Re: Restricted groups, where have you been....

Can't execute from USB sticks due to my AppSense rules :-) 2009/4/23 Kurt Buff > fileacl.exe on a usb stick? Heh. > > On Thu, Apr 23, 2009 at 00:34, James Rankin wrote: > > Yes, but if they get around the restrictions that I have implemented, > then > > they can have a job :-) They can't change

Re: Restricted groups, where have you been....

good point. SeTakeOwnershipPrivilege is now about to be removed. You probably are right, it would have been easier to configure at the perimeter...but that is managed by my boss and I don't trust him to do it properly and/or not reverse it accidentally or deliberately 2009/4/24 Ken Schaefer >

RE: Restricted groups, where have you been....

What about SeBackupPrivilege (because that ignores File ACLs - I can just use NTBackup to make a backup of cacls.exe and restore it somewhere)? Cheers Ken From: James Rankin [mailto:kz2...@googlemail.com] Sent: Friday, 24 April 2009 5:22 PM To: NT System Admin Issues Subject: Re: Restricted grou

Re: Restricted groups, where have you been....

I suppose this could go on and on :-) The facts, which we all already know, is that admins can generally get around most restrictions at this level, given enough time and guile. The question which I am asking, when I get a spare minute, is why the scanning software in use needs admin privs anyway.

RE: Restricted groups, where have you been....

Yes, it will go on and on :-) That's the point - you can't really stop administrators from doing whatever they want on their own machines. You need something that's not under their control to do anything that can't be subverted. As Bob Fronk alluded to earlier, Mark Russinovich did a blog post o

RE: path longer than 1023- actually only about 200 or less

I had this problem earlier when hackers were breaking into windows computers that had open ftp sites. They would create folder paths that were longer than what windows would be able to handle. The way I did it was to move the folder to another path on the hard drive and then delete the fold

Re: Installing Acrobat with GP

That depends. Your software is OEM licensed, restricted to that machine. Depending on your environment that might be good or bad. If you software deployment outlives the life cycle of the machine, then purchasing OEM software is not as good a deal as it appears on first blush. You also lose the ab

RE: path longer than 1023- actually only about 200 or less

Here is a great way to kill the directories of death (too deep to navigate): Use robocopy to copy an empty directory to one of the lower levels with the /MIR option (mirror) like this: Robocopy c:\emptydirectory K:\Staff And Students\Programming Classes\NHS\Eng086037\web applet project\Coords\

Windows updates strrangeness

I've got a 2k3 server that has downloaded updates and is ready to install them. I see this as a selection if I want to shutdown the machine. Problem is I don't see the balloon icon which would allow me to choose which ones to install. I've tried restarting the server and the Automatic Update ser

RE: SQLServer 200 question - DTS to DMZ

When you put the name in manually, are you sure it's not trying to use Named Pipes instead of TCP/IP...that could also be why it doesn’t show up when you search for it. I always go into the Client Network Utility on the server running the DTS package and create a TCP/IP only alias and name it some

RE: Windows updates strrangeness

Trywuauclt /detectno maybe? From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Friday, April 24, 2009 9:36 AM To: NT System Admin Issues Subject: Windows updates strrangeness ve got a 2k3 server that has downloaded updates and is ready to install them. I see this as a select

RE: Windows updates strrangeness

I always forget that quotes, apostrophes, etc. get munched. The command is: wuauclt detectnow wuauclt /detectnow --- From: Richard Stovall [mailto:richard.stov...@researchdata.com] Sent: Friday, April 24, 2009 9:42 AM To: NT System Admin Issues Subject: RE:

Re: Windows updates strrangeness

I would stop Automatic Updates, remove the c:\windows\softwaredistribution folder, then restart the service and do a wuauclt /detectnow If that fails there is a web page somewhere that someone will surely supply that points you to the script that does *everything* AU related (too busy to find it m

RE: Restricted groups, where have you been....

You guys realize in James' case you STILL need to have a clue what you need to do. Russinovich is not exactly a household name to non computer dorks, and someone would still need some savvy to get past those settings. I mean really, they could always use a BartPE disk and get past most anything

RE: Restricted groups, where have you been....

