Search Results

Search found 16797 results on 672 pages for 'directory traversal'.

Page 14/672 | < Previous Page | 10 11 12 13 14 15 16 17 18 19 20 21  | Next Page >

  • Use alternative Active Directory server to gain administrative privileges

    - by Sharuzzaman Ahmat Raslan
    I have this idea, just want to see if it is implementable or not. Let say I have my office laptop, with no administrator privileges, using example domain ASDF Can I set at my home, another AD server (Microsoft or Samba 4), that have the same domain ASDF as my office laptop. Then I set an administrative user in my own AD server. Theoretically, is it possible to authenticate my office laptop with my own AD? If the above is possible, theoretically, is it possible to gain administrative privileges also with this setup? Thanks.

    Read the article

  • How to properly deny Railo directory access through Apache

    - by Sn3akyP3t3
    I've been battle tested on this and failed to achieve my goal which is to deny all access to all directories except the Public directory and only allow access to all all other directories with specific IP addresses. To get Railo+Apache+Tomcat installed I pretty much followed this script: https://github.com/talltroym/Railo-Ubuntu-Installer-Script then verified settings with this tutorial: http://blog.nictunney.com/2012/03/railo-tomcat-and-apache-on-amazon-ec2.html From the installation script these mods are enabled: sudo a2enmod ssl sudo a2enmod proxy sudo a2enmod proxy_http sudo a2enmod rewrite sudo a2ensite default-ssl Outside of the script I copied the sites-available to sites-enabled then reloaded Apache. I have a directory created for Railo cmfl located at /var/www/Railo/ Navigating the browser to http ://Server_IP_Address/Railo forces ssl and relocates to https ://Server_IP_Address/Railo which shows off index.cfm. Not providing index.cfm and omitting https indicates that the DirectoryIndex directive and RewriteCond of Apache appears to be working for the sites-enabled VirtualHost. The problem I'm encountering is that I cannot seem to deny access to all directories except Public. My directory structure is rather simple and looks like this: Railo error Public NotPublic Sandbox These are my sites-enabled configurations: <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www #Default Deny All to prevent walking backwards in file system Alias /Railo/ "/var/www/Railo/" <Directory ~ ".*/Railo/(?!Public).*"> Order Deny,Allow Deny from All </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> DirectoryIndex index.cfm index.cfml default.cfm default.cfml index.htm index.html index.cfc RewriteEngine on RewriteCond %{SERVER_PORT} !^443$ RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R] </VirtualHost> and <IfModule mod_ssl.c> <VirtualHost _default_:443> ServerAdmin webmaster@localhost DocumentRoot /var/www Alias /Railo/ "/var/www/Railo/" <Directory ~ "/var/www/Railo/(?!Public).*"> Order Deny,Allow Deny from All </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on # A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. # If both key and certificate are stored in the same file, only the # SSLCertificateFile directive is needed. SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key # Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the # concatenation of PEM encoded CA certificates which form the # certificate chain for the server certificate. Alternatively # the referenced file can be the same as SSLCertificateFile # when the CA certificates are directly appended to the server # certificate for convinience. #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt # Certificate Authority (CA): # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCACertificatePath /etc/ssl/certs/ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt # Certificate Revocation Lists (CRL): # Set the CA revocation path where to find CA CRLs for client # authentication or alternatively one huge file containing all # of them (file must be PEM encoded) # Note: Inside SSLCARevocationPath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCARevocationPath /etc/apache2/ssl.crl/ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl # Client Authentication (Type): # Client certificate verification type and depth. Types are # none, optional, require and optional_no_ca. Depth is a # number which specifies how deeply to verify the certificate # issuer chain before deciding the certificate is not valid. #SSLVerifyClient require #SSLVerifyDepth 10 # Access Control: # With SSLRequire you can do per-directory access control based # on arbitrary complex