[ActiveDir] [OT] USB/PS2 monitoring software

2007-01-23 Thread Guy Teverovsky
Hey all, I am looking for an application that can monitor and alert the usage of USB/PS2 devices on the clients (mostly XP). If a user plugs in a new keyboard, disconnects a mouse or tries to use a DOK - I need to be able to record the action and trigger alerts based on different criteria. Anyo

RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

2006-12-03 Thread Guy Teverovsky
sis Tool 1.0. You can find pointers to it (+Webcast) at http://www.lissware.net. Note, we will release the version 2.0 early next year. Regards, /Alain Alain LISSOIR [EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]> Home Page: http:

RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

2006-12-01 Thread Guy Teverovsky
http://www.myitforum.com/articles/8/view.asp?id=9284 Rod's been tracking that on myitforum and the Patch management listserve for a while now. Guy Teverovsky wrote: > > Hi all, > > Recently I had a case where we experienced high CPU utilization after > deploying SMS client to DCs. > By now

[ActiveDir] 100% CPU utilization when querying Win32_Account on DC

2006-12-01 Thread Guy Teverovsky
Hi all, Recently I had a case where we experienced high CPU utilization after deploying SMS client to DCs. By now we have identified that the issue was caused by an extension of sms_def.mof file containing the definitions of information that should be collected from the agent. The interesting

RE: [ActiveDir] Updating cached credentials

2006-11-22 Thread Guy Teverovsky
Using "runas /user: something" after establishing a VPN session should do the trick. Guy From: [EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Wednesday, November 22, 2006 9:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Updating cached creden

RE: [ActiveDir] Kerberos is Killing Me!

2006-11-18 Thread Guy Teverovsky
I'll second that. Dups can be found not only across multiple domain NCs. Not long ago I stumbled upon exactly the same error and it turned out that it was a result of an orphaned connection object in LostAndFoundConfig container in Config partition. All the tests came up clean, repadmin was coming up

RE: [ActiveDir] RFMAGIC

2006-07-07 Thread Guy Teverovsky
Title: Re: [ActiveDir] Forestprep Failure >> [EMAIL PROTECTED] ~]# ls / -R | grep dcpromo   Come on Brian ! man find + man locate/slocate. This is the most inefficient (complexity and memory wise) search you can ever do (and notice that grep is case sensitive. You should have used "grep

RE: [ActiveDir] Schema Question

2006-06-30 Thread Guy Teverovsky
Isn't it something that Exchange System Policies are supposed to take care of? Why would you want to set mailbox quotas for each and every user account instead of setting the defaults on the stores and overriding only when necessary?   Guy   From: [EMAIL PROTECTED] [mailto:[E

RE: [ActiveDir] Windows 2003 sp1 DNS problem

2006-06-30 Thread Guy Teverovsky
Behalf Of Guy Teverovsky Sent: Friday, June 30, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Windows 2003 sp1 DNS problem   Another thing that is worth mentioning is the loopback check that has been enforced since W2K3 SP1. Try disabling the loopback check or

RE: [ActiveDir] Windows 2003 sp1 DNS problem

2006-06-30 Thread Guy Teverovsky
Another thing that is worth mentioning is the loopback check that has been enforced since W2K3 SP1. Try disabling the loopback check or specifying additional FQDNs using one of the methods in the following KB: http://support.microsoft.com/?kbid=896861   Guy From: [EMAIL PROTECT

RE: [ActiveDir] Self vs. the object name / effective permissions

2006-06-27 Thread Guy Teverovsky
Title: Self vs. the object name / effective permissions   I just call it "best effort". It's totally ineffective over cross forest trusts.   Guy   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, June 27, 2006 10:56 AM To: ActiveDir@mail.actived

RE: [ActiveDir] Deny permissions in AD

2006-06-26 Thread Guy Teverovsky
Re: "Looks like domain admins, Self, and account operators have hard-coded rights to the object."   Those are taken from defaultSecurityDescriptor of the object class and can be changed to suit your needs (just watch out not to lock out services like Exchange from reading the objects):

