List Archives

This forum is an archive of all posts to our mailing list over the past few years.  The forum is set read only therefore to contribute you will need to join our list community.  See more info about this here.

Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
09/08/2008 3:50 PM  
Dean is, of course, referring to his own peacock plumage....

And yes I was trying to be funny. I wanted to see if Dean would respond to
my note as if Darren sent it. Unfortunately Dean's mom was reading all of
the message to him this time and not just the middle parts... ;o)

From the sounds of the error Dean and Darren (hmm D&D) are describing,
sounds like some API call is being dynamically called out to and it is
failing.... From Dean it sounds like it is failing a whole lot over and over
again in fact.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



_____

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies



Oh dear → @ joe = <smack>



Steve – joe was trying to be funny … clearly, he’s not!



For me though, the 2K8 binary fails regardless of beautiful plumage :)

--
Dean Wells
* Email: limeypride@gmail.com



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Wednesday, August 20, 2008 2:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies



Sorry should have stated it more clearly. It will work on Vista but at the
moment we do not ship the binary on Vista. I had forgotten about that
piece. The plumbing is there for it to work.



Thanks,



-Steve



Steve Linehan | { Infrastructure Architect } |
<http://www.microsoft.com/windowsserver200> |
<http://www.microsoft.com/windowsserver2008/en/us/try-it.aspx> Try Windows
Server 2008 |
<http://www.microsoft.com/heroeshappenhere/register/default.mspx> Attend a
Launch Event



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, August 20, 2008 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies



'klist' is not recognized as an internal or external command,
operable program or batch file.





--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm







_____

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies

Post back the resulting error text.



--
Dean Wells
* Email: limeypride@gmail.com



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 20, 2008 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies



Hmm. I had already tried that without the colon and it still fails. Could
this be a problem of running in a TS session?



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Wednesday, August 20, 2008 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies



Yes forgot to remove the :



C:\Windows\System32>klist -li 0x3e7 purge



Current LogonId is 0:0x92b72

Targetted LogonId is 0:0x3e7

Deleting all tickets:

Ticket(s) purged!



Thanks,



-Steve



Steve Linehan | { Infrastructure Architect } |
<http://www.microsoft.com/windowsserver200> |
<http://www.microsoft.com/windowsserver2008/en/us/try-it.aspx> Try Windows
Server 2008 |
<http://www.microsoft.com/heroeshappenhere/register/default.mspx> Attend a
Launch Event
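
The fix discussed in this thread, as an added example that is not part of any poster's message: a PowerShell script that purges the LocalSystem session's Kerberos tickets with the klist syntax shown above, refreshes computer policy, and reports how gpresult lists the GPO afterwards. It assumes an elevated prompt on Windows Server 2008 or later, English-language gpresult output, and a hypothetical `-GpoName` parameter holding the GPO's display name.

```powershell
# Added example, not from the thread. Assumes an elevated prompt and English
# gpresult output. -GpoName is a hypothetical parameter: the display name of
# the GPO whose security filtering was changed.
param([string]$GpoName = $(throw 'Specify -GpoName'))

$SystemLogonId = '0x3e7'   # LowPart of the system logon session, per the thread

# Fail early where the binary is not shipped (the "'klist' is not recognized" case).
if (-not (Get-Command klist.exe -ErrorAction SilentlyContinue)) {
    throw 'klist.exe not found on this system.'
}

# 1. Purge the computer's tickets. Note: no colon after -li.
$purge = @(& klist.exe -li $SystemLogonId purge)
$purge | ForEach-Object { Write-Host $_ }
if (-not ($purge -match 'purged')) {
    throw 'klist did not report that tickets were purged.'
}

# 2. Refresh computer policy so filtering is evaluated with fresh tickets.
& gpupdate.exe /target:computer

# 3. Read back the computer-scope result and find the GPO by name.
#    A filtered-out GPO is followed by a "Filtering:" line, for example
#    "Filtering:  Denied (Security)"; an applied GPO is listed by name only.
$lines = @(& gpresult.exe /scope computer /r)
$found = $false
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i].Trim() -ne $GpoName) { continue }
    $found = $true
    $next = ''
    if ($i + 1 -lt $lines.Count) { $next = $lines[$i + 1] }
    if ($next -match 'Filtering:\s+(.+)$') {
        Write-Host "$GpoName is filtered out: $($Matches[1].Trim())"
    } else {
        Write-Host "$GpoName is listed as applied."
    }
}
if (-not $found) {
    Write-Host "$GpoName does not appear in the computer-scope gpresult output."
}
```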



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies



Remove the colon following -li

--
Dean Wells
* Email: limeypride@gmail.com



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 20, 2008 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies



And actually, I just tried this on 2008 and when I entered the command
below, I got the usage back:



Usage: Klist.exe [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>] tickets | tgt | purge



Something missing from that Steve?



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Wednesday, August 20, 2008 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies



For Windows Server 2008 we added a feature to help customers with this
issue. We added a switch to klist that would allow you to flush the system's
TGT, Klist –li:0x3e7 purge (0x3e7 is always the system process).



Thanks,



-Steve



Steve Linehan | { Infrastructure Architect } |
<http://www.microsoft.com/windowsserver200> |
<http://www.microsoft.com/windowsserver2008/en/us/try-it.aspx> Try Windows
Server 2008 |
<http://www.microsoft.com/heroeshappenhere/register/default.mspx> Attend a
Launch Event



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, August 20, 2008 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies



Yes Mr. Wells, that is why I was clarifying the question. :)





LOL I said Mr. Wells... HAHAHA





--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm







_____

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies

Computers logon in a similar manner to users. As a result, they suffer from
some of the same long-standing Windows limitations – that being, group
membership modifications require that the access-token be refreshed; in
user terms – that’s a logoff/logon – in computer terms, that’s a reboot … or
sufficient patience for the kerb. ticket to fall outside of its renewability
window and silently refresh in the background.

--
Dean Wells
* Email: limeypride@gmail.com



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, August 20, 2008 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies



So are you saying that after you reboot the machines after the group mods
have replicated it isn't handling the group filtering right away?





--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm







_____

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN
Sent: Wednesday, August 20, 2008 11:45 AM
To: undisclosed-recipients:
Subject: [ActiveDir] Security Filtering Computer Based Policies

As part of a rollout for a specific policy we are applying to the company,
we are pushing a policy that will be affected by security filtering at the
outset. It works, and I can test it and when I check the GPResults I
definitely see that the policy was denied by security.



To perform the security filtering, I created a security group, added the
computer accounts that I do NOT want to be affected by the policy, and then
denied that security group the ability to apply the group policy. As I
stated before, it works… but slowly.



I was wondering if anyone else could explain why after making a change to
the membership of the security group, it seems to take “some time” for the
change to take effect as far as the security filtering is concerned. I know
it’s not a replication issue (if that even matters) as I push out the
changes to the other DCs, yet it still takes awhile for the change in the
security group to affect the security filtering applied against the GPO.



Any thoughts?



Thanks,

~Ben



_______________________________________

Best way to <http://abcnews.go.com/print?id=5351908> annoy your co-workers?
E-mail.



