Search Results

Search found 16797 results on 672 pages for 'directory traversal'.

Page 65/672 | < Previous Page | 61 62 63 64 65 66 67 68 69 70 71 72  | Next Page >

  • FindByIdentity in System.DirectoryServices.AccountManagment Memory Issues

    - by MVC Fanatic
    I'm working on an active directory managament application. In addition to the typical Create A New User, Enable/Disable an account, reset my password etc. it also managages application permissions for all of the clients web applications. Application management is handled by thousands of AD groups such as which are built from 3 letter codes for the application, section and site, there are also hundreds of AD groups which determine which applications and locations a coordinator can grant rights to. All of these groups in turn belong to other groups so I typically filter the groups list with the MemberOf property to find the groups that a user directly belongs to (or everyone has rights to do everything). I've made extensive use of the System.DirectoryServices.AccountManagment namespace using the FindByIdentity method in 31 places throughout the application. This method calls a private method FindPrincipalByIdentRefHelper on the internal ADStoreCtx class. A SearchResultCollection is created but not disposed so eventually typically once or twice a day the web server runs out of memory and all of the applications on the web server stop responsing until iis is reset because the resources used by the com objects aren't ever relased. There are places where I fall back to the underlying directory objects, but there are lot of places where I'm using the properties on the Principal - it's a vast improvement over using the esoteric ad property names in the .Net 2.0 Directory services code. I've contacted microsoft about the problem and it's been fixed in .Net 4.0 but they don't currently have plans to fix it in 3.5 unless there is intrest in the community about it. I only found information about it in a couple of places the MDSN documentation in the community content state's there is a memory leak at the bottom (guess I should have read that before using the the method) http://msdn.microsoft.com/en-us/library/bb345628.aspx And the class in question is internal and doesn't expose SearchResultsCollection outside the offending method so I can't get at the results to dispose them or inherit from the class and override the method. So my questions are Has anyone else encountered this problem? If so were you able to work around it? Do I have any option besides rewriting the application not using any of the .Net 3.5 active directory code? Thanks

    Read the article

  • git - how do I clone into a non-empty directory?

    - by shovas
    I have directory A with files matching directory B. Directory A may have other needed files. Directory B is a git repo. I want to clone directory B to directory A but git-clone won't allow me to since the directory is non-empty. I was hoping it would just clone .git and since all the files match I could go from there? I can't clone into an empty directory because I have files in directory A that are not in directory B and I want to keep them. Copying .git is not an option since I want refs to push/pull with and I don't want to set them up manually. Is there any way to do this? Update: I think this works, can anyone see any problems? -- cd a git clone --no-hardlinks --no-checkout ../b a.tmp mv a.tmp/.git . rm -rf a.tmp git unstage # apparently git thinks all the files are deleted if you don't do this