[ActiveDir] Recieved X out of Y objects

2006-06-26 Thread Guy Teverovsky
Title: Recieved X out of Y objects Could be that I never took a better look at it and this is a well-known issue, but when dcpromo-ing W2K SP4 to a DC I get "Replicating DC=domain,dc=tld: received X out of Y objects.", where X is larger than Y. Could it be that X counts tombstones and Y d

RE: [ActiveDir] pw reset domain account

2006-06-26 Thread Guy Teverovsky
If I had a self service web service for resetting password, and wanted to let the users access it from anywhere, I'd not be using domain accounts for logging into the workstation.   Probably the best would be having dedicated workstations in kiosk mode, but if that is not an option, I'd p

RE: [ActiveDir] DDNS in Unix environment

2006-06-21 Thread Guy Teverovsky
lk softly and carry a very large Windows appliance. ;)   Al  On 6/19/06, Guy Teverovsky <[EMAIL PROTECTED]> wrote: I will try to address all the points raised.   Al: You are right. The idea is to provide highly available service as transparently as possible. This is one of those times whe

RE: [ActiveDir] DDNS in Unix environment

2006-06-19 Thread Guy Teverovsky
going to take place)? What does Veritas recommend? (it is their product after all).   Al  On 6/17/06, Guy Teverovsky <[EMAIL PROTECTED]> wrote: Howdy all, I am banging my head over this trying to come up with a solution for a client. To make the long story short: financial organization wh

[ActiveDir] DDNS in Unix environment

2006-06-17 Thread Guy Teverovsky
Howdy all, I am banging my head over this trying to come up with a solution for a client. To make the long story short: financial organization which is very concerned about security. They are setting up a new network segment that will be serving some application to the internal network (there

RE: [ActiveDir] FYI: Failing to create a trust

2005-12-19 Thread Guy Teverovsky
Title: RE: [ActiveDir] FYI: Failing to create a trust Maybe I am shooting blanks into the great wide open, but I have lately been beaten on various occasions by LSA's loopback check that has been enabled by default in W2K3 SP1 (mainly installing MOM Reporting Services or having

RE: [ActiveDir] Internet Explorer Home Page Question

2005-11-22 Thread Guy Teverovsky
If I am not mistaken, newly created profiles take the defaults from: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main] Set the "Start Page" and "Search Page" there and the newly created profiles will pick the settings from there. If you want to automate it, create a custom a

RE: [ActiveDir] IAS, Radius & AD

2005-11-18 Thread Guy Teverovsky
problem is the IAS server cannot find any DCs in those domains.  Also, I get the following error with the netsh command:   C:\>netsh ras tracing * ENABLED The following command was not found: ras tracing * ENABLED.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Beha

RE: [ActiveDir] IAS, Radius & AD

2005-11-17 Thread Guy Teverovsky
Are members in those 2 domains having UPN suffix not in the namespace of the forest root? Example: Forest root suffixes: @company.net Child suffixes: @child.forest.com   Are the users trying to logon using UPN or domain\samaccountname? Have you tried implicit Kerberos principal ([EM

RE: [ActiveDir] OT: MIIS, ADAM, & AD

2005-07-29 Thread Guy Teverovsky
I wonder whether anyone has tried the ADAM Synchronizer for similar scenarios: http://www.microsoft.com/downloads/details.aspx?familyid=06787254-d7f4-4fff-8e02-2609956cb19e&displaylang=en The documentation is pretty vague about the way the target objects are created.   Guy  

RE: [ActiveDir] Windows -> MIT Cross-realm auth to domains not in the same dns hierarchy

2005-06-24 Thread Guy Teverovsky
> The preceding solution works great, but I've found that if we establish a > trust to a domain such as DOMAIN.SCHOOL.EDU (not in the same DNS hierarchy > as AD.SCHOOL.EDU) then user logons fail. [Guy] There is a similar bug when changing passwords over cross forest trust when the UPN suffix of t

RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members in a group

2005-06-23 Thread Guy Teverovsky
Oops... Should be: for /F "delims=*" %i in ('dsquery * -filter "(&(objectcategory=person)(objectclass=user)(memberof=))" ') do @dsmod group -addmbr %i > -Original Message- > From: [EMAIL PROTECTED] [mailto:ActiveDir- > [EMAIL PROTECTED] On Be

RE: [ActiveDir] using adfind/admod or dsquery/dsmod to copy members in a group

2005-06-23 Thread Guy Teverovsky
Try for /F "delims=*" %i in ('dsquery * -filter "(&(objectcategory=person)(objectclass=user)(memberof=))" ') @do dsmod group -addmbr %i (all at one line) It could be that you have stumbled upon dsmod's limitation when it cannot have more than one DN piped in as a parameter. Guy > -Orig

RE: [ActiveDir] Migration between domains with same NetBios name

2005-06-16 Thread Guy Teverovsky
Guido, How about: 1) rename the NetBios name of the target AD 2) perform the migration 3) rename the NetBios name of the AD back to the original Because you are changing only NetBios name and not the DNS name, the fixups at the AD side are rather minor... Or are we talking about target AD be

RE: [ActiveDir] LDAPS question

2005-05-21 Thread Guy Teverovsky
at it still doesn't work! :-)  It added the SAN to my cert; however, I still can't use ldp.exe to connect using the LDAPS when I use the alternate name.  The alternate name shows up just as it did when I used the Microsoft CA; however, when I used the Microsoft CA LDAPS worked.  Now it doe

RE: [ActiveDir] [OnTopic] Active Directory Property Set Madness

2005-05-12 Thread Guy Teverovsky
The interesting thing is that the permissions of the newly created GP Objects are inherited neither from the System\Policies container in the default NC, nor from the Policies folder in the SYSVOL. The permissions are taken from the defaultSecurityDescriptor of the groupPolicyContainer object c

RE: [ActiveDir] LDAPS question

2005-05-10 Thread Guy Teverovsky
it out on a third party CA tomorrow.  I'll let you know how it goes.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Monday, May 09, 2005 8:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAPS question It turned out to be a bit

RE: [ActiveDir] LDAPS question

2005-05-09 Thread Guy Teverovsky
dap.company.net")   The call goes through without generating an error; however, it doesn't seem to take.   Has anyone out there successfully created a CSR using this extension?   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Friday,

RE: [ActiveDir] LDAPS question

2005-05-06 Thread Guy Teverovsky
Title: LDAPS question You will need to issue new certificates to the DCs with the ldap.company.net in the Subject Alternative Name section. The certificate requirements for DCs are specified in the following KB: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291010 Though it is

RE: [ActiveDir] userenv bug in w2k3?

2005-02-16 Thread Guy Teverovsky
I just wonder whether W2K3 gets confused and tries to treat authenticating against MIT Kerberos realm as fully bloated cross-forest logon. Do you have loopback enabled in this GPO? W2K3 and W2K behave a bit differently when doing cross-forest logons. W2K by default does not process the user pol

RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

2005-01-30 Thread Guy Teverovsky
ify will handle multi-realm. joe [1] Let's face it, a single kerberos realm is small or medium centralized business or university class, it isn't enterprise class. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky

RE: [ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

2005-01-28 Thread Guy Teverovsky
/o this mechanism. In AD, the same logic applies…..use a secure bind, and this will work just fine.   The mechanism as it exists in ADAM, though, does not exist in AD. Sorry.   ~Eric         From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Friday

[ActiveDir] alternative to ms-DS-Bind-Proxy in W2K3 AD ?

