our research. Even knowing most of the answers I couldn't find anything covering this situation in the KB articles.

Thanks again!

Jeff

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 30, 2004 9:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy at the Site Level With Remote VPN Users - Wrong Site Applied

Jeff-
It's hard to say what is going on here. Group Policy uses whatever site information is cached on the workstation to determine which site-linked GPOs to process. In other words, the issue is that when this machine connects to the corp. network, it is not following the normal site affinity process to locate a DC to authenticate with. Given the random nature of what you're seeing, I suspect this means that the workstation's subnet is not being correctly associated with a site, and so it's querying any available DC. I would check the registry under HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DynamicSiteName to see what site is being cached there after you VPN into the network. This could be a timing issue where the site information is not correctly populated on the workstation by the time the GPO processing cycle kicks off.

http://www.tburke.net/info/regentry/topics/55956.htm

-Original Message-
From: [EMAIL PROTECTED] on behalf of Jeff Salisbury
Sent: Fri 5/28/2004 2:51 PM
To: '[EMAIL PROTECTED]'
Cc:
Subject: [ActiveDir] Group Policy at the Site Level With Remote VPN Users - Wrong Site Applied

We have our logon scripts in GPOs tied to AD Sites in our Win2K domain, with each site having its own GPO that calls a script tailored to the locally available file shares. This has worked exceedingly well, until...

Based on some great input from another list reader we started testing a feature in the Cisco VPN Client that forces a user to log off his/her system as soon as the VPN is established. When the user logs back on to the machine then she/he is authenticating with the domain. We want this functionality so that the cached copy of the user's password is updated if he/she changed it recently, and so that the user's logon script runs to map drives, check A-V signatures, etc.

When I tried this from my home network (192.168.2.0/24) I connected to our corporate network in L.A. (Compton) and my notebook was assigned an IP address from the L.A. facility's internal network (172.16.0.0/21), which is the IP subnet associated with the Compton-Site in AD. After the logoff, I would have expected the Compton-Site logon script to run and map my drives. Instead, Group Policy was applied from a domain controller in Shanghai China (172.16.56.0/22) and my drives were mapped by their logon script to their servers. My colleague had a similar experience, except that he received policy from and was mapped to drives in the Singapore AD Site (172.16.48.0/22).

I ran GPResult to see if I could figure out what was happening:

RSOP results for BELKIN\ on : Logging Mode
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: BELKIN
Domai
[ActiveDir] Group Policy at the Site Level With Remote VPN Users - Wrong Site Applied

We have our logon scripts in GPOs tied to AD Sites in our Win2K domain, with each site having its own GPO that calls a script tailored to the locally available file shares. This has worked exceedingly well, until...

Based on some great input from another list reader we started testing a feature in the Cisco VPN Client that forces a user to log off his/her system as soon as the VPN is established. When the user logs back on to the machine then she/he is authenticating with the domain. We want this functionality so that the cached copy of the user's password is updated if he/she changed it recently, and so that the user's logon script runs to map drives, check A-V signatures, etc.

When I tried this from my home network (192.168.2.0/24) I connected to our corporate network in L.A. (Compton) and my notebook was assigned an IP address from the L.A. facility's internal network (172.16.0.0/21), which is the IP subnet associated with the Compton-Site in AD. After the logoff, I would have expected the Compton-Site logon script to run and map my drives. Instead, Group Policy was applied from a domain controller in Shanghai China (172.16.56.0/22) and my drives were mapped by their logon script to their servers. My colleague had a similar experience, except that he received policy from and was mapped to drives in the Singapore AD Site (172.16.48.0/22).

I ran GPResult to see if I could figure out what was happening:

RSOP results for BELKIN\ on : Logging Mode
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: BELKIN
Domain Type: Windows 2000
Site Name: compton-site <-- This is what I expected
Roaming Profile:
Local Profile: C:\Documents and Settings\
Connected over a slow link?: No

COMPUTER SETTINGS
--
CN=,OU=Notebooks,OU=Compton,OU=US,OU=NA,DC=belkin,DC=com
Last time Group Policy was applied: 5/27/2004 at 9:18:37 PM
Group Policy was applied from: shanghai.belkin.com <-- This DC is in the Shanghai China Site!
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were filtered out
---
Shanghai Site Logon Scripts <- There are no logon scripts tied to the computer
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:

USER SETTINGS
--
CN=,OU=Information Services,OU=Compton,OU=US,OU=NA,DC=belkin,DC=com
Last time Group Policy was applied: 5/27/2004 at 9:20:20 PM
Group Policy was applied from: shanghai.belkin.com <-- This DC is in the Shanghai China Site!
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-
Default Domain Policy
Shanghai Site Logon Scripts <- Here is what mapped the drives to Shanghai servers

The following GPOs were not applied because they were filtered out
---
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:

I looked through Jeremy Moskowitz's great book (Group Policy, Profiles, and Intellimirror) and on his web site (www.gpanswers.com), but I can't find any reference to this mystery. My understanding is that the notebook's IP address would determine what Site's GP is applied. If the internal address assigned by VPN is used, then it should apply the Compton-Site policy. It looks like it DID determine that I was in the Compton site, but went off and pulled/applied GP from a different site. I have verified that the sites in AD have the correct subnets assigned to them, with no overlap.

Has anyone else seen this happen or see what I am missing?

Thanks!

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation Information Services
310 604-2061
310 604-2022 fax
www.belkin.com
RE: [ActiveDir] go to my pc, revisited

There is a pretty good description of their security if you visit www.go2mypc.com and follow the How it Works links to the Security White Paper. The diagram in the PDF shows use of RSA SecureID as an option you could use in conjunction with what is already in place.

We don't allow users to VPN in to the company from their personal computers. If you do support this, then any trojans, viruses, etc. that they have on their personal computers are now on your internal network. One advantage of Go2MyPC is that it acts more like a pcAnywhere session but you aren't putting the remote computer directly onto your internal network. They can still transfer files, good or bad, to their PCs, but chances are they could bring in a floppy or CD and do the same when in the office. Certainly Expertcity's entire reputation (now owned by Citrix) is based on their security model. Whether you choose to trust them or not is a decision you have to make, just as you would if you were outsourcing your VPN infrastructure.

If your office PCs use Windows XP and your users are able to connect by VPN, you could choose to enable Remote Desktop. This allows you to use your PC like you would remotely administer a server with the same RDP client. You don't need to install anything additional to use this capability, but it is disabled by default and you would need to configure the allowed accounts on each PC.

If you must allow connection from non-company PCs, then Go2MyPC might be worth consideration. I would prefer to not allow non-company PCs at all, but you may not have that choice.

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation Information Services
310 604-2061
310 604-2022 fax
www.belkin.com

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 8:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] go to my pc, revisited

1. where? mostly from home, though i'm sure some will from hotels as well.
2. win2k/xp.
3. we have a cisco vpn concentrator
4. there's a desire to have them access their machines without any client software install or config. minimal involvement on their part is the attraction.

thanks

-Original Message-
From: Brent Westmoreland [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] go to my pc, revisited

Couple of questions Tom. Where do the managers want to access their PCs from? What is your operating systems base? Are all of your managers' machines Windows XP? Do you have VPN enabled at your site? Is there a requirement that they be able to access the machines via a web interface?

> From: "Kern, Tom" <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> Date: Tue, 25 May 2004 09:16:30 -0400
> To: <[EMAIL PROTECTED]>
> Subject: [ActiveDir] go to my pc, revisited
>
> i've posted before about this issue. a recap- my cio wants to give himself and
> some managers access to their office pc's via Go To My PC. the attraction is no
> client to install and configure ala vpn or terminal services.
> i'm trying to push remote desktop web services but he's not biting. he feels
> installing IIS and configuring it on the target pc is just as much of a
> headache (i counter that that's why you have a salaried IT staff and that's the
> price you pay for complete control). also, he thinks IIS has had a history of
> vulnerabilities whereas Go To My PC has had none so far and is reliable.
>
> also, on my side, don't i have to then set up Port address translation on my
> firewall/router for this to work? the client would have to connect via ip or i
> have to make a dns entry on my public dns server for everyone who wants to
> connect to their office? i don't see that as a good idea either.
> i guess i'm looking for some more info on go to my pc and how it really works
> and why its a really bad idea (documentation or technical reasons) and why
> jumping thru hoops to get remote desktop web is really worth it in
> comparison (disregarding vpn for the moment).
> and finally, someone has stated on this list that the target pc can only run
> on winxp but i see the activex control download for win2k and nt as well.
>
> Thanks and i apologize for bringing this up again, but i really HATE the idea
> of Go To My Pc and outsourcing my security to some third party. I just need
> some more ammo for my argument.

Sent using the Microsoft Entourage 2004 for Mac Test Drive.
RE: [ActiveDir] VPN users and their AD passwords

Stuart -

Thanks for the info! Do you know if using either or both methods actually update the cached credentials on the user's notebooks? If not we would still be stuck with locked user account problems after the change.

Jeff

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation Information Services
310 604-2061
310 604-2022 fax
www.belkin.com

-Original Message-
From: Fuller, Stuart [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 18, 2004 9:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords

Check out the Cisco documentation on configuring the concentrator to support the NT/AD password expiration feature. We are doing this and it works like a charm and nobody has to hit cancel. Clients with expired passwords get warned at VPN login and given an opportunity to change the password.

See: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800946b9.shtml or search cisco.com for "VPN concentrator password expiration" and take the first result.

MS IAS config for Cisco VPN is documented here - http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml

-Stuart

-Original Message-
From: Ayers, Diane
To: [EMAIL PROTECTED]
Sent: 5/18/2004 5:56 PM
Subject: RE: [ActiveDir] VPN users and their AD passwords

Gee... you give them remote access to the company via the internet from anywhere and they're complaining about having to hit cancel? I would tell them to get over it... :-)

Actually with my client, I can just type in my password in the ctrl-alt-del login box and just ignore the VPN client if I am on the company network. It will authenticate via normal channels. Externally, I can choose to authenticate via the VPN client. Only if you don't let the VPN client initialize fully do you get the big cancel button when you hit ctrl-alt-del. Either hit cancel or wait for the VPN client to initialize before they hit the keyboard.

Diane

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 18, 2004 4:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords

The complaint here from users is that if they ARE on the network, they have to hit cancel on the Cisco VPN client login so they can get to the CTRL-ALT-DEL screen. Is there any workaround for this, or just tell the users to get over it?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ayers, Diane
Sent: Tuesday, May 18, 2004 4:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VPN users and their AD passwords

I'm running v 4.0.3(D) of Cisco VPN client and it is configured as Jeff describes below (logon to VPN before laptop logon). I had my domain password "expire" and IIRC, I was able to change my password at my usual ctrl-alt-del logon after I had done my VPN login. This was after a few adult beverages so I may have been confused... :-)

Diane

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Salisbury
Sent: Tuesday, May 18, 2004 1:21 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords

Russ -

With the newer versions of the Cisco VPN client you can configure the client to allow logon to the network via VPN before you logon to the notebook. When you first start up the system and hit Ctrl-Alt-Del to get the regular logon box, a Cisco VPN connection dialog comes up instead. You use this dialog to connect by VPN first so that you are actually authenticating your account with a domain controller, then you get a logon box again for logging on to the machine. This keeps the cached account information and the domain account information in synch.

If users change their password while connected by VPN, the cached credentials on the notebook are not updated. If they restart the notebook, they have to logon using their old password. When they next connect by VPN they will have to provide their new password. As soon as their machine tries to access network resources, it passes the old password information and causes the user's account to lock out very quickly (assuming you have account lockout enabled).

On the 3.6.3 client, you would go into Options -> Windows Logon Properties and select Enable Start Before Logon. You would also want to select Disconnect VPN Connection While Logging Off. I believe this requires a system restart so that it hooks into the security dialog (msgina?).

If you need to go update your remote clients and you use SMS 2003, you may also want to upgrade your VPN clients at the same time to the 4.x VPN Client. Microsoft's notes say that the 4.x client will accurately report the IP address assigned by your VPN concentrator, as opposed to the IP address the notebook has on the user
RE: [ActiveDir] VPN users and their AD passwords
Russ - With the newer versions of the Cisco VPN client you can configure the client to allow logon to the network via VPN before you logon to the notebook. When you first start up the system and hit Ctrl-Alt-Del to get the regular logon box, a Cisco VPN connection dialog comes up instead. You use this dialog to connect by VPN first so that you are actually authenticating your account with a domain controller, then you get a logon box again for logging on to the machine. This keeps the cached account information and the domain account information in synch. If users change their password while connected by VPN, the cached credentials on the notebook are not updated. If they restart the notebook, they have to logon using their old password. When they next connect by VPN they will have to provide their new password. As soon as their machine tries to access network resources, it passes the old password information and causes the user's account to lockout very quickly (assuming you have account lockout enabled). On the 3.6.3 client, you would go into Options -> Windows Logon Properties and select Enable Start Before Logon. You would also want to select Disconnect VPN Connection While Logging Off. I believe this requires a system restart so that it hooks into the security dialog (msgina?). If you need to go update your remote clients and you use SMS 2003, you may also want to upgrade your VPN clients at the same time to the 4.x VPN Client. Microsoft's notes say that the 4.x client will accurately report the IP address assigned by your VPN concentrator, as opposed to the IP address the notebook has on the user's personal network, so that the SMS 2003 Client boundary calculations will work properly. We also have a ton of users with non-expiring passwords because they needed remote access in the past. One of my tasks this week is to get them to change their passwords, then we will set them to start expiring. 
We still need to figure out how to take care of remote users who only connect by dial-up direct to our company (no broadband available).

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation Information Services
310 604-2061
310 604-2022 fax
www.belkin.com

-----Original Message-----
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 18, 2004 12:19 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] VPN users and their AD passwords

How do your VPN only users who never attach their laptop to your network change their AD passwords when they expire? We're having an issue where we have to make all our VPN users "Password never expires" because they cannot change their password when it does expire, because they're only coming in via a Cisco VPN client.

Thanks
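Russ's original question and Jeff's last paragraph come down to the same administrative problem: accounts flagged "Password never expires" as a workaround for VPN-only users, which then have to be found and put back on an expiry schedule. The following is an added example, not from the thread, that audits a VPN access group for that flag and reports how many days remain on every other member's password, so users can be told to change it while connected via Start Before Logon instead of after a lockout. It assumes the ActiveDirectory PowerShell module and a group named VPN-Users, which is a placeholder.

```powershell
# Added example, not from the thread. Audits a VPN access group for accounts
# flagged "Password never expires" and lists how many days remain on the rest.
# Assumes the ActiveDirectory module (RSAT) and a group named 'VPN-Users'
# (placeholder; substitute the group that grants VPN access in your domain).
Import-Module ActiveDirectory

$GroupName = 'VPN-Users'   # placeholder group name
$WarnDays  = 14            # warn this many days before expiry

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute that already
# honours fine-grained password policies, so read it rather than recomputing
# from PasswordLastSet + maxPwdAge.
$expiryAttr = 'msDS-UserPasswordExpiryTimeComputed'

$users = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordNeverExpires, PasswordLastSet,
                           LockedOut, $expiryAttr

$report = foreach ($u in $users) {
    if ($u.PasswordNeverExpires) {
        # The workaround Russ describes: flag these for follow-up.
        [pscustomobject]@{
            User      = $u.SamAccountName
            Status    = 'NeverExpires'
            DaysLeft  = $null
            LastSet   = $u.PasswordLastSet
            LockedOut = $u.LockedOut
        }
        continue
    }
    # The attribute is a Windows FILETIME; convert it to a local DateTime.
    $expires  = [DateTime]::FromFileTime([Int64]$u.$expiryAttr)
    $daysLeft = [Math]::Floor(($expires - (Get-Date)).TotalDays)
    $status   = if ($daysLeft -lt 0) { 'Expired' }
                elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
                else { 'OK' }
    [pscustomobject]@{
        User      = $u.SamAccountName
        Status    = $status
        DaysLeft  = $daysLeft
        LastSet   = $u.PasswordLastSet
        LockedOut = $u.LockedOut
    }
}

# Accounts needing action sort first; the LockedOut column surfaces the
# stale-cached-credential lockouts Jeff describes.
$report | Sort-Object Status, DaysLeft | Format-Table -AutoSize

# Once a user has changed their password (Jeff's plan), put them back on the
# expiry schedule:  Set-ADUser -Identity <sam> -PasswordNeverExpires $false
```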
