RE: [ActiveDir] RestrictAnonymous Settings
Here's the SARC description of Gaobot, at least what's pertinent to locked out accounts: Probes administrative shares using the following username and password combinations, as well as usernames found by using the NetUserEnum() API. Seems okay at first glance because it sounds like it uses a known uid/pwd combination, which it does... however, the NetUserEnum call against a DC will return all user objects (behavior we were seeing by the virus). RestrictAnonymous=1 is supposed to stop the use of those calls... which it appears to. This is great for anything that attempts to use that call. This article on SecurityFocus talks at some length about it: http://www.securityfocus.com/infocus/1352. This Monday ought to be fun. Can't wait to see what broke... :-/ _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Sunday, November 02, 2003 12:37 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] RestrictAnonymous Settings I haven't seen anything that locked out normal user accounts, I have seen MUMU which locked out local admin ID's. I would expect this new one you describe is probably doing the same as well. Our solution was to start smacking people using local admin ID's because they weren't supposed to be anyway, they were all supposed to use domain accounts and the only ID's that would be local ids and admin on the machines holding the IDs are the domain admins which is my group and only affects three people instead of thousands. Note that disabling the anonymous enumeration on domain controllers can have some interesting effects that you should watch for. For instance if you want to populate an ACL or group on a machine and you aren't logged into the machine with a domain ID it won't be able to directly enumerate users and groups for the domain and you can either be presented with an authentication box to authenticate as a domain user or it may just fail outright. 
joe _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh Sent: Sunday, November 02, 2003 12:21 PM To: [EMAIL PROTECTED] This has been a long week. We finally made the RestrictAnonymous=1 setting this weekend to combat what looked like "Gaobot" infections locking out thousands of accounts. Gave the PDCe a good run for the money with all the lock/unlock activity going on. The odd thing is, shortly after we put the settings in place and bounced all the domain controllers, it still happened. The bottom line being, a two fold situation. One, an infection of sdbot, causing lockouts... the other we discovered on a sniff of one of the DCs showing ridiculously high # of packets originating from one machine. Finally in the clear for now... Problem is, any script written to enumerate objects w/ a normal or logged-on user account and attempt a dictionary list of passwords is going to cause this same problem. Any of you guys have lockout policies in place... and if so... what steps have you taken to mitigate these lockout storms? Thanks! Marcus
RE: [ActiveDir] RestrictAnonymous Settings
I thought this went away with SP5... they changed something in their call... ? _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent Sent: Sunday, November 02, 2003 12:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] RestrictAnonymous Settings Keep in mind that with the RestrictAnonymous value set, SMS will not be able to detect the OS of discovered computers. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh Sent: Sunday, November 02, 2003 12:21 PM To: [EMAIL PROTECTED] Subject:[ActiveDir] RestrictAnonymous Settings This has been a long week. We finally made the RestrictAnonymous=1 setting this weekend to combat what looked like "Gaobot" infections locking out thousands of accounts. Gave the PDCe a good run for the money with all the lock/unlock activity going on. The odd thing is, shortly after we put the settings in place and bounced all the domain controllers, it still happened. The bottom line being, a two fold situation. One, an infection of sdbot, causing lockouts... the other we discovered on a sniff of one of the DCs showing ridiculously high # of packets originating from one machine. Finally in the clear for now... Problem is, any script written to enumerate objects w/ a normal or logged-on user account and attempt a dictionary list of passwords is going to cause this same problem. Any of you guys have lockout policies in place... and if so... what steps have you taken to mitigate these lockout storms? Thanks! Marcus
[ActiveDir] RestrictAnonymous Settings
This has been a long week. We finally made the RestrictAnonymous=1 setting this weekend to combat what looked like "Gaobot" infections locking out thousands of accounts. Gave the PDCe a good run for the money with all the lock/unlock activity going on. The odd thing is, shortly after we put the settings in place and bounced all the domain controllers, it still happened. The bottom line being, a two fold situation. One, an infection of sdbot, causing lockouts... the other we discovered on a sniff of one of the DCs showing ridiculously high # of packets originating from one machine. Finally in the clear for now... Problem is, any script written to enumerate objects w/ a normal or logged-on user account and attempt a dictionary list of passwords is going to cause this same problem. Any of you guys have lockout policies in place... and if so... what steps have you taken to mitigate these lockout storms? Thanks! Marcus
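Two things the thread above keeps coming back to are "which machine is generating the lockouts" (Marcus found his by sniffing a DC) and "is RestrictAnonymous actually set on every DC". The PowerShell below is an added example, not code from the thread or from any of the posters. It assumes DCs running a Windows version that logs security event 4740 (Vista/2008 or later; the 2003-era DCs in the thread logged event 644 instead), the RSAT ActiveDirectory module, WinRM to the DCs, and an arbitrary two-hour lookback window.

```powershell
# Added example (not from the thread): triage a lockout storm from the PDC
# emulator's Security log, then confirm the anonymous-enumeration hardening
# on every DC. Assumptions: event 4740 is available (Vista/2008+ DCs), the
# ActiveDirectory module is installed, and $LookbackHours is arbitrary.
param([int]$LookbackHours = 2)
Import-Module ActiveDirectory

# Lockouts are always replicated to the PDC emulator, so one query there
# covers the whole domain.
$pdc = (Get-ADDomain).PDCEmulator

# 4740 = "A user account was locked out".
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = $d['TargetUserName']
        # In 4740 the TargetDomainName field carries the "Caller Computer
        # Name": the machine whose bad passwords tripped the lockout.
        Caller  = $d['TargetDomainName']
    }
}

# A worm or a runaway dictionary script shows up as one caller locking many
# distinct accounts; one user with a stale saved password shows up as one
# caller and one account.
"Callers ranked by number of distinct accounts they locked:"
$lockouts | Group-Object Caller |
    Select-Object Name, Count,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique).Count } } |
    Sort-Object Accounts -Descending | Format-Table -AutoSize

# RestrictAnonymous=1 stops the null-session SAM enumeration that
# NetUserEnum() relies on. On Server 2003 and later RestrictAnonymousSAM
# ("Do not allow anonymous enumeration of SAM accounts") and
# EveryoneIncludesAnonymous are the companion values; check all three on
# every DC rather than trusting that the GPO landed.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"Anonymous-enumeration settings per DC:"
Get-ADDomainController -Filter * | ForEach-Object {
    Invoke-Command -ComputerName $_.HostName -ScriptBlock {
        $p = Get-ItemProperty -Path $using:lsa
        [pscustomobject]@{
            DC                        = $env:COMPUTERNAME
            RestrictAnonymous         = $p.RestrictAnonymous
            RestrictAnonymousSAM      = $p.RestrictAnonymousSAM
            EveryoneIncludesAnonymous = $p.EveryoneIncludesAnonymous
        }
    }
} | Format-Table -AutoSize
```

The caller name in 4740 is whatever the offending machine presented in its logon request, so treat it as a lead to confirm on the network, not as proof. Note also that RestrictAnonymous only closes the anonymous (null-session) path; as Marcus says, a script or worm that already holds one valid domain account can still enumerate users and dictionary-attack them, and the only mitigations there are the lockout policy itself, finding the source quickly, and keeping the worm off the network.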
RE: [ActiveDir][OT] OUs by server function?
LOL! I like your loose terminology of “cable dude”. Are you sure you didn’t tap into your neighbor’s cable with a string job like that??? :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Saturday, November 01, 2003 6:30 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir][OT] OUs by server function? I found that having compromising photos of other MVP's helps out but mostly for renewal. For initial entry, a large one time payment in small bills is the generally accepted method of getting in. Never would have made it except I was able to mortgage my house at the time. So what if I am stuck with the 3/4 of a million dollars in payments for the next 69 years for a 1 bedroom 400 sq ft efficiency with an outhouse with an actual door!?! To back up what Rick said, I really tried not to be one. They wouldn't leave me alone. I was sitting in the newsgroups scaring people away with excessive noise concerning Code Red and Nimda and WHY in the world was everything on by default and what was anyone thinking if thinking could indeed be admitted to being done at all. It went like this... joe: Blah blah blah BLAAHH BLAHHH Code Red Blah blah BLAH Microsoft Blah blah blah Blech Blah. MS: Hey you want to be an MVP? joe: Blah blah blah bla Do I have to stop complaining about things that need to be fixed? MS: Nope, not at all... joe: Cool, sure... Blah blah blah blah Microsoft Blah blah blah Code Red Arg! :op I see I am a bit behind in the list right now (200 or so messages). Sorry about that. Exchange 2K tried to kill me in a wholly new way recently and I finally have the knife coming out of my back. Also I had a slight problem with my cable modem connectivity. It seems a large truck came down my street and tore the cable off of the eave of my house because the truck was obviously taller than the cable was strung (not even going to talk about how I told the cable dude it was too low when he was running the line in the first place). 
I've got wireless in the house but it doesn't reach to the pole unfortunately... The cable company had an issue coming out with me not being home because they thought that possibly the issue could be in my house and couldn't seem to grasp the idea that the cable being pulled a couple hundred feet down the road probably had something to do with the poor signal to noise ratio I was currently enjoying. So I will slowly catch up over the next couple of days if anyone was waiting for anything out of me. Again, I apologize for the delay. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Saturday, November 01, 2003 4:37 PM To: [EMAIL PROTECTED] It also helps to NOT TRY. Becoming an MVP is a recognition for what you would do anyway. If you try, then you're not going to make it. However, be smart, helpful, diligent, persistent and add value to the community - recognition will come. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT) Sent: Friday, October 31, 2003 1:20 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OUs by server function? You must pass the feats of strength! Toddler -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2003 12:27 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OUs by server function? What does one have to do to become an MVP? Does it involve parting bodies of water or turning them into wine? :-) Michael Parent MCSE MCT Analyst I - Web Services ITOS - Systems Enablement Maritime Life Assurance Company (902) 453-7300 x3456 Rich Milburn <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 10/31/2003 12:16 PM Please respond to ActiveDir To: [EMAIL PROTECTED] cc: Subject: RE: [ActiveDir] OUs by server function? You're right, I was referring to WMI filtering. 
Thanks for the welcome, I've never seen so many MVPs in one place!! :) I looked on winnetmag.com and didn't find it, I'll have a look for the hardcopy I read it in at home... Rich From: Tony Murray [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2003 9:01 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OUs by server function? Rich Welcome to the list! If you have a link to the article, please post it. I'm sure others would be interested. Scope filtering using security groups is not new to 2003. You might be thinking of WMI filtering, which is new with XP/2003. The problem with scope filtering is (as you rightly point out) the reporting si
RE: [ActiveDir] DNS Record Timestamp
Thanks for the feedback, Robbie. Not precisely certain about the situation. I'd have to do more investigation on it. Provided a sufficiently long period of time, it would probably be okay. I was looking to trim at a 30 day time frame. During some of the searches, I did note some active machines that hadn't reset their machine account passwords recently. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen Sent: Wednesday, October 29, 2003 11:16 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] DNS Record Timestamp There are a couple of ways you can get it. If you are a command line hacker, you could use this: dnscmd . /enumrecords rallencorp.com foobar /detail | findstr dwTimeStamp If you are looking to do it via VBScript or Perl, then you'll want to look at the MicrosoftDNS_ResourceRecord WMI class. It has a Timestamp property: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dns/microsoftdns_resourcerecord.asp BTW, in what situation does password change date not work if you use a sufficiently long expiration period? Robbie Allen http://www.rallenhome.com/ > -----Original Message- > From: Marcus Oh [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, October 29, 2003 8:54 PM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] DNS Record Timestamp > > Curious if anyone knows if the DNS record timestamp can be exposed by > script? I'm working on a script to delete old machine accounts. Problem > is, machine account age is not always accurate based on the last password > change date. I'd like to do a query against DNS and examine the record > timestamp as a secondary checkpoint prior to deleting the machine account. > > Any ideas? 
:-) List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] DNS Record Timestamp
Curious if anyone knows if the DNS record timestamp can be exposed by script? I'm working on a script to delete old machine accounts. Problem is, machine account age is not always accurate based on the last password change date. I'd like to do a query against DNS and examine the record timestamp as a secondary checkpoint prior to deleting the machine account. Any ideas? :-)
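The two-signal check Marcus describes (machine account password age, with the DNS record timestamp as a secondary checkpoint), written out as an added PowerShell example; this is not code from the thread or from Robbie's book. It uses the RSAT ActiveDirectory and DnsServer modules: Get-DnsServerResourceRecord exposes the same Timestamp that dnscmd /detail (dwTimeStamp) and the MicrosoftDNS_ResourceRecord WMI class show. The DNS server name dc1, the zone corp.example and the 30-day threshold are placeholders, not values from the messages.

```powershell
# Added example (not from the thread): flag a computer account as stale only
# when BOTH its password age and its DNS A-record timestamp say so, then
# disable (not delete) the flagged accounts. Assumptions: RSAT ActiveDirectory
# and DnsServer modules; "dc1", "corp.example" and 30 days are placeholders.
param(
    [string]$DnsServer = 'dc1',
    [string]$Zone      = 'corp.example',
    [int]$StaleDays    = 30
)
Import-Module ActiveDirectory
Import-Module DnsServer

$cutoff = (Get-Date).AddDays(-$StaleDays)

# DNS A-record timestamps keyed by lower-cased host name. Static records and
# records in zones with ageing disabled have no Timestamp; they carry no
# liveness signal and are skipped.
$dnsStamp = @{}
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    Where-Object { $_.Timestamp } |
    ForEach-Object { $dnsStamp[$_.HostName.ToLower()] = $_.Timestamp }

$report = Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties PasswordLastSet, LastLogonDate |
    ForEach-Object {
        $name  = $_.Name.ToLower()
        $pwd   = $_.PasswordLastSet
        $stamp = $dnsStamp[$name]
        # Signal 1: password not rotated since the cutoff (null = never).
        $pwdStale = (-not $pwd) -or ($pwd -lt $cutoff)
        # Signal 2: no dynamic A record, or one not refreshed since the cutoff.
        $dnsStale = (-not $stamp) -or ($stamp -lt $cutoff)
        [pscustomobject]@{
            Name              = $_.Name
            DistinguishedName = $_.DistinguishedName
            PasswordLastSet   = $pwd
            LastLogonDate     = $_.LastLogonDate
            DnsTimestamp      = $stamp
            Stale             = $pwdStale -and $dnsStale
            # A machine whose password is old but whose DNS record is fresh is
            # exactly the case Marcus saw: alive, but not rotating its password.
            PasswordOnly      = $pwdStale -and -not $dnsStale
        }
    }

"Stale on both signals:"
$report | Where-Object Stale | Sort-Object PasswordLastSet |
    Format-Table Name, PasswordLastSet, LastLogonDate, DnsTimestamp -AutoSize

"Old password but recently refreshed DNS record (do NOT remove):"
$report | Where-Object PasswordOnly |
    Format-Table Name, PasswordLastSet, DnsTimestamp -AutoSize

# Disable first; a disabled account can be re-enabled when a laptop that was
# simply off the network for a month comes back. Drop -WhatIf once reviewed.
$report | Where-Object Stale | ForEach-Object {
    Disable-ADAccount -Identity $_.DistinguishedName -WhatIf
}
```

Two caveats on the DNS side: the timestamp only moves when the client re-registers after the zone's no-refresh interval has elapsed, so the threshold must be longer than no-refresh plus refresh (with the 7-day defaults a 30-day threshold is fine, a 10-day one would flag live machines); and machines that register through DHCP rather than themselves get their timestamp from the DHCP server's updates, so check which one owns the record before trusting it.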
RE: [ActiveDir] GPOs and additional sites
Gil, does this also apply if the binaries are stored in an alternate location such as Dfs? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, October 29, 2003 1:16 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] GPOs and additional sites Oliver, The GPO processing on the client side includes a short test to determine the available bandwidth to the authenticating DC. If the bandwidth is below a certain threshold, the costlier bits of GPO processing such as application deployment will not be applied. See http://support.microsoft.com/default.aspx?scid=kb;EN-US%3B227260 And http://support.microsoft.com/default.aspx?scid=kb;EN-US;227369 -gil Gil Kirkpatrick CTO, NetPro Author of "Active Directory Programming" Find AD problems you don't even know you have! Register today for NetPro's FREE DirectoryAnalyzer Rapid Deployment Program! www.netpro.com/welcome/rapid/index.cfm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall Sent: Wednesday, October 29, 2003 5:59 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] GPOs and additional sites Whilst tinkering (read breaking) AD now that we have multiple sites setup in it, I was wondering this; We have a GPO that installs SP4 by way of an msi file. Now that the scottish office has been brought into the fold, and the DNS is working so that all machines can resolve all other names on the network, is it likely that when/if they reboot the SP4 install will be sent via the not-so-quick 256kbps line to scotland ? On that note, if a user with a roaming profile from the southern office goes to log on to scotlands workstations (happens often) will his machine attempt to download the profile from the servers in the southern office thereby flooding the line with stuff ? 
Eeek Olly
RE: [ActiveDir] Cached Credentials
Hey Al, Can you elaborate on what you mean with the “possibly an ip address if you have to authenticate the computer account (depends on your settings)” remark? I’m curious if this is a function natively of Windows, or if you’re referring to some type of authentication method like ACS or 802.1x stuff? Thanks! -m -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, October 29, 2003 5:11 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Cached Credentials Ah. Then like I said about network resources: assuming the DC is unavailable to more than just your workstation, network resources that rely on AD authentication would be unavailable, you wouldn't get GPO's and login scripts, and possibly an ip address if you have to authenticate the computer account (depends on your settings). Other things, such as RIS images etc would also not be published to you. If you did get an address, you wouldn't be able to update your DNS entry if set up for secure DDNS. I doubt that's a complete list, but it's what comes to mind. Al From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 29, 2003 4:24 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Cached Credentials Yes it is.. "Anything domain related won't happen" I am looking for more information about those "domain related" stuff. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, October 29, 2003 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Cached Credentials Anything domain related won't happen with cached credentials. By definition, you only need to use cached credentials when you are not able to contact a domain controller. If you can't contact a domain controller, you won't be able to authenticate to other machines because most likely they won't be able to either. Is that too simplified? 
:) Al From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 29, 2003 2:20 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Cached Credentials Hi there, I am trying to explain to a client the difference on the network between using Cached Credentials and Domain Credentials . I know a few things about group policy updates, such as password expiration notice, when using Cached Credentials. What else, other than Group policy updates, won't happen when using Cached Credentials? I couldn't find a good explanation or any technical documentation on this. Can anyone give me a good technical explanation? Thanks, Santhosh
RE: [ActiveDir] OT: NetIQ or MOM
Done the same, going through a MOM deployment now... I agree wholeheartedly on most points made. AppManager is BY FAR easier to navigate and use. I do find that MOM delivers better bang for the buck in terms of latent knowledge in product rule sets. Setting up AppManager to pick up all those events, counters, etc... would take quite a long time. Make sure you look at the support model as well, since NetIQ generally uses a year-long contract, use as many calls as you want... and MOM is PSS calls based. Reporting in both products sucks and neither is built for long-term reporting. As someone alluded to earlier, reporting for AppManager (long-term) was an afterthought. They created another product which the same agent can communicate with to store the same data point in two different locations... the idea being to groom your AppManager database often to keep the console functional. MOM uses DTS package jobs that run on schedule to copy the data to another SQL server. You have to keep in mind the rules-based to script-based agent as well. AppManager agents are primarily script-based - which means they have to run at set intervals to look for certain events. MOM agents are primarily rules-based which means they deliver the information when the event occurs. They both do a little of the other, too. At any rate, a hybrid product would be great... one that is as easy to use as AppManager (drag and drop scripts on a machine) and one that comes with as much "knowledge" as MOM. Hopefully MOM2004 delivers on that... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett Sent: Thursday, October 09, 2003 4:55 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] OT: NetIQ or MOM Chris, I've deployed both of these products in reasonably large environments. 
- Both NetIQ and MOM require a fair bit of setup to get the right level of monitoring going - Both require constant attention to be effective monitoring / reporting platforms (they are not set-and-forget products) - NetIQ's monitoring is more flexible and customisable IMHO. - Both products are very expensive, with costs for base level OS agents, plus additional costs for layered applications (like Exchange / SQL) - NetIQ is a very mature product, MOM is essentially v1.0 (take that any way you want) - the current version of MOM is basically an OEM version of NetIQ - NetIQ's cross platform support is MILES / LEAGUES / KM (depending on your unit of measurement) ahead of MOM, and will be for some time. There is a bunch of other things, it has been talked about on the list previously (fairly recently actually). For my money, NetIQ is currently the better product, but we all know what happens once MS put their muscle behind a particular product sector. That being said, NetIQ will probably be left standing, as they have a great range of products and people, not just in the overlap with MOM. Glenn On Fri, 2003-10-10 at 00:13, Chris Flesher wrote: > We're looking at NetIQ for monitoring our Windows/SQL stuff, as well > as what it can do on Unix (Solaris, AIX). However, with Microsoft > going head on into monitoring, should I be worried about the effect > this will have on NetIQ in the short/long term? Which is a better > product right now? Which has better cross-platform support? > > We are a dominantly Windows in this department, with Unix in there as > well. > > Thank you for any info you may have. 
> > Chris Flesher > The University of Chicago > NSIT/DCS > 1-773-834-8477 >
RE: [ActiveDir] DNS Scavenging and DHCP Lease Expiration Times
03 12:32 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] DNS Scavenging and DHCP Lease > Expiration Times > > None that occur to me off the top of my head. > > Rick Kingslan MCSE, MCSA, MCT > Microsoft MVP - Active Directory > Associate Expert > Expert Zone - www.microsoft.com/windowsxp/expertzone > > > > _ > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of Marcus Oh > Sent: Friday, August 29, 2003 4:56 PM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] DNS Scavenging and DHCP Lease > Expiration Times > > Hey folks, > > Our DNS scavenging cycle is 7 days. Our DHCP leases expire > every 3 days. Are there any notable drawbacks or problems in > changing the DNS scavenging time period to match the DHCP > lease expiration time period? > > Thanks! > > Marcus
RE: [ActiveDir] Anti-Virus Software and AD
Any particular reason, Joe? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Tuesday, September 02, 2003 7:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Anti-Virus Software and AD Good info Todd. Actually I avoid AV on DC's but then we don't do file and print from them. If we did it would be a different story. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT) Sent: Tuesday, September 02, 2003 2:47 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Anti-Virus Software and AD A few months back I started a thread about installing AV software on Domain Controllers. There were a lot of good comments generated as part of the discussion with the recommendation to avoid software that triggered FRS replication, and recommendations to also exclude certain file types. Another trend that was reported was that some people were getting recommendations from Microsoft that they don't run AV software on DC's because their Firewalls and such protect them. Recently I have discovered two new KB's that seem to offer some definitive recommendations from Microsoft. Virus Scanning Recommendations on a Windows 2000 Domain Controller http://support.microsoft.com/default.aspx?scid=kb;en-us;822158 Antivirus, Backup, and Disk Optimization Programs That Are Compatible with the File Replication Service http://support.microsoft.com/default.aspx?scid=kb;EN-US;815263 Below is a summary of the MS recommendations Programs That Do Not Trigger FRS Replication The following programs do not modify files in a way that triggers FRS replication. Antivirus eTrust Antivirus build 96 or later with the "NTFS incremental scan" feature disabled McAfee/NAI NetShield 4.50 with the NetShield Hotfix Rollup Norton AntiVirus 7.6 or later File and System State Backup Legato Octopus/Replistor 5.2.1 Disk Optimization None currently reported Toddler
RE: [ActiveDir] DNS Scavenging and DHCP Lease Expiration Times
We generally have two DHCP servers per site. The 3 day lease was instituted 2 or 3 years ago... maybe longer... when we had a very limited amount of IP addresses that could be assigned - basically ran out of them too often and had to clear out leases. We have more than enough now though. That's something to consider... raising DHCP lease times instead of lowering DNS scavenging times. Thanks Joe... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Sunday, August 31, 2003 9:31 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Scavenging and DHCP Lease Expiration Times None to me either. However that DHCP lease time seems short. How many DHCP servers do you have per site? With that lease time you should probably have a couple or a guarantee to be able to not have an outage of the server greater than 3 days or more preferably (to me) more than 1.5 days - lease half-life. About the only time I would recommend to anyone to go below 7-14 days on lease times is if they are trying to switch values for some of the networking components through DHCP. What is the idea behind the 3 day lease time? joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Saturday, August 30, 2003 12:32 PM To: [EMAIL PROTECTED] Subject:RE: [ActiveDir] DNS Scavenging and DHCP Lease Expiration Times None that occur to me off the top of my head. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh Sent: Friday, August 29, 2003 4:56 PM To: [EMAIL PROTECTED] Subject:[ActiveDir] DNS Scavenging and DHCP Lease Expiration Times Hey folks, Our DNS scavenging cycle is 7 days. Our DHCP leases expire every 3 days. Are there any notable drawbacks or problems in changing the DNS scavenging time period to match the DHCP lease expiration time period? Thanks! Marcus
RE: [ActiveDir] DNS Scavenging and DHCP Lease Expiration Times
Thanks for the assistance Rick! :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Saturday, August 30, 2003 12:32 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS Scavenging and DHCP Lease Expiration Times None that occur to me off the top of my head. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh Sent: Friday, August 29, 2003 4:56 PM To: [EMAIL PROTECTED] Subject:[ActiveDir] DNS Scavenging and DHCP Lease Expiration Times Hey folks, Our DNS scavenging cycle is 7 days. Our DHCP leases expire every 3 days. Are there any notable drawbacks or problems in changing the DNS scavenging time period to match the DHCP lease expiration time period? Thanks! Marcus
[ActiveDir] DNS Scavenging and DHCP Lease Expiration Times
Hey folks, Our DNS scavenging cycle is 7 days. Our DHCP leases expire every 3 days. Are there any notable drawbacks or problems in changing the DNS scavenging time period to match the DHCP lease expiration time period? Thanks! Marcus
RE: [ActiveDir] Installation Priviledges only on a DC
The only hole is that it still affords them rights to make screw ups to the actual .dit file... -m -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Moran Sent: Friday, July 18, 2003 3:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Installation Priviledges only on a DC A quick down and dirty way to solve it would be to create an admin account for each person like ADMIN_username, then put them in a group, put the group in domain admins, and then place an explicit deny all at the root of the domain for the new group and let it trickle down through inheritance. Watch who has rights to the group or you could wind up letting someone lock you out. This will give them local administrative rights to the dc's without letting them muck up AD. They still can do damage through RUN AS and some other exploits, but they would really have to go out of their way and if you mistrust them that much they should not touch a dc at all. Let me know if that works -John --- "Bond, Simon" <[EMAIL PROTECTED]> wrote: > Basically my boss wants to give the server team the ability > to install > updates and patches, etc on domain controllers but not give > them domain > admins permissions. Is this possible? My gut feeling is no. > -----Original Message- > From: Marcus Oh [mailto:[EMAIL PROTECTED] > Sent: 18 July 2003 02:38 > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Installation Priviledges only on a > DC > > > Eh? You want to allow someone else to "change" AD in some > way? BAD! BAD! > :-) What's the proposition??? > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Bond, Simon > Sent: Thursday, July 17, 2003 10:15 AM > To: '[EMAIL PROTECTED]' > Subject: [ActiveDir] Installation Priviledges only on a DC > > Is there a way to create a user who can log onto a DC and > install software > on it but not be a domain admin? 
To me logically you would > have to be since > a piece of software you might be installing may need to > alter AD in some > way. However, this is what I have been asked to do so I was > hoping someone > may be able to tell me one way or another. > > Cheers > > Simon > > > This e-mail and all attachments are confidential and may be > privileged. If > you have received this e-mail in error, notify the sender > immediately. Do > not use, disseminate, store or copy it in any way. > Statements or opinions in > this e-mail or any attachment are those of the author and > are not > necessarily agreed or authorised by News International > (NI). NI Group may > monitor emails sent or received for operational or business > reasons as > permitted by law. NI Group accepts no liability for viruses > introduced by > this e-mail or attachments. You should employ virus > checking software. News > International Limited, 1 Virginia St, London E98 1XY, is > the holding company > for the News International group and is registered in > England No 81701
RE: [ActiveDir] Installation Priviledges only on a DC
Eh? You want to allow someone else to "change" AD in some way? BAD! BAD! :-) What's the proposition???

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bond, Simon
Sent: Thursday, July 17, 2003 10:15 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Installation Priviledges only on a DC

Is there a way to create a user who can log onto a DC and install software on it but not be a domain admin? To me logically you would have to be since a piece of software you might be installing may need to alter AD in some way. However, this is what I have been asked to do so I was hoping someone may be able to tell me one way or another.

Cheers

Simon
RE: [ActiveDir] Quest Software's ActiveRoles and ActivePolicy
They came in for a short presentation. The only thing I gleaned from it was that, unlike other software, it's AD integrated. Coming from the NetIQ DRA world, this sounded attractive. WAY TOO PRICEY though.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Duncan, Larry
Sent: Wednesday, July 16, 2003 1:53 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Quest Software's ActiveRoles and ActivePolicy

Can anyone here provide some insight into your experiences with Quest Software's ActiveRoles and ActivePolicy products? I've seen their demos at the MMS and I'm watching a webcast now. But, it's always been my experience that it's never as good as they make it sound. So, what's the real world feedback?
RE: [ActiveDir] Unlock and Password Reset Script
Raymond,

You should be able to write (pronounced: customize) this vbscript that I pulled from www.myitforum.com to fit your needs.

---
' Unlock an account through the WinNT ADSI provider (VBScript).
DomainName = "domain"
UserName = "machine"
' Bind to the user object; ",user" tells the provider which object class to expect.
Set UserObj = GetObject("WinNT://" & DomainName & "/" & UserName & ",user")
' IsAccountLocked is True (-1) while the account is locked out.
If UserObj.IsAccountLocked = -1 Then
    UserObj.IsAccountLocked = 0   ' clear the lockout flag
    UserObj.SetInfo               ' write the change back to the directory
End If
---

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Friday, June 13, 2003 6:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unlock and Password Reset Script

I recently wrote (pronounced: customized) a vb script that will reset passwords. I would also like it to unlock a user if the user acct is locked. Now I know you're thinking why… We have a number of people in our helpdesk queue that are not net support, but are IT Dept employees. Does anyone have a script or know of a way to unlock the users through VB? Joeware – Unlock works great, but it would be a two step process, decisions decisions.

Thanks,

Raymond McClinnis
Network Administrator
Provident Credit Union
RE: [ActiveDir] Active Directory Monitoring with MOM
We've just started down the MOM path. I agree with some of your statements regarding MOM's clunky interface and AppManager's more intuitive interface. There's a lot to be said about what NetIQ has done in terms of making script deployment relatively easy. That's about where it ends, however.

Speaking outside of functionality, in terms of a support organization, NetIQ consistently fails to make good grades. We have had outages of our monitoring product for 4-5 days at greatest length. With Microsoft, we at least know what we're in for in terms of support. There were times that we had 15-20 outstanding issues open with NetIQ… some going on for months!

We have some issues with some of the NetIQ reporting functionality (charting on the other hand is awesome). For example, it seems to be a very common occurrence that data points are simply missing. There doesn't seem to be any agent intelligence in knowing that it delivered the data to the database correctly, even though it stores its information in a local Access db. Also, in order to do any long term trending, you have to use the Analysis Center product – which keeps driving up the price of ownership. An excellent example is the System Uptime report. We could NEVER rely on that report being accurate enough to use for publishing.

As far as AD monitoring, we weren't very impressed w/ what it offered out of the box. Without buying yet another add-on (Active Directory Response Time), there didn't seem to be any end-to-end type of checks for user experience or synthetic transactions to verify replication.

Database grooming also has issues. There's a table called Aggregate data where data does NOT seem to go away (had to get them to write a sql script to handle this function). Since there's no standard DTS packages or anything like that to set up a reporting database, if you decide to keep any amount of data for a reasonable length of time, the console takes a cup of coffee until it opens up.

We've used NetIQ for 2-3 years. In the last 2-3 years, the product has not had many significant changes. We've gone through 2 full version number changes and it seems to be the same thing. I like AppManager for its vast functionality and ease of use… but am wholly displeased by their poor support, poor infrastructure, poor reporting… and did I mention poor support? :-)

-m

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Wednesday, June 11, 2003 7:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Active Directory Monitoring with MOM

Yep, we use MOM here for our AD infrastructure (2 Forests, 4 domains total). I've deployed both NetIQ and MOM. A repost of something similar asked on the exchange lists:

Essentially both products can perform the same levels of monitoring and reporting, however MOM requires a LOT more legwork to get the same result. The NetIQ interface as you said is more logical and easier to navigate, and it seems a lot more thought has been given to providing a clean interface for administrators. Setting up alerts etc for MOM for say a single server is MUCH more tedious than for NetIQ.

MOM's grouping of monitoring into a hierarchical structure based on attributes creates more confusion IMHO. We have required some scripting to create custom attributes on servers just to enable some groups to be created (by pulling back these custom attributes), not necessary on NetIQ as it allows arbitrary grouping of servers (MOM does allow this as well, but it's not as intuitive or efficient). With NetIQ a simple drag/drop of a task or monitoring job onto the device in question is much easier and allows more targeted monitoring to occur. Currently with MOM if I really want to perform specific monitoring of a server, I jump into perfmon and set up custom monitoring, rather than try and make MOM do it. Arbitrary grouping / monitoring of different core servers in a different way is where MOM really falls down IMHO.

With NetIQ, I can simply change the monitored jobs on each specific server, changing thresholds for each one, and even disabling some jobs if I feel like it. Attempting to do this with MOM is an exercise in frustration, since most settings are based on the monitoring groups which are attached to a group of servers based on a specific attribute (registry setting, name etc), not the server itself. For example, we have 6 exchange servers. If I want to monitor the gateway server differently, or set different thresholds (eg I'm not concerned if the outgoing SMTP queue length on the gateway gets above 50, but on a mailbox server I am), this is MUCH more difficult on MOM than it should be. Currently, I set the threshold lower for all exchange servers, and simply ignore the ones from the gateway where they are under *my* determined threshold. Not pretty, and makes it more difficult for me to set up paging / sms interfa
RE: [ActiveDir] Error message when attempting to modify the AD Schema
Are there by chance any other schema modifications occurring at the same time?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Saturday, June 07, 2003 12:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Error message when attempting to modify the AD Schema

Working in a test Windows 2000 Active Directory environment. In order to utilize a 3rd party application, I have to modify the Active Directory schema. Anyone have any idea what this error means?

"ldap_add: DSA is busy
ldap_add: additional info: 20AE: SvcErr: DSID-030A05EC, problem 5001 (BUSY), data 0"

The entire environment is only being used for this test, so there is no load on any of the systems, hence I can't see what is causing it to be busy. Unfortunately, I can't seem to find any documentation on the error.

Thanks!
RE: [ActiveDir] FW: Authentication Problems.
This is a pretty common scenario. We have it occur so often that we dump the security event logs from all DCs and run findstr against the output with the user's name (dumpel, psexec, findstr). You can also use the eventcomb utility from MS that's a part of the account lockout toolkit.

-m

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Saturday, June 07, 2003 11:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FW: Authentication Problems.

We had a user with this problem and he had a persistently mapped drive other than what was part of the logon script. For some reason the drive held onto his old credentials. We just disconnected and re-created the drive.

Raymond McClinnis
Network Administrator
Provident Credit Union

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rick reynolds
Sent: Friday, June 06, 2003 10:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] FW: Authentication Problems.

Does the old password work when it prompts? If so, then not all the DCs know the password has been changed.

- Original Message -
From: "Juan Ibarra" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 06, 2003 10:15 PM
Subject: RE: [ActiveDir] FW: Authentication Problems.

> Tried that many times and didn't work.
>
> Juan
>
> -Original Message-
> From: David Precht [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 06, 2003 9:40 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] FW: Authentication Problems.
>
> reboot, logoff/logon, tried that?
> --- Juan Ibarra <[EMAIL PROTECTED]> wrote:
> >
> > Hello to all,
> >
> > I am experiencing the following problem at a client.
> >
> > We forced all employees to change their password, by going to AD users and
> > computers and checking the box "user must change password at next logon"
> >
> > It appeared that everything worked fine until we started noticing that while
> > working at a computer and trying to access a share an error message popped
> > up: Your password is incorrect and it wouldn't take the new password.
> >
> > We forced a sync with all the DCs and still getting same errors.
> >
> > Please help.
> >
> > Juan
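As an added example (not code from this thread or the list), here is a small Python correlator in the spirit of the dumpel/findstr approach Marcus describes above: it walks dumped security-log lines from each DC, keeps only the events for the account being investigated, and tallies which workstation or client address the failed logons came from, plus when the lockout events fired. The sample lines are constructed, the tab-separated column layout is only loosely modelled on dumpel output, and the event IDs and string labels are Windows 2000/2003 ones assumed for the example; check them against your own dumps.

```python
import re
from collections import Counter

FAILURE_EVENTS = {"529", "675"}   # NTLM bad password / Kerberos pre-auth failure
LOCKOUT_EVENT = "644"             # user account locked out

# Account and originating machine live in the event's strings column; different
# events label them differently, hence the alternatives (assumed labels).
_USER_RE = re.compile(r"(?:User Name|Target Account Name):\s*(\S+)")
_ORIGIN_RE = re.compile(
    r"(?:Workstation Name|Client Address|Caller Machine Name):\s*(\S+)")

# Constructed sample dumps, one list of lines per DC, columns: date, time, type,
# category, event id, source, user, computer, strings. Not real log data.
SAMPLE_DUMPS = {
    "DC1": [
        "6/7/2003\t11:40:02\t16\t2\t529\tSecurity\tSYSTEM\tDC1\t"
        "User Name: jibarra Domain: CORP Workstation Name: WS0417",
        "6/7/2003\t11:40:05\t16\t2\t529\tSecurity\tSYSTEM\tDC1\t"
        "User Name: jibarra Domain: CORP Workstation Name: WS0417",
        "6/7/2003\t11:40:09\t16\t2\t529\tSecurity\tSYSTEM\tDC1\t"
        "User Name: bsmith Domain: CORP Workstation Name: WS0417",
        "6/7/2003\t11:41:30\t16\t2\t529\tSecurity\tSYSTEM\tDC1\t"
        "User Name: jibarra Domain: CORP Workstation Name: WS0099",
        "6/7/2003\t11:41:31\t8\t7\t644\tSecurity\tSYSTEM\tDC1\t"
        "Target Account Name: jibarra Caller Machine Name: WS0417",
    ],
    "DC2": [
        "6/7/2003\t11:40:03\t16\t2\t675\tSecurity\tSYSTEM\tDC2\t"
        "User Name: jibarra Client Address: 10.0.5.17",
        "dumpel header or blank line that must be skipped",
    ],
}

def parse_line(line):
    """Return (event_id, date, time, user, origin), or None for non-event lines."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 9:
        return None
    user = _USER_RE.search(fields[8])
    origin = _ORIGIN_RE.search(fields[8])
    return (fields[4], fields[0], fields[1],
            user.group(1).lower() if user else None,
            origin.group(1) if origin else "<unknown>")

def lockout_report(dumps, username):
    """Correlate every DC's dump for one account: where the failed logons came
    from, which DC saw them, and when the 644 lockout events fired."""
    username = username.lower()
    by_origin, by_dc, lockouts = Counter(), Counter(), []
    for dc, lines in dumps.items():
        for event_id, date, time_, user, origin in filter(None, map(parse_line, lines)):
            if user != username:
                continue            # the findstr-style filter on the account name
            if event_id in FAILURE_EVENTS:
                by_origin[origin] += 1
                by_dc[dc] += 1
            elif event_id == LOCKOUT_EVENT:
                lockouts.append((dc, date, time_))
    return {"failures_by_origin": by_origin, "failures_by_dc": by_dc, "lockouts": lockouts}
```

The origin with the highest failure count is the machine to go and look at; a failure that names no workstation at all is reported under "<unknown>" rather than dropped.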
RE: [ActiveDir] Adding new objects to AD
I thought that employeeid was a field that already existed in AD..?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pennell, Ronald B.
Sent: Tuesday, June 03, 2003 4:27 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Adding new objects to AD

Does anyone know how one would add additional fields to the Active Directory? I have a requirement to add the employee IDs to the AD. I could use another field that is not being used, but that wouldn't be professional.

Ron Pennell
[EMAIL PROTECTED]
RE: [ActiveDir] w2k / nt4 trust -possible fix
This is referring to restricting session keys to Kerberos only, correct?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, May 29, 2003 7:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] w2k / nt4 trust -possible fix

Good catch, Stephen.

-rtk

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wilkinson, Stephen (DrKW)
Sent: Thursday, May 29, 2003 11:28 AM
To: '[EMAIL PROTECTED]'

We have fixed this now. We had the policy "Require strong (Windows 2000 or later) session key" set to "enable", which results in the failure to establish a secure channel with NT4 DCs in the trusted\trusting domain. The MSDN explanation of the policy is below.

Require strong (Windows 2000 or later) session key
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Description
If this policy is enabled, all outgoing secure channel traffic will require a strong (Windows 2000 or later) encryption key. If this policy is disabled, the key strength is negotiated with the DC. This option should only be enabled if all of the DCs in all trusted domains support strong keys. By default, this value is disabled.

-Original Message-
From: Wilkinson, Stephen (DrKW) [mailto:[EMAIL PROTECTED]
Sent: 29 May 2003 14:37
To: '[EMAIL PROTECTED]'

Graham,

You will be pleased to know that we are currently experiencing exactly the same issues and are now stepping through resetting the policies we had applied on the AD DCs to the reverse and stepping through the w2k3 version of the doc you referenced (PSS 325874). There is a PSS article (295335) referencing this issue and it supposedly is caused by name resolution errors, although our name resolution, both DNS and WINS, seems ok.

Will keep you posted

Stephen Wilkinson
E-Mail: [EMAIL PROTECTED]

-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: 28 May 2003 18:40
To: [EMAIL PROTECTED]

Forgive me for a second post on the same topic, but I have just gone through a whole load of docs on issues of w2k / nt4 trusts and have referenced Q308195. It would seem that this documents a process that is the reverse of the process by which one would establish trust between two NT4 domains. Is this by design or do I read it wrong??? Why different, as surely for a downlevel trust the process should be the same?? i.e. on NT4 domains we would add the trusting domain on the trusted domain (permit it to trust the trusting domain) first and then add the trusted domain on the trusting domain.

GT