I have just discovered that my favourite Active Directory troubleshooting tool Replmon.exe has not made it to Windows 2008! (replmon technet link)
Here is a quote from a TechNet blog:
"Unfortunately, replmon did not survive the transition to Win2008. It was actually developed by MS support, not the product group (along with many other support tools/resource kit tools), and without an actual owner to service the tool years later, it was a casualty."
The Windows 2003 version of Replmon appears to work okay though. You will need to install the Windows 2003 Support Tools (Suptools.msi), ignoring the Program Compatibility Assistant warning "This program has known compatibility issues".
Let's just hope those compatibility issues do not cause instability on my server then!
Tuesday, 5 August 2008
Thursday, 31 July 2008
Windows 2008 Active Directory, deleting OUs
Today I found some new default permissions on Windows 2008 Active Directory Organizational Units (OUs). I had created an OU in my nice new Windows 2008 Active Directory to provision servers into. Now that I have created my OU structure, I tried to delete my redundant OU and received the error message:
You do not have sufficient privileges to delete MyOUName, or this object is protected from accidental deletion.
So I immediately switched on Advanced Features in Active Directory Users and Computers so that I could access the Security tab of the OU. When I clicked Advanced there was one explicit Deny permission set for Everyone with Special permissions. These Special permissions were Deny Delete and Deny Delete Subtree. Of course, by un-checking these options I could delete the OU.
I think this is an awesome, subtle improvement. I have actually worked for a company where a user with Administrative permissions accidentally deleted an enormous OU with thousands of users, computers, printers and customisations. Denying delete permissions to Everyone by default means that you can no longer accidentally delete an OU. You need to be fully aware of what you are doing, as you have to go and remove this permission each time. Kudos MS.
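The protection described above is just an ACE, so it can be audited the same way it was found: by reading each OU's security descriptor and looking for an explicit Deny of Delete and Delete Subtree for Everyone (SID S-1-1-0). The script below is an added example, not part of the original post; it assumes only .NET System.DirectoryServices (present on Windows Server 2008 without the ActiveDirectory module) and a caller with rights to read, and with -Protect to write, OU security descriptors.

```powershell
# Added example (not from the original post): audit every OU in the current domain
# for the explicit "Deny Delete + Delete Subtree for Everyone" ACE, and optionally
# put it back where it is missing (-Protect).
param([switch]$Protect)

$EveryoneSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$DeleteRights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor `
                [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

function Test-OUDeleteProtection {
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    # Explicit ACEs only ($true, $false): the protection is set directly on the OU,
    # not inherited from a parent.
    $rules = $Entry.psbase.ObjectSecurity.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Deny' -and
            $rule.IdentityReference.Value -eq $EveryoneSid.Value -and
            (($rule.ActiveDirectoryRights -band $DeleteRights) -eq $DeleteRights)) {
            return $true
        }
    }
    return $false
}

function Protect-OU {
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    # Same ACE the ADUC "protect from accidental deletion" option creates on the OU.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
               -ArgumentList $EveryoneSid, $DeleteRights, 'Deny'
    $Entry.psbase.ObjectSecurity.AddAccessRule($ace)
    $Entry.psbase.CommitChanges()
}

# Enumerate all OUs in the current domain (DirectorySearcher defaults to the
# domain root of the logged-on user).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(objectClass=organizationalUnit)'
$searcher.PageSize = 1000
foreach ($result in $searcher.FindAll()) {
    $ou = $result.GetDirectoryEntry()
    if (Test-OUDeleteProtection $ou) {
        Write-Host "protected   $($result.Path)"
    } else {
        Write-Warning "UNPROTECTED $($result.Path)"
        if ($Protect) { Protect-OU $ou; Write-Host "  -> protection ACE added" }
    }
}
```

Run it without -Protect first to see which OUs were created without the protection; an OU that is deliberately unprotected should be a conscious, documented exception rather than the default.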
Wednesday, 30 July 2008
Active Directory “List Object Mode”
Active Directory normally has three visible read permissions: List Contents, Read All Properties and Read Permissions. These cover the majority of Active Directory's read-related permissions. There is, however, a fourth read permission that is not enabled by default: List Object.
The List Contents permission would normally list all immediate child objects. With List Object mode enabled, Active Directory can hide individual child objects that the List Contents permission would otherwise return.
Why is this useful?
In the shared Active Directory configuration of a multi-tenancy hosting solution, different organizations share the same domain. In this shared hosting environment, it is important to ensure that only authorized users can access the information and configuration settings for a given organization.
To set Active Directory to List Object mode, open ADSIEdit.msc. Expand the Configuration container, then CN=Services, then CN=Windows NT. Right-click CN=Directory Service and click Properties. Change the dsHeuristics attribute to 001.
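dsHeuristics is a single forest-wide string in which each character position is a separate switch, and List Object mode is the third character. Typing 001 into ADSIEdit works on a fresh forest but silently clears any other heuristics already set. The script below is an added example, not part of the original post; it assumes .NET System.DirectoryServices, a caller with write access to CN=Directory Service in the Configuration partition, and that only the third character needs to change.

```powershell
# Added example (not from the original post): turn on List Object mode by setting
# the third character of dsHeuristics to 1 while preserving every other character,
# instead of overwriting the whole attribute with "001".
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext
$dsPath   = "LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$ds       = [ADSI]$dsPath

function Set-ListObjectMode {
    param([string]$Current, [bool]$Enabled)
    # Characters are positional flags; pad with zeros so that position 3 exists
    # when the attribute is empty or shorter than three characters.
    $chars = $Current.PadRight(3, '0').ToCharArray()
    $chars[2] = if ($Enabled) { '1' } else { '0' }
    return -join $chars
}

# An unset attribute reads back as $null; treat it as an empty string.
$current = [string]$ds.dsHeuristics
Write-Host "Current dsHeuristics: '$current'"

$new = Set-ListObjectMode -Current $current -Enabled $true
if ($new -ne $current) {
    # The Configuration partition replicates to every DC in the forest, so this
    # change is forest-wide, not per domain.
    $ds.Put('dsHeuristics', $new)
    $ds.SetInfo()
    Write-Host "dsHeuristics set to '$new' (List Object mode enabled)"
} else {
    Write-Host "List Object mode is already enabled; nothing changed"
}
```

Setting the mode only makes the List Object permission meaningful; you still have to grant List Object on the specific objects each tenant is allowed to see and withhold List Contents on the shared parent.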