| Author | Messages | |
scott.rachui@xxxx.yyy
 | | 03/03/2006 2:24 AM |
| I have an interest in finding out how many of the users in our primary
forest are authenticating via NTLM instead of Kerberos. I know that in
Windows 2003 there is a new well-known security principal called "NTLM
Authentication" which dynamically contains the list of people who
authenticated via NTLM.
My question is, does anyone know how to query this security principal so
I could get that list of people? Even if it's an ever-changing list, a
snapshot at different times would be useful to see volumes. I was
thinking of comparing that list to the "This Organization" security
principal so I could tell what % of authentication were NTLM.
If there's another way to do this, I'm open to suggestions as well.
Thanks in advance for any comments.
Scott
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| ryanaconrad@xxxx.yyy
| | 03/03/2006 2:36 AM |
| Ryan
On 3/3/06, Rachui, Scott wrote:
I have an interest in finding out how many of the users in our primaryforest are authenticating via NTLM instead of Kerberos. I know that in
Windows 2003 there is a new well-known security principal called "NTLMAuthentication" which dynamically contains the list of people whoauthenticated via NTLM.My question is, does anyone know how to query this security principal so
I could get that list of people? Even if it's an ever-changing list, asnapshot at different times would be useful to see volumes. I wasthinking of comparing that list to the "This Organization" security
principal so I could tell what % of authentication were NTLM.If there's another way to do this, I'm open to suggestions as well.Thanks in advance for any comments.ScottList info :
http://www.activedir.org/List.aspxList FAQ : http://www.activedir.org/ListFAQ.aspxList archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| eyes2sky@xxxx.yyy
| | 03/03/2006 2:53 AM |
| If you are auditing logon events you can query the domain controller
security logs for NTLM logon events.
You'll need to use eventcombmt or some other utility to query all DCs for
these events.
Win2000 DCs records successful NTLM logons in event 680 and failed logons in
event 681.
Win2003 DCs records successful and failed NTLM logons in event 680.
John Roberts
JLR Technology Solutions
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rachui, Scott
Sent: Friday, March 03, 2006 9:24 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] "NTLM Authentication" Security Principal
I have an interest in finding out how many of the users in our primary
forest are authenticating via NTLM instead of Kerberos. I know that in
Windows 2003 there is a new well-known security principal called "NTLM
Authentication" which dynamically contains the list of people who
authenticated via NTLM.
My question is, does anyone know how to query this security principal so I
could get that list of people? Even if it's an ever-changing list, a
snapshot at different times would be useful to see volumes. I was thinking
of comparing that list to the "This Organization" security principal so I
could tell what % of authentication were NTLM.
If there's another way to do this, I'm open to suggestions as well.
Thanks in advance for any comments.
Scott
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| scott.rachui@xxxx.yyy
| | 03/03/2006 2:56 AM |
| That would be helpful, but I was also
thinking how useful it would be if I could somehow use that information to
correlate back to which users were using NTLM so I could see if these were
users that were running NT, XP, etc. Also, I could find out if certain lines
of business were using NTLM because it may help me uncover things like custom
applications that aren™t using Kerberos, etc.
It™s just a thought and it may be
too difficult to implement. But I thought I™d see if anyone had done it.
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Ryan A. Conrad
Sent: Friday, March 03, 2006 8:35
AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir]
"NTLM Authentication" Security Principal
In the NTDS performance object there are two counters: NTLM
Authentcations and Kerberos Authentications. They wouldn't be able to tell you
"who" is authencating using those methods, but they would be able to
provide a better idea. Both counters are in number of requests per
second.
Ryan
On 3/3/06, Rachui,
Scott
wrote:
I have an interest in finding out how many of the users in our primary
forest are authenticating via NTLM instead of Kerberos. I know that
in
Windows 2003 there is a new well-known security principal called "NTLM
Authentication" which dynamically contains the list of people who
authenticated via NTLM.
My question is, does anyone know how to query this security principal so
I could get that list of people? Even if it's an ever-changing list,
a
snapshot at different times would be useful to see volumes. I was
thinking of comparing that list to the "This Organization" security
principal so I could tell what % of authentication were NTLM.
If there's another way to do this, I'm open to suggestions as well.
Thanks in advance for any comments.
Scott
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| GuidoG
Posts:113
| | 03/04/2006 9:33 AM |
| both "NTLM Authentication" and "This Organization" are so called well-known-security principals. They are added dynamically to the token of a user when the users authenticate in their domain or accross a trust.
However, they're not groups that you can read any memberships from like you can with other groups in AD. As such you can either leverage the security eventlogs to check for NTLM and Kerberos authentication events (preferred approach), or you can query the user's token (e.g. by using sectok from www.joeware.com) for the respective security principal and do your reporting this way.
/Guido
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rachui, Scott
Sent: Freitag, 3. März 2006 15:24
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] "NTLM Authentication" Security Principal
I have an interest in finding out how many of the users in our primary
forest are authenticating via NTLM instead of Kerberos. I know that in
Windows 2003 there is a new well-known security principal called "NTLM
Authentication" which dynamically contains the list of people who
authenticated via NTLM.
My question is, does anyone know how to query this security principal so
I could get that list of people? Even if it's an ever-changing list, a
snapshot at different times would be useful to see volumes. I was
thinking of comparing that list to the "This Organization" security
principal so I could tell what % of authentication were NTLM.
If there's another way to do this, I'm open to suggestions as well.
Thanks in advance for any comments.
Scott
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| listmail
Posts:822
| | 04/03/2006 1:27 AM |
| Err they may have better luck looking on www.joeware.net :o) Not much chance
of confusion though once you go there, that site has been under construction
for about 5 or so years now.
Anyway, to find many of my tools, you can usually just type in the tool name
in google now a days and get right there
http://www.joeware.net/win/free/tools/sectok.htm
Note that you can also use whoami /groups
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Grillenmeier, Guido
Sent: Saturday, March 04, 2006 4:32 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] "NTLM Authentication" Security Principal
both "NTLM Authentication" and "This Organization" are so called
well-known-security principals. They are added dynamically to the token of a
user when the users authenticate in their domain or accross a trust.
However, they're not groups that you can read any memberships from like you
can with other groups in AD. As such you can either leverage the security
eventlogs to check for NTLM and Kerberos authentication events (preferred
approach), or you can query the user's token (e.g. by using sectok from
www.joeware.com) for the respective security principal and do your reporting
this way.
/Guido
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rachui, Scott
Sent: Freitag, 3. März 2006 15:24
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] "NTLM Authentication" Security Principal
I have an interest in finding out how many of the users in our primary
forest are authenticating via NTLM instead of Kerberos. I know that in
Windows 2003 there is a new well-known security principal called "NTLM
Authentication" which dynamically contains the list of people who
authenticated via NTLM.
My question is, does anyone know how to query this security principal so I
could get that list of people? Even if it's an ever-changing list, a
snapshot at different times would be useful to see volumes. I was thinking
of comparing that list to the "This Organization" security principal so I
could tell what % of authentication were NTLM.
If there's another way to do this, I'm open to suggestions as well.
Thanks in advance for any comments.
Scott
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
|
|