RE: [ActiveDir] dumping DL permissions
Dumping all the DLs is easy. Something like adfind from joeware.net would do the trick. I'd just query for groups with mail=* since you can have mail enabled security groups. The ACLs, I think adfind decodes ACLs, but you'll still need to parse this information into something useable.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dumping DL permissions

One of our Exchange account admins wants to know if there is a tool that would dump a list of the name of each distribution list in the GAL along with who has the ability to add or remove members on each one. Would I approach this with a script or is there a tool I should point him towards?

Thanks,
Mark

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
RE: [ActiveDir] dumping DL permissions
Yep adfind will dump the ntsecuritydescriptor and decode it if you specify the attribute and add the -sddc option. Note it will be in SDDL format which is probably one of the easier formats for scripting but worse for reading.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Friday, November 11, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Dumping all the DLs is easy. Something like adfind from joeware.net would do the trick. I'd just query for groups with mail=* since you can have mail enabled security groups. The ACLs, I think adfind decodes ACLs, but you'll still need to parse this information into something useable.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] dumping DL permissions
Thanks Joe Brian, Time to take the feet down off the desk again...:-|

MC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, November 11, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Yep adfind will dump the ntsecuritydescriptor and decode it if you specify the attribute and add the -sddc option. Note it will be in SDDL format which is probably one of the easier formats for scripting but worse for reading.
RE: [ActiveDir] dumping DL permissions
GASP Joeware.net is suddenly blocked by SurfCONTROL. Not kidding unfortunately sigh Must be that opening pic. :-/ Oh well, thank God for my super top secret testing DSL connection so I can get to the usage documentation again. Now where the heck is that surf admin...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Thanks Joe Brian, Time to take the feet down off the desk again...:-|

MC
RE: [ActiveDir] dumping DL permissions
Interesting. Is that controlled locally or is that some blacklist service type item? I am digging around also.

I think with some small mods, the script I wrote for dumping ACLs for AD objects for AD3E could be used for this to generate a CSV with DLs and their perms. It could probably further be filtered to only show ACEs with the ability to modify membership. It is going to be considerably slower than adfind though because it is using ADO and ADSI.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

GASP Joeware.net is suddenly blocked by SurfCONTROL. Not kidding unfortunately sigh Must be that opening pic. :-/ Oh well, thank God for my super top secret testing DSL connection so I can get to the usage documentation again. Now where the heck is that surf admin...
RE: [ActiveDir] dumping DL permissions
I think they have a subscription type thing. The WebSense at work tells you what the site is blocked under usually. Does SurfControl do that? If I had to make a guess, I'd say somebody reported your postcard:

Adult/Sexually Explicit
Adult products including sex toys, CD-ROMs, and videos
Child Pornography/Pedophilia*
Adult services including videoconferencing, escort services, and strip clubs
Erotic stories and textual descriptions of sexual acts
Explicit cartoons and animation
Online groups, including newsgroups and forums, that are sexually explicit in nature
Sexually-oriented or erotic full or partial nudity
Depictions or images of sexual acts, including animals or inanimate objects used in a sexual manner
Sexually exploitive or sexually violent text or graphics
Bondage, fetishes, genital piercing
Naturist sites that feature nudity
Erotic or fetish photography, which depicts nudity

NOTE: We do not include sites regarding sexual health, breast cancer, or sexually transmitted diseases (except in graphic examples).

* SurfControl sends all child-oriented erotic sites to global advocacy groups, including the Australian Broadcasting Authority (AU), Bundesministerium für Inneres (AT), Internet Watch Foundation (UK), Interpol, Meldpunt (NL) and the National Center for Missing and Exploited Children (US).

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, November 11, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Interesting. Is that controlled locally or is that some blacklist service type item? I am digging around also.

I think with some small mods, the script I wrote for dumping ACLs for AD objects for AD3E could be used for this to generate a CSV with DLs and their perms. It could probably further be filtered to only show ACEs with the ability to modify membership. It is going to be considerably slower than adfind though because it is using ADO and ADSI.
RE: [ActiveDir] dumping DL permissions
It's a filtering program that we use attached to ISA server. Basically it looks at each request and lets it through or redirects to our AUP internal web page. I was on joeware.net earlier this week, and it didn't block me. So I just went to www.surfcontrol.com (Test a Site link) to make sure it wasn't mis-categorized, because they will change it if found to be wrong. They have it as Computing and Internet. Hmmm. So we're blocking that category now? I don't think so.. I've asked our admin to take a look. Either way, we can override here locally.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, November 11, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Interesting. Is that controlled locally or is that some blacklist service type item? I am digging around also.

I think with some small mods, the script I wrote for dumping ACLs for AD objects for AD3E could be used for this to generate a CSV with DLs and their perms. It could probably further be filtered to only show ACEs with the ability to modify membership. It is going to be considerably slower than adfind though because it is using ADO and ADSI.
RE: [ActiveDir] dumping DL permissions
I usually just look at the managedby attrib of any object where objectclass='group'. If the attrib is populated, I then fetch that value and dump it along with the displayname of the DL.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 11/11/2005 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Interesting. Is that controlled locally or is that some blacklist service type item? I am digging around also.

I think with some small mods, the script I wrote for dumping ACLs for AD objects for AD3E could be used for this to generate a CSV with DLs and their perms. It could probably further be filtered to only show ACEs with the ability to modify membership. It is going to be considerably slower than adfind though because it is using ADO and ADSI.
RE: [ActiveDir] dumping DL permissions
People can have the right to change DL membership through the ACL without that managed by attribute so far as I know. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, November 11, 2005 4:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] dumping DL permissions I usually just look at the managedby attrib of any object where objectclass='group'. If the attrib is populated, I then fetch that value and dump it along with the displayname of the DL. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of joe Sent: Fri 11/11/2005 1:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] dumping DL permissions Interesting. Is that controlled locally or is that some blacklist service type item? I am digging around also. I think with some small mods, the script I wrote for dumping ACLs for AD objects for AD3E could be used for this to generate a CSV with DLs and their perms. It could probably further be filtered to only show ACEs with the ability to modify membership. It is going to be considerably slower than adfind though because it is using ADO and ADSI. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Friday, November 11, 2005 4:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] dumping DL permissions GASP Joeware.net is suddenly blocked by SurfCONTROL. Not kidding unfortunately sigh Must be that opening pic. :-/ Oh well, thank God for my super top secret testing DSL connection so I can get to the usage documentation again. Now where the heck is that surf admin... 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

Thanks Joe Brian, Time to take the feet down off the desk again...:-| MC
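One way to do the filtering step discussed above, added here as an example (it is not part of the original thread and is not joe's AD3E script): given a group's security descriptor as an SDDL string, the format the -sddc output is described as using, keep only the DACL entries on the group itself that cover writes to member. The sample descriptor, its SIDs and the function names are constructed for illustration; deny precedence and nested group membership of trustees are not resolved.

```python
import re

# schemaIDGUID of the "member" attribute: an object ACE carrying it is scoped to membership.
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"
WRITE_PROP, GENERIC_ALL, GENERIC_WRITE = 0x20, 0x10000000, 0x40000000
RIGHT_BITS = {"WP": WRITE_PROP, "GA": GENERIC_ALL, "GW": GENERIC_WRITE}

# Constructed sample descriptor; the SIDs are placeholders, not real accounts.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
    "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111-2222-3333-1105)"
    "(OA;CIIO;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111-2222-3333-1106)"
    "(OA;;RP;bf9679c0-0de6-11d0-a285-00aa003049e2;;AU)"
    "(A;;RPLCLORC;;;AU)"
    "S:AI(AU;SA;WP;;;WD)"
)

def pairs(field):
    """Split an SDDL field into its two-letter tokens ('CIIO' -> ['CI', 'IO'])."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def rights_mask(rights):
    """Rights arrive as letter pairs or as a hex mask; keep only the bits tracked above."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    # The tracked bits are distinct, so summing the de-duplicated set equals OR-ing them.
    return sum({RIGHT_BITS.get(token, 0) for token in pairs(rights)})

def membership_writers(sddl):
    """List (allow|deny, trustee, scope) for DACL entries that cover writes to member."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)  # stops before the SACL (S:)
    found = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "D", "OA", "OD"):
            continue
        ace_type, flags, rights, obj_guid, _, trustee = fields[:6]
        if "IO" in pairs(flags):  # inherit-only: applies to child objects, not this group
            continue
        mask = rights_mask(rights)
        if mask & (GENERIC_ALL | GENERIC_WRITE):
            scope = "generic all/write"
        elif mask & WRITE_PROP and obj_guid.lower() in ("", MEMBER_GUID):
            scope = "write member" if obj_guid else "write all properties"
        else:
            continue
        found.append(("deny" if ace_type in ("D", "OD") else "allow", trustee, scope))
    return found
```

Trustees that come back as raw SIDs still have to be resolved to names, and any managedby value is worth reporting next to this list, since the thread notes the two can disagree.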
RE: [ActiveDir] dumping DL permissions
Good point, Brian.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] dumping DL permissions
We've been using SurfControl, but I'm in the process of switching to Websense, because SurfControl does flaky things like this a little too frequently. It inappropriately blocks or allows access to sites, even though they are correctly categorized. Restart the SurfControl Webfilter service, and the problem will probably resolve.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 11, 2005 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dumping DL permissions

It's a filtering program that we use attached to ISA server. Basically it looks at each request and lets it through or redirects to our AUP internal web page. I was on joeware.net earlier this week, and it didn't block me. So I just went to www.surfcontrol.com (Test a Site link) to make sure it wasn't mis-categorized, because they will change it if found to be wrong. They have it as Computing and Internet. Hmmm. So we're blocking that category now? I don't think so.. I've asked our admin to take a look. Either way, we can override here locally.