2005-01-28 Thread Guy Teverovsky
Hello all,   In ADAM there is a nice feature, called “bind redirects”, which is implemented using ms-DS-Bind-Proxy auxiliary class. Now it appears that in AD there is no alternative for something like this. What I would like to do is, given 2 AD forests (resource forest where hosts resi

RE: [ActiveDir] Issues with Win 2k3 Inplace Upgrade - Registry Security

2004-11-08 Thread Guy Teverovsky
What we did in our environment was: - disabled the links of DDP/DDCP to domain object and Domain Controllers OU - remove “Group Policy Creator Owners” from the ACL of “CN=Policies,CN=System,DC=domain,DC=com” and added our own group with permissions to create objects in the

RE: [ActiveDir] RESOLVED: A weird one (or Joeware vs. MS)

2004-11-03 Thread Guy Teverovsky
", the default settings of W2K3 member servers will prevent them from talking to DCs using NTLM. Forcing the clients to "Send NTLMv2" will make the problem disappear. Guy ________ From: [EMAIL PROTECTED] on behalf of Guy Teverovsky Sent: Thu 10/28/2004 5:00

RE: [ActiveDir] A weird one (or Joeware vs. MS)

2004-10-27 Thread Guy Teverovsky
Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky > Sent: Wednesday, October 27, 2004 6:50 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] A weird one (or Joeware vs. MS) > > Already tried most of what you mentioned. Same error

RE: [ActiveDir] A weird one (or Joeware vs. MS)

2004-10-27 Thread Guy Teverovsky
? If that works, > the issue is probably somewhere in kerberos and I would start looking for > ker errors and verify SPN's are properly registered and time between the > machines is correct, etc. > > joe > > > > -----Original Message- > From: [EMAIL PROTEC

[ActiveDir] A weird one (or Joeware vs. MS)

2004-10-27 Thread Guy Teverovsky
Here is a weird one: 2 forests with one way forest trusts: forestA.com trusts forestB.com I try to schedule a task on host.forestA.com with account FORESTA\user (tried everything up to member of Enterprise Admins, Domain Admins, BUILTIN\Administrators) and I get "0x80070005 Access Denied" error

Re: [ActiveDir] OT: Wireless EAP-TLS, IAS, and certificates

2004-10-17 Thread Guy Teverovsky
Ken, If you are lucky enough to have all your clients with XP, you can use GPO to configure the Wireless policies. Check it out under "Computer Configuration\Security Settings\Wireless network (IEEE 802.11) policies" The link below should answer your questions regarding computer/user authenticat

RE: [ActiveDir] Fun with Kerberos

2004-09-13 Thread Guy Teverovsky
tive for both forests. That said, that's something you want your admin processes to compensate for and ensure that all accounts are unique across forests that can talk to each other. Al From: Guy Teverovsky [mailto:[EMAIL PROTECTED] On Behalf Of Guy Tevero

RE: [ActiveDir] Fun with Kerberos

2004-09-09 Thread Guy Teverovsky
application) could thus cause a DOS for applications running on the other server. /Guido -----Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Thursday, September 09, 2004 6:22 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Fun with Kerberos Stumbled

[ActiveDir] Fun with Kerberos

2004-09-08 Thread Guy Teverovsky
Stumbled upon an issue a couple of days ago and wanted to hear what you guys think about it. Suppose that your AD is called myad.com and you also configure additional UPN suffix "company.com". Now I create 2 users in child.myad.com child domain: 1) sAMAccountName: guy userPrincipalName: [EMAIL

RE: [ActiveDir] By design or configurable ?

2004-08-24 Thread Guy Teverovsky
ur name resolution working? Anything in the event logs when this > occurs? Especially the security logs on the clients/dc's/resources being > accessed? > > > Al > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of G

RE: [ActiveDir] By design or configurable ?

2004-08-24 Thread Guy Teverovsky
cific day would be more than the memory allowed for the log, and no events are lost. HTH Gruesse - Sincerely, Ulf B. Simon-Weidner > -Original Message- > From: [EMAIL PROTECTED] [mailto:ActiveDir- > [EMAIL PROTECTED] On Behalf Of Guy Teverovsky > Sent: Saturday, August 21, 2

RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Guy Teverovsky
kes-Barre PA 18711 > > > PH: 570-208-5845 > > > Fax: 570-208-6072 > > > Cell: 570-760-0335 > > > [EMAIL PROTECTED] > > > -Original Message- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis

RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Guy Teverovsky
's a testament to > your architecture if the users never noticed :) > > Al > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky > Sent: Monday, August 23, 2004 4:24 PM > To: [EMAIL PROTECTED] > Subj

RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Guy Teverovsky
out of date, the client will request a new > kerberos ticket and then be authenticated to the resource. > > Denny > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Guy > > Teverovsky > > Sent:

RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Guy Teverovsky
icket is cached or not. (I suspect not.) When > a machine reconnects to the network and you attempt to access a network > resource, the resource will ask for you ticket. If you don't have one, or > if it is out of date, the client will request a new kerberos ticket and then > b

[ActiveDir] By design or configurable ?