boolean expressions containing server # variable checks and other lookup directives. The syntax is a # mixture between C and Perl. See the mod_ssl documentation # for more details. #<Location /> #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ #</Location> # SSL Engine Options: # Set various options for the SSL engine. # o FakeBasicAuth: # Translate the client X.509 into a Basic Authorisation. This means that # the standard Auth/DBMAuth methods can be used for access control. The # user name is the `one line' version of the client's X.509 certificate. # Note that no password is obtained from the user. Every entry in the user # file needs this password: `xxj31ZMTZzkVA'. # o ExportCertData: # This exports two additional environment variables: SSL_CLIENT_CERT and # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the # server (always existing) and the client (only existing when client # authentication is used). This can be used to import the certificates # into CGI scripts. # o StdEnvVars: # This exports the standard SSL/TLS related `SSL_*' environment variables. # Per default this exportation is switched off for performance reasons, # because the extraction step is an expensive operation and is usually # useless for serving static content. So one usually enables the # exportation for CGI and SSI requests only. # o StrictRequire: # This denies access when "SSLRequireSSL" or "SSLRequire" applied even # under a "Satisfy any" situation, i.e. when it applies access is denied # and no other module can change it. # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> # SSL Protocol Adjustments: # The safe and default but still SSL/TLS standard compliant shutdown # approach is that mod_ssl sends the close notify alert but doesn't wait for # the close notify alert from client. When you need a different shutdown # approach you can use one of the following variables: # o ssl-unclean-shutdown: # This forces an unclean shutdown when the connection is closed, i.e. no # SSL close notify alert is send or allowed to received. This violates # the SSL/TLS standard but is needed for some brain-dead browsers. Use # this when you receive I/O errors because of the standard approach where # mod_ssl sends the close notify alert. # o ssl-accurate-shutdown: # This forces an accurate shutdown when the connection is closed, i.e. a # SSL close notify alert is send and mod_ssl waits for the close notify # alert of the client. This is 100% SSL/TLS standard compliant, but in # practice often causes hanging connections with brain-dead browsers. Use # this only for browsers where you know that their SSL implementation # works correctly. # Notice: Most problems of broken clients are also related to the HTTP # keep-alive facility, so you usually additionally want to disable # keep-alive for those clients, too. Use variable "nokeepalive" for this. # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # MSIE 7 and newer should be able to use keepalive BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown DirectoryIndex index.cfm index.cfml default.cfm default.cfml index.htm index.html #Proxy .cfm and cfc requests to Railo ProxyPassMatch ^/(.+.cf[cm])(/.*)?$ http://127.0.0.1:8888/$1 ProxyPassReverse / http://127.0.0.1:8888/ #Deny access to admin except for local clients <Location /railo-context/admin/> Order deny,allow Deny from all # Allow from <Omitted> # Allow from <Omitted> Allow from 127.0.0.1 </Location> </VirtualHost> </IfModule> The apache2.conf includes the following: # Include the virtual host configurations: Include sites-enabled/ <IfModule !mod_jk.c> LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so </IfModule> <IfModule mod_jk.c> JkMount /*.cfm ajp13 JkMount /*.cfc ajp13 JkMount /*.do ajp13 JkMount /*.jsp ajp13 JkMount /*.cfchart ajp13 JkMount /*.cfm/* ajp13 JkMount /*.cfml/* ajp13 # Flex Gateway Mappings # JkMount /flex2gateway/* ajp13 # JkMount /flashservices/gateway/* ajp13 # JkMount /messagebroker/* ajp13 JkMountCopy all JkLogFile /var/log/apache2/mod_jk.log </IfModule> I believe I understand most of this except the jk_module inclusion which I've noticed has an error that shows up in the logs that I can't sort out: [warn] No JkShmFile defined in httpd.conf. Using default /etc/apache2/logs/jk-runtime-status I've checked my Regular expression against the paths of the directories with RegexBuddy just to be sure that I wasn't correct. The problem doesn't appear to be Regex related although I may have something incorrect in the Directory directive. The Location directive seems to be working correctly for blocking out Railo admin site access.

