RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-21 Thread Steve Rochford
This is what I run - it assumes a SQL database containing tables staff (basic personal details) and tel_staff (phone numbers). Our user IDs are the same as the payroll numbers (which makes this easy!) and the function GetAdsPath returns the path if the user exists or "not

[ActiveDir] Default User Settings

2003-07-21 Thread De Schepper Marc
Hey all, Is there a way to change the default user settings? And how to change them? For example, I don't want to give our people the "Allow Terminal Server" property, or I want to set another default session setting. Marc

RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-21 Thread Roger Seielstad
Probably won't work. The deny is on the file system, but it all depends what's really writing to that file system now, doesn't it? For instance, when you make a change via ADUC, I'd expect that you're interacting with a service (LSASS or NetLogon, most likely) on the DC. That service is what's

RE: [ActiveDir]

2003-07-21 Thread Roger Seielstad
Although I haven't seen it in my environment, I've got a good idea of what's going on - it's the same account being referenced by two different SIDs. When you migrate to a new forest and preserve SID history, the new domain's accounts have 2 SIDs, one from the new domain as well as one from the

RE: [ActiveDir] Default User Settings

2003-07-21 Thread Gasper, Rick
Go to the Script Center at TechNet; you will find a lot of examples that you can customize. http://www.microsoft.com/technet/treeview/default.asp?url= Rick Gasper, Manager of Network Services, King's College, Wilkes-Barre PA 18706, Phone: 570-208-5845, Fax:

RE: [ActiveDir] Default User Settings

2003-07-21 Thread De Schepper Marc
I normally use scripts to create my users, but the problem is that when someone else (helpdesk) creates them manually the settings are off... tried procedures but this won't work... Marc From: Gasper, Rick [mailto:[EMAIL PROTECTED]] Sent: Monday 21 July 2003 13:49 To: [EMAIL

RE: [ActiveDir] Duplicate group memberships

2003-07-21 Thread Rick Kingslan
Thomas, Did you use ADMT to migrate from one domain to another (or forest) with SidHistory enabled? If so, that's the reason that you're seeing it. I haven't delved deeply enough into it to understand at an atomic level why, but I suspect that it has something to do with the way that SIDs are

RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-21 Thread Rick Kingslan
Yep - makes sense. But, I'll have to test this, as I'm not sure on that Roger. I've done lots of delegation for our Remote sites, and I don't recall anything other than the user being associated with a process through ADUC. Guess I'll have to bust out the Winternals tools and have a look

RE: [ActiveDir] Default User Settings

2003-07-21 Thread Sullivan, Kevin
Marc, It appears that you are asking about enforcing business rules regardless of how a user is created, and doing so in a manner that cannot be circumvented. Business rules in this sense would be: don't give Allow Terminal Server, or validate naming conventions, or mandate

RE: [ActiveDir] Default User Settings

2003-07-21 Thread Steve Rochford
Could you run a script at regular intervals to identify users which have been created manually and then to reset anything about them which is non-standard? Steve -----Original Message----- From: De Schepper Marc [mailto:[EMAIL PROTECTED]] Sent: 21 July 2003 13:34 To:

[ActiveDir] Group Policy question

2003-07-21 Thread Chris Flesher
Scenario: a user is a member of two groups. Each group is in a separate OU. A GPO is applied to each group. Which GPO will take precedence for that user? In other words, which will be the last to be applied and get the settings applied to that user? Chris Flesher The

RE: [ActiveDir] Group Membership

2003-07-21 Thread Brian Small
Hi Eric, Unfortunately, I don't believe there is. When adding/removing group memberships on a group you are adding/removing entries to the member LDAP attribute of the group. You can add and remove write permissions to this attribute, but that will only give them the

RE: [ActiveDir] Default User Settings

2003-07-21 Thread De Schepper Marc
That's my solution now... ;-) From: Steve Rochford [mailto:[EMAIL PROTECTED]] Sent: Monday 21 July 2003 16:14 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Default User Settings Could you run a script at regular intervals to identify users which have been created manually

RE: [ActiveDir] Group Policy question

2003-07-21 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
I guess you're using the groups to filter for whom a GPO is applied - but you're not applying a GPO to a group ;-) It doesn't matter which OU the group resides in, it simply matters which OU the respective GPO is applied to. Assuming you're talking about applying two GPOs to

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Chris Flesher
Guido, that's not quite what I had in mind. Two OUs that are not hierarchical to each other. It could be a flat OU architecture. Two separate OUs that have GPOs applied to a group. If a user is a member of both groups, which GPO will take precedence? Maybe it's a dumb

RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-21 Thread Devan Pala
While on the subject of DC privileges, is it possible to allow server administrators to administer DHCP and DNS while the policy of restricted snap-ins is enabled? Also, how do we allow non-domain admins (only server operators) rights to modify IP configuration on the DCs? I know there are GPOs

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Roger Seielstad
I believe there's nothing in TechNet on it because it's technically impossible to do. You can't have an object in more than one OU. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Narkinsky, Brian
Group Policy is not applied to Groups. So Group Policy has nothing to do with Groups. Be nice if you could (I think there is a third-party one, Fazam?). Brian Narkinsky System Manager Department of Environmental Protection MS 6520 2600 Blairstone RD Tallahassee, FL

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Crenshaw, Jason
What is group policy or a GPO? Group policy is a new Windows term for common configuration settings. An administrator can create a group policy which applies to users or computers. This group policy can set certain computer settings such as who can log in to the computer

[ActiveDir] Terminal Service Port

2003-07-21 Thread Richard Sumilang
I'm using terminal services to remotely manage a workstation on my local network that I use for testing and stuff but I would like to use it remotely also. Does anyone know what port it uses so I can forward data to it?

[ActiveDir] Strange Inherited Permissions Problem

2003-07-21 Thread Dryden, Karen
Because Exchange 2000 can sometimes not apply permissions properly if you don't keep the "Allow inheritable permissions from parent to propagate" box checked on the Security tab in ADUC, we tell all of the other domain admins who manage mailboxes on

RE: [ActiveDir] Terminal Service Port

2003-07-21 Thread Van Noy, Glen R
3389 -glen -----Original Message----- From: Richard Sumilang [mailto:[EMAIL PROTECTED]] Sent: Monday, July 21, 2003 12:48 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Terminal Service Port I'm using terminal services to remotely manage a workstation on my local network that I use

[ActiveDir] RRAS VPN Ports

2003-07-21 Thread Richard Sumilang
I set up the VPN server on my Windows 2000 Box and need to be able to connect to it remotely from wherever I am on the internet. What ports do I need to open up on my router that need to be forwarded to the server? I assume when this is working I can then from my home network connect to the

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Chris Flesher
A user can be a member of more than one group. If a user is a member of two groups that are in separate OUs, then the user can have group policy applied to two separate groups based on ACLs within each OU? I don't need an object existing in two separate OUs. I just need

Re: [ActiveDir] Forcing Group Policies

2003-07-21 Thread Richard Sumilang
Still didn't work? I deleted C:\Winnt\System32\GroupPolicy and restarted the computer and it still doesn't receive the group policy on the server. On Friday, July 18, 2003, at 09:48 AM, Richard Sumilang wrote: Ok I'm willing to give that a try and just be clear he did that on the client

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Roger Seielstad
I am being nice. It's technically impossible to place a single object into multiple OUs, so the presented scenario can't happen. GPOs can be filtered by groups, as has been noted before, but you are correct, they're applied to the OU, Site or domain level, not directly to

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Sullivan, Kevin
Chris, GPOs are not applied to Groups, they are applied to Users and Computers. So, the fact that there are two groups that the user is a member of existing in two different OUs is really not relevant. All that matters is where the Users are located and where the systems

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Chris Flesher
I know the settings are applied to users and computers. You can limit who it (GPO) is applied to within the OU through ACLs? Chris Flesher The University of Chicago NSIT/DCS 1-773-834-8477 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL

[ActiveDir] SID history

2003-07-21 Thread Kitchens Arthur E
Might anyone have any pointers to documentation on the specifics of how SID history actually works? Specifically, how the old group participation (and resource ACLing) relates to the new account/SID when those resources are accessed (if it does at all). I've looked and have

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Chris Flesher
Let me give more info as to why I'm asking this question. The idea has been floated of putting all of our user accounts (20,000) into one OU. Other OUs would exist, where groups would reside. Access would be given to 40-50 different OU admins to the primary User OU, and they

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Roger Seielstad
So, in that environment, the GPOs applied to the OUs holding Groups would never be applied to anything. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -----Original

[ActiveDir] strange problem, possibly SP4 related?

2003-07-21 Thread Ken Cornetet
We applied SP4 to all of our Windows 2000 servers yesterday, and this morning I noticed something very odd. DNS on all of our domain controllers for our main domain (a dozen or so servers) decided to convert a standard secondary zone that they were all hosting into an AD

RE: [ActiveDir] SID history

2003-07-21 Thread Gil Kirkpatrick
Not sure where it's written, but essentially the authenticating DC merges the SIDs contained in the sIDHistory attribute, along with the SIDs of the groups the principal is a member of, into the security token for the authenticating process. When Windows does an access check,

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Fugleberg, David A
I think the key point for Chris is that the GPO must be linked to a Site, Domain, or OU where the user exists if it is to have any bearing on that user. You can filter by group to prevent a given GPO from being applied, but only if it WOULD have been applied in the absence of

RE: [ActiveDir] Group Policy question

2003-07-21 Thread daniel . gilbert
Chris, I am sure you raised this issue to the "higher ups" you mentioned, but wouldn't it be easier to develop an OU architecture that broke the 20,000 users up into separate OUs for management? That way those 40-50 OU Admins would be further broken up to their respective

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Crenshaw, Jason
To make this clear to everyone. Yes, a user can be in more than one group. The question you are asking is: can a GPO be applied to groups? - NO. Read MS article 322176: http://support.microsoft.com/?kbid=322176 Hope that this helps, Jason Crenshaw Sandia

RE: [ActiveDir] Strange Inherited Permissions Problem

2003-07-21 Thread Fugleberg, David A
Were these users ever a member of one of the admin groups (like Domain Admins)? If so, you're probably being bitten by the adminSDHolder process - once an hour, the DC with the PDC FSMO looks for accounts that belong to one of several
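A way to find the accounts David's explanation points at, as an added example that is not part of any message in this thread: list every account stamped adminCount=1, show whether inheritance is blocked on it, and whether it still belongs to a protected group. Only accounts that no longer do can safely have adminCount cleared and inheritance re-enabled; an account still in a protected group would simply be re-stamped on the PDC emulator's next hourly pass, so remove the membership first. The set of protected groups is an assumption for the example (it differs between Windows versions; check the AdminSDHolder documentation for your OS level), and the script expects to run in a Domain Admin session.

```powershell
# Added example, not from the thread. Uses only System.DirectoryServices; run on a
# domain member as a Domain Admin. Protected-group list is an assumption.

function Get-ProtectedGroupSids {
    param([string]$DomainSid)
    # Builtin: Administrators, Account Operators, Server Operators, Print Operators, Backup Operators
    $builtin = @('S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-550', 'S-1-5-32-551')
    # Domain RIDs: Domain Admins, Schema Admins, Enterprise Admins, Domain Controllers, RODCs (assumed list)
    $domainRids = 512, 518, 519, 516, 521
    return $builtin + @($domainRids | ForEach-Object { "$DomainSid-$_" })
}

function Get-AdminCountOrphans {
    param([string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value)
    $base = [ADSI]"LDAP://$SearchBase"
    $domainSid = (New-Object System.Security.Principal.SecurityIdentifier($base.objectSid.Value, 0)).AccountDomainSid.Value
    $protected = Get-ProtectedGroupSids $domainSid
    $ds = New-Object System.DirectoryServices.DirectorySearcher(
        $base, '(&(objectCategory=person)(adminCount=1))', [string[]]@('distinguishedName'))
    $ds.PageSize = 500
    foreach ($r in $ds.FindAll()) {
        $entry = $r.GetDirectoryEntry()
        # tokenGroups (all nested group SIDs) is a constructed attribute; it is only
        # returned by a base read of the object itself, hence RefreshCache.
        $entry.psbase.RefreshCache([string[]]@('tokenGroups'))
        $groups = @($entry.psbase.Properties['tokenGroups'] |
            ForEach-Object { (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value })
        $still = @($groups | Where-Object { $protected -contains $_ }).Count -gt 0
        [pscustomobject]@{
            DN                    = [string]$r.Properties['distinguishedname'][0]
            InheritanceBlocked    = $entry.psbase.ObjectSecurity.AreAccessRulesProtected
            StillInProtectedGroup = $still
            Entry                 = $entry
        }
    }
}

function Repair-AdminCountOrphan {
    # Clear adminCount and re-enable inheritance. Refuses accounts that are still
    # protected, because AdminSDHolder would undo the change within the hour.
    param($Orphan)
    if ($Orphan.StillInProtectedGroup) {
        throw "$($Orphan.DN) is still in a protected group; remove that membership first"
    }
    $e = $Orphan.Entry
    $e.psbase.Properties['adminCount'].Clear()
    $e.psbase.ObjectSecurity.SetAccessRuleProtection($false, $true)   # $false = inherit again
    $e.psbase.CommitChanges()
}

# Review first, then repair only the orphans:
#   Get-AdminCountOrphans | Format-Table DN, InheritanceBlocked, StillInProtectedGroup
#   Get-AdminCountOrphans | Where-Object { -not $_.StillInProtectedGroup } | ForEach-Object { Repair-AdminCountOrphan $_ }
```

Re-enabling inheritance is what makes Exchange's mailbox permissions flow again; clearing adminCount alone does nothing to the ACL, and re-enabling inheritance alone is undone on the next AdminSDHolder pass if adminCount stays at 1 and the account is still protected.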

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Tucker, Mark
Chris, you are correct, you can use security groups to filter where a GPO gets applied, but GPOs still only get applied to a user or computer object. So, in your example you have OU1 and OU2. Let's say you are using security groups to filter the GPOs so that in OU1 the GPO

[ActiveDir] Batch Create Contacts

2003-07-21 Thread Walda Gene
Our organization is attempting to setup an automated procedure that will first create numerous contacts representing external clients and second would be able to update the contact information. The contact information will change as email addresses and phone numbers change for each

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Gil Kirkpatrick
Nope. The problem is that applying a GPO to a group does NOT cause the members of the group to inherit those policies. A user will get policy settings from GPOs on the user's domain, the AD Site the user authenticates from, and the OU(s) the user object is contained in. The

RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-21 Thread Joe
Unfortunately this won't work for reasons discussed in other threads recently. The people who are domain admins will still be able to muck up AD. A lot of the permissions granted to admins and domain admins in Active Directory are through direct explicit ACEs. Inherited DENY ACEs will bounce off of

RE: [ActiveDir] Group Policy question

2003-07-21 Thread Coleman, Hunter
Yes, you can limit who can read GPOs through ACLs. Denying the Read attribute would prevent a user from receiving a particular GPO. However, if you're doing this with 20,000+ users and 40-50 admins, you will end up with FGBOC [1] user management. In the proposed scenario,
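An offline model of the two mechanisms the thread keeps separating, as an added example that is not part of any message here: which GPOs reach a user is decided first by where they are linked (the gPLink attribute on the domain and on each OU above the user object; sites are left out of this model) and only then narrowed by the Read and "Apply Group Policy" ACEs on the GPO's container. A link on an OU that merely holds groups never enters the chain, which is Roger's point. The DNs, GPO GUIDs and SIDs are made up for the example; on a real domain the gPLink strings come from each container's gPLink attribute and the ACL from the groupPolicyContainer object under CN=Policies,CN=System.

```powershell
# Added example, not from the thread. Runs offline on Windows PowerShell; all
# identifiers below are constructed. Sites and loopback processing are omitted.
Add-Type -AssemblyName System.DirectoryServices

$ApplyGroupPolicyGuid = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # "Apply Group Policy" control access right

function Get-GpoApplyOrder {
    # Returns GPO links in the order they are applied; the LAST element wins a conflict.
    param([string]$UserDN, [hashtable]$GpLinkByContainer)
    $rdns = $UserDN -split '(?<!\\),'
    $firstDc = 0
    while ($firstDc -lt $rdns.Count -and $rdns[$firstDc] -notlike 'DC=*') { $firstDc++ }
    # Container chain, top-down: the domain, then OUs from outermost to the user's own.
    $chain = @(($rdns[$firstDc..($rdns.Count - 1)]) -join ',')
    for ($i = $firstDc - 1; $i -ge 1; $i--) {
        if ($rdns[$i] -like 'OU=*') { $chain += (($rdns[$i..($rdns.Count - 1)]) -join ',') }
    }
    $normal = @(); $enforced = @()
    foreach ($container in $chain) {
        $links = @()
        foreach ($m in [regex]::Matches([string]$GpLinkByContainer[$container], '\[LDAP://([^;\]]+);(\d+)\]')) {
            $opt = [int]$m.Groups[2].Value
            if ($opt -band 1) { continue }                       # link disabled
            $links += [pscustomobject]@{ Gpo = $m.Groups[1].Value; Container = $container; Enforced = [bool]($opt -band 2) }
        }
        [array]::Reverse($links)   # first entry in gPLink is link order 1: applied last within its container
        foreach ($l in $links) { if ($l.Enforced) { $enforced += $l } else { $normal += $l } }
    }
    # Enforced links are applied after everything else, innermost container first,
    # so an enforced domain-level link ends up last of all.
    [array]::Reverse($enforced)
    return @($normal + $enforced)
}

function Test-GpoAppliesTo {
    # Security filtering: the token needs an Allow for Read AND for Apply Group Policy,
    # and no matching Deny on either. Only meaningful for a GPO that is linked above the user.
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl,
          [System.Security.Principal.SecurityIdentifier[]]$TokenSids)
    $read = $false; $apply = $false
    foreach ($ace in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($TokenSids -notcontains $ace.IdentityReference) { continue }
        $isApply = (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
                   ($ace.ObjectType -eq $ApplyGroupPolicyGuid -or $ace.ObjectType -eq [guid]::Empty)
        $isRead  = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            if ($isApply -or $isRead) { return $false }
        } else {
            if ($isApply) { $apply = $true }
            if ($isRead)  { $read  = $true }
        }
    }
    return ($read -and $apply)
}

# --- Constructed demo: Chris's layout, users in one OU tree, groups in their own OU ---
$domain = 'DC=corp,DC=example'
$pol = "cn=policies,cn=system,$domain"
$gpLinks = @{
    $domain                     = "[LDAP://cn={A1},$pol;0]"
    "OU=Staff,$domain"          = "[LDAP://cn={B1},$pol;2][LDAP://cn={B2},$pol;0]"   # B1 enforced
    "OU=Sales,OU=Staff,$domain" = "[LDAP://cn={C1},$pol;0][LDAP://cn={C2},$pol;1]"   # C2 disabled
    "OU=Groups,$domain"         = "[LDAP://cn={G1},$pol;0]"                           # never reaches a user
}
$order = Get-GpoApplyOrder -UserDN "CN=jdoe,OU=Sales,OU=Staff,$domain" -GpLinkByContainer $gpLinks
($order | ForEach-Object { $_.Gpo.Split(',')[0] }) -join ' -> '     # cn={A1} -> cn={B2} -> cn={C1} -> cn={B1}

$userSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111-2222-3333-2201'
$salesGrp = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111-2222-3333-1105'
$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity     # stands in for the GPO container's ACL
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($salesGrp, 'GenericRead', 'Allow')))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($salesGrp, 'ExtendedRight', 'Allow', $ApplyGroupPolicyGuid)))
Test-GpoAppliesTo -Acl $acl -TokenSids @($userSid, $salesGrp)   # True
Test-GpoAppliesTo -Acl $acl -TokenSids @($userSid)              # False: filtered out
```

Note that the G1 link on the Groups OU is absent from the result no matter which groups jdoe belongs to; group membership only ever removes a GPO from the list a container chain already produced. Hunter's Deny-Read trick is the second function's Deny branch: one matching Deny on Read or on Apply Group Policy wins over any Allow.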

RE: [ActiveDir] Strange Inherited Permissions Problem

2003-07-21 Thread Dryden, Karen
That explains it perfectly. Thank you. -----Original Message----- From: Fugleberg, David A [mailto:[EMAIL PROTECTED]] Sent: Monday, July 21, 2003 5:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Strange Inherited Permissions Problem Were these users ever a

[ActiveDir] Terminal Services Permissions

2003-07-21 Thread Richard Sumilang
How do I block certain users from being able to connect to my terminal server running in Remote Administration mode? I just installed it but all users can log in to the server and manage it which isn't very good :-\

RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-21 Thread Joe
When you say they do, do you mean tools that inject into the internal processes and add business rule logic, or, as Doug indicated, simply apply lockdowns, and business rules are applied through an approved update interface? -----Original Message----- From: [EMAIL

RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-21 Thread Rick Kingslan
And, yep - that's what my research today showed as well. Netlogon, LSASS - not much difference when you can't block the process from writing when you need to... Ah, well. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone -

RE: [ActiveDir] Terminal Service Port

2003-07-21 Thread Rick Kingslan
Richard - TCP 3389 would be the port that you would use. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard

RE: [ActiveDir] strange problem, possibly SP4 related?

2003-07-21 Thread Rick Kingslan
Ken, I can say that in all of the testing and in all of the systems that we have moved, I haven't seen this behavior. But there is a first for almost everything. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone -

RE: [ActiveDir] Group Membership

2003-07-21 Thread Joe
Nope, this is not possible. The granularity only extends to WP (write property) for the member attribute, which does no verification of what you are writing, so you could clear values or add new values. In order to do this you would need to set up some sort of proxy method

RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-21 Thread Joe
LOL. You kill me, Rick... I haven't heard of anyone yet who has cracked the internal AD DIT format. Not sure how feasible it even is. However, the flaw in this is that the inherited perms don't override the explicits, so it isn't even worth going to this level of protection with the DIT because the

RE: [ActiveDir] Duplicate group memberships

2003-07-21 Thread Joe
I would look at the SID History attribute on the accounts. Most likely you migrated the users with some tool that knows how to populate SID history and that is being resolved into group memberships. You can use ldp and I believe it will decode sIDHistory to readable SIDs; if not, you can use
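The decoding Joe suggests and the token merge Gil describes in the "SID history" reply, as one added example that is not part of any message in this thread. sIDHistory and objectSid come back from LDAP as byte arrays; the first function turns them into S-1-5-... strings the way ldp does. The second builds the set of SIDs the DC puts in the token: the account's own SID and its sIDHistory, plus every group's SID and every group's sIDHistory, which is why an old resource ACL (or a report that walks SIDs) still matches after migration and why the same group can appear twice. All SIDs and names in the demo are made up; only Find-SidHistoryAccounts talks to a DC, and it is not invoked here.

```powershell
# Added example, not from the thread. Offline demo plus one live query helper.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-SidString {
    param([byte[]]$Binary)   # raw objectSid / sIDHistory value as returned by LDAP
    (New-Object System.Security.Principal.SecurityIdentifier($Binary, 0)).Value
}

function Get-EffectiveSids {
    # $Account and each $Groups entry carry Sid (string) and SidHistory (string[]).
    # Models the authenticating DC: own SID + sIDHistory + group SIDs + groups' sIDHistory.
    param($Account, $Groups)
    $sids = @($Account.Sid) + @($Account.SidHistory)
    foreach ($g in $Groups) { $sids += @($g.Sid) + @($g.SidHistory) }
    return @($sids | Where-Object { $_ } | Sort-Object -Unique)
}

function Test-AccessByAce {
    # Simplified access check: any Allow ACE whose SID is in the token grants access.
    param([string[]]$TokenSids, [string[]]$AllowedSids)
    foreach ($s in $AllowedSids) { if ($TokenSids -contains $s) { return $true } }
    return $false
}

function Find-SidHistoryAccounts {
    # Live query (needs a DC): every object still carrying sIDHistory, decoded.
    param([string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value)
    $ds = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase", '(sIDHistory=*)')
    [void]$ds.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'objectSid', 'sIDHistory'))
    $ds.PageSize = 1000
    foreach ($r in $ds.FindAll()) {
        [pscustomobject]@{
            DN         = [string]$r.Properties['distinguishedname'][0]
            Sid        = ConvertTo-SidString $r.Properties['objectsid'][0]
            SidHistory = @($r.Properties['sidhistory'] | ForEach-Object { ConvertTo-SidString $_ })
        }
    }
}

# --- Constructed demo: user and group migrated from OLDDOM into NEWDOM with SID history ---
$oldDomain = 'S-1-5-21-100-200-300'; $newDomain = 'S-1-5-21-400-500-600'
$oldUserSid = [System.Security.Principal.SecurityIdentifier]"$oldDomain-1105"
$raw = New-Object byte[] $oldUserSid.BinaryLength
$oldUserSid.GetBinaryForm($raw, 0)                                   # the byte[] shape LDAP hands back
$user  = @{ Sid = "$newDomain-2201"; SidHistory = @((ConvertTo-SidString $raw)) }
$sales = @{ Sid = "$newDomain-2300"; SidHistory = @("$oldDomain-1301") }

$token = Get-EffectiveSids -Account $user -Groups @($sales)
$token -join ', '   # S-1-5-21-100-200-300-1105, S-1-5-21-100-200-300-1301, S-1-5-21-400-500-600-2201, S-1-5-21-400-500-600-2300

# A share ACL that was never re-ACLed and only names OLDDOM\Sales:
Test-AccessByAce -TokenSids $token -AllowedSids @("$oldDomain-1301")   # True, via the group's sIDHistory
Test-AccessByAce -TokenSids $token -AllowedSids @("$oldDomain-9999")   # False
```

The same merge is what makes sIDHistory worth auditing: anything listed there is a live credential for the old SID, so once resources have been re-ACLed the attribute should be cleared rather than left behind.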

RE: [ActiveDir] RRAS VPN Ports

2003-07-21 Thread Rick Kingslan
Richard, You don't say if this is a PPTP or IPSec VPN (or, it's also possible that either are acceptable). Anyway, these are the ports you'll be interested in:

PPTP:
  PPTP  TCP 1723
  GRE   Protocol ID 47

IPSec:
  IKE   UDP 500
  AH    Protocol ID 51
  ESP   Protocol ID 50

And, yes - once authenticated to the

RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-21 Thread Joe
It is true that ADUC runs in the context of the user who spawned the process. However, the way it operates is that it connects to a service and requests a change; that service is sponsored by LSASS so indeed runs as LocalSystem. Obviously you can't remove the rights to the DIT for LSASS... Well, I

RE: [ActiveDir] Terminal Services Permissions

2003-07-21 Thread Rick Kingslan
Richard, If you go to the Terminal Services Configuration applet in Administrative Tools, then Properties, then Permissions, who all is there? If it should only be Administrators, remove everyone else (singly or by group) and grant only that group permissions. If not explicitly granted, then

RE: [ActiveDir] Default User Settings

2003-07-21 Thread Joe
Absolutely. The best way would be to set up a table somewhere of DCs that you watch and the last USN that you successfully pulled from them, and then set up a query that asks for all users that have a uSNCreated value higher than the value you had previously saved. You
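The scheduled scan Steve proposed and the USN high-water mark Joe describes, as an added example that is not part of any message in this thread. Two details matter for correctness: USNs are local to each DC and never replicated, so the mark saved for a DC must only ever be compared against a query made to that same DC; and the ceiling (highestCommittedUSN from the DC's RootDSE) has to be read before the search, so a user created during the run falls into the next run instead of being skipped. The business rules enforced (no Terminal Server logon, eight lowercase letters as the logon name), the state-file path and the DC name are assumptions for the example; the Terminal Services flag is read and written through the IADsTSUserEx AllowLogon property.

```powershell
# Added example, not from the thread. Run per DC from a scheduled task as an
# account delegated to write the Terminal Services settings on user objects.
$StateFile = 'C:\Scripts\usn-watermarks.xml'   # assumed path; hashtable: DC name -> last USN fully processed

function Get-Watermarks {
    if (Test-Path $StateFile) { Import-Clixml $StateFile } else { @{} }
}

function Test-UserCompliant {
    # Pure rule check, so it can be tried without a DC. Returns the names of the broken rules.
    # $User needs SamAccountName and AllowLogon (IADsTSUserEx: 1 = logon allowed, 0 = denied).
    param($User)
    $problems = @()
    if ([int]$User.AllowLogon -ne 0) { $problems += 'AllowLogon' }
    if ($User.SamAccountName -cnotmatch '^[a-z]{8}$') { $problems += 'Naming' }   # assumed convention
    return $problems
}

function Invoke-NewUserScan {
    param([string]$Dc, [switch]$Fix)
    $marks = Get-Watermarks
    $rootDse = [ADSI]"LDAP://$Dc/RootDSE"
    $ceiling = [int64]$rootDse.highestCommittedUSN.Value      # snapshot BEFORE searching
    $floor   = if ($marks.ContainsKey($Dc)) { [int64]$marks[$Dc] } else { 0 }
    $base    = [ADSI]"LDAP://$Dc/$($rootDse.defaultNamingContext.Value)"
    # uSNCreated is this DC's own USN at the moment it first wrote the object
    # (locally or via replication), so one DC eventually sees every new user.
    $filter = "(&(objectCategory=person)(objectClass=user)(uSNCreated>=$($floor + 1))(uSNCreated<=$ceiling))"
    $ds = New-Object System.DirectoryServices.DirectorySearcher(
        $base, $filter, [string[]]@('distinguishedName', 'sAMAccountName'))
    $ds.PageSize = 500
    foreach ($r in $ds.FindAll()) {
        $dn    = [string]$r.Properties['distinguishedname'][0]
        $entry = [ADSI]"LDAP://$Dc/$dn"                       # bind to the SAME DC we searched
        $u = [pscustomobject]@{
            DN             = $dn
            SamAccountName = [string]$r.Properties['samaccountname'][0]
            AllowLogon     = [int]$entry.psbase.InvokeGet('AllowLogon')   # Terminal Services tab setting
        }
        $bad = Test-UserCompliant $u
        if (-not $bad) { continue }
        Write-Warning "$dn : $($bad -join ', ')"
        if ($Fix -and ($bad -contains 'AllowLogon')) {
            $entry.psbase.InvokeSet('AllowLogon', 0)
            $entry.psbase.CommitChanges()
        }
        # Naming violations are only reported: renaming an account touches profiles and mail.
    }
    $marks[$Dc] = $ceiling                                    # advance the mark only after a clean pass
    $marks | Export-Clixml $StateFile
}

# Offline check of the rule logic with constructed input:
Test-UserCompliant ([pscustomobject]@{ SamAccountName = 'jsmith01'; AllowLogon = 1 })   # AllowLogon, Naming
Test-UserCompliant ([pscustomobject]@{ SamAccountName = 'jsmithab'; AllowLogon = 0 })   # (nothing)

# Scheduled run:
#   Invoke-NewUserScan -Dc 'dc01.corp.example' -Fix
```

Watching several DCs, as Joe suggests, only shortens the time between creation and detection; a single DC still sees every user once replication has delivered it. The mark is advanced only at the end of a pass, so a crash mid-run re-examines the same window rather than losing it.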

RE: [ActiveDir] Terminal Services Permissions

2003-07-21 Thread Sullivan, Kevin
It is permissions on the RPC connection itself via the TS manager (I think that is where it is). The default is Domain Admins; it sounds like someone changed the default and allowed other users to access the server in Administration Mode. You should still only be allowed 2 remote connections

RE: [ActiveDir] Terminal Services Permissions

2003-07-21 Thread Joe
Errr, check your admin group, who is listed there. Either everyone that is connecting to that box is an admin on that box or someone has modified your RDP permissions. I would most likely expect the former versus the latter. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-21 Thread Rick Kingslan
Yep - and that's what I concluded after seeing your last message and going in and taking a look (Imagine - me actually LOOKING!). Seems to be an odd contradiction, though. We're going to allow you to delegate permissions so that you can better manage your environment. Oh, but except here, and

Re: [ActiveDir] RRAS VPN Ports

2003-07-21 Thread Richard Sumilang
I'm doing PPTP, sorry :-X On Monday, July 21, 2003, at 04:40 PM, Rick Kingslan wrote: Richard, You don't say if this is a PPTP or IPSec VPN (or, it's also possible that either are acceptable). Anyway, these are the ports you'll be interested in: PPTP: PPTP TCP 1723, GRE Protocol ID 47. IPSec

RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-21 Thread Joe
HAHAHA. Yep. I like the inherited/explicit method, just wish there were A LOT fewer explicit ACEs by default. Maybe MS could produce a Secure AD pack which goes back through and locks AD all down, with instructions on how to open it back up with inherited ACEs for various things. It tightens

RE: [ActiveDir] Terminal Services Permissions

2003-07-21 Thread Sullivan, Kevin
RDP, RPC... man, I keep getting TLA confusion today. -----Original Message----- From: Joe [mailto:[EMAIL PROTECTED]] Sent: Monday, July 21, 2003 7:59 PM To: [EMAIL PROTECTED] Errr, check your admin group, who is listed there. Either everyone that is connecting to that box is an admin on that box or

RE: [ActiveDir] Installation Priviledges only on a DC

2003-07-21 Thread Rick Kingslan
And, Joe emoted: "Well I guess you could but your system would probably become extremely secure and you would never have to worry about anyone including yourself modifying it ever again." Cool. Then once I have it configured and working, it shouldn't ever break. Change control becomes a