2004-08-20 Thread Guy Teverovsky
In my environment, when W2K3 DC boots with security logs full, the replication from that DC stops till the security log is cleared and the box is rebooted. The interesting thing is that after the security logs become full (while the box is online) the replication continues to work till the box is

RE: [ActiveDir] Anonymous bind (here we go again)

2004-08-13 Thread Guy Teverovsky
update the foreign DNS. This > assumes again open dynamic updates. > > joe > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky > Sent: Thursday, August 12, 2004 7:52 PM > To: [EMAIL PROTECTED] > Subject:

RE: [ActiveDir] Anonymous bind (here we go again)

2004-08-12 Thread Guy Teverovsky
tc. > > - Aric > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky > Sent: Wednesday, August 11, 2004 10:11 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Anonymous bind (here we go again) > >

RE: [ActiveDir] Anonymous bind (here we go again)

2004-08-11 Thread Guy Teverovsky
sage- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky > Sent: Wednesday, August 11, 2004 5:34 PM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] Anonymous bind (here we go again) > > > > We have W2K3 AD (FFL/DFL 2003) configured as

[ActiveDir] Anonymous bind (here we go again)

2004-08-11 Thread Guy Teverovsky
We have W2K3 AD (FFL/DFL 2003) configured as ad.company.com There is a subset of workstations (located in pre-configured OUs) that need to be resolvable using the "company.com" suffix (company.com zone is managed by BIND, while ad.company.com is managed by MS DNS). One of the ideas was to run (f

RE: [ActiveDir] Anonymous bind

2004-05-28 Thread Guy Teverovsky
age- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky > Sent: Tuesday, May 25, 2004 7:23 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Anonymous bind > > LDAP with SSL/TLS is way better than NIS. > > As for environment, it's

RE: [ActiveDir] DC not replicating out

2004-05-28 Thread Guy Teverovsky
be wrong, but doubt it. However what did you > change in the GPO? > > What does repadmin /showreps say on the DC trying to pull? > > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky > Sent: Wedn

RE: [ActiveDir] DC not replicating out

2004-05-26 Thread Guy Teverovsky
easy part first. > > Invalid Checksum? Hmmm... Anything in the security logs that gives an > indication? > > Al > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky > Sent: Tuesday, May 25, 2004 6:02 PM > T

RE: [ActiveDir] Anonymous bind

2004-05-25 Thread Guy Teverovsky
ied to help with the original post > without all of the topology information. > > Sounds like an interesting problem though... > > > -Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky > Sent: Friday, May 21, 2004 7:0

[ActiveDir] DC not replicating out

2004-05-25 Thread Guy Teverovsky
I am banging my head against the wall the whole day. In pilot environment we applied a GPO to replace the Default DC GPO. Apparently one of the DCs had some issues when the GPO was applied. The result was: the inbound replication on the DC works, but no other DC can pull from the sick one. Closer

RE: [ActiveDir] Domain Controller Security...

2004-05-24 Thread Guy Teverovsky
You can restrict access to Task Scheduler using GPO (Admin Templates\Windows Components\Task Scheduler) and by changing permissions on %SYSTEMROOT%\Tasks folder, but there are other ways around. BTW, I remember reading somewhere that "at" command uses old style API which is not enforced by GPO, an

RE: [ActiveDir] Anonymous bind

2004-05-21 Thread Guy Teverovsky
MS insights :) > and I do not want mangled attributes in AD. > > [EFLEIS] - So we think it is easier to sync over a subset of data to the > other directory, extend there and populate there? Rather than just putting > it all in the main directory? I'm sorry, I just disagree. :) &