    Read the article

  • Apache SSO through Kerberos using Machine Account

    - by watkipet
    I'm attempting to get Apache on Ubuntu 12.04 to authenticate users via Kerberos SSO to a Windows 2008 Active Directory server. Here are a few things that make my situation different: I don't have administrative access to the Windows Server (nor will I ever have access). I also cannot have any changes to the server made on my behalf. I've joined Ubuntu server to the Active Directory using PBIS open. Users can log into the Ubuntu server using their AD credentials. kinit also works fine for each user. Since I can't change AD (except for adding new machines and SPNs), I cannot add a service account for Apache on Ubuntu. Since I can't add I service account, I have to use the machine keytab (/etc/krb5.keytab), or at least use the machine password in another keytab. Right now I'm using the machine keytab and giving Apache readonly access (bad idea, I know). I've already added the SPN using net ads keytab add HTTP -U Since I'm using Ubuntu 12.04, the only encoding types that get added during "net ads keytab add" are arcfour-hmac, des-cbc-crc, and des-cbc-md5. PBIS adds the AES encoding types to the host and cifs principals when it joins the domain, but I have yet to get "net ads keytab add" to do this. ktpass and setspn are out of the question because of #1 above. I've configured (for Kerberos SSO) and tested both IE 8 Firefox. I'm using the following configuration in my Apache site config: <Location /secured> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd On KrbAuthRealms DOMAIN.COM Krb5KeyTab /etc/krb5.keytab KrbLocalUserMapping On require valid-user </Location> When Firefox tries to connect get the following in Apache's error.log (LogLevel debug): [Wed Oct 23 13:48:31 2013] [debug] src/mod_auth_kerb.c(1628): [client 192.168.0.2] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos [Wed Oct 23 13:48:31 2013] [debug] mod_deflate.c(615): [client 192.168.0.2] Zlib: Compressed 477 to 322 : URL /secured [Wed Oct 23 13:48:37 2013] [debug] src/mod_auth_kerb.c(1628): [client 192.168.0.2] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos [Wed Oct 23 13:48:37 2013] [debug] src/mod_auth_kerb.c(994): [client 192.168.0.2] Using HTTP/[email protected] as server principal for password verification [Wed Oct 23 13:48:37 2013] [debug] src/mod_auth_kerb.c(698): [client 192.168.0.2] Trying to get TGT for user [email protected] [Wed Oct 23 13:48:37 2013] [debug] src/mod_auth_kerb.c(609): [client 192.168.0.2] Trying to verify authenticity of KDC using principal HTTP/[email protected] [Wed Oct 23 13:48:37 2013] [debug] src/mod_auth_kerb.c(652): [client 192.168.0.2] krb5_rd_req() failed when verifying KDC [Wed Oct 23 13:48:37 2013] [error] [client 192.168.0.2] failed to verify krb5 credentials: Decrypt integrity check failed [Wed Oct 23 13:48:37 2013] [debug] src/mod_auth_kerb.c(1073): [client 192.168.0.2] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL) [Wed Oct 23 13:48:37 2013] [debug] mod_deflate.c(615): [client 192.168.0.2] Zlib: Compressed 477 to 322 : URL /secured When IE 8 tries to connect I get: [Wed Oct 23 14:03:30 2013] [debug] src/mod_auth_kerb.c(1628): [client 192.168.0.2] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos [Wed Oct 23 14:03:30 2013] [debug] mod_deflate.c(615): [client 192.168.0.2] Zlib: Compressed 477 to 322 : URL /secured [Wed Oct 23 14:03:30 2013] [debug] src/mod_auth_kerb.c(1628): [client 192.168.0.2] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos [Wed Oct 23 14:03:30 2013] [debug] src/mod_auth_kerb.c(1240): [client 192.168.0.2] Acquiring creds for HTTP@apache_server [Wed Oct 23 14:03:30 2013] [debug] src/mod_auth_kerb.c(1385): [client 192.168.0.2] Verifying client data using KRB5 GSS-API [Wed Oct 23 14:03:30 2013] [debug] src/mod_auth_kerb.c(1401): [client 192.168.0.2] Client didn't delegate us their credential [Wed Oct 23 14:03:30 2013] [debug] src/mod_auth_kerb.c(1420): [client 192.168.0.2] GSS-API token of length 9 bytes will be sent back [Wed Oct 23 14:03:30 2013] [debug] src/mod_auth_kerb.c(1101): [client 192.168.0.2] GSS-API major_status:000d0000, minor_status:000186a5 [Wed Oct 23 14:03:30 2013] [error] [client 192.168.0.2] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ) [Wed Oct 23 14:03:30 2013] [debug] mod_deflate.c(615): [client 192.168.0.2] Zlib: Compressed 477 to 322 : URL /secured Let me know if you'd like additional log and config files--the initial question is getting long enough.

    Read the article

  • How can I switch an existing set of Subversion repositories to use ActiveDirectory?

