| Author | Messages | |
slinehan
Posts:18
 | | 09/08/2008 3:52 PM |
| Hmm when I try it from an unelevated prompt it fails silently. There must be a corner case.
Thanks,
-Steve
Steve Linehan | { Infrastructure Architect } | [cid:image001.png@01C902DA.2616E310] <http://www.microsoft.com/windowsserver200> | Try Windows Server 2008<http://www.microsoft.com/windowsserver2008/en/us/try-it.aspx> | Attend a Launch Event<http://www.microsoft.com/heroeshappenhere/register/default.mspx>
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Nahhhhh, this particular dev. took their time Steve and gave us a decent error ... honest  -
C:\> klist -li 0x3e7 purge
Current login blah blah
Targetted logon blah blah
*** You must run this tool while being elevated, and you must have TCB or be a local admin. ***
klist failed blah blah
--
Dean Wells
* Email: limeypride@gmail.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Wednesday, August 20, 2008 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
If you are not running it from an elevated command prompt you will get that.
Thanks,
-Steve
Steve Linehan | { Infrastructure Architect } | [cid:image001.png@01C902DA.2616E310] <http://www.microsoft.com/windowsserver200> | Try Windows Server 2008<http://www.microsoft.com/windowsserver2008/en/us/try-it.aspx> | Attend a Launch Event<http://www.microsoft.com/heroeshappenhere/register/default.mspx>
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 20, 2008 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
No errors, just usage back at me:
C:\Users\Administrator.CPANDL>Klist -li 0x3e7 purge
Usage: Klist.exe [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>] tickets | tgt
| purge
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Post back the resulting error text.
--
Dean Wells
* Email: limeypride@gmail.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 20, 2008 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Hmm. I had already tried that without the colon and it still fails. Could this be a problem of running in a TS session?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Wednesday, August 20, 2008 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Yes forgot to remove the :
C:\Windows\System32>klist -li 0x3e7 purge
Current LogonId is 0:0x92b72
Targetted LogonId is 0:0x3e7
Deleting all tickets:
Ticket(s) purged!
Thanks,
-Steve
Steve Linehan | { Infrastructure Architect } | [cid:image001.png@01C902DA.2616E310] <http://www.microsoft.com/windowsserver200> | Try Windows Server 2008<http://www.microsoft.com/windowsserver2008/en/us/try-it.aspx> | Attend a Launch Event<http://www.microsoft.com/heroeshappenhere/register/default.mspx>
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Remove the colon following -li
--
Dean Wells
* Email: limeypride@gmail.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 20, 2008 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
And actually, I just tried this on 2008 and when I entered the command below, I got the usage back:
Usage: Klist.exe [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>] tickets | tgt
| purge
Something missing from that Steve?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Wednesday, August 20, 2008 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
For Windows Server 2008 we added a feature to help customers with this issue. We added a switch to klist that would allow you to flush the systems TGT, Klist -li:0x3e7 purge (0x3e7 is always the system process).
Thanks,
-Steve
Steve Linehan | { Infrastructure Architect } | [cid:image001.png@01C902DA.2616E310] <http://www.microsoft.com/windowsserver200> | Try Windows Server 2008<http://www.microsoft.com/windowsserver2008/en/us/try-it.aspx> | Attend a Launch Event<http://www.microsoft.com/heroeshappenhere/register/default.mspx>
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, August 20, 2008 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Yes Mr. Wells, that is why I was clarifying the question.
LOL I said Mr. Wells... HAHAHA
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Computers logon in a similar manner to users. As a result, they suffer from some of the same long-standing Windows limitations - that being, group membership modifications require that the access-token be refreshed; in user terms - that's a logoff/logon - in computer terms, that's a reboot ... or sufficient patience for the kerb. ticket to fall outside of its renewability window and silently refresh in the background.
--
Dean Wells
* Email: limeypride@gmail.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, August 20, 2008 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
So are you saying that after you reboot the machines after the group mods have replicated it isn't handling the group filtering right away?
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN
Sent: Wednesday, August 20, 2008 11:45 AM
To: undisclosed-recipients:
Subject: [ActiveDir] Security Filtering Computer Based Policies
As part of a rollout for a specific policy we are applying to the company, we are pushing a policy that will be effected by security filtering at the outset. It works, and I can test it and when I check the GPResults I definitely see that the policy was denied by security.
To perform the security filtering, I created a security group, added the computer accounts that I do NOT want to be affected by the policy, and then denied that security group the ability to apply the group policy. As I stated before, it works... but slowly.
I was wondering if anyone else could explain why after making a change to the membership of the security group, it seems to take "some time" for the change to take effect as far as the security filtering is concerned. I know it's not a replication issue (if that even matters) as I push out the changes to the other DCs, yet it still takes awhile for the change in the security group to effect the security filtering applied against the GPO.
Any thoughts?
Thanks,
~Ben
_______________________________________
Best way to annoy your co-workers? E-mail.<http://abcnews.go.com/print?id=5351908>
| | | |
|
|