RE: [ActiveDir] Anonymous bind

2004-05-21 Thread Guy Teverovsky
party of one of my > friends, so my apologies for not coming up with more. Promise to be back > to my senses tomorrow. > > [EFLEIS] - Hehe, I can't help you here. :) > > > > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf

RE: [ActiveDir] Anonymous bind

2004-05-21 Thread Guy Teverovsky
> joe > > > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky > Sent: Wednesday, May 19, 2004 2:26 PM > To: [EMAIL PROTECTED] > Cc: ADS Customer Feedback > Subject: RE: [ActiveDir] Anonymous b

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Guy Teverovsky
oops... Damn habit of hitting Reply to All acquired at another dist list. Sorry again, Guy On Wed, 2004-05-19 at 21:26, Guy Teverovsky wrote: > Eric, > > It looks like I was not clear enough. See my comments below. > > And as others have already stated, the solution should

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Guy Teverovsky
ROTECTED] > Subject: Re: [ActiveDir] Anonymous bind > > > > > OK, I will try the second approach. > So I have to copy (sync) all the AD data into my local openLDAP??? > creating a local schema with the user info??? > -- > > Aitzol Naberan Burgaña > CodeSyn

Re: [ActiveDir] Anonymous bind

2004-05-18 Thread Guy Teverovsky
There are several solutions to that: 1) Grant Everyone read permissions (this object and all child objects) to the domain object. The drawbacks are obvious: you are opening a HUGE security hole. You will definitely not want that in production. 2) Setup OpenLDAP and sync the needed attributes from

Re: [ActiveDir] Default printer logon script OT

2004-04-20 Thread Guy Teverovsky
Printers are user specific. The script needs to run in user context. Guy On Tue, 2004-04-20 at 23:19, Kern, Tom wrote: > Sorry for the off topic. > I'm running a VBscript to set the default printer to always be the same printer on a > workstation( we have a legacy Paradox dos app and it always

[ActiveDir] Effective permission

2004-04-19 Thread Guy Teverovsky
I will try to make the long story short: 2 W2K3 forests with transitive forest trust (abc.com and xyz.com) xyz.com is "resource forest" abc.com is "user accounts forest" (child.abc.com is a child domain) I logged on to forest xyz.com DC with account from child domain of forest abc.com ([EMAIL PRO

RE: [ActiveDir] Wlan & AD Security

2004-04-13 Thread Guy Teverovsky
I would say that the link below gives a pretty good reason for not plugging APs into internal LAN: http://www.cisco.com/en/US/products/products_security_advisory09186a00802119c8.shtml Guy On Tue, 2004-04-13 at 18:12, Mulnick, Al wrote: > That's a pretty valid argument to put any access to your ne

RE: [ActiveDir] Group Policy

2004-03-16 Thread Guy Teverovsky
mber machines at a lower OU level that still encompasses all of those > machines. I know I did this for lockout policy once. > > > - > http://www.joeware.net (download joeware) > http://www.cafeshops.com/joewarenet (wear joeware) > > > > -Origin

RE: [ActiveDir] Group Policy

2004-03-15 Thread Guy Teverovsky
Actually I did it once. This way you can enforce different password complexity requirements for domain accounts vs. machine local accounts by applying stricter password complexity to GPO that is linked to Domain Controllers OU. This is rather simple: in Default Domain Controller Security policy y

RE: [ActiveDir] Local Admin to Domain Admin escalation

2004-03-09 Thread Guy Teverovsky
t; it to run as local system anyways. Also, how is Windows supposed to know, > if the service doesn't require network access and should thus use the > Network Service instead... > > In summary: the default install account of a service should be the least of > your worries. Be

[ActiveDir] Local Admin to Domain Admin escalation

2004-02-27 Thread Guy Teverovsky
Hi all, Recently I have been playing around with an idea of how you deal with a situation when you must have Domain Admin access to AD but do not have the Domain Admin password (this can happen in small outsourced companies or when the only Domain Admin is suddenly unavailable). In W2K this was