Not giving you a hard time, your point is valid but in our environment a user doing what you describe will get you fired, or expelled if you are a student. At every login all our users agree not to do the kinds of things you describe, and anyone doing so knows very well they are far over the li

Re: Installing Acrobat with GP

On Fri, Apr 24, 2009 at 8:46 AM, Jonathan Link wrote: > If you software deployment outlives the life cycle of the machine ... Typically our machines outlive the support life of the software they run. We've got ten year old computers still in service. They work just fine for the tasks they're

Re: path longer than 1023- actually only about 200 or less

On Thu, Apr 23, 2009 at 11:51 PM, SMREKAR, JACK wrote: > some one did something stupid in a programming class. Okay, so it's not filesystem corruption. That's good. > but is there also a way to tell what files or directories are above the limit > or can not be deleted From the sound of yo

Re: Restricted groups, where have you been....

They don't even need to be local admins, if you're not whitelisting your apps http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx But the point is valid, if they are clued up and/or determined enough to go this route, then they really need

Re: Windows updates strrangeness

On Fri, Apr 24, 2009 at 9:35 AM, Glen Johnson wrote: > Problem is I don’t see the balloon icon which would allow me to choose which > ones to install. Is Terminal Services enabled? If so, log out all the other Terminal Server sessions, log out the console session, then log back in on the conso

Re: Restricted groups, where have you been....

On Fri, Apr 24, 2009 at 4:41 AM, James Rankin wrote: > The question which I am asking, when I get a spare minute, is why the > scanning software in use needs admin privs anyway. A bit of process > monitor should hopefully provide the answer ... Use LUA BugLight instead. It does the same thing

Re: Restricted groups, where have you been....

I've had a copy of that downloaded for a while now and have been meaning to give it a go...old (process monitor trawling) habits appear to die hard :-) 2009/4/24 Ben Scott > On Fri, Apr 24, 2009 at 4:41 AM, James Rankin > wrote: > > The question which I am asking, when I get a spare minute, is

Re: Windows 2008 64 Bit and Windows 32 bit drivers

Thanks. I actually did resolve my problem by using the HP Universal Print Driver and the Xerox Global Print driver. Terri Webb, Brian (Corp) said the following on 4/23/2009 12:23 PM: > From my response last week: > > -Original Message- > From: Webb, Brian (Corp) > Sent: Wednesday, April

Re: SQLServer 200 question - DTS to DMZ

I will try that. I'm not terribly familiar with SQLServer - my last major work on it was back in the 7.0 days, so I appreciate the help. Kurt On Fri, Apr 24, 2009 at 06:37, Andy Ognenoff wrote: > When you put the name in manually, are you sure it's not trying to use Named > Pipes instead of TCP

RE: Server OS opinion

What's the reasoning for no DHCP on a DC - besides the extra stuff you need to do to make DNS updates work correctly? We're a very small shop with only 1 domain/2 DCs and I'm implementing DHCP soon - again, migrating from Netware.  - Andy O. From: Ziots,

RE: Windows updates strrangeness

Thanks for offering. Though that didn't fix it, I'll do some more googling. Glen. From: James Rankin [mailto:kz2...@googlemail.com] Sent: Friday, April 24, 2009 9:55 AM To: NT System Admin Issues Subject: Re: Windows updates strrangeness I would stop Automatic Updates, remove the c:\wind

NOD32 V4 CFG File Share

Hey guys; Anyone out there using nod32 version 4 that has a good config file for server / clients they want to share? I thought it would be a good resource to have handy. Thx! Carlos Garcia-Moran Server / Storage Engineer Sprague Energy www.spragueenergy.com

RE: Server OS opinion

As long as you set the alternate creds for DDNS it's not really a big deal IMO. For something as small as Andy's shop it wouldn't really be economical cost/benefit wise to split it up I expect. Thanks, Brian Desmond br...@briandesmond.com c - 312.731.3132 Active Directory, 4th Ed - http://www.

RE: Server OS opinion

Agreed. FWIW my DC's are also DHCP servers in all my small biz (2 server) environments. Dave From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] Sent: Friday, April 24, 2009 9:13 AM To: NT System Admin Issues Subject: RE: Server OS opinion I may be missing something, but that articl

RE: Windows updates strrangeness

No term services on this one. Logged off and back on as admin and still no bubble. Thanks for the reply. Glen. -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Friday, April 24, 2009 10:25 AM To: NT System Admin Issues Subject: Re: Windows updates strrangeness On Fr

RE: Restricted groups, where have you been....

