Author: dwells (Posts: 39)
Posted: 09/08/2008 3:50 PM

Me too, specifically, these on a domain-joined Vista SP1 box -
C:\>klist tickets >foo.txt 2>&1
AES-256-CTS-HMAC-SHA1-96
forwardable forwarded renewable pre_authent
8/20/2008 15:36:21 8/21/2008 1:36:16 8/27/2008 15:36:16 AES-256-CTS-HMAC-SHA1-96
AES-256-CTS-HMAC-SHA1-96
forwardable renewable initial pre_authent
8/20/2008 15:36:16 8/21/2008 1:36:16 8/27/2008 15:36:16 AES-256-CTS-HMAC-SHA1-96
AES-256-CTS-HMAC-SHA1-96
forwardable renewable pre_authent ok_as_delegate
8/20/2008 15:36:46 8/21/2008 1:36:16 8/27/2008 15:36:16 AES-256-CTS-HMAC-SHA1-96
AES-256-CTS-HMAC-SHA1-96
forwardable renewable pre_authent ok_as_delegate
8/20/2008 15:36:21 8/21/2008 1:36:16 8/27/2008 15:36:16 AES-256-CTS-HMAC-SHA1-96
AES-256-CTS-HMAC-SHA1-96
forwardable renewable pre_authent ok_as_delegate
8/20/2008 15:36:21 8/21/2008 1:36:16 8/27/2008 15:36:16 AES-256-CTS-HMAC-SHA1-96
AES-256-CTS-HMAC-SHA1-96
forwardable renewable pre_authent ok_as_delegate
8/20/2008 15:36:19 8/21/2008 1:36:16 8/27/2008 15:36:16 AES-256-CTS-HMAC-SHA1-96
Error loading resource: 0x00003b01
-- Dean Wells * Email: limeypride@gmail.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 20, 2008 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Very strange. When I first started this, I opened a command shell by typing cmd at the Start Menu, Run dialog. It explicitly says right below that "this task will be created with administrative privileges" and indeed the command-shell showed this title at the top: "Administrator: c:\windows\system32\cmd.exe".
However, if I right-click "Command Shell" on the start menu and choose "Run as Administrator", the klist command worked fine. No doubt yet another subtle vagary of UAC biting me in the you-know-what.
Thanks,
Darren
BTW, I tried simply copying klist.exe from 2008 to Vista, SP1 and got a bunch of resource errors every time I tried to run it. Presumably I'm missing some other dependent module.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Wednesday, August 20, 2008 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
If you are not running it from an elevated command prompt you will get that.
Thanks,
-Steve
Steve Linehan | { Infrastructure Architect } | <http://www.microsoft.com/windowsserver200> | <http://www.microsoft.com/windowsserver2008/en/us/try-it.aspx> Try Windows Server 2008 | <http://www.microsoft.com/heroeshappenhere/register/default.mspx> Attend a Launch Event
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 20, 2008 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
No errors, just usage back at me:
C:\Users\Administrator.CPANDL>Klist -li 0x3e7 purge
Usage: Klist.exe [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>] tickets | tgt
| purge
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Post back the resulting error text.
-- Dean Wells * Email: limeypride@gmail.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 20, 2008 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Hmm. I had already tried that without the colon and it still fails. Could this be a problem of running in a TS session?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Wednesday, August 20, 2008 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Yes forgot to remove the :
C:\Windows\System32>klist -li 0x3e7 purge
Current LogonId is 0:0x92b72
Targetted LogonId is 0:0x3e7
Deleting all tickets:
Ticket(s) purged!
Thanks,
-Steve
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Remove the colon following -li
-- Dean Wells * Email: limeypride@gmail.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 20, 2008 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
And actually, I just tried this on 2008 and when I entered the command below, I got the usage back:
Usage: Klist.exe [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>] tickets | tgt
| purge
Something missing from that Steve?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Wednesday, August 20, 2008 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
For Windows Server 2008 we added a feature to help customers with this issue. We added a switch to klist that would allow you to flush the system's TGT, Klist -li:0x3e7 purge (0x3e7 is always the system process).
Thanks,
-Steve
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, August 20, 2008 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Yes Mr. Wells, that is why I was clarifying the question. 
LOL I said Mr. Wells... HAHAHA
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Computers log on in a similar manner to users. As a result, they suffer from some of the same long-standing Windows limitations - that being, group membership modifications require that the access-token be refreshed; in user terms - that's a logoff/logon - in computer terms, that's a reboot ... or sufficient patience for the kerb. ticket to fall outside of its renewability window and silently refresh in the background.
-- Dean Wells * Email: limeypride@gmail.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, August 20, 2008 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
So are you saying that after you reboot the machines after the group mods have replicated it isn't handling the group filtering right away?
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN
Sent: Wednesday, August 20, 2008 11:45 AM
To: undisclosed-recipients:
Subject: [ActiveDir] Security Filtering Computer Based Policies
As part of a rollout for a specific policy we are applying to the company, we are pushing a policy that will be affected by security filtering at the outset. It works, and I can test it and when I check the GPResults I definitely see that the policy was denied by security.
To perform the security filtering, I created a security group, added the computer accounts that I do NOT want to be affected by the policy, and then denied that security group the ability to apply the group policy. As I stated before, it works ... but slowly.
I was wondering if anyone else could explain why after making a change to the membership of the security group, it seems to take "some time" for the change to take effect as far as the security filtering is concerned. I know it's not a replication issue (if that even matters) as I push out the changes to the other DCs, yet it still takes a while for the change in the security group to affect the security filtering applied against the GPO.
Any thoughts?
Thanks,
~Ben
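
The sequence this thread converges on, written out as an added example (not code from any of the posters): check for an elevated token, purge the system logon session's tickets with the corrected `klist` syntax, then re-apply computer policy. The `gpupdate` and `gpresult` steps are an assumption about how one would confirm the result; the thread itself stops at the purge.

```powershell
# Added example, not from the thread. Needs the klist.exe that ships with
# Windows Server 2008 or later (the -li switch discussed above).

# Without an elevated token klist just prints its usage text, and a title bar
# reading "Administrator:" is not proof of elevation, so test the token itself.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Not elevated: start the shell with "Run as Administrator" and retry.'
}

# 0x3e7 is the logon ID of the system logon session.
# Note the syntax: "-li 0x3e7", with no colon after -li.
$purgeOutput = & klist.exe -li 0x3e7 purge | Out-String
Write-Host $purgeOutput

# On success klist reports "Ticket(s) purged!"; anything else (for example
# the usage text) means the computer's tickets are still cached.
if ($purgeOutput -notmatch 'purged') {
    throw 'klist did not report a purge; computer tickets were not flushed.'
}

# Assumed follow-up: with the old tickets gone, the computer requests new ones
# that carry its current group membership. Re-apply computer policy so the
# GPO security filtering is evaluated again.
& gpupdate.exe /target:computer /force

# Assumed follow-up: list the computer-side results, including GPOs that were
# filtered out (denied by security), to confirm the group change took effect.
& gpresult.exe /r /scope computer
```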