| Author | Messages | |
darren
Posts:159
 | | 09/08/2008 3:52 PM |
| Dean-
Both methods return Domain Admins as Enabled. This is a DC.
Darren
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
I cant repro. that either
:0/
Can you spin up two shells using two distinct run techniques:
1) Start à Run à cmd (verify that it says This task will be created
with blah blah)
2) hit the Windows-key and immediately type cmd
then hit enter
whilst holding down CTRL+SHIFT
Within each shell, run this
C:\> whoami /groups | find 512
verify that both present the listed security principal as Enabled and
not Group used for deny only
Lemme know
PS is this a domain controller, member
?
--
Dean Wells
* Email: limeypride@gmail.com
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 20, 2008 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Very strange. When I first started this, I opened a command shell by typing
cmd at the Start Menu, Run dialog. It explicitly says right below that this
task will be created with administrative privileges and indeed the
command-shell showed this title at the top: Administrator:
c:\windows\system32\cmd.exe.
However, if I right-click Command Shell on the start menu and choose Run
as Administrator, the klist command worked fine. No doubt yet another
subtle vagary of UAC biting me in the you-know-what
Thanks,
Darren
BTW, I tried simply copying klist.exe from 2008 to Vista, SP1 and got a
bunch of resource errors every time I tried to run it. Presumably Im
missing some other dependent module.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Wednesday, August 20, 2008 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
If you are not running it from an elevated command prompt you will get that.
Thanks,
-Steve
Steve Linehan | { Infrastructure Architect } |
<http://www.microsoft.com/windowsserver200> |
<http://www.microsoft.com/windowsserver2008/en/us/try-it.aspx> Try Windows
Server 2008 |
<http://www.microsoft.com/heroeshappenhere/register/default.mspx> Attend a
Launch Event
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 20, 2008 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
No errors, just usage back at me:
C:\Users\Administrator.CPANDL>Klist -li 0x3e7 purge
Usage: Klist.exe [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>] tickets |
tgt
| purge
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Post back the resulting error text.
--
Dean Wells
* Email: limeypride@gmail.com
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 20, 2008 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Hmm. I had already tried that without the colon and it still fails. Could
this be a problem of running in a TS session?
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Wednesday, August 20, 2008 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Yes forgot to remove the :
C:\Windows\System32>klist -li 0x3e7 purge
Current LogonId is 0:0x92b72
Targetted LogonId is 0:0x3e7
Deleting all tickets:
Ticket(s) purged!
Thanks,
-Steve
Steve Linehan | { Infrastructure Architect } |
<http://www.microsoft.com/windowsserver200> |
<http://www.microsoft.com/windowsserver2008/en/us/try-it.aspx> Try Windows
Server 2008 |
<http://www.microsoft.com/heroeshappenhere/register/default.mspx> Attend a
Launch Event
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Remove the colon following -li
--
Dean Wells
* Email: limeypride@gmail.com
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 20, 2008 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
And actually, I just tried this on 2008 and when I entered the command
below, I got the usage back:
Usage: Klist.exe [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>] tickets |
tgt
| purge
Something missing from that Steve?
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Linehan
Sent: Wednesday, August 20, 2008 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
For Windows Server 2008 we added a feature to help customers with this
issue. We added a switch to klist that would allow you to flush the systems
TGT, Klist li:0x3e7 purge (0x3e7 is always the system process).
Thanks,
-Steve
Steve Linehan | { Infrastructure Architect } |
<http://www.microsoft.com/windowsserver200> |
<http://www.microsoft.com/windowsserver2008/en/us/try-it.aspx> Try Windows
Server 2008 |
<http://www.microsoft.com/heroeshappenhere/register/default.mspx> Attend a
Launch Event
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, August 20, 2008 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Yes Mr. Wells, that is why I was clarifying the question. 
LOL I said Mr. Wells... HAHAHA
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Wednesday, August 20, 2008 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
Computers logon in a similar manner to users. As a result, they suffer from
some of the same long-standing Windows limitations that being, group
membership modifications require that the access-token be refreshed; in
user terms thats a logoff/logon in computer terms, thats a reboot
or
sufficient patience for the kerb. ticket to fall outside of its renewability
window and silently refresh in the background.
--
Dean Wells
* Email: limeypride@gmail.com
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, August 20, 2008 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Filtering Computer Based Policies
So are you saying that after you reboot the machines after the group mods
have replicated it isn't handling the group filtering right away?
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of WATSON, BEN
Sent: Wednesday, August 20, 2008 11:45 AM
To: undisclosed-recipients:
Subject: [ActiveDir] Security Filtering Computer Based Policies
As part of a rollout for a specific policy we are applying to the company,
we are pushing a policy that will be effected by security filtering at the
outset. It works, and I can test it and when I check the GPResults I
definitely see that the policy was denied by security.
To perform the security filtering, I created a security group, added the
computer accounts that I do NOT want to be affected by the policy, and then
denied that security group the ability to apply the group policy. As I
stated before, it works
but slowly.
I was wondering if anyone else could explain why after making a change to
the membership of the security group, it seems to take some time for the
change to take effect as far as the security filtering is concerned. I know
its not a replication issue (if that even matters) as I push out the
changes to the other DCs, yet it still takes awhile for the change in the
security group to effect the security filtering applied against the GPO.
Any thoughts?
Thanks,
~Ben
_______________________________________
Best way to <http://abcnews.go.com/print?id=5351908> annoy your co-workers?
E-mail.
| | | |
|
|