    Read the article

  • Setting up a very mixed Active Directory network to work with PowerShell Remote Administration

    - by erictheavg
    Summary: I want to be able to monitor the computers on my network, but don't need it to be automated. We're too small to purchase anything like MOM, but too big to do anything manually (~100 machines in two locations). I just keep running into issues, and was wondering if there's a master list of Group Policy settings I can distribute to my environment to get Remote Powershell working. Environment: Our AD network is pretty mixed. The end users have XP SP3, Win 7, and Win 7 x64. The servers include Win2k3 SP2, Win2k8, Win2k8 x64, Win2k8 R2, and Win2k8 R2 x64. Details: I'm trying to get it to work with Remote Powershell, but I run into errors like the following: Connecting to remote server failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic. + CategoryInfo : OpenError: (:) [], PSRemotingTransportException + FullyQualifiedErrorId : PSSessionStateBroken Then I go to the computer (Win2k3 SP2 server) and run winrm quickconfig per the recommendations via google, and it says: Make these changes [y/n]? y WinRM has been updated to receive requests. WinRM service started. WSManFault Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". Error number: -2144108526 0x80338012 The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". That's right. It tells me to remedy my winrm quickconfig failure by running winrm quickconfig. I don't want to band-aid this project one google search at a time. I'm sure there is a step-by-step tutorial out there on how to set up a network for powershell remote administration. Does anyone know of one? Books are acceptable. Thanks in advance! I didn't think my question would get this long.

    Read the article

  • Read access to Active Directory property (uSNCreated)

    - by Tom Ligda
    I have an issue with read access to the uSNCreated property when doing LDAP searches. If I do an LDAP search with a user that is a member of the Domain Admins group (UserA), I can see the uSNCreated property for every user. The problem is that if I do an LDAP search with a user (UserB) that is not a member of the Domain Admins group, I can see the uSNCreated property for some users (UserGroupA) and not for some users (UserGroupB). When I look at the users in UserGroupA and compare them to the users in UserGroupB, I see a crucial difference in the "Security" tab. The users in UserGroupA have the "Include inheritable permissions from this object's parent" unchecked. The users in UserGroupB have that option checked. I also noticed that the users in UserGroupA are users that were created earlier. The users in UserGroupB are users created recently. It's difficult to quantify, but I estimate the border between creation time between the users in UserGroupA and UserGroupB is about 6 months ago. What can cause the user creation to default to having that security property checked as opposed to unchecked? A while back (maybe around 6 months ago?) I changed the domain functional level from Windows Server 2003 to Windows Server 2008 R2. Would that have had this effect? (I can't exactly downgrade the domain functional level to test it out.) Is this security property actually the cause of the issue with read access to the uSNChanged property on LDAP searches? It seems correlated, but I'm not sure about causation. What I want in the end is for all authenticated users to have read access to the uSNCreated property for all users when doing an LDAP search. I would also be OK if I could grant read access for that property to an AD group. Then I can control access by adding members to the group.

    Read the article

  • Active Directory Restricted Group confusion

    - by pepoluan
    I am trying to implement Restricted Group policy for my company's AD infrastructure, namely standardizing the local "Administrators" group. The documentation (and various webpages) said that the "Members of this group" policy will wipe out the "Administrators" group. However, an experiment made me confused: I created 2 GPOs: GPO-A replaces the Local Administrators with a list of domain users (e.g., "Alice" and "Bob") GPO-B inserts a domain user (e.g., "Charlie" -- not part of GPO A) into the Local Administrators Experiment 1: GPO-A gets applied first (link order 2) Everything happens as expected: GPO-A cleans out Local Admins and add "Alice" & "Bob" gets added; GPO-B adds "Charlie". Experiment 2: GPO-B is applied first What happens: "Charlie" gets added to the Local Admins group (which also contains 2 local users) The local users on the PC gets deleted, and "Alice" and "Bob" gets added. Result: Local Admins contain "Alice", "Bob", and "Charlie" My confusion: In Experiment 2, I thought GPO-A will totally erase the Local Admins group, including users added by GPO-B (since GPO-A gets applied after GPO-B). As it happens, it only erase local users from the Local Admins, but keeps the domain users. So, is that the way it should be? Or am I doing something incorrectly?

    Read the article

  • Upgrading my Active Directory domain from Server 2003 to Server 2008 R2

    - by drpcken
    We are currently a single domain on a single network running Server 2003 Standard and Exchange 2007. I have a new server up and running (added to the domain already) with Server 2008 R2 on it. I want this to become my Primary Domain Controller, thus replacing my old Server 2003 server. I know I should just be able to run dcpromo on the new server, then decomission my old server, and raise my domain functional level to match the 2008 server. My only concern is the Exchange 2007 server. Is there anything I need to know relevant to it before I start? Thanks!

