More on user permissions in a 2K AD domain
IdeaWell
Posted: Mon Nov 15 08:55:40 PST 2004
Directory >> More on user permissions in a 2K AD domain
First, I would like to thank Gautam Anand, Oli Restorick, and Marco for
their feedback that has led to the following hypothesis.
Before I go off and attempt this and end up in a wild goose chase, is it
possible to create a user that has no login privileges, no resource access
and whatnot but can add computers to a domain? What I am wanting is to keep
the Domain Admins off of any workstation. I made the realization that the
computer only needs to be able to join a domain and then a *local* RunAs
Admin privilege combined with normal Domain User permissions is all that is
needed from then on for the remainder of the setup.
... or am I WAY off base?
And while I'm here, what are your feelings about Terminal Services running
on the DC? I'm thinking of not using TS on the DC at all and have only local
console access. (You might have guessed by now that I'm one of those
"abstinence is the only sure protection" kind of people.)
Thanks again in advance.
Eric
(cross-posted in: microsoft.public.win2000.active_directory and
microsoft.public.win2000.security due to relevancy.)

Lanwench
Posted: Mon Nov 15 08:55:40 PST 2004
Directory >> More on user permissions in a 2K AD domain
Eric H. Vela wrote:
> First, I would like to thank Gautam Anand, Oli Restorick, and Marco
> for their feedback that has led to the following hypothesis.
>
> Before I go off and attempt this and end up in a wild goose chase, is
> it possible to create a user that has no login privileges, no resource
> access and whatnot but can add computers to a domain? What I am
> wanting is to keep the Domain Admins off of any workstation. I made
> the realization that the computer only needs to be able to join a
> domain and then a *local* RunAs Admin privilege combined with normal
> Domain User permissions is all that is needed from then on for the
> remainder of the setup.
>
> ... or am I WAY off base?
Actually, I may be a little confused as to what you're trying to do, but
users themselves by default can join up to 10 computers to the domain.
What's your desired end goal here? You can delegate pretty much anything you
want to an account, but I'm not sure what you're trying to do.
>
> And while I'm here, what are your feelings about Terminal Services
> running on the DC? I'm thinking of not using TS on the DC at all and
> have only local console access. (You might have guessed by now that I'm
> one of those "abstinence is the only sure protection" kind of people.)
TS in admin mode is fine - if you mean in application mode, no, don't do it.
>
> Thanks again in advance.
> Eric
> (cross-posted in: microsoft.public.win2000.active_directory and
> microsoft.public.win2000.security due to relevancy.)
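Added example, not code from anyone in this thread: a read-only PowerShell audit of the default Lanwench refers to. Every authenticated user may join up to ms-DS-MachineAccountQuota (10 by default) computers, and a machine account created that way records the joining user's SID in mS-DS-CreatorSID, so a defender can tell quota joins from delegated or admin joins. It assumes the ActiveDirectory module (RSAT) on a domain-joined host with read access to the domain partition; nothing is changed unless the last line is uncommented.

```powershell
# Added example (not from the thread). Audits the "users can join up to 10 computers"
# default: reports the quota and which computer objects were created under it.
# Assumes the ActiveDirectory module is installed; read-only unless the last line is uncommented.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# A computer object created by an ordinary user under the quota carries the joiner's
# SID in mS-DS-CreatorSID. Objects created by accounts that hold the "Create Computer
# objects" right (admins or explicitly delegated accounts) leave the attribute empty.
$computers = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated

$quotaJoins = foreach ($c in $computers) {
    $raw = $c.'mS-DS-CreatorSID'
    if ($null -eq $raw) { continue }

    # The AD module normally hands back a SecurityIdentifier; older tooling returns raw bytes.
    $sid = if ($raw -is [byte[]]) {
        New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    } else {
        [System.Security.Principal.SecurityIdentifier]$raw
    }
    try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $creator = "$($sid.Value) (unresolved - account deleted?)" }

    [PSCustomObject]@{
        Computer = $c.Name
        Creator  = $creator
        Created  = $c.whenCreated
        Location = ($c.DistinguishedName -split ',', 2)[1]   # parent OU or container
    }
}

"`nComputers joined under the quota (no explicit delegation involved):"
$quotaJoins | Sort-Object Creator, Created | Format-Table -AutoSize

"Quota usage per user (each counts against the limit of $quota):"
$quotaJoins | Group-Object Creator | Sort-Object Count -Descending |
    Select-Object @{ n = 'Creator'; e = { $_.Name } }, Count | Format-Table -AutoSize

# To rely on explicit delegation only, set the quota to 0 (uncomment to apply):
# Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

The per-user summary is the useful part for Eric's situation: it shows which ordinary accounts have already joined machines, where those machines ended up, and how much of the ten-join allowance remains. Setting the quota to 0 removes the default and means every join has to come through a delegated account, which is the explicit model the later replies recommend.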

Eric
Posted: Mon Nov 15 11:41:43 PST 2004
Directory >> More on user permissions in a 2K AD domain
TS in admin mode is what I was referring to. I'm not sure I particularly
like the idea. But it WOULD make certain aspects of management easier since
the target server is offsite.
The target DC and Domain are in a situation of being only one server in the
domain serving as DC, User, File, DNS and SQL servers. I know this is not
the recommended set up, but my hands are tied on that front so I am setting
up a test situation identical to that and wish to lock down the server
tighter than Ft. Knox with the intention of applying the same to the
server/domain in production. Though I'm out in the middle of nowhere, it
seems this area is a target for server hacking -- either that or the average
sys admin isn't knowledgeable enough to protect their systems around these
parts. The current state of the target domain is poor on the security scale
and I intend to fix that as best as I can. Access to knowledgeable personnel
locally is limited so I'm pretty much on my own on this one.
As always, the weakest link in the target domain is the users. My hands are
also tied on the local access of the workstations, but I can set the server
to any privilege I desire. Still formerly, the sys admin had used the
primary Domain Admin (was still named Administrator) for all administration
things on the workstations, and I'm aware that Windows 2K caches login
information locally on the workstations, and this information may be hacked
giving information about how to attack the server more easily with higher
access. However, if the Domain Admin logins never happen on the workstation,
the cached information is not created. Right? So my aim is to keep as much
information about the domain and its admins off of the workstations as
possible. The situation may arise where one of the above mentioned,
unrestrictable, workstation users will want to add another computer to the
domain themselves. (Again, not my recommendation, but my hands are tied.)
So essentially, it's a bad situation that I'm trying to make the best of. I
want to protect the server as best as possible if (or rather, when) a
workstation gets hacked. It is the heart of their entire operation.
Eric
"Lanwench [MVP - Exchange]"
<EMail@HideDomain.com> wrote in message
news:EMail@HideDomain.com...
> Eric H. Vela wrote:
>> First, I would like to thank Gautam Anand, Oli Restorick, and Marco
>> for their feedback that has led to the following hypothesis.
>>
>> Before I go off and attempt this and end up in a wild goose chase, is
>> it possible to create a user that has no login privileges, no resource
>> access and whatnot but can add computers to a domain? What I am
>> wanting is to keep the Domain Admins off of any workstation. I made
>> the realization that the computer only needs to be able to join a
>> domain and then a *local* RunAs Admin privilege combined with normal
>> Domain User permissions is all that is needed from then on for the
>> remainder of the setup.
>>
>> ... or am I WAY off base?
>
> Actually, I may be a little confused as to what you're trying to do, but
> users themselves by default can join up to 10 computers to the domain.
> What's your desired end goal here? You can delegate pretty much anything
> you
> want to an account, but I'm not sure what you're trying to do.
>
>>
>> And while I'm here, what are your feelings about Terminal Services
>> running on the DC? I'm thinking of not using TS on the DC at all and
>> have only local console access. (You might have guessed by now that I'm
>> one of those "abstinence is the only sure protection" kind of people.)
>
> TS in admin mode is fine - if you mean in application mode, no, don't do
> it.
>
>>
>> Thanks again in advance.
>> Eric
>> (cross-posted in: microsoft.public.win2000.active_directory and
>> microsoft.public.win2000.security due to relevancy.)
>
>

Lanwench
Posted: Mon Nov 15 19:25:26 PST 2004
Directory >> More on user permissions in a 2K AD domain
Eric H. Vela wrote:
> TS in admin mode is what I was referring to. I'm not sure I
> particularly like the idea. But it WOULD make certain aspects of
> management easier since the target server is offsite.
>
> The target DC and Domain are in a situation of being only one server
> in the domain serving as DC, User, File, DNS and SQL servers. I know
> this is not the recommended set up, but my hands are tied on that
> front so I am setting up a test situation identical to that and wish
> to lock down the server tighter than Ft. Knox with the intention of
> applying the same to the server/domain in production.
Yes - if you're nervous about using TS just over the Internet, what about
using VPN to connect first & then use TS?
> Though I'm out
> in the middle of nowhere, it seems this area is a target for server
> hacking -- either that or the average sys admin isn't knowledgeable
> enough to protect their systems around these parts. The current state
> of the target domain is poor on the security scale and I intend to
> fix that as best as I can. Access to knowledgeable personnel locally
> is limited so I'm pretty much on my own on this one.
What kind of firewall protection do they have? Are they kept current on
patches?
>
> As always, the weakest link in the target domain is the users. My
> hands are also tied on the local access of the workstations, but I
> can set the server to any privilege I desire.
Why can't you get rid of users' local admin rights?
> Still formerly, the sys
> admin had used the primary Domain Admin (was still named
> Administrator) for all administration things on the workstations, and
> I'm aware that Windows 2K caches login information locally on the
> workstations, and this information may be hacked giving information
> about how to attack the server more easily with higher access.
Well...it's not like the password is just sitting there in clear text. Use
complex passwords, rename administrator to something else, force users to
use complex passwords & force regular pw changes.
> However, if the Domain Admin logins never happen on the workstation,
> the cached information is not created. Right?
Not really relevant, I think.
> So my aim is to keep as
> much information about the domain and its admins off of the
> workstations as possible. The situation may arise where one of the
> above mentioned, unrestrictable, workstation users will want to add
> another computer to the domain themselves. (Again, not my
> recommendation, but my hands are tied.)
They can, without having admin rights - users can add up to 10 PCs to the
domain.
>
> So essentially, it's a bad situation that I'm trying to make the best
> of. I want to protect the server as best as possible if (or rather,
> when) a workstation gets hacked. It is the heart of their entire
> operation.
Yes - so, firewall, patches, centralized AV, no local admin rights, no
"visitor" laptops, and good password policies will help mitigate this. I
would happily use TS in admin mode - with or without VPN as you choose.
Sticking another cheap & cheerful box to run as another DC would be a VERY
good idea, however.
>
> Eric
>
> "Lanwench [MVP - Exchange]"
> <EMail@HideDomain.com> wrote in
> message news:EMail@HideDomain.com...
>> Eric H. Vela wrote:
>>> First, I would like to thank Gautam Anand, Oli Restorick, and Marco
>>> for their feedback that has led to the following hypothesis.
>>>
>>> Before I go off and attempt this and end up in a wild goose chase,
>>> is it possible to create a user that has no login privileges, no
>>> resource access and whatnot but can add computers to a domain? What
>>> I am wanting is to keep the Domain Admins off of any workstation. I
>>> made the realization that the computer only needs to be able to
>>> join a domain and then a *local* RunAs Admin privilege combined
>>> with normal Domain User permissions is all that is needed from then
>>> on for the remainder of the setup.
>>>
>>> ... or am I WAY off base?
>>
>> Actually, I may be a little confused as to what you're trying to do,
>> but users themselves by default can join up to 10 computers to the
>> domain. What's your desired end goal here? You can delegate pretty
>> much anything you
>> want to an account, but I'm not sure what you're trying to do.
>>
>>>
>>> And while I'm here, what are your feelings about Terminal Services
>>> running on the DC? I'm thinking of not using TS on the DC at all and
>>> have only local console access. (You might have guessed by now that
>>> I'm one of those "abstinence is the only sure protection" kind of
>>> people.)
>>
>> TS in admin mode is fine - if you mean in application mode, no,
>> don't do it.
>>
>>>
>>> Thanks again in advance.
>>> Eric
>>> (cross-posted in: microsoft.public.win2000.active_directory and
>>> microsoft.public.win2000.security due to relevancy.)
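Added example, not code from either poster: a read-only PowerShell check, run as a local administrator on a workstation, of the points the two of them go back and forth on above. It reports whether the LM hash is still being stored, how many domain logons Windows caches locally, who is in the local Administrators group, and whether a member of Domain Admins has logged on interactively at this machine (Security event 4624). Get-RegValue is my own helper, the "OK" thresholds are my assumptions, and the Domain Admins lookup needs the ActiveDirectory module and is skipped without it.

```powershell
# Added example (not from the thread). Read-only workstation check: LM hash storage,
# cached domain logons, local Administrators membership, and interactive Domain Admin
# logons. Run as a local administrator. Get-RegValue and the OK thresholds are mine.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$noLmHash  = Get-RegValue $lsa 'NoLMHash'               # 1 = LM hash not stored at next password change
$lmCompat  = Get-RegValue $lsa 'LmCompatibilityLevel'   # 3 and above = client sends NTLMv2 only
$cached    = Get-RegValue $winlogon 'CachedLogonsCount' # REG_SZ; Windows treats absence as 10
$cachedEff = if ($null -eq $cached) { 10 } else { [int]$cached }

$findings = @(
    [PSCustomObject]@{ Check = 'NoLMHash';             Value = $noLmHash;  OK = ($noLmHash -eq 1) }
    [PSCustomObject]@{ Check = 'LmCompatibilityLevel'; Value = $lmCompat;  OK = ($lmCompat -ge 3) }
    [PSCustomObject]@{ Check = 'CachedLogonsCount';    Value = $cachedEff; OK = ($cachedEff -le 4) }
)
"Policy-relevant registry values:"
$findings | Format-Table -AutoSize

"Local Administrators membership (the 'no local admin rights' point):"
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# Interactive logons are what create the locally cached credential verifier that Eric is
# worried about. Logon types 2 (console), 10 (RDP) and 11 (cached) are the ones that do so.
$domainAdmins = $null
try {
    $domainAdmins = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive -ErrorAction Stop).SamAccountName
} catch {
    "ActiveDirectory module not available; skipping the Domain Admin logon check."
}
if ($domainAdmins) {
    $interactive = @('2', '10', '11')
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                -MaxEvents 2000 -ErrorAction SilentlyContinue
    $adminLogons = foreach ($e in $events) {
        # Flatten the EventData name/value pairs of each 4624 record into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($interactive -contains $data['LogonType'] -and $domainAdmins -contains $data['TargetUserName']) {
            [PSCustomObject]@{ Time = $e.TimeCreated; User = $data['TargetUserName']; LogonType = $data['LogonType'] }
        }
    }
    "Interactive Domain Admin logons among the last 2000 security events: $(@($adminLogons).Count)"
    $adminLogons | Format-Table -AutoSize
}
```

The three registry values are the machine-side view of Lanwench's advice: NoLMHash and LmCompatibilityLevel decide whether the weak LM form of the password ever exists or travels, and CachedLogonsCount bounds how many domain verifiers sit on the box at all (0 disables caching entirely, at the cost of no logon when the DC is unreachable). The event scan is the check that answers Eric's "Right?": if the count is zero, no Domain Admin has logged on here and nothing of theirs is cached.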

Roger
Posted: Tue Nov 16 00:55:28 PST 2004
Directory >> More on user permissions in a 2K AD domain
If you disable use of LM hashing of passwords via group policy
and you use a long, strong pass phrase for the admin accounts then
you really should not be concerned about caching left on uplevel
workstations due to a login (I assume admin accounts do not have
roaming profiles).
As Lanwench has indicated, users by default can add computers
to the domain up to ten times. If this is insufficient, adding computers
to the domain can be delegated so that they have no ten limit. As you
say you have no choice in this, you may want to make the best of it.
You may want to make sure that you either have basic sanity policy
settings for workstations in a domain linked GPO, or that you change
the default location for newly added computers so they end up in an
OU to which such a GPO is linked. With this, when a user adds a
workstation it will be subjected to your basic sanity policies right
from the start. Without either of these, a new computer ends up in
the Computers container to which only domain linked (assuming no
site linked) GPOs apply, and in the default, there are very few policy
settings made at the domain level.
As far as remote management of your server, there are those that
advocate managing the domain only when logged in at the physical
console (i.e. no TS). Given you are remote from the server and it
runs so much, it may be difficult for you to adjust to such a tight
practice. Notice that you can use the configuration settings of the
Tcp RDP connectoid within the TS Mgmt UI to configure exactly
which accounts are allowed to connect (as opposed to all admins
as is the default), and that there are quite a few policies that may
be used via GPO in the TS adm template which allow you to set
heightened security aspects, like encryption strength, etc.
As to your initial question, whether such an account can be defined,
if I understand you correctly, then the answer is no, it cannot. In
order for an account to be of any use at all it must have access to
a fair amount of binaries in the Windows directory, to a profile,
etc. So, not being too sure what you are envisioning, it sounds as
if you want an account that is so severely crippled that it would not
be allowed a login session and/or network connection. But then
again, I do not see what is the need given that users can add computers
to the domain. What you thus really need to do is to protect user accounts
from being misappropriated.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Eric H. Vela" <EMail@HideDomain.com> wrote in message
news:EMail@HideDomain.com...
> TS in admin mode is what I was referring to. I'm not sure I particularly
> like the idea. But it WOULD make certain aspects of management easier since
> the target server is offsite.
>
> The target DC and Domain are in a situation of being only one server in the
> domain serving as DC, User, File, DNS and SQL servers. I know this is not
> the recommended set up, but my hands are tied on that front so I am setting
> up a test situation identical to that and wish to lock down the server
> tighter than Ft. Knox with the intention of applying the same to the
> server/domain in production. Though I'm out in the middle of nowhere, it
> seems this area is a target for server hacking -- either that or the average
> sys admin isn't knowledgeable enough to protect their systems around these
> parts. The current state of the target domain is poor on the security scale
> and I intend to fix that as best as I can. Access to knowledgeable personnel
> locally is limited so I'm pretty much on my own on this one.
>
> As always, the weakest link in the target domain is the users. My hands are
> also tied on the local access of the workstations, but I can set the server
> to any privilege I desire. Still formerly, the sys admin had used the
> primary Domain Admin (was still named Administrator) for all administration
> things on the workstations, and I'm aware that Windows 2K caches login
> information locally on the workstations, and this information may be hacked
> giving information about how to attack the server more easily with higher
> access. However, if the Domain Admin logins never happen on the workstation,
> the cached information is not created. Right? So my aim is to keep as much
> information about the domain and its admins off of the workstations as
> possible. The situation may arise where one of the above mentioned,
> unrestrictable, workstation users will want to add another computer to the
> domain themselves. (Again, not my recommendation, but my hands are tied.)
>
> So essentially, it's a bad situation that I'm trying to make the best of. I
> want to protect the server as best as possible if (or rather, when) a
> workstation gets hacked. It is the heart of their entire operation.
>
> Eric
>
> "Lanwench [MVP - Exchange]"
> <EMail@HideDomain.com> wrote in message
> news:EMail@HideDomain.com...
> > Eric H. Vela wrote:
> >> First, I would like to thank Gautam Anand, Oli Restorick, and Marco
> >> for their feedback that has led to the following hypothesis.
> >>
> >> Before I go off and attempt this and end up in a wild goose chase, is
> >> it possible to create a user that has no login privleges, no resource
> >> access and whatnot but can add computers to a domain? What I am
> >> wanting is to keep the Domain Admins off of any workstation. I made
> >> the realization that the computer only needs to be able to join a
> >> domain and then a *local* RunAs Admin privilege combined with normal
> >> Domain User permissions is all that is needed from then on for the
> >> remainder of the setup.
> >>
> >> ... or am I WAY off base?
> >
> > Actually, I may be a little confused as to what you're trying to do, but
> > users themselves by default can join up to 10 computers to the domain.
> > What's your desired end goal here? You can delegate pretty much anything
> > you
> > want to an account, but I'm not sure what you're trying to do.
> >
> >>
> >> And while I'm here, what are your feelings about Terminal Services
> >> running on the DC? I'm thinking of not using TS on the DC at all and
> >> have only local console access. (You might have guess by now that I'm
> >> one of those "abstinence is the only sure protection" kind of people.)
> >
> > TS in admin mode is fine - if you mean in application mode, no, don't do
> > it.
> >
> >>
> >> Thanks again in advance.
> >> Eric
> >> (cross-posted in: microsoft.public.win2000.active_directory and
> >> microsoft.public.win2000.security due to relevancy.)
> >
> >
>
>
Anthony
Posted: Tue Nov 16 06:15:55 PST 2004
Directory >> More on user permissions in a 2K AD domain
You can give any user or group the ability to join computers to the domain
by delegating the appropriate rights in AD.
To finish a build they would need to be local admins of the PC. You can
achieve that by using Group Policy Restricted Groups to make a group a
member of the Local Admins group. No need to have Domain Admin rights at all
in building or supporting PCs.
Console access only on the DC is fine, but that means the server must be
accessible. Maybe someone will power it off or knock the LAN cable out.
Locked in a server room with TS access in Administration mode gives you more
physical security.
Anthony
"Eric H. Vela" <EMail@HideDomain.com> wrote in message
news:%EMail@HideDomain.com...
> First, I would like to thank Gautam Anand, Oli Restorick, and Marco for
> their feedback that has led to the following hypothesis.
>
> Before I go off and attempt this and end up in a wild goose chase, is it
> possible to create a user that has no login privileges, no resource access
> and whatnot but can add computers to a domain? What I am wanting is to keep
> the Domain Admins off of any workstation. I made the realization that the
> computer only needs to be able to join a domain and then a *local* RunAs
> Admin privilege combined with normal Domain User permissions is all that is
> needed from then on for the remainder of the setup.
>
> ... or am I WAY off base?
>
> And while I'm here, what are your feelings about Terminal Services running
> on the DC? I'm thinking of not using TS on the DC at all and have only local
> console access. (You might have guessed by now that I'm one of those
> "abstinence is the only sure protection" kind of people.)
>
> Thanks again in advance.
> Eric
> (cross-posted in: microsoft.public.win2000.active_directory and
> microsoft.public.win2000.security due to relevancy.)
>
>
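One way to carry out the delegation Anthony describes, and to close the default "10 computers per user" join right that Lanwench mentions, as an added example that is not part of the thread. It uses the later ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 or newer, not the Windows 2000/2003-era tools the posters had); the OU name and the group name are assumptions.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module.
# "OU=Workstations" and the group "WorkstationJoiners" are placeholders.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$joinerOU = "OU=Workstations,$($domain.DistinguishedName)"   # assumed OU
$joiners  = Get-ADGroup "WorkstationJoiners"                  # assumed group

# Schema GUID of the 'computer' object class; it is the same in every forest.
$computerClass = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"

# 1. Delegate only Create/Delete of computer objects under the OU.
#    The creator becomes owner of each object it creates, so this is enough
#    for the group to join machines it adds itself (pre-staged objects
#    would need further rights on those objects).
$acl  = Get-Acl -Path "AD:\$joinerOU"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $joiners.SID,
    ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$joinerOU" -AclObject $acl

# 2. Remove the implicit right every authenticated user has to join up to
#    10 machines, so only the delegated group (and admins) can add computers.
Set-ADObject -Identity $domain.DistinguishedName `
             -Replace @{ "ms-DS-MachineAccountQuota" = 0 }

# 3. Verify: list every trustee that can create computer objects in the OU,
#    which is the check to repeat after any future delegation change.
(Get-Acl -Path "AD:\$joinerOU").Access |
    Where-Object { $_.ObjectType -eq $computerClass -and
                   $_.ActiveDirectoryRights -match "CreateChild" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Membership of the delegated group in the workstations' local Administrators group is still done with the Restricted Groups policy Anthony mentions; this script only covers the directory side.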