Completely agree with you. I don't think anyone is debating that common controls, well configured will corral the majority of users but it's the last .1% that require the most work. I believe the point Ken and I are making is that it not a panacea and is easier to bypass than ever before. At l

RE: Server OS opinion

The logic is you shouldn't be running anything else on your DC. That statement is nebulous. If I compromise WINS and run arbitrary code, I can own your AD. If I compromise DNS and run arbitrary code, I can own your AD. Anything that runs in the context of SYSTEM or NETWORK SERVICE on an RWDC pr

RE: Server OS opinion

I may be missing something, but that article didn't convince me. It says: "...[I]f you're running your DHCP server on a domain controller then an attacker who compromises your DHCP server gains access to your accounts database and can cause all sorts of further problems." That's true, but that'

RE: HP 6535b dual monitor dupport

We use Dell D620's with the docking station and external monitors. Using the video settings, they can have dual screens, one on the laptop and one on the external. Kind of a poor man's dual screen. Michael Johnson KBHIT\Westwood 310-893-7301 Off 310-806-5524 Cell From: Klint Price - A

RE: Windows updates strrangeness

Start Microsoft Update from IE choosing "custom". You wil be prompte and able to choose GuidoElia HELPPC _ Da: Glen Johnson [mailto:gjohn...@vhcc.edu] Inviato: venerdì 24 aprile 2009 18.23 A: NT System Admin Issues Oggetto: RE: Windows updates strrangeness Thanks for offering.

RE: ?? on VoIP

I don't use them myself (our darned Cisco guys got a hold of our VOIP project before I got to vote). I have used their products at former companies and they have great systems. One of the things I really like about Shoretel is the fact that they play nicely with others, i.e. - you can use Cisco

Re: Spotted this a couple of days ago...

On Fri, Apr 24, 2009 at 12:52 PM, Kurt Buff wrote: > http://piotrbania.com/all/kon-boot/ Interesting indeed. It basically looks equivalent to a bootable debugger with included pre-made macros to crack logon checks. The technology existed before, but this is the first freely downloadable thing

RE: Spotted this a couple of days ago...

Hehe. I've got a similar CD. Doesn't work with domain accounts, but it'll fix local account passwords, including Admin accounts. Note, that it does not do anything for encrypted file systems, so if you've forgotten your password for your encrypted HDD, you're out of luck! Windows will boot fine,

RE: Spotted this a couple of days ago...

pnordahl's solution has been available for years... http://home.eunet.no/pnordahl/ntpasswd/ Perhaps I'm missing something, but it reads to be the same thing. From: John Aldrich [jaldr...@blueridgecarpet.com] Sent: Friday, April 24, 2009 1:04 PM To:

RE: ?? on VoIP

+1 Ive managed the system at two separate companies and love it. From: Tim Vander Kooi [mailto:tvanderk...@expl.com] Sent: Friday, April 24, 2009 10:02 AM To: NT System Admin Issues Subject: RE: ?? on VoIP I don't use them myself (our darned Cisco guys got a hold of our VOIP project befor

RE: Server OS opinion

The alternate creds for DDNS was what I was referring to for the extra stuff comment. As long as there isn’t another reason, I think I’m comfortable with running it on the DC. Thanks.  - Andy O. From: Brian Desmond [mailto:br...@briandesmond.com] Sent: F

?? on VoIP

Hellos all. Anyone worked with, heard of, familiar with, recommend, etc etc. Shoretel? Hope you have a great weekend. CAR This e-Mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are

Spotted this a couple of days ago...

Gotta love security researchers... Haven't tried this yet, but it looks, well, *interesting*... http://piotrbania.com/all/kon-boot/ >From his announcement: "No special usage instructions are required for Windows users, just boot from Kon-Boot CD/Floppy, select your profile and put any passwor

Re: ?? on VoIP

On Fri, Apr 24, 2009 at 12:51 PM, Cesare' A. Ramos wrote: > Anyone worked with, heard of, familiar with, recommend, etc etc. Shoretel? I've heard of them. Several other people on this list recommend them. I believe I've seen complaints that they are expensive. -- Ben ~ Finally, powerful e

Re: ?? on VoIP

Not to hijack this but will OCS do IP phones or do you need an actual phone system of some kind in place and then it works with it? I will be looking into doing something soon for call accounting. A lot of federal grants require call accounting if you are billing them certain ways and we will mos

RE: ?? on VoIP

OCS is designed so that the client PC acts as the phone, but they do have 3rd party phones (Polycom for one) that you can plug into the network and log on to OCS ...Tim From: Jon Harris [mailto:jk.har...@gmail.com] Sent: Friday, April 24, 2009 10:31 AM To: NT System Admin Issues Subject: Re: ?

Re: Spotted this a couple of days ago...