    Read the article

  • Joining an Active Directory domain using netdom

    - by Cheezo
    I have a simple script to join an AD domain and rename the computer. When I execute these commands directly on the CLI, it works fine. When I execute the same via batch file, I get an error saying The network path was not found I am running as Administrator with full privileges. I have googled around microsoft forums but my case is unique because it works from the CLI and not from the batch file netdom join %%computername%% /domain:OPSCODEDEMO.COM /userd:Administrator /passwordd:xxx netdom renamecomputer %%computername%% /NewName:%hostname% /Force The environment is Windows 2k8 R2 SP1 running on Ninefold Cloud (Xenserver).

    Read the article

  • active directory servers synchronization

    - by Mit Naik
    I have 3 AD servers with windows server 2008 R2 at 3 different places, main server is at datacenter and 2 are in our local office which are at 2 different place. I want to synchornize all the 3 server together, were datacenter server should be central server and rest 2 servers should synch with the datacenter server. Please provide us the steps or tutorial to do this. Also we want that once the changes are done in 1 of the AD server the changes are automatically done in all the servers. For example if I change the password of user in our local server it should be updated in our main AD server and other branch server too. Please provide us the steps or tutorial to do this asap. I have one more question I have already created main datacenter AD as domain.local and other domains as xyz.local and abc.local, how can I replicate the additional AD domains with main datacenter DC, also do we require VPN connection, is there any other way to replicate the servers without using VPN connection?

    Read the article

  • shutdown -i all computers in active directory domain

    - by Sihan Zheng
    I'm not sure if this is possible, but this is my goal: At the end of the day, I want to be able to turn off all the computers in the domain from a client. My account has sufficient privileges to shutdown any single computer remotely using shutdown -I, and I can RDP into any computer in the domain. However, is there an automated technique that does this? the computers in the domain are predictably named (computer1, computer2, etc), but than manipulating a list of 2000 computers in shutdown -I is pretty clumsy. Is there a way to shutdown every single computer in the domain from a single client? The domain server is windows 2003, and the clients all run windows xp thanks

    Read the article

  • Managing SQL Server users via Active directory groups

    - by hyty
    I'm building SQL Server instance for reporting purposes. My plan is to use AD groups for server and database logins. I have several groups with different roles (admin, developer, user etc.), and I would like to map these roles into SQL Server database roles (db_owner, db_datawriter etc.). What are the pros and cons of using AD groups for logins? What kind of problems you have noticed?

    Read the article

  • Installation of Active Directory on separate VM from DNS does not entierly work - not sure why

    - by René Kåbis
    Not sure what I am doing wrong here. I have a moderately midrange server (16 cores, 2Ghz, 32GB ECC REG RAM, 6TB storage, nothing too extreme) where I am running Hyper-V (Server 2012 R2 Enterprise) in order to provision virtual machines. So why an AD separate from DNS? I want redundancy. I want to be able to move VMs and back them up individually and not have too many services on any one VM. I have already provisioned a VM with DNS, and have set it up right -- essentially, I have: Set up Static IP’s for everyone involved. Installed the DNS service on the DNS VM. Created a forward lookup zone and a reverse lookup zone (primary zone) xyz.ca Configured the zones to use nonsecure and secure dynamic updates (i will change this to secure later after the domain controller is online). Created a A record for the DC in the forward lookup zone (and a reverse ptr) Changed DC’s DNS server (network settings) to the new DNS server. Checked that I can ping the dns server from the new DC by hostname. When I went ahead and did a DCpromo on the DC, and un-cheked the “install DNS” option, everything seemed to go well (no error messages), but I saw no changes on the DNS server whatsoever (no additional settings). Plus, the DNS server seems to be unable to join the domain, as it claims that the domain is not discoverable. As a final note, I do run Symantec Endpoint Protection, which includes a firewall and most settings set as default. I have not yet tried turning this off, but my experience has been that if a service would open up a port on a Windows firewall, it would do the same through Symantec. There is pretty tight integration these days with corporate-class AV and Windows. I have a template vhdx fully set up (just short of any special roles and features) that I can use to replace the current AD VM with, so doing this all over again is not too much skin off of my nose.

    Read the article

  • Testing for Active Directory Schema modification (not upgrade)

    - by Darktux
    I am trying to test a schema modification. That is i need to add one of the attributes to global catalog by modifying schema , initially in a lab which is exact replica.My questions are below; - What tests need to be done post schema change to determine if its safe for production? - Apart from measuring changes in DIT size post change, is there a way to find the whole size increase for adding an attribute to GC pre change? please let me know if any extra questions or info required.

    Read the article

  • Windows Server 2008 Active Directory DNS setup

    - by Mister IT Guru
    I have to setup a small windows network inside my bigger linux/mac infrastructure. In order to get the windows clients logging onto the domain, I have had to make the DC their primary DNS server, which seems to have worked. I would much prefer to have one DNS server running on my network, or at least one authoritative server running on the network. I have a USG 200 router/firewall and I can configure some static records for DNS, but I an not sure what I need to put in order to get DNS and AD working together, and hints and tips appreciated.

    Read the article

  • Logon script in Active Directory

    - by tareq838
    I am having a weird intermittent issue for only some users. I have a logon script that maps shared drives and issues a diisclaimer everytime the user logs on to a machine. The problem lately is that the logon script will not run for the user so we get a help desk call. When one of the help desk techs log on to the machine the script then comes up. The tech then logs off and the user will log back in and they will get the logon script. I am at wits end with this issue. Any help would be appreciated. It has happend on both Windows XP and Vista 64.

    Read the article

  • Active Directory Script: DSMOVE failed

    - by Malnizzle
    DSQUERY user -inactive 4 | DSMOVE -newparent <distinguished name of target OU> Running this script and getting "dsmove failed (user) is an unknown parameter". If I run the dsquery w/o the dsmove, it cleanly pulls a list for me. If I run with just one account, it works as well. Thoughts?

    Read the article

  • LDAP, Active Directory and bears, oh my!

    - by Tim Post
    What I have: Workstations running Ubuntu Jaunty mounting /home on a remote NFS server. User accounts are still created locally on each individual workstation. Workstations running Windows XP / Vista NFS server (as noted above) Windows 2008 server All machines share a single private network (LAN). What I need to accomplish: A single, intuitive (GUI driven) place for an office administrator to create user accounts. This should let anyone login to their (linux or windows) workstation, then fire up remote desktop and use the same login to the Windows 2008 server, from any machine on the network. I have read so much on samba, LDAP vs AD, etc and now I'm even more confused than I was before I began researching the problem. Ideally, Linux and Windows users should be able to get to their local files once logged into the Win2008 server. I am a programmer, not an interoperability guru and I'm completely lost on where to even start trying to accomplish this, plus I've run out of things to Google. How would you do this? Is it even possible?

    Read the article

  • Windows Shares / NTFS permissions on folder redirection in Active Directory

    - by Shawn Gradwell
    A client has folder redirection in AD setup on each user's Home Folder set to the Z:\ drive as \server\share\username. A Group Policy redirects the user's Documents to the user's Home Folder with the option 'Grant the user to exclusive rights to Documents' selected. The share on the server has permissions for the relevant user security group with 'Full Control', but each user's folder only have NTFS permissions only for 'CREATOR OWNER' and 'Domain Admins'. Why can the different users access other user's folders? I thought the most restrictive permissions applied effectively between the share and the NTFS permissions. Also, this setup has been like this for years, and this client recently updated all client computers to Windows 7. What is the best way to setup this redirection now? I assume only in Group Policy, also Basic Redirection - to create a folder for each user under the root path?

    Read the article

  • Intraforest user account merge with Active Directory

    - by Neobyte
    I have a scenario where there is a root domain (RD) and two child domains (CD1 and CD2). Users have accounts on both CD1 and CD2, with identical samAccountNames, names etc, and various applications either use the CD1 or CD2 account for authentication to resources. I need to collapse CD2 into CD1, so I want to merge the accounts together. However ADMT does not allow me this option (merge options are greyed out), I think because it does not support intraforest merge of accounts (although it does not explicitly state this anywhere in the documentation). My question is - what is the easiest way for me to merge these accounts? Ultimately all I really need (I think) is for the SID of CD2\user1 to be added to the SIDHistory of CD1\user1 - is there a tool that supports this? Computer accounts and profiles are not a concern for this scenario. Group migration is unlikely to be an issue either - CD2\user1 is usually granted resource access through membership of a group on CD1.

