Hi there,
I wonder if there is a way to know when a user has been deleted from AD other than using the security audit, because at the time of the deletion I forgot to activate the audit :(
So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in adsi and found
Hi Yann,
You can find at the deletedobject folder via adfind
-showdel and see the Last modified date - that would be when the object is
deleted.
But as for who deleted - I don't think you can find it
without the auditing.
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono Gr
Title: Domain Controller Consolidation utilizing Dual Core CPUs
Speaking of which Steve
I am starting to see questions of the type of how does 64
bit DC change the best practice 4:1 proc recommendations for Exchange to GC
processor. Does PSS/MCS/Dev have any thoughts? Especially if y
What you say, the employer might be on this forum.
-z.v.
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tom
Kern
Sent: Wednesday, October 12, 2005 9:37 PM
To: activedirectory
Subject: [ActiveDir] salary(OT)
well, i've been consulting for 2 months full
Title: Domain Controller Consolidation utilizing Dual Core CPUs
I've been looking at HP DL385s for some SAP stuff. SAP's
benchmarking page (http://www50.sap.com/benchmarkdata/sd2tier.asp)
shows that a dual dual-core AMD box gives the same performance as a
4-way Intel box.
I've built a few
Frank – you can use WMI to enumerate the
printers, here is a VBScript that will run your command against each shared
printer. Save it as a vbs and run it with the server name as an argument, i.e.
printers.vbs printsvr1
‘begin script -
On Error Resume Next
Dim ob
Title: Domain Controller Consolidation utilizing Dual Core CPUs
Nice box! Take this kind of hardware, put
terminal services on it, and call it a mainframe! LOL!
Mike Thommes
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Ken Cornetet
Sen
Yann,
There are some utilities you can purchase that will alert you when an
object is deleted, added, modified...
Dan
> Original Message
> Subject: [ActiveDir] Knowing when users were deleted.
> From: Yann <[EMAIL PROTECTED]>
> Date: Thu, October 13, 2005 11:56 pm
> To: ActiveD
Correct, you can currently only get the when and the where
(DC Where not Client Where).
Which raises the question. How many people would like a
metadata stamp with the GUID or SID of the userid that made the modification for
a given attribute (or value if appropriate)? Or would it be ok to
I would not be surprised. I know this list has become quite popular and for
good reason. It is one of the few places where I learn things that I don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on how
s
Title: Message
GUID
or SID of the user account that made the delete request. Last mod may not
be enough in case some process gets hold of that data in the deleted items, even
if unlikely. I want the id of the identity that caused the object to
be there in the first place.
Having
t
Hi Freddy,
The information you gave rocks !
I did not think of using the Last modified date attribute and querying it with joe's magic tool:
-> "adfind -default -showdel -f isdeleted=TRUE"
It saves my job ! :)
The security audit is now configured and on.
Thanks for your help.
Yann
Freddy HAR
true.
I was looking rather for free tools, and I found the free eventtriggers tool from the 2k3 rktools that did the job.
It alerts you in real time for a specific eventID. You can tell eventtriggers to do a particular action such as using dumpel.exe to dump the 630 id (French specific id I presume
Another possibility is the pure scripting way ... and leverage WMI
with two event WQL queries:
1/
Select * From __InstanceDeletionEvent Within 60 Where
TargetInstance ISA "ds_user"
2/
Select * From __InstanceCreationEvent Where TargetInstance ISA
"Win32_NTLogEvent" And TargetInstance.Logfile
Eventtriggers tool uses WMI WQL query as described in my previous
mail referring to the WMI scripting technique.
Nothing different except that you don't have to deal with a script
... but if you have a script you master the logic better.
/Alain
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTE
Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.
csvde -f output.txt -r
"(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows
Server 2003))" -l cn,description
only gripe is can't change the
Agree.
I'm not an expert but how much weight would a possible "deletedtimestamp" attribute take in the DIT?
MS has made available interesting attributes as whencreated, whenmodified, why not create some new one that stamp the deletion of an object or stamp the last owner that is the one who did
Thanks Alain,
I will look through your link right now.
Cheers,
Yann
Alain Lissoir <[EMAIL PROTECTED]> wrote:
Another possibility is the pure scripting way ... and leverage WMI with two event WQL queries:
1/
Select * From __InstanceDeletionEvent Within 60 Where TargetInstance ISA "ds_us
Ignoring the 16 bytes at the beginning of the metadata for version and
attr count info, and garbage wasted space ... the metadata for a single
attribute is 48 bytes, adding the SID (28 bytes) would be an expansion of
57% on the _raw_ per attribute metadata size.
A sampling of a corporate DB showe
Thanks.
I used dsquery
dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"
Thanks again.
Sorry to bug you. I should've posted I figured it out.
On 10/14
joe, > "Active Directory Third Edition"
What is this? Where is it?
RH
_
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
Is that a "yes" you'll add it? Or no, "..and no bananas for you." answer?
Al
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, October 14, 2005 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when use
Well, first you should _never_ ever view anything _I_ am musing as a
possible feature from the product group, I muse a lot of stuff. PMs will
be feature groups spokespeople, I am a dev. This feature (in various
forms) has been under consideration before, specifically Win2k, Win2k3,
and Longhorn t
P.S. - You can't really insult me ...
P.P.S - and if we were smart, we would've compressed the metadata from the
get go ;) and we'd be trying to figure out how to stuff the SID in the
metadata w/o bloating the DIT by 10% ... and instead we'd have to be
really cunning (cunning is smarter than sma
"would you give up the planned Longhorn RODC features for something like
this?"
I'd happily give up RODC in favor of this. But I appreciate the honest
answer and wasn't looking for a commitment. I'll be more careful to word
things more appropriately in the future and to eat my vegetables at ever
"Now if only I could find that microsoft wish email address to send such a
request to"
Try http://www.windowsserverfeedback.com/
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, October 14, 2005 9:48 AM
To: ActiveDir@mail.a
You might want to know,
checking for 4096 in userAccountControl will include disabled accounts also.
As bit 2 is set for account disabled, and you are not checking its absence.
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)
Just extract useraccountcontrol in your dsque
NetPro's ChangeAuditor for AD does this without requiring
auditing. The change log includes what was changed, before and after values,
when, where, and by whom.
See http://www.netpro.com/products/changemanager/
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Yann
Sent: Th
*raises hand*
sid of the last modify-er would be just nice for
me.
Usually we just want to know which admin is the culprit
without analyzing 30gig of DC security log (one day log)
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono Group Support Engineer InternationalSOS Pte
I think there are a few types of questions one can ask in list such as
this...
1) questions where you have searched for an hour and nothing seems
relevant, or there is so much info that it would take days to sort
through
2) questions where the sh_t is down hard and what the heck is THIS and
you d
Ok, now you've done it Gil :-) I guess this is the geek
version of "dueling banjos" :-)
Quest's InTrust for Active Directory provides
detailed, real-time auditing and alerting of all changes to AD and Group Policy
Objects (GPOs), including changes to AD configuration and GPO settings. It a
I get to be Burt Reynolds! :)
-g
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren
Mar-Elia
Sent: Friday, October 14, 2005 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when
users were deleted.
Ok, now you've done it Gil :-) I guess this is
I’m having a tough time converting this kix script to
.vbs. Any Ideas?
; This change will fix an IXOS problem where the default
paper size is A4 instead of Letter
If KeyExist("HKCU\Software\IXOS\IXOS_ARCHIVE") = 1
If
KeyExist("HKCU\Software\IXOS\IX
Dear List,
My Google-foo is apparently not sufficiently evolved to determine this and I
would like to ask this question. I have a Forest Root with two DCs and a
single child domain with three DCs. When I run DCDIAG on any DC in the
child domain it is coming back with the following:
"Latency info
>> Tony Murray Said:
>> Joe, I've had no complaints about you to date.
Good. I'll start. Here's your first.
He's an over-bearing know-it-all looking for his first and second million.
Plus, he uses more bandwidth than everyone combined.
If someone asks, he - "Could I stand a second domain
And this is why I absolutely *LOVE* this list - it's not only
informative, it's entertaining as well! Keep it coming, guys!
Mike Thommes
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 14, 2005 1:33 PM
To: ActiveDir@ma
Gentlemen,
"WHICH IS
CHEAPER?"
LOL
RH
__
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Friday, October 14, 2005 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing
Was going to ask that myself.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c -
312.731.3132
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005
2:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kn
Thanks for the thoughts. And thanks Tony for the reference
-- just finished reading it.
Unfortunately, deploying the DC at HQ or simply
authenticating over the WAN is not really an option. The WAN links are ok (and
getting better) but are located in places where environmental (as in the
we
Hi all:
I currently have my linux boxes configured to log into AD via ldap. I
noticed today that even though I have the host IP hard coded to a local
server, each box is trying to authenticate to a DC at a remote site.
Has anyone experienced this issue?
Kind Regards,
Jennifer Fountain
Systems
"Does placing the DC inside a virtual machine add any
security? Would it be harder for someone with physical access to compromise the
DC?"
Hmmm
interesting. Yes, and no. Physical access is always an issue, but
the NTDS.DIT is not out there in the open on a disk as it might be in a
Come on...we're software companies. The price is directly
related to the number of days left in a particular quarter.
It's called "vendor management" :-)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian
Desmond
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@m
When’s the end of the Quest FY?
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c -
312.731.3132
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Darren Mar-Elia
Sent: Friday, October 14, 2005
3:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDi
Well
To query for ANY DC (or LDAP server) in the domain you use:
_ldap._tcp.dc._msdcs..
To query for ANY DC (or LDAP server) in a certain site you use:
_ldap._tcp.._sites.dc._msdcs..
If a computer does not know its site it uses the first, and if it knows its site
it will use the second.
I
Right, the Host does not _have_ to be a member of the
domain. However, the white paper makes references to securing the directories
that contain the vhd and the NTDS.DIT (in the DC-as-VS model) for domain admins,
implying that it should be a member of the domain. And, as you said Rick, the
H
I’m curious, you said the WAN links
can have interruptions so you wouldn’t want to authenticate over the WAN…
but if all you have in a branch is a DC, what do you gain by having the DC
locally if the link is down – unless you have additional servers there
too (i.e. Exchange, F/P). Assuming
Title: Adding users to local Admin group
Doesn't matter. Computer policy is computer
policy. You can also simply link the GPO to the domain and filter it based
on another security group - one that simply holds the computer accounts in
question.
Here's an article on what you want to
do:
I believe the _msdcs sub domain is Microsoft/ Windows only. Non-Windows
clients will use _ldap._tcp. or _ldap._tcp.name>._sites..
- Original Message -
From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
To: ;
Sent: Friday, October 14, 2005 8:50 PM
Subject: RE: [ActiveDir] Major issu
use regread for keyexist and readvalue functions of shell object
regwrite for addkey & writevalue functions
while, _vbscript_ will exit with error if regread couldn't find the key,
you can use " on error resume next" before validating the key existence, to continue the script execution.
reference
Hi,
Try the following:
Cheers,
jorge
'http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/enumvalues_method_in_class_stdregprov.asp
###
' HKEY_CURRENT_USER hive constant for StdRegProv (the page's &H8001 was a typo)
Const HKCU = &H80000001
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:Std
LDAP is not authentication [1]
If you hardcoded the ldap server, is there a referral going on? When you
say hardcoded, was it by ip address or ??
How did you notice that these *nix machines are talking to a DC in a remote
location?
[1] there, I said it. I got that off my chest :)
-Origi
Sounds like something you could find on www.shutuplaura.com
BTW, it is annoying that I have to get an account to leave a comment. I
don't need any more accounts.
So congrats on signing up for the run, you will make Penn State proud!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:
The host would reach across the WAN and auth assuming the
WAN was available at the time. Once the VS for the DC was up and running, the
host could use that local DC.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah
Eiger
Sent: Friday, October 14, 2005 3:56 PM
To: Activ
I don't think running a DC inside a virtual machine would give any added security; if someone could log onto the server running the VMs then it is just as bad as being able to have physical access to a normal DC since they can control starting and stopping the VMs. As Rick mentioned they could also
Not out yet, I am expecting Mid November or Early December. I sent an email
to see if I can find out.
The book is NOT written in my voice, I tried as best as possible to maintain
the voice that was there. I simply revised it though I did add a Chapter on
ADAM and a chapter on some basic Exchange/
The assumption for us is that there is also a file and
print server there.
The solitaire thing is a whole angle I did not consider. Is
a DC required for solitaire? What about a virtual MP3 player running in cached
mode? Ok. I'm clearly ready for the weekend ;-) Thanks for all the thoughts,
I would have to concur with most if not all of this. I don't much mind the
OT posts as long as the subject is prefixed with a [OT] so it can be easily
filtered out when sorting by subject or even if you use outlook to colorize
the messages or folderize them or something else. Even the OT posts ofte
joe said: "Again, the reviewers did a fantastic job."
Of which, you will all notice when the book comes out, I am _NOT_ one of
those reviewers.
joe said: "They kept me honest"
Which is one of the reasons _WHY_ I was not one of those reviewers
Rick
P.S. Hey, joe :op
-Origi
Rick Rick Rick...
Over-bearing yes.
Know-it-all no. More of a know-some-of-it-all.
Yeah I am hoping for more than 2000 copies as well. Actually I think
O'Reilly expects the book to do spectacularly well, even after I told them I
had a relatively small family and many of them can't read anyway and
Hey I needed to maintain a certain quality
Did you send something to Robbie to say you wanted to review it? In the end
we were begging for reviewers, I even took Dean as a reviewer and you know
the edge I had to be on for that He kept wanting to spell words wrong.
Eventually I just took o
On 10/14/05, joe <[EMAIL PROTECTED]> wrote:
I had done a couple of things, first I had learned Calc far better than I had ever learned in class all the way up to Calc IV and I had gotten a
reputation of only tutoring really smart girls. ;o)
You're even smarter than I thought ;)
Phil
This assumes that the client knows how to retrieve SRV records though.
The first thing I would say to do in troubleshooting this is to do drum roll
please. Network trace, yeah you knew I was going to pull that one didn't
you?
Another thing to do would be to use proper authentication with Kerb
Adfind saved your job?
Hmmm that sounds like it is worth 25% of your salary for the
next year. ;o)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Yann
Sent: Friday, October 14, 2005 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when
users were
joe is too kind...he's glossing over the bit where he kept saying "If
that [EMAIL PROTECTED] Laura makes -one- -more- [EMAIL PROTECTED] grammar
fix...". :-)
(And joe, if you do Theory of Computation, you may become my best
friend during my next grad class. I fully expect to hire a tutor and
jus
Can you do some sort of backlink type of magic where you use some smaller
sized value to represent the real value via indirection or something?
I expect most companies would be willing to take the hit on DIT size to get
this kind of capability. ESE can handle it right?
-Original Message--
You know, there's a reason nobody likes you, Richards. ;o)
- L
On 10/14/05, joe <[EMAIL PROTECTED]> wrote:
> Sounds like something you could find on www.shutuplaura.com
>
> BTW, it is annoying that I have to get an account to leave a comment. I
> don't need any more accounts.
>
> So congrats on
The Oracle sales model. :) There was a link a couple
of days ago to Joel on Software describing this price
model.
The correct answer to this is probably closer to "Depends
on who you talk to last..."
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren
Mar-Elia
Sent
Just a small expansion. Checking for 4096 with a BITWISE
filter (which is used here) will not filter out disabled accounts.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh
Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re:
So how can I get just normal comp accounts which are NOT disabled?
Would you not use a bitwise filter for those types of queries.
Thanks
p.s- since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but f
Tom-
I'll certainly not try to explain it while joe's around :-)
but here's a KB that helped me when I was trying to grasp this. That and
using adfind to look at the resultant values of objects that I knew the
flags for already...
How to use the UserAccountControl flags to manipulate user accoun
LDAP filter for disabled user accounts
"(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))"
LDAP filter for enabled user accounts
"(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
Cheers,
Jorge
__
>you will make Penn State proud!
Don't folks at the University of Pennsylvania take umbrage when you call
it Penn State ?? They did when I lived there :-]
/Child of 2 Penn State alums
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, Oct
Hi all,
The linux client is configured with a host parameter in the ldap.conf
file and isn't srv aware. I was running several network traces and
sniffers, etc to determine what exactly was going on but the dumps came
up empty. But, I think the issue has "gone" away but not sure why.
On another
Glad you said something Al. I thought we completely glazed over this
part in her first post:
"I noticed today that even thought I have the host ip hard coded to a
local
Server..."
Host IP hard coded...?
:m:dsm:cci:mvp marcusoh.blogspot.com
-Original Message-
From: [EMAIL PROTECTED]
[mai
If you're not comparing it to any other bit in userAccountControl, I don't understand why you need the bitwise filter.
Why can't you just have userAccountControl=2 then and just use "!" to find a disabled or enabled account?
That's where my confusion comes in.
Thanks
On 10/14/05, Almeida Pinto,
Boo, hiss. It's Engineering Services that offers it, not MCS. ;>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
> Sent: Thursday, October 13, 2005 11:22 AM
> To: Send - AD mailing list
> Subject: RE: [ActiveDir] AD/DNS BPA?
>
> The to
Actually, I think that book and the Windows XP book are the only two that I
Haven't reviewed.
As to why I wasn't asked - I dunno.
Rick
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:36 PM
To: ActiveDir@mail.activedi
So you have a publicly accessible DNS server that you manage and is in your DMZ and an internally accessible DNS server that is on your internal network. Is that right?
You have a domain on your publicly accessible DNS server for your public servers (web, email etc.) and currently you only have a
Useraccountcontrol is a bitmask. You can have a disabled account which
also has a non expiring password. This is no longer just “2”. It’s
1002 – 2 or 1000. :)
Thanks,
Brian
Desmond
[EMAIL PROTECTED]
c -
312.731.3132
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECT
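The thread above (Kamlesh's note that a 4096 check includes disabled accounts, Jorge's enabled/disabled filters, Tom's question about plain equality, and Brian's point that userAccountControl is a bitmask) can be checked against a small model of the two LDAP bitwise matching rules. This is an added example, not code from any list member; the flag values are the documented ADS_UF_* constants and the sample accounts are constructed.

```python
# Added example: emulate the LDAP bitwise matching rules on userAccountControl
# and compare them with a plain equality test. Not code from the thread.

# Documented userAccountControl flag values (ADS_UF_* constants)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200                 # 512
WORKSTATION_TRUST_ACCOUNT = 0x1000      # 4096, set on computer accounts
DONT_EXPIRE_PASSWORD = 0x10000          # 65536

# Matching-rule OIDs used in the filters quoted in the thread
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"


def bit_match(rule: str, value: int, mask: int) -> bool:
    """Evaluate `userAccountControl:<rule>:=<mask>` against a stored value."""
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return value & mask == mask      # every bit in mask must be set
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return value & mask != 0         # any bit in mask may be set
    raise ValueError(f"unknown matching rule {rule}")


# Constructed sample accounts (name -> userAccountControl); not real data
SAMPLE = {
    "alice": NORMAL_ACCOUNT,                                         # 512
    "bob": NORMAL_ACCOUNT | ACCOUNTDISABLE,                          # 514
    "carol": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE, # 0x10202
    "ws01$": WORKSTATION_TRUST_ACCOUNT,                              # 4096
    "ws02$": WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE,             # 4098
}


def equality_disabled(accounts):
    """Tom's idea, (userAccountControl=2): exact integer compare, so a real
    account (which always carries other bits) never matches."""
    return sorted(n for n, uac in accounts.items() if uac == ACCOUNTDISABLE)


def disabled(accounts):
    """Jorge's filter: (userAccountControl:1.2.840.113556.1.4.803:=2)."""
    return sorted(n for n, uac in accounts.items()
                  if bit_match(LDAP_MATCHING_RULE_BIT_AND, uac, ACCOUNTDISABLE))


def computers_any_state(accounts):
    """Tom's dsquery clause (useraccountcontrol:...804:=4096): matches
    computer accounts whether or not the disabled bit is also set."""
    return sorted(n for n, uac in accounts.items()
                  if bit_match(LDAP_MATCHING_RULE_BIT_OR, uac,
                               WORKSTATION_TRUST_ACCOUNT))


def enabled_computers(accounts):
    """The same clause with the (!(...803:=2)) test Kamlesh said was missing."""
    return sorted(n for n, uac in accounts.items()
                  if bit_match(LDAP_MATCHING_RULE_BIT_OR, uac,
                               WORKSTATION_TRUST_ACCOUNT)
                  and not bit_match(LDAP_MATCHING_RULE_BIT_AND, uac,
                                    ACCOUNTDISABLE))


if __name__ == "__main__":
    print("equality on 2 :", equality_disabled(SAMPLE))
    print("bitwise AND 2 :", disabled(SAMPLE))
    print("bitwise OR 4096:", computers_any_state(SAMPLE))
    print("enabled comps :", enabled_computers(SAMPLE))
```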
Or get a better ISP or DNS record keeper that will allow you to do what
you need to do.
Phil Renouf wrote:
So you have a publicly accessible DNS server that you manage and is in
your DMZ and an internally accessible DNS server that is on your
internal network. Is that right?
You have a do
Why lurk when you can participate so effectively? :)
Phil
On 10/15/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
Or get a better ISP or DNS record keeper that will allow you to do what you need to do.
Phil Renouf wrote:> So you have a publicly accessible DNS server