RE: [ActiveDir] DCPromo

2004-02-14 Thread Guy Teverovsky
be done on the machine > that it did its initial replication with. How do you know that it did that > replication with the PDC? Is this info from the dcpromo log? > > joe > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of G

[ActiveDir] DCPromo

2004-02-13 Thread Guy Teverovsky
Yesterday, while dcpromoing a machine (which was already domain member), I have noticed that while the LDAP session was initiated against PDCE in site A, the computer account move to "Domain Controllers" OU was performed on a DC in site B. Although after the replication everything was nice and dan

Re: RE: [ActiveDir] Integrate Linux with AD

2004-02-06 Thread Guy Teverovsky
You might also want to look at the following solution: http://laaad.sourceforge.net/en/index.html The idea behind the project is to apply SFU schema extensions and make the clients authenticate using LDAP/SSL instead of NIS, as opposed to vanilla SFU. If you want, you can also make clients auth

RE: [ActiveDir] forcing a logoff

2004-01-20 Thread Guy Teverovsky
You can try the following shell command: RunDll32.exe Shell32.dll,SHExitWindowsEx 0x1 http://www.borncity.com/WSHBazaar/WSHExitWin3.htm for details. Guy On Tue, 2004-01-20 at 21:41, Creamer, Mark wrote: > I noticed that there is a WMI core install for Win9x and I installed it on my test > Win95

RE: [ActiveDir] Backups

2004-01-14 Thread Guy Teverovsky
And if you mention Linux, you can go a little further and get your own rescue CD with a nice set of tools for imaging and basic disaster recovery: http://www.t4k.org/~ebcd/ Can image even over the network. Guy On Wed, 2004-01-14 at 22:16, Ken Cornetet wrote: > If you feel comfortable with Linux,

Re: [ActiveDir] Remotely Boot into DS Restore Mode?

2004-01-13 Thread Guy Teverovsky
Use /SAFEBOOT:DSREPAIR /SOS switches in boot.ini: http://support.microsoft.com/?kbid=256588 Guy On Wed, 2004-01-14 at 03:26, David Adner wrote: > Without using a lights-out type adapter or something else that will allow > me to remotely view the bootup process, is there a way to reboot a server

RE: [ActiveDir] Finding the time of last update of SRV record

2003-12-25 Thread Guy Teverovsky
Joe, I'm puzzled. Should I be looking under CN=MicrosoftDNS,CN=System,DC=foobar,DC=com in the Domain naming context ? Because I can only see there the child sub-domains (like child.foobar.com), but not the _msdcs.foobar.com, _sites.foobar.com, etc - zones which are AD integrated too. The interestin

RE: [ActiveDir] Finding the time of last update of SRV record

2003-12-25 Thread Guy Teverovsky
Thanks Marcus, The dwTimeStamp attribute is also accessible by checking "View-->Advanced" in the DNS snap-in. The thing is that the timestamp is not the precise time the RR has been refreshed - the hour is rounded (i.e.: update performed at 15:17 12/25/2003 is rounded to 15:00 12/25/2003). The com

Re: [ActiveDir] Backup Problem: Data Protector 5.10

2003-12-10 Thread Guy Teverovsky
Michael, I have DP 5.1 setup with local system account on a member server. Guess it should work the same on a DC. P.S.: Looks like I should look at the change log more frequently :-) Cheers, Guy On Wed, 2003-12-10 at 22:39, Donovan, Michael wrote: > Hi- > > I have a DC locally attached t

RE: [ActiveDir] GPO change management

2003-12-09 Thread Guy Teverovsky
management for most > of the GPO operations, for this we created a .NET GPMC Class. If you are > interested in this you can download the code from http://www.activedir.org > downloads. > > Cheers, > > Matty > > > -Original Message- > From: Guy Teverovsky

[ActiveDir] GPO change management

2003-12-05 Thread Guy Teverovsky
Hi all, My organization is currently running a W2K3 pilot and I have been assigned the task of defining GPO change management, backup and restore procedures. I have divided this into 3 sub-categories: 1) Procedures for tasks related to changes in the Group Policies (testing new GPOs, archiving, e