    Read the article

  • Active Directory theme policies

    - by Tuinslak
    Hey, I'm currently managing a terminal server in a domain. As the TS-service just got installed, previous users (I logged in with every user once to test it and set up a few things) use the default windows 2008 theme. New users automatically use the fancy Aero theme. Is there a way to push the Aero theme to all current users? I currently have something like this in my policies: However, when logging in with a user, the theme is not changed. Only if I disable "prohibit access to the control panel", the theme can be changed (doesn't seem to change automatically). But this gives them access to every other control panel feature as well. And giving users only access to "desk.cpl" CP-applet, gives them an access error as well when attempting to change the theme. Another question: can I, as admin, take over and/or log in as another user when that user is not logged in? Thanks

    Read the article

  • NTFS Permission Structure to allow Traversal but no Modification except in Leaf Nodes?

    - by pepoluan
    Assume there's this folder structure: D:\ --+-- Acctg --+-- Payable | +-- Receivable | +-- Fin --+-- Inv | +-- Tax | +-- Treas | +-- Mrktg --+-- Ads +-- Promo Users are not allowed to change the structure, but they are free to create & delete files & folders in the leaf nodes (i.e., the rightmost folders). AGDLP principle said that I should assign permissions on the above folders to DL-Groups. Let's say I have a G-Group of users, G-Accounting-Payable, containing users that have access to the D:\Acctg\Payable folder. The way I see it, I have two strategies: - Strategy 1 Create three DL-Groups and assign them permissions: DL-D-Acctg_T -- allowed traversal of D:\Acctg folder DL-D-Acctg-Pay_LF -- allowed listing of D:\Acctg\Payable folder contents DL-D-Acctg-Pay__RW -- allowed full permissions to the contents of D:\Acctg\Payable folder Add G-Accounting-Payable as member to all the above DL-Groups - Strategy 2 Create just one DL-Group DL-D-Acctg-Pay__RW, and assign it the proper permissions for each level of the folder. Then, add G-Accounting-Payable as member to that DL-Group. - Which strategy is the Recommended Best Practice, and why?

    Read the article

  • Active Directory: Viewing "Attribute Editor" after finding an account via ADUC's "Find" option

    - by Beaming Mel-Bin
    When I activate the Advanced features (View - Advanced Features) and open a user's properties by navigating to their OU and right clicking the user object, I see the Attribute Editor tab. However, if I search for a user (right click the domain - Find - search for the user), and double click on the user, I do not see the tab. I cannot normally navigate to users because some OUs have too many users. Can someone suggest an alternative that allows me to view the Attribute Editor tab?

    Read the article

  • pfsense, active directory, local domain

    - by Dalton Conley
    First things first, I have no idea what I'm doing. Certainly not afraid to admit that.. but here is my network setup. I have 2 servers, one of them in a domain controller. Both are running windows server 2008. They have replicated directories. Each server is at a different location and has its own firewall for the network at that location. Both firewalls are using pfsense. Recently a firewall went down and my coworker reinstalled pfsense, and everything seems setup correctly. Again, I have no idea what I'm doing so I'm not sure. I have records from when the previous IT person had setup this network and the firewall settings are the same but those records could have been extremely old. Now, I have a domain name for my network.. we'll call it "mydomain.net". I use to be able to access this domain name and it would bring up the servers replicated drives(i.e. \\mydomain.net). Now I cannot. I can however access the servers individual host names on my network(i.e. \\server1 , \\server2). We didn't change anything on the server which is what makes me think its something to do with the firewall. I know this is probably a very general question and I don't have a lot of detail to add but could anyone give me some insight on to what could be causing this, or some debugging techniques I can apply to this? I'm a programmer, not a network administrator.

    Read the article

< Previous Page | 10 11 12 13 14 15 16 17 18 19 20 21  | Next Page >