| Author | Messages | |
Gil
Posts:77
 | | 09/08/2008 3:44 PM |
| Ahh yes, the old "command-line colonectomy".
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Remove the colon following -li
--
Dean Wells
* Email: limeypride@gmail.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 20, 2008 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
And actually, I just tried this on 2008 and when I entered the command below, I got the usage back:
Usage: Klist.exe [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>] tickets | tgt
| purge
Something missing from that Steve?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Wednesday, August 20, 2008 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
For Windows Server 2008 we added a feature to help customers with this issue. We added a switch to klist that would allow you to flush the systems TGT, Klist -li:0x3e7 purge (0x3e7 is always the system process).
Thanks,
-Steve
Steve Linehan | { Infrastructure Architect } | [cid:image001.png@01C902B2.121C0430] <http://www.microsoft.com/windowsserver200> | Try Windows Server 2008<http://www.microsoft.com/windowsserver2008/en/us/try-it.aspx> | Attend a Launch Event<http://www.microsoft.com/heroeshappenhere/register/default.mspx>
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, August 20, 2008 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Yes Mr. Wells, that is why I was clarifying the question. 
LOL I said Mr. Wells... HAHAHA
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Computers logon in a similar manner to users. As a result, they suffer from some of the same long-standing Windows limitations - that being, group membership modifications require that the access-token be refreshed; in user terms - that's a logoff/logon - in computer terms, that's a reboot ... or sufficient patience for the kerb. ticket to fall outside of its renewability window and silently refresh in the background.
--
Dean Wells
* Email: limeypride@gmail.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, August 20, 2008 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
So are you saying that after you reboot the machines after the group mods have replicated it isn't handling the group filtering right away?
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN
Sent: Wednesday, August 20, 2008 11:45 AM
To: undisclosed-recipients:
Subject: [ActiveDir] Security Filtering Computer Based Policies
As part of a rollout for a specific policy we are applying to the company, we are pushing a policy that will be effected by security filtering at the outset. It works, and I can test it and when I check the GPResults I definitely see that the policy was denied by security.
To perform the security filtering, I created a security group, added the computer accounts that I do NOT want to be affected by the policy, and then denied that security group the ability to apply the group policy. As I stated before, it works... but slowly.
I was wondering if anyone else could explain why after making a change to the membership of the security group, it seems to take "some time" for the change to take effect as far as the security filtering is concerned. I know it's not a replication issue (if that even matters) as I push out the changes to the other DCs, yet it still takes awhile for the change in the security group to effect the security filtering applied against the GPO.
Any thoughts?
Thanks,
~Ben
_______________________________________
Best way to annoy your co-workers? E-mail.<http://abcnews.go.com/print?id=5351908>
| | | |
|
|