RE: [ActiveDir] Kerberos Question

2007-01-25 Thread Ryan A. Conrad
If you suspect it's the KerbTray tool, you may wish to use KList (part of the 
Reskit) to verify that both are showing the same output.

Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, January 25, 2007 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Question

The Time is the same on the PDC emulator as my PC - no event logs I could find 
- I guess it might be a problem with the tool - I don't have any firewalls 
between my PC and the DC. The loss of the ticket information is what raised the 
flag for me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, January 25, 2007 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos Question

It could also mean you have a problem with the tool, right?

Are you seeing some other symptoms that caused you to look at this tool?
Time? you can check that pretty easily by checking the time on your machine and 
comparing to a DC in your environment.

What do you see in your system event log?
On 1/25/07, Mike Hogenauer [EMAIL PROTECTED] wrote:

Just curious -

I have the resource kit tool Kerbtray running on my taskbar. When I double-click it, it lists my tickets, etc...

Twice during the day yesterday it turned red and said there were no tickets available. It's already done this once today -

When it was showing information it had a ticket renewal-until time of up to 8 days and a start and end time offset of 10 minutes.

Does this mean my ticket is getting renewed, or that I could have a time problem, a problem connecting to the PDC emulator, etc.?

Thanks in advance for any insight on this.

Mike



Re: [ActiveDir] AD - What to monitor?

2006-03-06 Thread Ryan A. Conrad
You may want to start by looking at some commercial products and see what functions they perform and what they monitor. NetPro's Change Auditor is great, and the MOM AD MP (entire Technical Guide is available) would be two nice starting points. If I remember correctly, NetPro also has an AD Health product.


If you don't want to pay, then you can start scripting based upon what you see common among all of the commercial products available.

Ryan
On 3/6/06, Adeel Ansari [EMAIL PROTECTED] wrote:
AD Gurus,

Can you guys expand on the topic of what should be monitored in AD? And why? I am talking in terms of security events only, to protect AD and also protect from attacks of any kind. Obviously, one would monitor failed logons, too many account creations, etc. What else should we monitor?

Regards,
Adeel

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] NTLM Authentication Security Principal

2006-03-03 Thread Ryan A. Conrad
In the NTDS performance object there are two counters: NTLM Authentications and Kerberos Authentications. They wouldn't be able to tell you who is authenticating using those methods, but they would be able to provide a better idea. Both counters are in number of requests per second.


Ryan
On 3/3/06, Rachui, Scott [EMAIL PROTECTED] wrote:
I have an interest in finding out how many of the users in our primary forest are authenticating via NTLM instead of Kerberos. I know that in Windows 2003 there is a new well-known security principal called NTLM Authentication which dynamically contains the list of people who authenticated via NTLM.

My question is, does anyone know how to query this security principal so I could get that list of people? Even if it's an ever-changing list, a snapshot at different times would be useful to see volumes. I was thinking of comparing that list to the This Organization security principal so I could tell what % of authentications were NTLM.

If there's another way to do this, I'm open to suggestions as well. Thanks in advance for any comments.

Scott


Re: [ActiveDir] Null values in adfind results

2006-02-17 Thread Ryan A. Conrad
adfind -default -f "(&(objectcategory=organizationalperson)(!(attributename=*)))" -csv should do the trick.

Ryan
On 2/17/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:



I'm looking for null values in several attributes of user objects but the result only returns the attributes where a value is present. I'd like to have the output in some kind of delimited text file so I can import it into a spreadsheet.


Can adfind do that? I couldn't find a switch to specify returning null values.

Al Maurer Service Manager, Naming and Authentication Services 
IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639
 http://activedirectory.it.agilent.com
 



[ActiveDir] W2K3 Std. vs. Ent. for DCs

2006-02-14 Thread Ryan A. Conrad
Dean posted this comment in a recent post:


I have no concerns using Standard edition for DCs, I don't see it too often since the majority of my customers are licensed up the wazoo and use whatever ISO they stumble across first :o)



As ironic as it is, we have recently been prodded by our internal server support group to provide sufficient documentation (beyond saying because we want it) as to why we need W2K3 Ent. instead of W2K3 Std. Thus far the only thing official I've been able to come up with is the fact that we have multiple DFS roots. They seem to think that the license costs for Ent. being 3x that of Std. doesn't justify implementation. 


Can anyone point me to some documentation or specific reasons to stick with Ent.? Ultimately this is what we want for AD, but somehow our desires are not good enough when it comes to $$$ savings.


Thanks!

Ryan


Re: [ActiveDir] W2K3 Std. vs. Ent. for DCs

2006-02-14 Thread Ryan A. Conrad
Thanks to all...

We've been aware of the ram justifications/limitations, but don't have a large enough DIT size (nor do we foresee one in the distant future) alone to justify the memory limitations.

If Susan's post is correct about just having the bits loaded properly and we establish a potential MIIS integration with a Ent. DC then I'll toss our ideas out the Window and succumb to the fact that we should save the co. $$$.


Ryan
On 2/14/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
yes you could have a mix of DCs where some are std. and some are ent. AD does not care about that. and if you really wanna go nuts you could even throw in datacenter edition! ;-)
don't forget what neil said: think about CURRENT and possible FUTURE requirements

jorge

From: [EMAIL PROTECTED] on behalf of Ryan A. Conrad
Sent: Tue 2006-02-14 17:15
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] W2K3 Std. vs. Ent. for DCs

Jorge,

Are you suggesting that some DCs can be Ent. Ed. and some Std.? I noticed in the matrix that MIIS integration/support was limited to Ent. Ed., as well as pieces of ADFS. We presently have an empty root (ignoring why we have it, as I don't want to spark any heated conversations), with several child domains that we are working on eliminating. Forest is at 2003 FFL.

Thanks again!

Ryan

On 2/14/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
If these are plain vanilla DCs, standard edition is OK. However it really depends on what additional features you want to use on your DCs. Compare the editions of W2K3 and see what you need for each DC.
http://www.microsoft.com/windowsserver2003/evaluation/features/comparefeatures.mspx

jorge



RE: [ActiveDir] OT: Web Servers

2005-11-04 Thread Ryan A. Conrad
Use host headers in IIS for WSUS as a DNS alias, then you can also advertise it on any port you wish.

Servername.domain.com:8159

Alias: wsus.domain.com

You should be able to put both in your GPO.

-Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, November 03, 2005 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Web Servers

I could install WSUS and elearning on the same box though and not have to worry about it? If I change the port for WSUS or SUS will that have a negative effect on my clients?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, November 03, 2005 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Web Servers

It's likely Sharepoint that's messing things up for you.

You can do a couple of things:

De-extend the default website in the sharepoint site settings

Exclude all of the WSUS and elearning paths from the managed paths setting in the WSS site (likely what's happening is WSS is trapping the requests).

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, November 03, 2005 8:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Web Servers

Has anyone been able to figure out how to install multiple products to a single web server? I have noticed that if I want to have MS SUS, SharePoint Services and Microsoft eLearning Library all on the same server, they all want to install to the Default Web Site and I can't get them to work. Besides buying a separate server for each program, how can I get them all on the same webserver?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]



RE: [ActiveDir] TS GPO and Citrix Settings

2005-10-10 Thread Ryan A. Conrad
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. Already have tried the deletion but you have to keep on doing it if you want to make changes to Citrix. I was hoping there was a Disable Secure RDP registry setting that wouldn't gray anything out (as in W2K).

-Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Monday, October 10, 2005 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TS GPO and Citrix Settings

If you just want to make a quick change, go into the registry and delete the policy subtrees (from HKCU or HKLM, or both). They'll come back on the next policy refresh, but it'll give you a few minutes. I can't remember off the top of my head where those settings are stored: [software\policies], [software\microsoft\windows\current version\policies]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan A. Conrad
Sent: Monday, October 10, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] TS GPO and Citrix Settings

We are experiencing what appears to be a strange problem (although it's probably expected for all I know) with Terminal Service settings on W2K3 boxes. A GPO at our application server container sets various settings (timeout values, encryption, etc) for all systems (regardless of Admin/Application mode). The behavior is when any TS setting is set by a GPO the setting is grayed out and even administrators cannot change the settings.

This itself would not be an issue, however, the default behavior of Citrix is to take the RDP settings and therefore we cannot change the ICA settings, which presents a problem. So aside from blocking policy inheritance on the OUs where there are terminal servers does anyone know of a way to un-gray the settings for W2K3? This was not an issue in W2K.

Hopefully I've explained well enough. Thanks in advance,

Ryan


RE: [ActiveDir] DC authentication

2005-08-31 Thread Ryan A. Conrad
echo %logonserver%

-Ryan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Wednesday, August 31, 2005 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC authentication

Sorry, I'm having a brain hiccup.  Does anyone know the command line utility
that tells you which dc authenticates you?

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02216

617-748-6034
617-293-4407
[EMAIL PROTECTED]



RE: [ActiveDir] All

2005-05-09 Thread Ryan A. Conrad
CV in the UK is like Resume in the US.

-Ryan
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 09, 2005 1:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] All

Accenture?  Compucom? CSC?

I don't think MS would rank that high in the consulting arena.  


What's a Cv?  Pardon my ignorance, but that has me puzzled.  I mean, before
Tony comes back online I'd like to know. :)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 09, 2005 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] All

Unless you got clearance from Tony to post this prepare to be thumped. 



As an aside, who are the largest 5 IT specific companies now?

IBM, HP, Dell??, MS, Lockheed, Unisys, ??



joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Simon Cooper
Sent: Monday, May 09, 2005 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] All
Importance: High

Dear All,

I am currently conducting a search for one of the top 5 largest IT companies
in the world. They are looking for a number of  Architects of varying levels
from Junior to Guru level. You will gain exposure to the worlds largest
programmes and Technical environments.

You should have excellent MS Environment experience, in particular Active
Directory. The client has numerous regional offices across the UK so
location not a problem. Salaries range from £40k to £105k base salary with
up to 40% bonuses.

Please email your Cv or contact me if of interest.

Simon Cooper
IT Connect UK Ltd
5 Hampton Hill Business Park,
High Street,
Hampton Hill,
Middlesex,
TW12  1NP
Tel Number +44 208 973 33 33
Fax Number +44 208 973 32 00
Mobile +44 7952 672 739
Email: [EMAIL PROTECTED]

http://www.itconnect.co.uk




RE: [ActiveDir] script to convert userID to first and lastname of users

2005-02-18 Thread Ryan A. Conrad
This should work:

strUserName = "*INSERT NAME HERE*"   ' sAMAccountName of the user to look up

' Bind to AD through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' ADO LDAP dialect: <base>;filter;attributes;scope
objCommand.CommandText = _
    "<LDAP://dc=bob,dc=foo,dc=com>;(&(objectCategory=User)" & _
    "(samAccountName=" & strUserName & "));displayName;subtree"

Set objRecordSet = objCommand.Execute

' Print the displayName of the first match, if there is one
If Not objRecordSet.EOF Then
    Wscript.Echo objRecordSet.Fields("displayName").Value
Else
    Wscript.Echo "No user found with samAccountName " & strUserName
End If

It's definitely not as clean as ADFind, but it works.

-Ryan
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marie-Therese Fahmy
Sent: Thursday, February 17, 2005 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] script to convert userID to first and lastname of users

I need a script to search for userID for users and give me their full name. 
We have Active Directory 2003.

Thanks,
Marie 

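The two LDAP filters that appear on this page, the ADO command text in Ryan's VBScript above and the adfind null-attribute query from the 2006-02-17 thread, rebuilt in Python as an added example that is not from the original posts. The VBScript concatenates strUserName straight into the filter; this version escapes the value per RFC 4515 so that a sAMAccountName containing `*`, `(` or `)` cannot change the shape of the query. The base DN and attribute names are the page's own placeholders, and no directory connection is made.

```python
"""Build the LDAP filters discussed on this page, with RFC 4515 escaping.

Added example, not code from the original posts. Runs fully offline.
"""

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def display_name_filter(sam_account_name: str) -> str:
    """Filter from the VBScript: the user object with this sAMAccountName."""
    return "(&(objectCategory=User)(sAMAccountName=%s))" % escape_filter_value(
        sam_account_name
    )


def ado_command_text(base_dn: str, sam_account_name: str) -> str:
    """ADO/ADsDSOObject command string: <LDAP://base>;filter;attributes;scope."""
    return "<LDAP://%s>;%s;displayName;subtree" % (
        base_dn,
        display_name_filter(sam_account_name),
    )


def missing_attribute_filter(attribute: str) -> str:
    """Filter from the adfind thread: organizationalPerson objects where
    `attribute` is not set, in the RFC 4515 form (!(attr=*)).

    An attribute name comes from the schema, not from a user, so it is
    validated rather than escaped (letters, digits and hyphens only)."""
    if not attribute.replace("-", "").isalnum():
        raise ValueError("invalid LDAP attribute name: %r" % attribute)
    return "(&(objectCategory=organizationalPerson)(!(%s=*)))" % attribute


def adfind_command(attribute: str) -> str:
    """The adfind invocation from the thread, with the filter quoted for cmd.exe."""
    return 'adfind -default -f "%s" -csv' % missing_attribute_filter(attribute)


if __name__ == "__main__":
    # Constructed sample inputs; "j*" shows a wildcard being neutralised.
    for name in ("jdoe", "j*", "a)(objectClass=*"):
        print(ado_command_text("dc=bob,dc=foo,dc=com", name))
    print(adfind_command("telephoneNumber"))
```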


RE: [ActiveDir] HELP!!! Undelete required

2005-02-17 Thread Ryan A. Conrad
I agree with Neil.  I've seen good results with ERDisk from Aelita, which is
now called Recovery Manager for AD from Quest.

-Ryan
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, February 17, 2005 10:17 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] HELP!!! Undelete required

Have you considered a 3rd party tool which offers object level restores? There is no rule that states that MS must provide all the functionality that we require, after all :)

Have you considered delayed replication sites, which only receive changes on an infrequent basis? DCs in these sites can then be used to auth restore the deleted object and thus re-animate it back into the environment, before they have received the deletion event.

Of course, your most proactive measure is to ensure that only a minimal number of admins have the ability to delete objects. The removal of a group or OU can be catastrophic and should be mitigated against proactively.

HTH,
neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aramide Adebanjo
Sent: 17 February 2005 08:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required


Hi guys,

I have resolved the issue. It could have been worse, however, but the group deleted was a distribution group. The painful fact was that it was one that had 700 member users and I did not know how I could repopulate that fast. However I had done a csvde export just the day before and I ran iquery to get all users with the required attribute. Simply put, I recreated the distribution group again. I just pasted all the members into a text file with all usernames separated by a semicolon and then pasted them all into the new group. The names were all resolved.

My fear is this; what if it was a user or a security group that was mistakenly deleted. Microsoft should have a solution that enables you to undelete... like a Ctrl-Z. Mistakes can be made by anyone... a mouse slip etc... no one is perfect.

Thx all...

A restore is one option I don't ever want to take in a production environment!!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required


Heh, I actually typoed that response. It should have been

 If you had K3 you would have at
 least 2 options, one painful, one really painful. Here you only have
 the really painful answer.

The really painful answer is obviously recovery from a backup. I have never really done this in production and I have no intention of ever doing it. It scares me. If something was deleted, I have faith that the person who deleted something is someone who could be trusted to have made that decision. If they made a bad decision, the trust was misplaced. This is yet another reason to not let people have native rights in the directory like that.

The painful answer is to recover the object from the deleted objects container. Depending on the type of object and the schema mods made you will have various levels of frustration with this because not everything comes back the way you want. By default, very little comes back. However, I much prefer this solution to recovering from backup. This is something I would actually do.

  joe




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Wednesday, February 16, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required

Joe,

Out of curiousity, what do you define as the painful versus really
painful option in 2K3?  Now I'm curious.  :-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Aramide 
 Adebanjo
 Sent: Wednesday, February 16, 2005 1:54 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] HELP!!! Undelete required
 
 Ah
 
 I need a miracle.a technical miracle.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Wednesday, February 16, 2005 7:36 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] HELP!!! Undelete required
 
 
 You aren't going to like the answer... If you had K3 you would have at least 2 options, one painful, one really painful. Here you only have the painful answer.
 
 
joe
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Aramide 
 Adebanjo
 Sent: Wednesday, February 16, 2005 1:27 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] HELP!!! Undelete required
 
 Hi guys,
 
 What is the fastest way of recovering a group object  deleted in AD 
 2000?? The changes have been replicated to all other DCs
 
 I want something precise, nothing fanciful, something tested and 
 proved working...pls don't let it involve restoring from