RE: [ActiveDir] "NTLM Authentication" Security Principal
Err they may have better luck looking on www.joeware.net :o)

Not much chance of confusion though once you go there, that site has been under construction for about 5 or so years now.

Anyway, to find many of my tools, you can usually just type in the tool name in Google nowadays and get right there:

http://www.joeware.net/win/free/tools/sectok.htm

Note that you can also use

whoami /groups

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, March 04, 2006 4:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "NTLM Authentication" Security Principal

Both "NTLM Authentication" and "This Organization" are so-called well-known security principals. They are added dynamically to the token of a user when the users authenticate in their domain or across a trust. However, they're not groups that you can read any memberships from like you can with other groups in AD.

As such you can either leverage the security event logs to check for NTLM and Kerberos authentication events (preferred approach), or you can query the user's token (e.g. by using sectok from www.joeware.com) for the respective security principal and do your reporting this way.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Freitag, 3. März 2006 15:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "NTLM Authentication" Security Principal

I have an interest in finding out how many of the users in our primary forest are authenticating via NTLM instead of Kerberos. I know that in Windows 2003 there is a new well-known security principal called "NTLM Authentication" which dynamically contains the list of people who authenticated via NTLM.

My question is, does anyone know how to query this security principal so I could get that list of people? Even if it's an ever-changing list, a snapshot at different times would be useful to see volumes. I was thinking of comparing that list to the "This Organization" security principal so I could tell what % of authentication were NTLM.

If there's another way to do this, I'm open to suggestions as well.

Thanks in advance for any comments.

Scott

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] "NTLM Authentication" Security Principal
Both "NTLM Authentication" and "This Organization" are so-called well-known security principals. They are added dynamically to the token of a user when the users authenticate in their domain or across a trust. However, they're not groups that you can read any memberships from like you can with other groups in AD.

As such you can either leverage the security event logs to check for NTLM and Kerberos authentication events (preferred approach), or you can query the user's token (e.g. by using sectok from www.joeware.com) for the respective security principal and do your reporting this way.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Freitag, 3. März 2006 15:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "NTLM Authentication" Security Principal

I have an interest in finding out how many of the users in our primary forest are authenticating via NTLM instead of Kerberos. I know that in Windows 2003 there is a new well-known security principal called "NTLM Authentication" which dynamically contains the list of people who authenticated via NTLM.

My question is, does anyone know how to query this security principal so I could get that list of people? Even if it's an ever-changing list, a snapshot at different times would be useful to see volumes. I was thinking of comparing that list to the "This Organization" security principal so I could tell what % of authentication were NTLM.

If there's another way to do this, I'm open to suggestions as well.

Thanks in advance for any comments.

Scott
RE: [ActiveDir] "NTLM Authentication" Security Principal
That would be helpful, but I was also thinking how useful it would be if I could somehow use that information to correlate back to which users were using NTLM so I could see if these were users that were running NT, XP, etc. Also, I could find out if certain lines of business were using NTLM because it may help me uncover things like custom applications that aren’t using Kerberos, etc.

It’s just a thought and it may be too difficult to implement. But I thought I’d see if anyone had done it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan A. Conrad
Sent: Friday, March 03, 2006 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] "NTLM Authentication" Security Principal

In the NTDS performance object there are two counters: NTLM Authentications and Kerberos Authentications. They wouldn't be able to tell you "who" is authenticating using those methods, but they would be able to provide a better idea. Both counters are in number of requests per second.

Ryan

On 3/3/06, Rachui, Scott <[EMAIL PROTECTED]> wrote:

I have an interest in finding out how many of the users in our primary forest are authenticating via NTLM instead of Kerberos. I know that in Windows 2003 there is a new well-known security principal called "NTLM Authentication" which dynamically contains the list of people who authenticated via NTLM.

My question is, does anyone know how to query this security principal so I could get that list of people? Even if it's an ever-changing list, a snapshot at different times would be useful to see volumes. I was thinking of comparing that list to the "This Organization" security principal so I could tell what % of authentication were NTLM.

If there's another way to do this, I'm open to suggestions as well.

Thanks in advance for any comments.

Scott
RE: [ActiveDir] "NTLM Authentication" Security Principal
If you are auditing logon events you can query the domain controller security logs for NTLM logon events. You'll need to use eventcombmt or some other utility to query all DCs for these events.

Win2000 DCs record successful NTLM logons in event 680 and failed logons in event 681.

Win2003 DCs record successful and failed NTLM logons in event 680.

John Roberts
JLR Technology Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Friday, March 03, 2006 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "NTLM Authentication" Security Principal

I have an interest in finding out how many of the users in our primary forest are authenticating via NTLM instead of Kerberos. I know that in Windows 2003 there is a new well-known security principal called "NTLM Authentication" which dynamically contains the list of people who authenticated via NTLM.

My question is, does anyone know how to query this security principal so I could get that list of people? Even if it's an ever-changing list, a snapshot at different times would be useful to see volumes. I was thinking of comparing that list to the "This Organization" security principal so I could tell what % of authentication were NTLM.

If there's another way to do this, I'm open to suggestions as well.

Thanks in advance for any comments.

Scott
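An added example, not part of the thread: one way to turn DC security-log records for events 680/681, once collected from all DCs, into per-account NTLM counts and source workstations, which is the correlation asked about earlier in the thread. The one-line record layout, field names as flattened here, and all sample values are constructed assumptions; adapt the parsing to what your export tool emits.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not from the thread). Assumed layout, one event per
# line: "DC,EventID,description" with the description flattened to "Field: value;".
SAMPLE = """\
DC01,680,Logon account: jsmith; Source Workstation: WS-NT4-07; Error Code: 0x0
DC01,680,Logon account: JSmith; Source Workstation: ws-nt4-07; Error Code: 0x0
DC02,680,Logon account: svc_app; Source Workstation: APPSRV01; Error Code: 0xC000006A
DC02,680,Logon account: svc_app; Source Workstation: APPSRV01; Error Code: 0x0
DC03,681,Logon account: mlee; Source Workstation: WS-2K-12; Error Code: 0xC000006A
DC03,540,Logon account: other; Source Workstation: WS-XP-01; Error Code: 0x0
"""

FIELD = re.compile(r"(Logon account|Source Workstation|Error Code):\s*([^;]+)")

def parse(line):
    """Return (account, workstation, succeeded) for an NTLM event, else None."""
    if line.count(",") < 2:
        return None
    _dc, event_id, desc = line.split(",", 2)
    fields = {k: v.strip() for k, v in FIELD.findall(desc)}
    if event_id not in ("680", "681") or len(fields) < 3:
        return None
    # Per the thread: 681 is a failed logon (Win2000 DCs); Win2003 DCs log both
    # outcomes as 680, so the error code decides (0x0 means success).
    succeeded = event_id == "680" and int(fields["Error Code"], 16) == 0
    return fields["Logon account"].lower(), fields["Source Workstation"].upper(), succeeded

def summarize(text):
    """Tally NTLM successes/failures per account and the workstations they came from."""
    success, failure, hosts = Counter(), Counter(), defaultdict(set)
    for line in text.splitlines():
        rec = parse(line.strip())
        if rec is None:
            continue
        account, workstation, succeeded = rec
        (success if succeeded else failure)[account] += 1
        hosts[account].add(workstation)
    return {"success": dict(success), "failure": dict(failure),
            "workstations": {a: sorted(w) for a, w in hosts.items()}}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

Accounts with many NTLM logons from a single server-class workstation are a reasonable first place to look for applications that do not use Kerberos.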
Re: [ActiveDir] "NTLM Authentication" Security Principal
In the NTDS performance object there are two counters: NTLM Authentications and Kerberos Authentications. They wouldn't be able to tell you "who" is authenticating using those methods, but they would be able to provide a better idea. Both counters are in number of requests per second.

Ryan

On 3/3/06, Rachui, Scott <[EMAIL PROTECTED]> wrote:

I have an interest in finding out how many of the users in our primary forest are authenticating via NTLM instead of Kerberos. I know that in Windows 2003 there is a new well-known security principal called "NTLM Authentication" which dynamically contains the list of people who authenticated via NTLM.

My question is, does anyone know how to query this security principal so I could get that list of people? Even if it's an ever-changing list, a snapshot at different times would be useful to see volumes. I was thinking of comparing that list to the "This Organization" security principal so I could tell what % of authentication were NTLM.

If there's another way to do this, I'm open to suggestions as well.

Thanks in advance for any comments.

Scott