| Author | Messages | |
Gabrie
Posts:14
 | | 05/18/2008 1:38 PM |
| Hi
Someone really fucked up and created a Group Policy that set the restricted admins group on all servers to EMPTY and indeed, now all our servers have an empty local admins group. Is there an easy way to recover which accounts / groups were members of the local admins on each server? I guess the ADir backup will not contain this info because it is on the local machines.
Gabrie
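The record the thread is missing is an inventory of local Administrators membership taken before the policy hit. The script below is an added example, not something posted by anyone in this thread: it writes every member of each server's local Administrators group to a dated CSV and can re-add members from that file once the offending policy has been removed. It is Windows PowerShell (Get-WmiObject and the WinNT ADSI provider, which exist on the 2003/2008-era servers discussed here); the server names and the C:\Inventory path are constructed placeholders.

```powershell
# Added example (not from the thread): capture and restore local Administrators
# membership so a bad Restricted Groups policy can be undone from a record.
# Assumes an account with admin rights on each server and RPC reachability.
# Server names and the output path used below are placeholders.

function Get-LocalAdminMembership {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        try {
            # Resolve the group by its well-known SID: the name "Administrators"
            # is localised on non-English installs.
            $grp = Get-WmiObject -Class Win32_Group -ComputerName $computer `
                   -Filter "LocalAccount=True AND SID='S-1-5-32-544'" -ErrorAction Stop
            $adsiGroup = [ADSI]"WinNT://$computer/$($grp.Name),group"

            foreach ($member in @($adsiGroup.psbase.Invoke('Members'))) {
                $type = $member.GetType()
                [pscustomobject]@{
                    Computer  = $computer
                    GroupName = $grp.Name
                    Member    = $type.InvokeMember('Name',    'GetProperty', $null, $member, $null)
                    ADsPath   = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
                    Class     = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)
                    Captured  = (Get-Date).ToString('s')
                }
            }
        }
        catch {
            Write-Warning "$computer : $($_.Exception.Message)"
        }
    }
}

function Export-LocalAdminInventory {
    param([Parameter(Mandatory)][string[]]$ComputerName,
          [string]$OutDir = 'C:\Inventory')     # placeholder path
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $file = Join-Path $OutDir ("LocalAdmins-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))
    Get-LocalAdminMembership -ComputerName $ComputerName |
        Export-Csv -Path $file -NoTypeInformation
    $file
}

function Restore-LocalAdminMembership {
    # Re-adds recorded members that are no longer present. Run this only after
    # the errant policy is gone, or Restricted Groups empties the group again
    # at the next refresh.
    param([Parameter(Mandatory)][string]$InventoryFile, [switch]$WhatIf)

    Import-Csv $InventoryFile | Group-Object Computer | ForEach-Object {
        $computer  = $_.Name
        $rows      = $_.Group
        $adsiGroup = [ADSI]"WinNT://$computer/$($rows[0].GroupName),group"
        $current   = @($adsiGroup.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
        foreach ($row in $rows) {
            if ($current -contains $row.ADsPath) { continue }
            if ($WhatIf) { "Would add $($row.ADsPath) to $computer"; continue }
            $adsiGroup.psbase.Invoke('Add', $row.ADsPath)   # IADsGroup::Add
            "Added $($row.ADsPath) to $computer"
        }
    }
}

# Usage with constructed server names:
# $file = Export-LocalAdminInventory -ComputerName 'SRV01', 'SRV02'
# Restore-LocalAdminMembership -InventoryFile $file -WhatIf
```

Scheduling the export daily gives you the "pre change state" that neither the GPO nor the local event log keeps; the restore step compares ADsPaths (for example WinNT://DOMAIN/Server Admins), so domain groups and local accounts are both re-added.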
| | | |
| neilruston
Posts:155
 | | 05/18/2008 1:40 PM |
| My immediate reaction is:
1. Perform a system state restore on all affected servers
2. Your post may be filtered by some mail systems due to your <cough> colourful language! [I removed the offending word so my message isn't blocked on the way out!]
neil
| | | |
| sbradcpa
Posts:320
 | | 05/18/2008 1:40 PM |
| Would the group policy tool included in MDOP have done this? As I understand that tool does allow this?
joe wrote:
> I love the bluntness.
>
> No AD does not maintain this info for you and I don't believe the GPO is smart enough to log the info for you either so you could scrape it and put it back... I mean seriously... who would ever want to undo a policy and return to previous state..... <eg>
>
> Was it successful in removing the local Administrator ID? I have not seen GPOs succeed at that though have seen some occasions of trying. My recollection of that is that the policy keeps trying to do it and keeps failing and in the meanwhile leaks some important memory resources along the way until the box starts saying "out of resources".
>
> System State restores will be your option other than having the owners come forth and let you know what they own.... Many companies, but not all, keep some sort of DB of all of their servers and pertinent info like who manages the servers which would be handy right now as well.
>
> joe
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] *On Behalf Of *Gabrie
> *Sent:* Friday, May 09, 2008 6:14 AM
> *To:* activedir
> *Subject:* [ActiveDir] All local admin groups have been cleand :-(
>
> Hi
>
> Someone really xxx up and created a Group Policy that set the restricted admins group on all servers to EMPTY and indeed, now all our servers have an empty local admins group. Is there an easy way to recover which accounts / groups were member of the local admins on each server? I guess the ADir backup will not containt this info because it is on the local machines.
>
> Gabrie
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
| | | |
| darren
Posts:168
 | | 05/18/2008 1:45 PM |
| Actually, for stuff like restricted groups, if the policy no longer applies, the previous group membership (that which was applied on the local machine) should be returned. That won't give you any discretionary groups that you added beyond that, but you should at least get the defaults back. Of course, in the case of the local Administrators group, that's not very meaningful :-)
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Friday, May 09, 2008 6:46 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] All local admin groups have been cleand :-(
I love the bluntness. 
No AD does not maintain this info for you and I don't believe the GPO is smart enough to log the info for you either so you could scrape it and put it back... I mean seriously... who would ever want to undo a policy and return to previous state..... <eg>
Was it successful in removing the local Administrator ID? I have not seen GPOs succeed at that though have seen some occasions of trying. My recollection of that is that the policy keeps trying to do it and keeps failing and in the meanwhile leaks some important memory resources along the way until the box starts saying "out of resources".
System State restores will be your option other than having the owners come forth and let you know what they own.... Many companies, but not all, keep some sort of DB of all of their servers and pertinent info like who manages the servers which would be handy right now as well.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
| listmail
Posts:463
 | | 05/18/2008 1:45 PM |
| New AD Permission: Allow GPO Update but only after Backup of GPO

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: Friday, May 09, 2008 10:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] All local admin groups have been cleand :-(
Well, AGPM is just a change control tool around GPOs. If the group memberships had previously been managed via GP, then yes, you could use AGPM to roll back the errant GPO. But frankly, you don't need AGPM to perform backups and restores of a GPO, GPMC has that basic capability. All GPOs should be backed up prior to editing. What a tool like AGPM might have done for them is encouraged their admins to make changes to GPOs only through that tool, but if you have sufficient rights, you can get around it.
Frankly, I would not give anyone rights to edit any GPO if they are not first backing up the GPO. Its just asking for trouble.
Darren
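Darren's rule that every GPO is backed up before it is edited, and joe's wish for an "update only after backup" permission, as an added example that is not from the thread: a wrapper that takes a pre-change backup (plus an HTML report of the settings) with the GroupPolicy module before running the edit, and restores the backup if the edit throws. The GroupPolicy module ships with Windows Server 2008 R2 and RSAT, so it postdates this 2008 thread, where the same backup was done from the GPMC GUI or its scripts; the GPO name 'Server Baseline', the registry key and the C:\GPOBackups path are placeholders. Note that a GPO backup records the Restricted Groups settings themselves, not the membership those settings overwrote on each server.

```powershell
# Added example (not from the thread): never change a GPO without a backup first.
# Requires the GroupPolicy module (Server 2008 R2 / RSAT). Names and paths below
# are placeholders.
Import-Module GroupPolicy

function Invoke-GpoChangeWithBackup {
    param(
        [Parameter(Mandatory)][string]$Name,          # GPO display name
        [Parameter(Mandatory)][scriptblock]$Change,   # receives the GPO object
        [string]$BackupRoot = 'C:\GPOBackups',        # placeholder path
        [string]$Comment    = "Pre-change backup by $env:USERNAME"
    )

    $gpo = Get-GPO -Name $Name -ErrorAction Stop
    $dir = Join-Path $BackupRoot ("{0}-{1:yyyyMMdd-HHmmss}" -f $gpo.Id, (Get-Date))
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Backup-GPO captures the whole GPO, including the security template that
    # holds Restricted Groups, and returns a GpoBackup object with the backup Id.
    $backup = Backup-GPO -Guid $gpo.Id -Path $dir -Comment $Comment -ErrorAction Stop

    # A human-readable report sits beside the backup so reviewers can see what
    # the policy did (e.g. which group it emptied) without importing it.
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $dir 'report.html')

    try {
        & $Change $gpo
    }
    catch {
        Write-Warning "Change to '$Name' failed; restoring backup $($backup.Id): $_"
        Restore-GPO -BackupId $backup.Id -Path $dir -ErrorAction Stop | Out-Null
        throw
    }
    $backup
}

# Usage: the edit runs only after the backup exists on disk.
# Invoke-GpoChangeWithBackup -Name 'Server Baseline' -Change {
#     param($gpo)
#     Set-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\Software\Contoso' `
#         -ValueName 'ExampleFlag' -Type DWord -Value 1
# }
#
# Rolling back an errant GPO later, from the newest backup in a folder:
# Restore-GPO -Name 'Server Baseline' -Path 'C:\GPOBackups\<gpo-id>-<stamp>'
```

Restore-GPO returns the GPO to the backed-up settings; whether the servers then recover their local memberships is the separate question Darren answers in the thread (only what the local machine cached comes back).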
| | | |
| Gabrie
Posts:14
 | | 05/18/2008 1:45 PM |
| Everyone thanks for the replies. They have decided to just go for hard labor and recreate all group memberships by hand.... :-(
Somehow, I have the feeling, we'll be looking at stricter rights to edit GPO's next week :-)
Gabrie
| | | |
| ZJORZ
Posts:100
 | | 05/18/2008 1:45 PM |
| Not tested this.....
What happens when you remove the GPO. Are the default groups re-added to the groups or do the local groups remain empty? The CUSTOM members of those local groups are, well....ehhh....ehhh... bye bye, because that info is (as you said) stored on the local servers
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Consultant
MVP Identity & Access - Directory Services
Oxford Computer Group Benelux | +31 (0)6 26.26.62.80 | +31 (0)33 454.69.50 | fax +31 (0)33 454.66.66 | Hardwareweg 4, 3821BM Amersfoort, The Netherlands | www.oxfordcomputergroup.com | Expertise in Identity & Access Management
________________________________________________________________
MVP Profile: https://mvp.support.microsoft.com/profile/jorge1
MVP Home Site: https://mvp.support.microsoft.com/
MVP Overview: https://mvp.support.microsoft.com/mvpexecsum
BLOG: http://blogs.dirteam.com/blogs/jorge/default.aspx
________________________________________________________________
| | | |
| habr
Posts:25
 | | 05/18/2008 1:50 PM |
| Interesting ....
I could have sworn that I have read in this list where GPO induced actions are not changed unless a follow on GPO is applied actually changing them. So, if that is true, and the original GPO whacked/changed something, are you saying that in some cases, what was whacked/changed, can be replaced with something else WITH NO FOLLOW ON GPO APPLIED?
Where would that be written?
RH ______________________________
-----Original Message----- From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]On Behalf Of Darren Mar-Elia Sent: 09 May, 2008 12:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] All local admin groups have been cleand :-(
Jorge-
Yes, that was what I mentioned earlier. Any locally defined group memberships do get reverted. That much is cached by the local machine.
Darren
| | | |
| AFidel
Posts:71
 | | 05/18/2008 1:50 PM |
| Nah, just change GPMC so it does it automatically. In fact since AD is based on a DB I think we should put the GPO's into AD so we can use a rollback operation, the file share should just be a view into the DB (kind of like the Exchange share of old but without the stupidity of allowing changes to the DB through the share =)
Andrew
| | | |
| jw1
Posts:0
 | | 05/18/2008 1:50 PM |
| There are a few products on market that will store GPO config in SQL...makes testing/migrating them across forests MUCH easier. Change management and delegated permission/proxy permission, too - similar to ActiveRoles.
Only seen technical details on NetIQ's product. I know Quest has a similar tool...
--James
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: Friday, May 09, 2008 1:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] All local admin groups have been cleand :-(
Interesting notion. I would actually go the other direction however. Given the wide variety of configuration data that a GPO can contain today, I think AD is a lousy store for it. I think GP should be de-coupled entirely from AD, except as a targeting mechanism.
Darren
| | | |
| darren
Posts:168
 | | 07/16/2008 5:03 PM |
| I tend to agree, especially as it relates to configuration management. Configuration across an environment is an extremely rich and complex set of data. You need something that can flexibly store, model and deliver that independent of "artificial" boundaries like domains. Think about those one off DMZ-servers, workstations or remote home systems that you would like to manage today via GP, but that aren't available to that because of the domain requirements.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe Sent: Friday, May 09, 2008 11:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] All local admin groups have been cleand :-(
I would agree with this... Either pull it fully into AD and store the data there versus SYSVOL (which is a bad idea really, you don't need that bloat in the DIT) or better, yank it all out of AD and just remove SYSVOL (excluding maybe the netlogon share) entirely. Maybe drop FRS/DFSR entirely on the DCs (have to think about the legacy logon scripts for a bit... do we really need multimaster replication for that alone? I say nay...) and then realistically you could even set it up so the targeting was done through ADAM or AD which might open up some additional options including GPO implementation without necessarily needing an AD domain or cross forest GPOs. I think long term the Domain is going to go the way of the dodo bird but I am just tossing out guesses...
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
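joe's point stands: once a Restricted Groups template has been applied, neither AD nor the GPO engine holds the previous membership, so the place to catch this is before the template is linked. The check below is an added example (not code from the thread or from any of the posters) that parses the `[Group Membership]` section of a security template in GptTmpl.inf syntax and flags a template that enforces an empty member list on the local Administrators group (well-known SID S-1-5-32-544), or one that drops a group you require. Both sample templates and the `CORP\ServerAdmins` group name are constructed for the example.

```python
"""Pre-link sanity check for a Restricted Groups security template.
Added example, not from the thread; the templates below are constructed."""

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group


def restricted_groups(inf_text):
    """Parse the [Group Membership] section of a GptTmpl.inf and return
    {group: [members]} for every '<group>__Members' entry.

    An entry whose value is empty means 'enforce an empty member list',
    which is exactly what wiped every server in this thread.
    '__Memberof' entries (group nesting) are ignored here."""
    groups = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Group Membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if not key.endswith("__Members"):
            continue
        group = key[:-len("__Members")].lstrip("*")   # SIDs are written with a leading '*'
        members = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
        groups[group] = members
    return groups


def check_template(inf_text, required=()):
    """Return a list of findings for the local Administrators group.
    `required` (hypothetical, e.g. your server-admin group) must remain
    a member whenever the template manages Administrators at all."""
    findings = []
    for group, members in restricted_groups(inf_text).items():
        if group.upper() != ADMINISTRATORS_SID:
            continue
        if not members:
            findings.append("Administrators __Members is empty: linking this will strip every server's local admins")
        else:
            present = {m.lower() for m in members}
            missing = [r for r in required if r.lower() not in present]
            if missing:
                findings.append("Administrators __Members drops required member(s): " + ", ".join(missing))
    return findings


# Constructed templates in GptTmpl.inf syntax (hypothetical group names / SIDs).
BAD_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members =
"""

GOOD_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CORP\\ServerAdmins,*S-1-5-21-1111-2222-3333-512
*S-1-5-32-555__Members = CORP\\HelpDesk
"""

if __name__ == "__main__":
    for name, tmpl in (("bad", BAD_TEMPLATE), ("good", GOOD_TEMPLATE)):
        print(name, check_template(tmpl, required=["CORP\\ServerAdmins"]) or ["ok"])
```

On disk the template lives under the GPO's `Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` in SYSVOL and is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text in. Running this as a change-control gate is cheap; recovering from the result of skipping it, as this thread shows, is not.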
| danholme
Posts:134
 | | 07/16/2008 5:03 PM |
| No. Logging at the LOCAL SYSTEM level would have to be on, and even then it does not have "pre change state" "post change state" information... just "a change was made."
Even AD didn't have that level of detail until WS2008.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Kamlesh Parmar Sent: Friday, May 09, 2008 8:53 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] All local admin groups have been cleand :-(
Correct me if I am wrong.
IF Account Management auditing is enabled, wouldn't addition or removal of members from a group be logged in the security eventlog? Thus able to revert back to original membership state using that info?
-- Kamlesh
On Fri, May 9, 2008 at 3:43 PM, Gabrie <thegabeman@gmail.com> wrote:
Hi
Someone really fucked up and created a Group Policy that set the restricted admins group on all servers to EMPTY and indeed, now all our servers have an empty local admins group. Is there an easy way to recover which accounts / groups were member of the local admins on each server? I guess the ADir backup will not contain this info because it is on the local machines.
Gabrie
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Argue for your limitations, and sure enough, they're yours. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| ZJORZ
Posts:100
 | | 07/16/2008 5:03 PM |
| Apologies. Did not want to repeat your answer. Just got home and the OP's question was the first I saw thinking it just came in. (later on I saw it already answered)
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Consultant
MVP Identity & Access - Directory Services
Oxford Computer Group Benelux | +31 (0)6 26.26.62.80 | +31 (0)33 454.69.50 | +31 (0)33 454.66.66 | Hardwareweg 4, 3821BM Amersfoort, The Netherlands | www.oxfordcomputergroup.com | Expertise in Identity & Access Management
________________________________________________________________
MVP Profile: https://mvp.support.microsoft.com/profile/jorge1
MVP Home Site: https://mvp.support.microsoft.com/
MVP Overview: https://mvp.support.microsoft.com/mvpexecsum
BLOG: http://blogs.dirteam.com/blogs/jorge/default.aspx
________________________________________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia Sent: Friday, May 09, 2008 18:57 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] All local admin groups have been cleand :-(
Jorge-
Yes, that was what I mentioned earlier. Any locally defined group memberships do get reverted. That much is "cached" by the local machine.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jorge de Almeida Pinto Sent: Friday, May 09, 2008 9:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] All local admin groups have been cleand :-(
Not tested this.....
What happens when you remove the GPO. Are the default groups re-added to the groups or do the local groups remain empty? The CUSTOM members of those local groups are, well....ehhh....ehhh... bye bye, because that info is (as you said) stored on the local servers
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Consultant
MVP Identity & Access - Directory Services
Oxford Computer Group Benelux | +31 (0)6 26.26.62.80 | +31 (0)33 454.69.50 | +31 (0)33 454.66.66 | Hardwareweg 4, 3821BM Amersfoort, The Netherlands | www.oxfordcomputergroup.com | Expertise in Identity & Access Management
________________________________________________________________
MVP Profile: https://mvp.support.microsoft.com/profile/jorge1
MVP Home Site: https://mvp.support.microsoft.com/
MVP Overview: https://mvp.support.microsoft.com/mvpexecsum
BLOG: http://blogs.dirteam.com/blogs/jorge/default.aspx
________________________________________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabrie Sent: Friday, May 09, 2008 12:14 To: activedir Subject: [ActiveDir] All local admin groups have been cleand :-(
Hi
Someone really fucked up and created a Group Policy that set the restricted admins group on all servers to EMPTY and indeed, now all our servers have an empty local admins group. Is there an easy way to recover which accounts / groups were member of the local admins on each server? I guess the ADir backup will not contain this info because it is on the local machines.
Gabrie
| | | |
| kamleshap
Posts:27
 | | 07/16/2008 5:03 PM |
| :-) ohh I meant on local system only i.e. on member servers where GPO fouled up membership.
I think you are confusing "change was made" case of any account property set like modifying description of account with membership changes in group.
In all NORMAL cases of membership change, there is an event logged: 636 for addition and 637 for removal.
In this case : pre change state would be known by gathering all 637 events with all accounts removed.
I might be wrong in the case of "restricted group" functionality.
And all of it is moot, as Darren said, membership is reverted, after GPO moving out of scope. -- Kamlesh
Argue for your limitations, and sure enough, they're yours. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Sat, May 10, 2008 at 12:43 AM, Dan Holme <dan.holme@intelliem.com> wrote:
> No. Logging at the LOCAL SYSTEM level would have to be on, and even then it does not have "pre change state" "post change state" information… just "a change was made."
>
> Even AD didn't have that level of detail until WS2008.
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Kamlesh Parmar
> Sent: Friday, May 09, 2008 8:53 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] All local admin groups have been cleand :-(
>
> Correct me if I am wrong.
>
> IF Account Management auditing is enabled, wouldn't addition or removal of members from a group be logged in the security eventlog? Thus able to revert back to original membership state using that info?
>
> --
> Kamlesh
>
> On Fri, May 9, 2008 at 3:43 PM, Gabrie <thegabeman@gmail.com> wrote:
>
> Hi
>
> Someone really fucked up and created a Group Policy that set the restricted admins group on all servers to EMPTY and indeed, now all our servers have an empty local admins group. Is there an easy way to recover which accounts / groups were member of the local admins on each server? I guess the ADir backup will not contain this info because it is on the local machines.
>
> Gabrie
>
> --
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Argue for your limitations, and sure enough, they're yours. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| listmail
Posts:463
 | | 07/16/2008 5:03 PM |
| "And all of it is moot, as Darren said, membership is reverted, after GPO moving out of scope."
I don't think that is exactly what Darren said... If that were the case, this would be an easy fix right? I think it is a "membership is sort of reverted..."
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Kamlesh Parmar Sent: Friday, May 09, 2008 3:47 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] All local admin groups have been cleand :-(
:-) ohh I meant on local system only i.e. on member servers where GPO fouled up membership.
I think you are confusing "change was made" case of any account property set like modifying description of account with membership changes in group.
In all NORMAL cases of membership change, there is an event logged: 636 for addition and 637 for removal.
In this case : pre change state would be known by gathering all 637 events with all accounts removed.
I might be wrong in the case of "restricted group" functionality.
And all of it is moot, as Darren said, membership is reverted, after GPO moving out of scope. -- Kamlesh
Argue for your limitations, and sure enough, they're yours. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Sat, May 10, 2008 at 12:43 AM, Dan Holme <dan.holme@intelliem.com> wrote:
No. Logging at the LOCAL SYSTEM level would have to be on, and even then it does not have "pre change state" "post change state" information… just "a change was made."
Even AD didn't have that level of detail until WS2008.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Kamlesh Parmar Sent: Friday, May 09, 2008 8:53 AM
To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] All local admin groups have been cleand :-(
Correct me if I am wrong.
IF Account Management auditing is enabled, wouldn't addition or removal of members from a group be logged in the security eventlog? Thus able to revert back to original membership state using that info?
-- Kamlesh
On Fri, May 9, 2008 at 3:43 PM, Gabrie <thegabeman@gmail.com> wrote:
Hi
Someone really fucked up and created a Group Policy that set the restricted admins group on all servers to EMPTY and indeed, now all our servers have an empty local admins group. Is there an easy way to recover which accounts / groups were member of the local admins on each server? I guess the ADir backup will not contain this info because it is on the local machines.
Gabrie
--
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Argue for your limitations, and sure enough, they're yours. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| amulnick
Posts:138
 | | 07/16/2008 5:13 PM |
| What are the chances that audit level exists on the workstations if the
change control that allowed the errant GPO to be implemented was in the
state it was? Could have happened, but it would be the rare exception that
both that level and the event log sizing was in place prior to this
happening.
On another note, both you and joe raise some interesting thoughts on GPO. I
think I like the idea of it being separate and therefore easily crossing the
boundaries, but I'd be pretty upset if it required a new product to be
purchased, licensed etc. It's one of the big differentiators from using a
linux directory service in my mind. There are many, but that's a big one.
It would also have to be able to live harmoniously on domain controllers of
all shapes and sizes even if it were decoupled. I for one am still in favor
of the idea of domain controllers that can withstand network outages and
still function.
My $0.06 worth.
-ajm
On Fri, May 9, 2008 at 3:23 PM, Darren Mar-Elia <darren@sdmsoftware.com> wrote:
> You're right about local auditing needing to be on on the client, but I
> just tested removing myself from the local admin group on an XP system and
> this is what it reported:
>
> Security Enabled Local Group Member Removed:
> Member Name: -
> Member ID: XP3\dmarelia
> Target Account Name: Administrators
> Target Domain: Builtin
> Target Account ID: BUILTIN\Administrators
> Caller User Name: administrator
> Caller Domain: CPANDL
> Caller Logon ID: (0x0,0x3083CB)
> Privileges: -
>
> So it does report the name of the principal that was removed.
>
> Darren
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme
> Sent: Friday, May 09, 2008 12:14 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] All local admin groups have been cleand :-(
>
> No. Logging at the LOCAL SYSTEM level would have to be on, and even then
> it does not have "pre change state" "post change state" information… just "a
> change was made."
>
> Even AD didn't have that level of detail until WS2008.
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Kamlesh Parmar
> Sent: Friday, May 09, 2008 8:53 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] All local admin groups have been cleand :-(
>
> Correct me if I am wrong.
>
> IF Account Management auditing is enabled, wouldn't addition or removal of
> members from a group be logged in the security eventlog? Thus able to revert back
> to original membership state using that info?
>
> --
> Kamlesh
>
> On Fri, May 9, 2008 at 3:43 PM, Gabrie <thegabeman@gmail.com> wrote:
>
> Hi
>
> Someone really up and created a Group Policy that set the restricted
> admins group on all servers to EMPTY and indeed, now all our servers have an
> empty local admins group. Is there an easy way to recover which accounts /
> groups were member of the local admins on each server? I guess the ADir
> backup will not contain this info because it is on the local machines.
>
> Gabrie
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Argue for your limitations, and sure enough, they're yours.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
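Kamlesh's idea of rebuilding the "pre change state" from 636/637 events, together with Darren's sample showing that the 637 description does carry the removed principal in its `Member ID` field, is enough to script the recovery on any server where Account Management auditing was already on and the Security log has not wrapped (Al's caveat). The script below is an added example (not code from the thread or from any poster). It parses event descriptions in the layout Darren posted and, rather than simply collecting every account named in a 637, starts from the group's current membership and undoes each add/remove after the incident in reverse log order; that matters for an account that was added and removed again after the policy hit, which a plain "gather all 637s" would wrongly put back. The server names, accounts, times and event texts are all constructed.

```python
"""Reconstruct a local group's membership as it was just before a GPO
incident, from Security log member-added/removed events.
Added example, not from the thread; all log records below are constructed."""
from dataclasses import dataclass
from datetime import datetime

# Windows 2000/XP/2003 Security log event IDs named in the thread.
MEMBER_ADDED = 636     # Security Enabled Local Group Member Added
MEMBER_REMOVED = 637   # Security Enabled Local Group Member Removed


@dataclass(frozen=True)
class GroupEvent:
    server: str
    time: datetime
    event_id: int
    member: str   # the "Member ID" field ("Member Name" is often "-", as in Darren's sample)
    target: str   # the "Target Account ID" field, e.g. BUILTIN\Administrators


def description_fields(description):
    """Turn the 'Label: value' lines of an event description into a dict."""
    out = {}
    for line in description.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip():
            out[label.strip()] = value.strip()
    return out


def parse_event(server, when, event_id, description):
    f = description_fields(description)
    if "Member ID" not in f or "Target Account ID" not in f:
        raise ValueError("not a group-membership event")
    return GroupEvent(server, datetime.strptime(when, "%Y-%m-%d %H:%M"),
                      event_id, f["Member ID"], f["Target Account ID"])


def membership_at(events, server, group, cutoff, current):
    """Membership of `group` on `server` at `cutoff`, obtained by starting from
    `current` and undoing every later change in reverse order.
    `events` must be in log (chronological) order."""
    members = set(current)
    for ev in reversed(events):
        if ev.server != server or ev.target.lower() != group.lower() or ev.time <= cutoff:
            continue
        if ev.event_id == MEMBER_REMOVED:
            members.add(ev.member)       # undo the removal
        elif ev.event_id == MEMBER_ADDED:
            members.discard(ev.member)   # undo the addition
    return members


def naive_removed_since(events, server, group, cutoff):
    """Kamlesh's first cut: every account named in a 637 after the cutoff."""
    return {ev.member for ev in events
            if ev.server == server and ev.target.lower() == group.lower()
            and ev.time > cutoff and ev.event_id == MEMBER_REMOVED}


def _desc(action, member, group="Administrators"):
    # Constructed description text in the layout of Darren's XP sample.
    return (f"Security Enabled Local Group Member {action}:\n"
            f"    Member Name:\t-\n"
            f"    Member ID:\t{member}\n"
            f"    Target Account Name:\t{group}\n"
            f"    Target Domain:\tBuiltin\n"
            f"    Target Account ID:\tBUILTIN\\{group}\n"
            f"    Caller User Name:\tSYSTEM\n")


GPO_APPLIED = datetime(2008, 5, 9, 9, 14)   # assumed time the errant GPO took effect

CONSTRUCTED_LOG = [  # (server, time, event id, description), chronological
    ("SRV1", "2008-05-09 08:02", MEMBER_ADDED,   _desc("Added",   "CORP\\jsmith")),        # before the GPO: ignored
    ("SRV1", "2008-05-09 09:20", MEMBER_REMOVED, _desc("Removed", "CORP\\ServerAdmins")),  # the GPO empties the group
    ("SRV1", "2008-05-09 09:20", MEMBER_REMOVED, _desc("Removed", "CORP\\jsmith")),
    ("SRV1", "2008-05-09 09:40", MEMBER_ADDED,   _desc("Added",   "CORP\\contractor")),    # added while troubleshooting ...
    ("SRV1", "2008-05-09 09:45", MEMBER_REMOVED, _desc("Removed", "CORP\\contractor")),    # ... and removed by the next refresh
    ("SRV2", "2008-05-09 09:21", MEMBER_REMOVED, _desc("Removed", "CORP\\DBAs")),
    ("SRV2", "2008-05-09 09:21", MEMBER_REMOVED, _desc("Removed", "CORP\\HelpDesk", group="Remote Desktop Users")),
]


def reconstruct(rows=CONSTRUCTED_LOG, cutoff=GPO_APPLIED, current=None):
    """Per-server Administrators membership just before `cutoff`.
    `current` is what each server shows now (here: only the built-in account survived)."""
    current = current or {"SRV1": {"SRV1\\Administrator"}, "SRV2": {"SRV2\\Administrator"}}
    events = [parse_event(*r) for r in rows]
    return {srv: membership_at(events, srv, "BUILTIN\\Administrators", cutoff, cur)
            for srv, cur in current.items()}


if __name__ == "__main__":
    for srv, members in reconstruct().items():
        print(srv, sorted(members))
```

Feed it real data by exporting each server's Security log (the 636/637 events with their description text) in chronological order and supplying the current membership from `net localgroup Administrators`; the `naive_removed_since` function is kept only to show how the reverse walk differs from collecting every 637. None of this helps on a server that was not auditing before the incident, which is why the thread's other answer, a System State restore, remains the fallback.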
| darren
Posts:168
 | | 07/16/2008 5:15 PM |
| Al-
One can only speculate about the future but I agree that it would be nice if this continues to be part of the OS and not a SCCM-type add on. And, I do agree that fault tolerance would be a nice thing to continue to have. Ironically, Group Policy today is remarkably fault in-tolerant, despite the replicated nature of AD. For example, GP has no ability to failover to a 2nd DC if for some reason it cannot process policy on the 1st one it finds. The core part of the processing cycle falls over pretty easily if something is amiss, like the infamous 1030 and 1058 errors. In general, GP could be A LOT more fault tolerant for my tastes, with or without AD.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick Sent: Sunday, May 11, 2008 7:06 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] All local admin groups have been cleand :-(
What are the chances that audit level exists on the workstations if the change control that allowed the errant GPO to be implemented was in the state it was? Could have happened, but it would be the rare exception that both that level and the event log sizing was in place prior to this happening.
On another note, both you and joe raise some interesting thoughts on GPO. I think I like the idea of it being separate and therefore easily crossing the boundaries, but I'd be pretty upset if it required a new product to be purchased, licensed etc. It's one of the big differentiators from using a linux directory service in my mind. There are many, but that's a big one.
It would also have to be able to live harmoniously on domain controllers of all shapes and sizes even if it were decoupled. I for one am still in favor of the idea of domain controllers that can withstand network outages and still function.
My $0.06 worth.
-ajm
On Fri, May 9, 2008 at 3:23 PM, Darren Mar-Elia <darren@sdmsoftware.com> wrote:
You're right about local auditing needing to be on on the client, but I just tested removing myself from the local admin group on an XP system and this is what it reported:
Security Enabled Local Group Member Removed:
Member Name: -
Member ID: XP3\dmarelia
Target Account Name: Administrators
Target Domain: Builtin
Target Account ID: BUILTIN\Administrators
Caller User Name: administrator
Caller Domain: CPANDL
Caller Logon ID: (0x0,0x3083CB)
Privileges: -
So it does report the name of the principal that was removed.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme Sent: Friday, May 09, 2008 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] All local admin groups have been cleand :-(
No. Logging at the LOCAL SYSTEM level would have to be on, and even then it does not have "pre change state" "post change state" information… just "a change was made."
Even AD didn't have that level of detail until WS2008.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Kamlesh Parmar Sent: Friday, May 09, 2008 8:53 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] All local admin groups have been cleand :-(
Correct me if I am wrong.
IF Account Management auditing is enabled, wouldn't addition or removal of members from group be logged in security eventlog. Thus able to revert back to original membership state using that info ?
-- Kamlesh
On Fri, May 9, 2008 at 3:43 PM, Gabrie <thegabeman@gmail.com> wrote:
Hi
Someone really up and created a Group Policy that set the restricted admins group on all servers to EMPTY and indeed, now all our servers have an empty local admins group. Is there an easy way to recover which accounts / groups were member of the local admins on each server? I guess the ADir backup will not contain this info because it is on the local machines.
Gabrie
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Argue for your limitations, and sure enough, they're yours. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |