RE: [ActiveDir] salary(OT)
Joe, I'm not sure what you've been smoking lately, but it must be good. A few clarifications:

We had more reviewers for AD3e than any other book I've done recently. People were asking us to review the book so we never had a problem finding enough reviewers. Rick, don't take offense.

The book is going to be released the last day of December and will be in stores in January. Originally they said it was going to be in stores by December, but apparently that isn't the case now.

Lastly, they are expecting to sell quite a bit more than 2000 copies. The first sell-in may be more than 2000 copies. O'Reilly wouldn't have done this book (much less expedite it) if they thought they'd sell only 2000 copies. They intend to do some special promotions with this book and hopefully it will have a significant store presence (ie, a few copies in most stores.)

The 100ft ocean liner is still out of the question, but you should have no problem purchasing a used hole-free 10ft jon boat with one oar off ebay.

Regards,
Robbie Allen
http://www.rallenhome.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 7:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Hey, I needed to maintain a certain quality. Did you send something to Robbie to say you wanted to review it? In the end we were begging for reviewers, I even took Dean as a reviewer and you know the edge I had to be on for that. He kept wanting to spell words wrong. Eventually I just took out all references to the words color, humor, and other or words.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 14, 2005 7:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe said: "Again, the reviewers did a fantastic job."

Of which, you will all notice when the book comes out, I am _NOT_ one of those reviewers.

joe said: "They kept me honest"

Which is one of the reasons _WHY_ I was not one of those reviewers

Rick

P.S. Hey, joe :op

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not out yet, I am expecting Mid November or Early December. I sent an email to see if I can find out.

The book is NOT written in my voice, I tried as best as possible to maintain the voice that was there. I simply revised it, though I did add a chapter on ADAM and a chapter on some basic Exchange/AD scripting. If you have the first or second edition I think you will find this edition worthy of picking up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing out and changing anything I didn't feel was "right". Also the reviewers all did a bangup job finding things I missed.

I admit I didn't sleep much in August or September. Tony may have noticed a lull in the list volume; me working on that book saved at least 2 bazillion helpless bits from being sacrificed.

I learned that revising a book may actually be harder than writing a book from scratch and you get paid less. Well maybe it is depending on if you know what you want to write about. With revising you can't just write, you have to read, reread, write, reread, write, reread, tweak, reread. When you change the flow and feel and voice it is like hitting a brick wall when reading. I am sure I didn't get rid of all of the bricks but I certainly tried to knock the walls down to a point where you can step over them without too much trouble. Anyway, I spent less time writing the ADAM chapter than I spent updating the security chapter. I know now that I probably should have just rewritten from scratch and it would have gone faster. Oh well, live and learn or don't live long.

Again, the reviewers did a fantastic job. They kept me honest when I tried to skip over some stuff when I got tired and I thank them profusely. I tried to do them justice in the small space provided to me for acknowledgements. Those are the things people tend not to look at at the front of the book. I do ask that if you pick up the book, you do look. Those, folks, deserve, the: attention.

joe

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Excel plugin for directory access
I vote for putting add functionality in admod and not breaking it out as a separate tool. (You didn't put AD deletions into a separate tool.)

Robbie Allen
http://www.rallenhome.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, November 02, 2004 1:51 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Excel plugin for directory access

I haven't looked at this but saw an email on it today... It is an Active Directory plugin for Excel 2003. This is not in any way related to joeware nor ADFind and I do not otherwise endorse or recommend it, however I know some folks were looking for this capability, so I thought I would let you know I ran into it and they may want to check it out.

http://bink.nu/?ArticleID=2782

FYI, I am looking at the CSV options. I want to make sure that they are consistent across adfind, admod, and the up and coming adadd [1]

joe

[1] Yeah that is a stupid name I know but I have to stick with the convention or possibly wrap into admod which I may do just because of how bad that name is...
RE: [ActiveDir] Missing enumeration for DNS Scripting
I'm a little late with this, but I just needed to figure these out myself. So through trial and error, here are the values:

const ZONE_SECSECURE_NO_SECURITY = 0
const ZONE_SECSECURE_NS_ONLY = 1
const ZONE_SECSECURE_LIST_ONLY = 2
const ZONE_SECSECURE_NO_XFR = 3

const ZONE_NOTIFY_OFF = 0
const ZONE_NOTIFY_ALL_SECONDARIES = 1
const ZONE_NOTIFY_LIST_ONLY = 2

BTW, I couldn't find these in the SDK either.

Regards,
Robbie Allen
http://www.rallenhome.com/
http://www.rallenhome.com/blog/adcookbook/ (Active Directory Blog)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, August 04, 2004 5:34 PM
To: [EMAIL PROTECTED]; joe
Subject: RE: [ActiveDir] Missing enumeration for DNS Scripting

Uh, not at least on the public page.

SecureSecondaries [in] Specifies the security to be applied and must be one of the following:
· ZONE_SECSECURE_NO_SECURITY
· ZONE_SECSECURE_NS_ONLY
· ZONE_SECSECURE_LIST_ONLY
· ZONE_SECSECURE_NO_XFR

What are the numeric values of ZONE_SECSECURE_NO_SECURITY and the others? Similarly, the numeric values for the Notify parameters...

Thanks!
Michael

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, August 04, 2004 4:56 PM
To: joe; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Missing enumeration for DNS Scripting

I'm not sure I understand the question. Which enum are you looking for? That page specifies the values for the in's. What am I not seeing that you're looking for?

From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 04, 2004 12:45 PM
To: [EMAIL PROTECTED]
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Missing enumeration for DNS Scripting

I just checked the Beta K3 SP1 SDK and it isn't there... Possibly you can sweet talk ~Eric into giving you the values. I have notified the MSDN folks and told them where to find the constants so they don't have to look too hard but who knows what the time frame will be.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Missing enumeration for DNS Scripting

Cute. Do you have MSDN Universal access and have you looked in the Beta SDK's? I will send something to MS about it but don't expect a quick fix.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, August 04, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Missing enumeration for DNS Scripting

Oh scripting gurus

http://msdn.microsoft.com/library/default.asp?url="">

Contains a number of values that I can't find in the platform SDK (ZONE_*) or on the web or on MSDN. Anyone have access to these values?

Thanks.
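The practical reason to care about these numbers is that SecureSecondaries decides who may pull a full zone transfer (a complete host inventory in one request), so they are worth auditing across every zone rather than only setting once. The following is an added example, not code from the list, from Microsoft, or from the DNS WMI provider's documentation: it takes the values Robbie posted, assumes their meaning from the constant names (they were found by trial and error, not from the SDK), flags zones with NO_SECURITY or inconsistent notify settings, and includes an optional pywin32 reader for the MicrosoftDNS_Zone class whose property names (Name, SecureSecondaries, SecondaryServers, Notify, NotifyServers) are assumed. The sample zone records are constructed.

```python
"""Zone transfer / notify audit built on the posted SecureSecondaries and
Notify values.  Added example; value meanings are assumed from the constant
names, which were derived by trial and error."""

# MicrosoftDNS_Zone.SecureSecondaries values, as posted in the thread.
ZONE_SECSECURE_NO_SECURITY = 0   # assumed: any requester may pull the whole zone
ZONE_SECSECURE_NS_ONLY = 1       # assumed: only servers named in the zone's NS records
ZONE_SECSECURE_LIST_ONLY = 2     # assumed: only servers listed in SecondaryServers
ZONE_SECSECURE_NO_XFR = 3        # assumed: zone transfers disabled

# MicrosoftDNS_Zone.Notify values, as posted in the thread.
ZONE_NOTIFY_OFF = 0
ZONE_NOTIFY_ALL_SECONDARIES = 1
ZONE_NOTIFY_LIST_ONLY = 2

SECSECURE_NAMES = {
    ZONE_SECSECURE_NO_SECURITY: "NO_SECURITY",
    ZONE_SECSECURE_NS_ONLY: "NS_ONLY",
    ZONE_SECSECURE_LIST_ONLY: "LIST_ONLY",
    ZONE_SECSECURE_NO_XFR: "NO_XFR",
}
NOTIFY_NAMES = {
    ZONE_NOTIFY_OFF: "OFF",
    ZONE_NOTIFY_ALL_SECONDARIES: "ALL_SECONDARIES",
    ZONE_NOTIFY_LIST_ONLY: "LIST_ONLY",
}


def audit_zone(zone):
    """Return a list of finding strings for one zone record.

    `zone` is a dict keyed by the (assumed) MicrosoftDNS_Zone property names
    Name, SecureSecondaries, SecondaryServers, Notify and NotifyServers.
    """
    findings = []
    sec = zone.get("SecureSecondaries")
    notify = zone.get("Notify")
    if sec not in SECSECURE_NAMES:
        findings.append(f"unrecognised SecureSecondaries value {sec!r}")
    if notify not in NOTIFY_NAMES:
        findings.append(f"unrecognised Notify value {notify!r}")
    if findings:
        return findings  # outside the posted set; do not guess what it means

    # The one setting that exposes data: a full transfer to any host that asks.
    if sec == ZONE_SECSECURE_NO_SECURITY:
        findings.append("zone transfer allowed to any requester (SecureSecondaries=NO_SECURITY)")
    # LIST_ONLY with an empty list cannot be transferred at all; usually a
    # list that was never filled in rather than a deliberate lock-down.
    if sec == ZONE_SECSECURE_LIST_ONLY and not zone.get("SecondaryServers"):
        findings.append("SecureSecondaries=LIST_ONLY but SecondaryServers is empty")
    # Notifies on a zone that cannot be transferred, or to an empty list, are
    # configuration drift worth a look even though they leak nothing.
    if notify != ZONE_NOTIFY_OFF and sec == ZONE_SECSECURE_NO_XFR:
        findings.append(f"Notify={NOTIFY_NAMES[notify]} on a zone with SecureSecondaries=NO_XFR")
    if notify == ZONE_NOTIFY_LIST_ONLY and not zone.get("NotifyServers"):
        findings.append("Notify=LIST_ONLY but NotifyServers is empty")
    return findings


def audit_zones(zones):
    """Map each zone name to its findings (an empty list means nothing to report)."""
    return {z["Name"]: audit_zone(z) for z in zones}


def collect_zones_via_wmi(server="."):
    """Read zone records from the MicrosoftDNS WMI provider on `server`.

    Windows only; needs pywin32.  Assumption: the property names used here are
    those exposed by the MicrosoftDNS_Zone class.
    """
    import win32com.client  # pywin32; imported here so the audit itself runs anywhere
    svc = win32com.client.GetObject(rf"winmgmts:\\{server}\root\MicrosoftDNS")
    zones = []
    for z in svc.InstancesOf("MicrosoftDNS_Zone"):
        zones.append({
            "Name": z.Name,
            "SecureSecondaries": z.SecureSecondaries,
            "SecondaryServers": list(z.SecondaryServers or ()),
            "Notify": z.Notify,
            "NotifyServers": list(z.NotifyServers or ()),
        })
    return zones


# Constructed sample records standing in for WMI output (not real zones).
SAMPLE_ZONES = [
    {"Name": "corp.example.test", "SecureSecondaries": 0, "SecondaryServers": [],
     "Notify": 1, "NotifyServers": []},
    {"Name": "lab.example.test", "SecureSecondaries": 2, "SecondaryServers": ["10.0.0.5"],
     "Notify": 2, "NotifyServers": ["10.0.0.5"]},
    {"Name": "archive.example.test", "SecureSecondaries": 3, "SecondaryServers": [],
     "Notify": 1, "NotifyServers": []},
    {"Name": "odd.example.test", "SecureSecondaries": 7, "SecondaryServers": [],
     "Notify": 0, "NotifyServers": []},
]

if __name__ == "__main__":
    for name, findings in audit_zones(SAMPLE_ZONES).items():
        print(name, "->", findings or "ok")
```

On a DNS server, replace SAMPLE_ZONES with collect_zones_via_wmi(); the audit logic is kept separate from the WMI call so it can be run against exported records or unit-tested off the box.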
RE: [ActiveDir] scripting admin
But of course :-)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, April 16, 2004 4:44 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] scripting admin
>
> And you are writing this in perl I assume?
>
> -
> http://www.joeware.net (download joeware)
> http://www.cafeshops.com/joewarenet (wear joeware)
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen (rallen)
> Sent: Thursday, April 15, 2004 8:23 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] scripting admin
>
> On a related note, I'm working on a VBScript to Perl code converter. Input some VBScript code and output the (roughly) equivalent Perl code. I just started a couple of weeks ago, but should have something in a month or so if anyone is interested.
>
> Robbie Allen
> http://www.rallenhome.com/
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> > Sent: Wednesday, April 14, 2004 2:38 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] scripting admin
> >
> > I'll second this. I've only run into one thing where I couldn't get Perl to work (deep, dark, ugly MAPI stuff...)
> >
> > Other than that, it's almost trivial to look at VBScript and convert it to perl.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: Tuesday, April 13, 2004 11:17 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] scripting admin
> >
> > I say Perl...
> >
> > The activestate dist is great. I am not aware of anything off the top of my head you can do in vbscript that you can't do in perl. You may want to learn enough vbscript to convert vbscripts others have written to perl.
> >
> > Overall for really simple things vbscript may be easier at first glance, but as the complexity rises vbscript shows its issues and perl starts to shine.
> >
> > Grab Robbie Allen's AD Cookbook which has some perl in it, also his Managing Enterprise Active Directory Services has quite a bit of perl in it. Most everything I tend to post here in terms of scripts and do in general is perl.
> >
> > joe
> >
> > -
> > http://www.joeware.net (download joeware)
> > http://www.cafeshops.com/joewarenet (wear joeware)
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> > Sent: Tuesday, April 13, 2004 10:32 PM
> > To: ActiveDir (E-mail)
> > Subject: [ActiveDir] scripting admin
> >
> > sorry for what is more of a personal advice question- i'm a perl guy and i was wondering if for proper windows scripting, should i learn VBscript or can i get away with most admining with perl and activestate. i run a couple of linux and unix servers, so perl makes sense, but would it behove me to learn VBscript or even VB to effectively script my win2k ad environment or can i get away with perl and its integer conversion et al and be a good admin mastering only one lang?
> > thanks in advance
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ: http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] scripting admin
On a related note, I'm working on a VBScript to Perl code converter. Input some VBScript code and output the (roughly) equivalent Perl code. I just started a couple of weeks ago, but should have something in a month or so if anyone is interested.

Robbie Allen
http://www.rallenhome.com/

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> Sent: Wednesday, April 14, 2004 2:38 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] scripting admin
>
> I'll second this. I've only run into one thing where I couldn't get Perl to work (deep, dark, ugly MAPI stuff...)
>
> Other than that, it's almost trivial to look at VBScript and convert it to perl.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, April 13, 2004 11:17 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] scripting admin
>
> I say Perl...
>
> The activestate dist is great. I am not aware of anything off the top of my head you can do in vbscript that you can't do in perl. You may want to learn enough vbscript to convert vbscripts others have written to perl.
>
> Overall for really simple things vbscript may be easier at first glance, but as the complexity rises vbscript shows its issues and perl starts to shine.
>
> Grab Robbie Allen's AD Cookbook which has some perl in it, also his Managing Enterprise Active Directory Services has quite a bit of perl in it. Most everything I tend to post here in terms of scripts and do in general is perl.
>
> joe
>
> -
> http://www.joeware.net (download joeware)
> http://www.cafeshops.com/joewarenet (wear joeware)
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Tuesday, April 13, 2004 10:32 PM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] scripting admin
>
> sorry for what is more of a personal advice question- i'm a perl guy and i was wondering if for proper windows scripting, should i learn VBscript or can i get away with most admining with perl and activestate. i run a couple of linux and unix servers, so perl makes sense, but would it behove me to learn VBscript or even VB to effectively script my win2k ad environment or can i get away with perl and its integer conversion et al and be a good admin mastering only one lang?
> thanks in advance
RE: [ActiveDir] Integrate Linux with AD
Depends on what you want to do. As far as allowing Linux clients to authenticate against AD, SFU doesn't do everything. The solutions guide is ok, but don't give it to any of your Linux/UNIX people to read ;-)

Regards,
Robbie Allen
http://www.rallenhome.com/

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
> Sent: Friday, February 06, 2004 5:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Integrate Linux with AD
>
> > Hot off the press.
> >
> > Solution Guide for Windows Security and Directory Services for UNIX
> > Using Active Directory and Kerberos for authentication and identity store in a heterogeneous UNIX and Windows IT environment.
> >
> > http://www.microsoft.com/downloads/details.aspx?FamilyId=144F7B82-65CF-4105-B60C-44515299797D&displaylang=en
>
> Could I use Services for Unix? Would that work instead of buying VAS?
>
> Jennifer
RE: [ActiveDir] How to track object deletion?
FYI, lastKnownParent is not supported on W2K.

Robbie Allen
http://www.rallenhome.com/

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
> Sent: Tuesday, January 20, 2004 9:25 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] How to track object deletion?
>
> Joe-
> In Server 2003, lastKnownParent is reliably populated with the last known home of the deleted object. However, I've not tried Win2K and it's quite possibly not.
>
> Darren
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, January 20, 2004 2:03 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] How to track object deletion?
>
> Hey Darren, have you ever seen that attribute populated? I don't recall ever seeing it on any objects. I never looked deeply into it though to see what it was legally linked to.
>
> Joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
> Sent: Monday, January 19, 2004 3:02 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] How to track object deletion?
>
> Check the lastKnownParent attribute on the deleted object.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, January 19, 2004 7:37 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] How to track object deletion?
>
> Hello, AD gurus.
> I've been developing a DirSync program that tracks object changes in AD. Everything is fine except for object deletion. When an AD object is deleted, as everybody knows here, it is tombstoned. As I figured out, that means that the object is moved to the hidden container called 'Deleted Objects'. So when I delete an object, DirSync returns me the following
>
> CN=user1\DEL:5fce35d1-42dc-4d42-b4d6-fd4a5c773acd,CN=Deleted Objects,DC=sbhbd1,DC=local
>
> as the DN of the changed object.
>
> In the example above I deleted the object with DN: CN=user1,CN=Users,DC=sbhbd1,DC=local.
> But I've lost some part of the original object DN like: * ,CN=Users, *
>
> The question is: How to track AD object deletion? I need to know the object's original DN, but AD hides it from me.
> I don't want to keep a copy of the original AD or whatever similar to it.
>
> Thanks in advance!
>
> --
> Best regards,
> (mailto:[EMAIL PROTECTED]) 19.01.2004, 18:27
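Putting the thread's two halves together, the tombstone DN gives back the object's old RDN and its objectGUID, and lastKnownParent (Server 2003 only, per Robbie and Darren) gives back the container, so the original DN can be rebuilt without keeping a copy of the directory. The following is an added example, not code from the list or from any poster: it parses the tombstone DN format shown above, reconstructs the pre-deletion DN when lastKnownParent is available, returns None rather than guessing when it is not (the W2K case), and follows a parent that is itself a tombstone (a deleted OU) through a caller-supplied lookup. The sample DNs are those from the thread plus a constructed deleted OU; the `0A` in `\0ADEL:` is the LDAP escape of the line-feed character AD inserts into the RDN, and the regex also accepts the posted spelling without it.

```python
"""Rebuild a deleted object's original DN from its tombstone DN and
lastKnownParent.  Added example for the thread above, not list code."""
import re

# Tombstone RDN as AD renders it: "<attr>=<old name>\0ADEL:<objectGUID>" directly
# under CN=Deleted Objects.  "\0A" is the escaped line feed before "DEL:"; the
# form posted in the thread lacks the "0A", so both spellings are accepted.
TOMBSTONE_RE = re.compile(
    r"^(?P<attr>[A-Za-z]+)=(?P<name>.+?)\\(?:0A)?DEL:"
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}),"
    r"CN=Deleted Objects,(?P<nc>.+)$"
)


def parse_tombstone_dn(dn):
    """Split a tombstone DN into attr, name, guid and naming context.

    Returns None when `dn` is not a tombstone DN, so callers can tell a live
    object apart from a deleted one without a second query.
    """
    m = TOMBSTONE_RE.match(dn)
    if not m:
        return None
    return {"attr": m["attr"], "name": m["name"],
            "guid": m["guid"].lower(), "nc": m["nc"]}


def is_tombstone_dn(dn):
    return parse_tombstone_dn(dn) is not None


def original_dn(tombstone_dn, last_known_parent=None, parent_lookup=None):
    """Return the DN the object had before deletion, or None if unknown.

    `last_known_parent` is the tombstone's lastKnownParent value; the thread
    notes it is populated on Server 2003 but not on W2K, so a missing value
    yields None rather than an invented parent.  When the parent is itself a
    tombstone (the containing OU was deleted too), `parent_lookup` maps that
    tombstone DN to its own lastKnownParent so the chain can be walked.
    """
    parts = parse_tombstone_dn(tombstone_dn)
    if parts is None:
        raise ValueError(f"not a tombstone DN: {tombstone_dn}")
    if not last_known_parent:
        return None
    parent = last_known_parent
    if is_tombstone_dn(parent):
        lookup = parent_lookup or {}
        parent = original_dn(parent, lookup.get(parent), lookup)
        if parent is None:
            return None
    return f"{parts['attr']}={parts['name']},{parent}"


# Sample values: the tombstone DN and original DN from the thread, plus a
# constructed deleted OU to show the chained case.
SAMPLE_TOMBSTONE = ("CN=user1\\0ADEL:5fce35d1-42dc-4d42-b4d6-fd4a5c773acd,"
                    "CN=Deleted Objects,DC=sbhbd1,DC=local")
SAMPLE_PARENT = "CN=Users,DC=sbhbd1,DC=local"
SAMPLE_DELETED_OU = ("OU=Sales\\0ADEL:0b5e3c0a-1111-2222-3333-444444444444,"
                     "CN=Deleted Objects,DC=sbhbd1,DC=local")

if __name__ == "__main__":
    print(parse_tombstone_dn(SAMPLE_TOMBSTONE))
    print(original_dn(SAMPLE_TOMBSTONE, SAMPLE_PARENT))
    print(original_dn(SAMPLE_TOMBSTONE))  # W2K: no lastKnownParent -> None
    print(original_dn(SAMPLE_TOMBSTONE, SAMPLE_DELETED_OU,
                      {SAMPLE_DELETED_OU: "DC=sbhbd1,DC=local"}))
```

In a DirSync consumer the objectGUID from the tombstone is the stable key to correlate against earlier change records, which is a more reliable join than the DN even when lastKnownParent is present.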
RE: [ActiveDir] 2003 NTDS.DIT size
W2K3 AD does single instance store of security descriptors which can save a lot of space over W2K AD.

Robbie Allen
http://www.rallenhome.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, January 15, 2004 8:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 2003 NTDS.DIT size

I blame it on cold water.

Oh, you don't mean that shrinkage.

From what I understand, it's due to improvements in the database format and how data is stored within. I'm guessing that they've rearranged the table structures to better fit the actual usage patterns.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Joe Baguley [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 NTDS.DIT size

DIT size decreases are certainly what I am seeing in the field, with an 80,000 user AD I deal with shrinking in a similar fashion to the Compaq/HP one described below... Surely some people on here will be able to explain the shrinkage

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: 15 January 2004 13:19
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 2003 NTDS.DIT size

According to Tony Redmond's Exchange 2003 book, the HP/Compaq combined DIT file was 12GB in AD on Win2k and dropped to 7GB under 2003. Not sure how typical that is. I'd think worst case you'd end up about the same place you are now. IIRC, there aren't that many schema changes, so the structural size shouldn't change that much.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Parker, Edward [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2003 NTDS.DIT size

All,

We have a 53,000 user AD environment. The current size of the NTDS.DIT is just under 2GB. I am reading Chapter 9 of the 2003 planning document and on page 368 it states:

"On the drive that will contain the Active Directory database, NTDS.dit, provide 0.4 gigabytes (GB) of storage for each 1,000 users. ..."

Now, if this is true, that is saying when I upgrade to 2003, my database will grow from 2GB to 21GB. This seems a little hard to believe. We are going to be doing this in the lab shortly, but we are planning additional hardware, and this seems a little "off". Can anyone confirm this?
RE: [ActiveDir] LDIFDE and Perl...
You can find a bunch of Perl Net::LDAP examples here:

http://www.rallenhome.com/books/managingenterprisead/code.html

And the cookbook code page has a lot of Perl ADSI examples:

http://www.rallenhome.com/books/adcookbook/code.html

Let me know if you have any questions.

Robbie Allen

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
> Sent: Thursday, January 15, 2004 1:09 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] LDIFDE and Perl...
>
> I need to import 1500 user accounts into a test environment, I would like to use LDIFDE. First, is there an easy way to batch or create dummy accounts for a test environment without having to type each one, and second, can any of this be done with Perl?
>
> I will also be consulting the Cookbook!
>
> Thanks in advance.
>
> Mike
RE: [ActiveDir] What is your favorite scripting language?
I wrote an article about this topic a few weeks ago:

http://www.oreillynet.com/pub/a/network/2003/11/18/activedir_ckbk.html

There was a fair amount of discussion (at the end of the article) so I asked O'Reilly to host the poll.

Robbie Allen
http://www.rallenhome.com/

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
> Sent: Friday, December 12, 2003 10:29 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] What is your favorite scripting language?
>
> I'm afraid to ask... but... why is Perl the preferred language (besides "it works on Unix/Linux")?
>
> Rich
>
> -----Original Message-----
> From: Joe [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 11, 2003 10:13 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] What is your favorite scripting language?
>
> But I did :oP
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen (rallen)
> Sent: Thursday, December 11, 2003 8:52 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] What is your favorite scripting language?
>
> O'Reilly is hosting a poll for the most popular scripting language on the Windows platform. To vote for your favorite language, visit the O'Reilly website (http://www.oreilly.com/) and look on the right side of the page under O'Reilly Poll.
>
> FYI, Perl has the early lead and no I didn't vote twice :-)
>
> Regards,
> Robbie Allen
> http://www.rallenhome.com/
[ActiveDir] What is your favorite scripting language?
O'Reilly is hosting a poll for the most popular scripting language on the Windows platform. To vote for your favorite language, visit the O'Reilly website (http://www.oreilly.com/) and look on the right side of the page under O'Reilly Poll.

FYI, Perl has the early lead and no I didn't vote twice :-)

Regards,
Robbie Allen
http://www.rallenhome.com/
RE: AD as a possible target of attack? RE: [ActiveDir] Virus soft wareon DC
Neither that I recall. CPU was around 30-40%. In my experience it is not uncommon to see occasional LDAP errors when the CPU reaches that level on DCs (at least with W2K).

Robbie Allen

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
> Sent: Thursday, December 11, 2003 6:37 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus soft wareon DC
>
> I usually have to run about 10 authentication threads on each of 5 machines to get the CPU over 50% on my 1GHz P3 server. Of course the DIT is essentially empty. I suppose that having them issue some complex query over a large DIT would alter that picture substantially.
>
> That's interesting that clients were getting intermittent errors even though the CPU wasn't pegged. Was the disk or network saturated?
>
> -g
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen (rallen)
> Sent: Thursday, December 11, 2003 4:00 PM
> To: [EMAIL PROTECTED]
> Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus soft wareon DC
>
> I don't think it would take all that many clients if they used a threaded app that spawned a bunch of simultaneous sessions to different DCs. Heck, I've seen a single client cause the number of queries per second on a DC to go from 80 to ~1000 for a 30 minute span. Now this didn't cause the CPU to spike greatly, but it did cause other clients using that DC to get intermittent AD/LDAP errors.
>
> As far as denying IPs, that was available in W2K, but it was removed (at least from ntdsutil) in W2K3. I was told that it wouldn't be supported anymore in W2K3 (I haven't tested to see if it works still). That would be unfortunate if it isn't supported.
>
> Robbie Allen
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
> > Sent: Thursday, December 11, 2003 5:38 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus soft wareon DC
> >
> > The problem with the built-in security model is that in most environments it's easy to get around it by using one of the various LocalSystem escalations on the DC. All of a sudden the ACLs are meaningless, and AD will happily replicate the corrupted data for you.
> >
> > It's hard to do a system wide denial-of-service by flooding the DCs with queries (I assume this is what you were talking about) because of the number of clients you would have to bring to bear. It takes a lot of clients to generate enough traffic to kill a DC, and a lot more to kill all the DCs in the system. And if the clients are connected to the DCs via slower WAN links, it's probably impossible.
> >
> > You can disable anonymous queries (already done by default in W2K3), and you can configure IP addresses to deny connections from, but I don't know of a way to limit the number of LDAP queries per second. Sounds like a cool feature.
> >
> > -gil
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > Sent: Thursday, December 11, 2003 2:36 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus soft wareon DC
> >
> > I'm not as worried about malicious, entry changing attacks due to the built in security model. It's cake and pie to do a denial of service attack against an LDAP system. Add to that a simple DNS query to find all the DC's, and the whole domain drops like a lead filled balloon.
> >
> > Is there a way to limit the number of LDAP queries per second on a DC, at least from a specific source address?
> >
> > Roger
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> > > -----Original Message-----
> > > From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, December 11, 2003 4:14 PM &g
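Gil's point stands that there is no per-source rate limit in the directory itself, which leaves detection: the pattern Robbie describes (a DC's query rate jumping from 80 to ~1000 per second for half an hour while CPU stays flat) is exactly the kind of thing a per-client sliding-window count over LDAP activity catches, so the source can be found and blocked upstream before other clients start seeing errors. The following is an added example, not code from the list or from any poster: a per-client burst detector plus a whole-DC peak-rate measurement, run over a constructed event stream (timestamp, client address) that stands in for whatever source you actually have, such as a network capture or the server's own diagnostic logging. Threshold, window and all addresses are assumptions.

```python
"""Per-source LDAP query-rate watch for the burst described in the thread.
Added example; the event stream is constructed, not captured."""
from collections import defaultdict, deque


def find_query_bursts(events, window_seconds=1.0, threshold=200):
    """Flag clients whose query count inside a sliding window exceeds threshold.

    events: iterable of (timestamp_seconds, client_ip) pairs in any order.
    Returns one (client_ip, window_start, count) tuple per burst.  A client is
    re-armed only after its count falls to half the threshold, so a sustained
    burst produces a single alert instead of one per query.
    """
    per_client = defaultdict(deque)
    alerting = set()
    alerts = []
    for ts, client in sorted(events):
        window = per_client[client]
        window.append(ts)
        while ts - window[0] > window_seconds:  # drop timestamps that aged out
            window.popleft()
        count = len(window)
        if count > threshold and client not in alerting:
            alerting.add(client)
            alerts.append((client, window[0], count))
        elif count <= threshold // 2:
            alerting.discard(client)
    return alerts


def peak_rate(events, window_seconds=1.0):
    """Highest number of queries from all clients inside any sliding window,
    the DC-wide figure that would show the 80 -> ~1000 jump."""
    window = deque()
    peak = 0
    for ts, _client in sorted(events):
        window.append(ts)
        while ts - window[0] > window_seconds:
            window.popleft()
        peak = max(peak, len(window))
    return peak


def build_sample_events():
    """Constructed stream (assumed addresses): 50 clients at one query per
    second for 10 s, plus one client that issues 500 queries inside a single
    second starting at t=5."""
    events = []
    for second in range(10):
        for i in range(1, 51):
            events.append((second + i / 100.0, f"10.0.0.{i}"))
    events.extend((5.0 + k / 1000.0, "10.0.0.99") for k in range(500))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print("peak queries in any 1 s window:", peak_rate(sample))
    for client, start, count in find_query_bursts(sample):
        print(f"burst from {client}: {count} queries in the window starting at t={start:.3f}s")
```

The half-threshold re-arm is the piece most people forget: without it a 30 minute burst at 1000 queries per second raises tens of thousands of identical alerts, and the one address that matters is lost in them.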
RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
I don't think it would take all that many clients if they used a threaded app that spawned a bunch of simultaneous sessions to different DCs. Heck, I've seen a single client cause the number of queries per second on a DC to go from 80 to ~1000 for a 30-minute span. Now this didn't cause the CPU to spike greatly, but it did cause other clients using that DC to get intermittent AD/LDAP errors.

As far as denying IPs, that was available in W2K, but it was removed (at least from ntdsutil) in W2K3. I was told that it wouldn't be supported anymore in W2K3 (I haven't tested to see if it works still). That would be unfortunate if it isn't supported.

Robbie Allen

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
> Sent: Thursday, December 11, 2003 5:38 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
>
> The problem with the built-in security model is that in most environments it's easy to get around it by using one of the various LocalSystem escalations on the DC. All of a sudden the ACLs are meaningless, and AD will happily replicate the corrupted data for you.
>
> It's hard to do a system-wide denial-of-service by flooding the DCs with queries (I assume this is what you were talking about) because of the number of clients you would have to bring to bear. It takes a lot of clients to generate enough traffic to kill a DC, and a lot more to kill all the DCs in the system. And if the clients are connected to the DCs via slower WAN links, it's probably impossible.
>
> You can disable anonymous queries (already done by default in W2K3), and you can configure IP addresses to deny connections from, but I don't know of a way to limit the number of LDAP queries per second. Sounds like a cool feature.
>
> -gil
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Thursday, December 11, 2003 2:36 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
>
> I'm not as worried about malicious, entry-changing attacks due to the built-in security model. It's cake and pie to do a denial of service attack against an LDAP system. Add to that a simple DNS query to find all the DCs, and the whole domain drops like a lead-filled balloon.
>
> Is there a way to limit the number of LDAP queries per second on a DC, at least from a specific source address?
>
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -Original Message-
> > From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 11, 2003 4:14 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> >
> > I don't even think you have to restrict the AD-related virus issue to the file system.
> >
> > Something that your AV tools won't help you with is a "virus" that simply runs malicious LDAP queries - i.e. changing all kinds of attributes on objects in AD or even deleting a whole lot of objects at once... Obviously this virus would only be harmful for users with appropriate permissions on the AD objects.
> >
> > Again, AD will ensure that these malicious changes are replicated to all DCs and you could end up with quite a disaster which is certainly not very easy to recover from.
> >
> > /Guido
> >
> > -Original Message-
> > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, 11 December 2003 14:55
> > To: [EMAIL PROTECTED]
> > Subject: Re: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> >
> > > DO scan your DCs and reconsider excluding things like the Sysvol
> >
> > I fully agree with you here, John. I have seen for myself how good FRS is at distributing viruses throughout the infrastructure in a short period of time!! Some of the major AV vendors previously had products that caused problems when scanning SYSVOL, but the recent offerings have resolved this. Bottom line: there is no good reason not to include SYSVOL (as long as you've checked with your AV vendor first).
> >
> > Tony
> >
> > -- Original Message --
> > Wrom: NNYCGPKYLEJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXU
> > Reply-To: [EMAIL PROTECTED]
> > Date: Wed, 10 Dec 2003 23:18:52 +0100
> >
> > I totally agree with all the guys out there that urge you to scan your DCs!!! I've been thinking about this issue for some time and I've come to the conclusion that Active Directory would be THE IDEAL target for a virus attack. The
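Robbie's point above is that one badly behaved client can take a DC from ~80 to ~1000 searches/sec and that the only real tool is monitoring. The script below is an added example, not code from the thread or from any of the posters. It samples the NTDS LDAP counters from Perfmon, flags samples that exceed an assumed baseline, and then reads the LDAP admin limits that do exist on the domain's Default Query Policy, since there is still no per-second limit to set. Assumptions: it runs on a Windows Server 2012 R2 or later domain controller with the RSAT ActiveDirectory module installed; the baseline of 80 searches/sec and the spike factor are illustrative, not measured values.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the list thread). Samples the NTDS LDAP counters,
# flags a jump over an assumed baseline, then prints the LDAP admin limits
# that actually apply to this DC. Baseline and spike factor are assumed values.

$BaselineSearchesPerSec = 80     # assumed normal rate for this DC (Robbie's figure)
$SpikeFactor            = 5      # warn when a sample exceeds baseline * factor
$SampleIntervalSeconds  = 5
$MaxSamples             = 12     # one minute of samples at 5-second intervals

$counters = @(
    '\NTDS\LDAP Searches/sec',
    '\NTDS\LDAP Client Sessions',
    '\NTDS\LDAP Successful Binds/sec'
)

# One row per sample with the three counters side by side.
function Get-LdapLoadSample {
    Get-Counter -Counter $counters -SampleInterval $SampleIntervalSeconds -MaxSamples $MaxSamples |
        ForEach-Object {
            $s = $_.CounterSamples
            [pscustomobject]@{
                Time     = $_.Timestamp
                Searches = [math]::Round(($s | Where-Object Path -like '*LDAP Searches/sec').CookedValue, 1)
                Sessions = ($s | Where-Object Path -like '*LDAP Client Sessions').CookedValue
                Binds    = [math]::Round(($s | Where-Object Path -like '*Successful Binds/sec').CookedValue, 1)
            }
        }
}

$samples = @(Get-LdapLoadSample)
$samples | Format-Table -AutoSize

$threshold = $BaselineSearchesPerSec * $SpikeFactor
$hot = @($samples | Where-Object { $_.Searches -gt $threshold })
if ($hot.Count -gt 0) {
    Write-Warning ("{0} of {1} samples exceeded {2} LDAP searches/sec (baseline {3}); find the client sessions driving it" -f
        $hot.Count, $samples.Count, $threshold, $BaselineSearchesPerSec)
}

# There is no queries-per-second knob, but the Default Query Policy does cap
# concurrent and long-running searches per DC. Show the limits in force.
$configNC = (Get-ADRootDSE).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$policy   = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits
$wanted   = 'MaxActiveQueries', 'MaxQueryDuration', 'MaxConnections', 'MaxConnIdleTime', 'MaxPageSize'

$policy.lDAPAdminLimits |
    ForEach-Object {
        $name, $value = $_ -split '=', 2          # entries look like "MaxActiveQueries=20"
        [pscustomobject]@{ Limit = $name; Value = [int]$value }
    } |
    Where-Object { $_.Limit -in $wanted } |
    Format-Table -AutoSize
```

Reading the counters needs membership in Performance Monitor Users or local admin on the DC. The limits printed at the end are the same ones edited through the `ntdsutil` "LDAP policies" menu that Robbie mentions; MaxActiveQueries and MaxQueryDuration are the closest thing to a throttle, and they are per-DC caps on concurrency and runtime, not per-source rate limits.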
RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
I'm really surprised that a virus hasn't tried to use AD as a possible source of new users/computers to attack. It is real easy to write a query to enumerate every user in the domain. Even though Authenticated Users can't read all attributes of users, there are still plenty that are readable. And then there is the issue of modifying the attributes granted to SELF. There are several other ways AD could be used maliciously, but I don't want to give anyone ideas ;-)

This really could become a problem (and a difficult one to solve). As you mentioned, by just looking at DNS, you could get all of the DCs, DNS servers, mail servers, etc. and start spamming them (unless you aren't populating all of them in DNS).

I think all the virus writers have been programming geeks/kiddies. A clueful Sys Admin could devise much more creative/damaging exploits than we've seen so far ;-)

To my knowledge there is no way to limit the number of LDAP queries per second. The best you can do is monitor the number of LDAP queries per second (available from Perfmon). It is also good to monitor expensive/inefficient queries (see recipe 15.8).

Robbie Allen
http://www.rallenhome.com/

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Thursday, December 11, 2003 4:36 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
>
> I'm not as worried about malicious, entry-changing attacks due to the built-in security model. It's cake and pie to do a denial of service attack against an LDAP system. Add to that a simple DNS query to find all the DCs, and the whole domain drops like a lead-filled balloon.
>
> Is there a way to limit the number of LDAP queries per second on a DC, at least from a specific source address?
>
> Roger
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -Original Message-
> > From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, December 11, 2003 4:14 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> >
> > I don't even think you have to restrict the AD-related virus issue to the file system.
> >
> > Something that your AV tools won't help you with is a "virus" that simply runs malicious LDAP queries - i.e. changing all kinds of attributes on objects in AD or even deleting a whole lot of objects at once... Obviously this virus would only be harmful for users with appropriate permissions on the AD objects.
> >
> > Again, AD will ensure that these malicious changes are replicated to all DCs and you could end up with quite a disaster which is certainly not very easy to recover from.
> >
> > /Guido
> >
> > -Original Message-
> > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, 11 December 2003 14:55
> > To: [EMAIL PROTECTED]
> > Subject: Re: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC
> >
> > > DO scan your DCs and reconsider excluding things like the Sysvol
> >
> > I fully agree with you here, John. I have seen for myself how good FRS is at distributing viruses throughout the infrastructure in a short period of time!! Some of the major AV vendors previously had products that caused problems when scanning SYSVOL, but the recent offerings have resolved this. Bottom line: there is no good reason not to include SYSVOL (as long as you've checked with your AV vendor first).
> >
> > Tony
> >
> > -- Original Message --
> > Wrom: NNYCGPKYLEJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXU
> > Reply-To: [EMAIL PROTECTED]
> > Date: Wed, 10 Dec 2003 23:18:52 +0100
> >
> > I totally agree with all the guys out there that urge you to scan your DCs!!! I've been thinking about this issue for some time and I've come to the conclusion that Active Directory would be THE IDEAL target for a virus attack. The robustness of AD replication makes it the ideal distribution mechanism for viruses. Hey ... distributing viruses by mail is ancient technology ;-). Why not use the intense integration of Exchange 2000+ and AD to transport a virus from Exchange to AD?
> >
> > No guys... I'm very serious! DO scan your DCs and reconsider excluding things like the Sysvol because this is another possible target for the sick minds out there that like to screw up enterprise environments! It's only a matter of time before the first AD virus is a fact of life we have to deal with!
> >
> > So go out and check (before you go to bed) whether or not dat-file updates are really succee
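Robbie lists three exposures in his message: DCs are discoverable from DNS, any authenticated user can enumerate every user object and read a good share of its attributes, and users can write the attributes granted to SELF on their own object. The script below is an added example, not code from the thread or from any of the posters, and shows all three from the point of view of an ordinary domain user. Assumptions: Windows 8.1 / Server 2012 R2 or later with the RSAT ActiveDirectory module (which provides Get-ADUser, Get-ADObject and the AD: drive used by Get-Acl), a domain-joined machine, and the domain name taken from the logon session via $env:USERDNSDOMAIN.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the list thread). Run as a plain domain user:
#  1. find every DC from the _ldap._tcp.dc._msdcs SRV record,
#  2. pull every user object with one LDAP search and see which attributes
#     come back (the DC omits anything this account cannot read),
#  3. list what this account may write on itself via SELF ACEs.
# Assumed: RSAT ActiveDirectory module present; domain taken from the logon.

$domain = $env:USERDNSDOMAIN

# 1. DC discovery from DNS alone; no LDAP bind is needed for this step.
$dcs = @(Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$domain" |
    Where-Object QueryType -eq 'SRV' |
    Select-Object NameTarget, Port, Priority, Weight)
"{0} DCs advertised in DNS for {1}" -f $dcs.Count, $domain
$dcs | Format-Table -AutoSize

# 2. One subtree search for every user. '-Properties *' asks for everything;
#    the DC silently drops attributes this account lacks read access to, so
#    the populated set is exactly the surface exposed to Authenticated Users.
$users    = @(Get-ADUser -LDAPFilter '(objectCategory=person)' -Properties *)
$readable = @($users |
    ForEach-Object { $_.PropertyNames } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Name, Count)
"{0} user objects returned; {1} distinct attributes readable" -f $users.Count, $readable.Count
$readable | Select-Object -First 25 | Format-Table -AutoSize

# 3. SELF-writable attributes on the current account. An ACE's ObjectType GUID
#    names either a schema attribute (schemaIDGUID) or a property set / right
#    (rightsGuid under Extended-Rights), so build one lookup covering both.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = "$($_.displayName) (property set / right)" }

$me  = Get-ADUser -Identity $env:USERNAME
$acl = Get-Acl -Path "AD:\$($me.DistinguishedName)"
$acl.Access |
    Where-Object { $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
                   $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'WriteProperty|Self|GenericWrite|GenericAll' } |
    ForEach-Object {
        $target = if ($_.ObjectType -eq [guid]::Empty) { '<all attributes>' }
                  elseif ($guidMap.ContainsKey($_.ObjectType)) { $guidMap[$_.ObjectType] }
                  else { $_.ObjectType.ToString() }
        [pscustomobject]@{
            Rights    = $_.ActiveDirectoryRights
            Target    = $target
            Inherited = $_.IsInherited
        }
    } | Format-Table -AutoSize
```

Step 2 is itself the kind of single-client load Robbie describes: a subtree search for every user with every attribute is exactly what shows up as an expensive query in the monitoring he recommends, so run it against a lab DC or at a quiet hour. Step 3 on a default schema should show SELF allowed to write the Personal Information, Phone and Mail Options and Web Information property sets, which is the attribute surface a self-modifying account (or malware running as that user) can change without any delegated rights.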