It's not a Nordahl kinda thing - Nordahl changes passwords. This patches the Windows kernel at boot to bypass password checking. On Fri, Apr 24, 2009 at 10:04, Michael B. Smith wrote: > > > pnordahl's solution has been available for years... > > http://home.eunet.no/pnordahl/ntpasswd/ > > P

RE: Spotted this a couple of days ago...

Exactly what I was thinking. :-) -Original Message- From: Michael B. Smith [mailto:mich...@owa.smithcons.com] Sent: Friday, April 24, 2009 1:04 PM To: NT System Admin Issues Subject: RE: Spotted this a couple of days ago... pnordahl's solution has been available for years... ht

Re: Installing Acrobat with GP

Keywords and prhases. That depends. Effecitvely. On Fri, Apr 24, 2009 at 10:12 AM, Ben Scott wrote: > On Fri, Apr 24, 2009 at 8:46 AM, Jonathan Link > wrote: > > If you software deployment outlives the life cycle of the machine ... > > Typically our machines outlive the support life of the sof

ISP Info?

Anyone have experience with NuVox? Comments? Roger Wright Network Administrator Evatone, Inc. 727.572.7076 x388 _ "The older I get, the better I used to be." ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~

Re: ?? on VoIP

Okay not exactly what I was hoping but then this is way down the list for me at the moment. We have a 3com NBX system that is very functional but we did not purchase the software to do the auditing and dropped support several years ago so doing the upgrade and putting support back on the system wi

RE: ISP Info?

Experience with Nuvox yes. We were on and had a few clients on FDN, prior to they merged with Nuvox. We had great success both partner and service with FDN. With Nuvox, the service has been lacking both on the customer support and actual bandwidth. Again this is our experience. Currently we

RE: ?? on VoIP

+1 also at a former company. They make a solid system. From: Martin Blackstone [mailto:mblackst...@gmail.com] Sent: Friday, April 24, 2009 1:15 PM To: NT System Admin Issues Subject: RE: ?? on VoIP +1 Ive managed the system at two separate companies and love it. From: Tim Vander Kooi [mailto:tva

RE: ?? on VoIP

Depending on your needs and what features you have on your 3COM, there are ways to integrate OCS with your PBX and use OCS's call logging capability. For my Avaya system, we assign the user's extension to OCS, give them a "phantom" extension on the Avaya and use the EC500 (off station extension)

RE: Spotted this a couple of days ago...

My understanding is that it would protect against Peter Nordahl's utility. I don't know if it would protect against this other thing. -Original Message- From: David Lum [mailto:david@nwea.org] Sent: Friday, April 24, 2009 2:15 PM To: NT System Admin Issues Subject: RE: Spotted this

RE: NOD32 V4 CFG File Share

Lol yeah I was looking for a baseline, clearly no one would include their license info. -Original Message- From: Andy Ognenoff [mailto:andyognen...@gmail.com] Sent: Friday, April 24, 2009 2:17 PM To: NT System Admin Issues Subject: RE: NOD32 V4 CFG File Share Wouldn't that really depend

RE: ?? on VoIP

It can do either. With the release of OCS R2 it does work very nicely as a standalone phone system (they even make an OCS handset if you want them for users), while it can also be used tied to a different VOIP or PBX system. I wouldn't recommend OCS and the sole phone system for a +1000 installa

Re: ?? on VoIP

Thanks all. Jon On Fri, Apr 24, 2009 at 2:27 PM, Tim Vander Kooi wrote: > It can do either. > > With the release of OCS R2 it does work very nicely as a standalone phone > system (they even make an OCS handset if you want them for users), while it > can also be used tied to a different VOIP or

RE: ?? on VoIP - Email has different SMTP TO: and MIME TO: fields in the email addresses

FWIW, Mitel will play nicely with other IP phones as well. They also have a much longer track record than Shoretel does. Jonathan L. Raper, A+, MCSA, MCSE Technology Coordinator Eagle Physicians & Associates, PA www.eaglemds.comhttp://www.eaglemds.com/> From: Ce

RE: Spotted this a couple of days ago...

If you had disk encryption that would protect against this tool though yeah? Dave -Original Message- From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] Sent: Friday, April 24, 2009 10:43 AM To: NT System Admin Issues Subject: RE: Spotted this a couple of days ago... Exactly what I

RE: NOD32 V4 CFG File Share

Wouldn’t that really depend on your requirements? For example, we have one that I have been using that seems pretty solid but I don’t use the HTTP scanner at all. That and your license info is usually included in the client config. :)  - Andy O. From: G

Re: ?? on VoIP

We use Shoretel at $WORK. I helped implement it, and do some of the administration on it occasionally, and it's a very nice system. FAR less expensive than, say, Avaya or Cisco, and a very nice design. We migrated from a very old Nortel Meridian SL1 system (probably over 20 years old, maybe 30 y

Re: Spotted this a couple of days ago...

On Fri, Apr 24, 2009 at 2:15 PM, David Lum wrote: > If you had disk encryption that would protect against this tool though yeah? Disk encryption will protect you from a password editor, like pnordahl's ntpasswd utility. I don't think disk encryption will protect you from a runtime debugger/pat

RE: WS2008 R2 Active Directory Webcast - Friday 4/24

I want to personally thank Brian and Laura for that, I got to see most of it and there were some pretty cool features shown in regards to server 2008 R2 and Posh 2.0 (I'm excited about the powershell Integrated Scripting Environment) good stuff! John W. Cook Systems Administrator Partnership Fo

RE: WS2008 R2 Active Directory Webcast - Friday 4/24

Would like to see the recording. Please forward the details when it becomes available. Much appreciated! Don Guyer Systems Engineer - Information Services Prudential, Fox & Roach/Trident Group 431 W. Lancaster Avenue Devon, PA 19333 Direct: (610) 993-3299 Fax: (610) 650-5306 don.gu..

RE: path longer than 1023- actually only about 200 or less

I ran into a situation where I just did a simple ROBOCOPY /E (every subdir) of a VISTA HD I had removed from a laptop. There was some funny kind of file link (on all VISTA HD's) that fooled robocopy into creating a super long recursing directory much like Jack's. I was unable to delete the direct

Re: WS2008 R2 Active Directory Webcast - Friday 4/24

+2 Jon On Fri, Apr 24, 2009 at 4:42 PM, Matt Plahtinsky wrote: > +1 > > > On Fri, Apr 24, 2009 at 4:34 PM, Don Guyer wrote: > >> Would like to see the recording. Please forward the details when it >> becomes available. >> >> >> >> Much appreciated! >> >> >> >> Don Guyer >> >> Systems Engineer -

Re: SQLServer 200 question - DTS to DMZ

This worked. But, I needed to apply SP4 to SQLServer - whoever installed it didn't put any patches on SQLServer before putting it in the DMZ, so it wasn't listening on port 1433! IT'S CLOBBERIN' TIME! Sigh. On Fri, Apr 24, 2009 at 06:37, Andy Ognenoff wrote: > When you put the name in manually

At what point do you replace file servers with a NAS device?

Today, in the world of Server 2008, servers have VSRM reporting, flexible and granular soft/hard quotas, the ability to expand volumes, the ability to grow RAID containers (with the right RAID controller), the ability to participate in advanced 2003R2 style DFS replicas, and volume shadow copy to s

RE: What is Vmware thinking?

Yeah.. snaphunter or even better powershell works a treat!. Svmotion would have been cool in the gui but you can do that with powershell as well! -Original Message- From: Steven Peck [mailto:sep...@gmail.com] Sent: Saturday, 25 April 2009 6:43 AM To: NT System Admin Issues Subject: Re: Wh

Re: Spotted this a couple of days ago...

No, but Truecrypt != EFS, either, which was the context for that comment. On Fri, Apr 24, 2009 at 14:30, Mike Gill wrote: > If the computer boots to a Truecrypt boot loader, and waits for a valid > password to be supplied so that the disk can be decrypted and Windows may at > that point come into

Re: At what point do you replace file servers with a NAS device?

It depends on what you're trying to do in your situation. Keep in mind that a lot of the really cheap (ie under $2k US or so) NAS boxes are Linux or FreeBSD machines running Samba. As a result they aren't guaranteed to support something akin to VSS snapshots, will not participate in a NTFRS or DFS

RE: At what point do you replace file servers with a NAS device?

First off I would look at a product that offers SAN and NAS capabilities. You don't want to be locked into one thing. Eventually you may want to store SQL DB's or Exchange stores on there. Second, look at the software available with the devices. What can it do for you? Can it do snapshots, backups

Re: Spotted this a couple of days ago...

On Fri, Apr 24, 2009 at 5:30 PM, Mike Gill wrote: > If the computer boots to a Truecrypt boot loader, and waits for a valid > password to be supplied so that the disk can be decrypted and Windows may at > that point come into the picture and begin loading; you're saying this > defeats all that? It