    - by jpierson
    I have a set of private Subversion repositories on a Windows Server 2003 box which developers access via SVNServe over the svn:// protocol. Currently we have been using the authz and passwd files for each repository to control access however with the growing number of repositories and developers I'm considering switching to using their credentials from ActiveDirectory. We run in an all Microsoft shop and use IIS instead of Apache on all of our web servers so I would prefer to continue to use SVNServe if possible. Besides it being possible, I'm also concerned about how to migrate our repositories so that the history for the existing users map to the correct ActiveDirectory accounts. Keep in mind also that I'm not the network administrator and I'm not terrible familiar with ActiveDirectory so I'll probably have to go through some other people to get the changes made in ActiveDirectory if necessary. What are my options? UPDATE 1: It appears from the SVN documentation that by using SASL I should be able to get SVNServe to authenticate using ActiveDirectory. To clarify, the answer that I'm looking for is how to go about configuring SVNServe (if possible) to use ActiveDirectory for authentication and then how to modify an existing repository to remap existing svn users to their ActiveDirectory domain login accounts. UPDATE 2: It appears that the SASL support in SVNServe works off of a plugin model and the documentation only shows as an example. Looking at the Cyrus SASL Library it looks like a number of authentication "mechanisms" are supported but I'm not sure which one is to be used for ActiveDirectory support nor can I find any documentation about such matters. UPDATE 3: Ok, well it looks like in order to communication with ActiveDirectory I'm looking to use saslauthd instead of sasldb for the *auxprop_plugin* property. Unfortunately it appears that according to some posts (possibly outdated and inaccurate) saslauthd does not build on Windows and such endeavors are considered a work in progress. UPDATE 4: The lastest post I've found on this topic makes it sound as though the proper binaries () are available through the MIT Kerberos Library but it sounds like the author of this post on Nabble.com is still having issues getting things working. UPDATE 5: It looks like from the TortoiseSVN discussions and also this post on svn.haxx.se that even if saslgssapi.dll or whatever necessary binaries are available and configured on the Windows server that the clients will also need the same customization in order to work with these repositories. If this is true, we will only be able to get ActiveDirectory support from a windows client only if changes are made in these clients such as TortoiseSVN and CollabNet build of the client binaries to support such authentication schemes. Although thats what these posts suggest, this is contradictory from what I originally assumed from other reading in that being SASL compatible should require no changes on the client but instead only that the server be setup to handle the authentication mechanism. After reading a bit more carefully in the document about Cyrus SASL in Subversion section 5 states "1.5+ clients with Cyrus SASL support will be able to authenticate against 1.5+ servers with SASL enabled, provided at least one of the mechanisms supported by the server is also supported by the client." So clearly GSSAPI support (which I understand is required for Active Directory) must be available within the client and the server. I have to say, I'm learning way too much about the internals of how Subversion handles authentication than I ever wanted to and I juts simply want to get an answer about whether I can have Active Directory authentication support when using SVNServe on a Windows server and accessing this from Windows clients. According to the official documentation it seems that this is possible however you can see that the configuration is not trivial if even possible at all.

    Read the article

  • Sharepoint AD imported users are becomming sporadically corrupted, causing us to have to create a new account

    - by TrevJen
    Sharepoint 2007 MOSS with AD imported users. All servers are 2008. ***UPDATE More details in testing. This Sharepoint is in an AD Child domain (clients.mycompany.local), which is sub to the root of the AD tree (mycompany.local). The user is in the parent tree (as are half of the other functional users. I have elevated the user rights to Domain. In looking at the logs, it seems that the Sharepoint server is trying to authenticate them by querying the DC for the clients domain (which is the way it normally works and still works for all existing identically configured users). I think if I could force it to authenticate up to the top domain DC then it would be ok?? I have around 50 users, over the past 2 months, I have had a handful of the users suddenly unable to login to Sharepoint. When they login, they either get a blank screen or they are repropmted. These users are using accounts that have been used for many months, sometimes the problem originates with a password change. In all cases, the users account works on every other Active Directory authenticated resource (domain, exchange, LDAP). In the most recent case, last night I was forced deleted a user ("John smith") because of corruption. The orifinal account name was jsmith. I deleted him from active directory, then deleted him from the profile list in Sharepoint Shared Services. I could not find a way to delete him from the Sharepoint user list, but I reran the import after recreating his account (renamed it too just to be sure to "smithj"). At first, this did not wor, the user could still access all other resources but Sharepoint. then, some 30 minutes later it inexplicably started working. This morning, the user changed passwords, which immediatly broke the login on Sharepoint again. Logs by request from matt b Office SharePoint Server Date: 4/13/2010 2:00:00 PM Event ID: 7888 Task Category: Office Server General Level: Error Keywords: Classic User: N/A Computer: nb-portal-01.clients.netboundary.local Description: A runtime exception was detected. Details follow. Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) – TrevJen 19 hours ago Techinal Details: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) at Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex) at Microsoft.SharePoint.Library.SPRequest.UpdateField(String bstrUrl, String bstrListName, String bstrXML) at Microsoft.SharePoint.SPField.UpdateCore(Boolean bToggleSealed) – TrevJen 19 hours ago at Microsoft.SharePoint.SPField.Update() at Microsoft.Office.Server.UserProfiles.SiteSynchronizer.UserSynchronizer.PushSchemaToList(Boolean& bAddedColumn) at Microsoft.Office.Server.UserProfiles.SiteSynchronizer.UserSynchronizer.SynchFull() at Microsoft.Office.Server.UserProfiles.SiteSynchronizer.Synch() at Microsoft.Office.Server.Diagnostics.FirstChanceHandler.ExceptionFilter(Boolean fRethrowException, TryBlock tryBlock, FilterBlock filter, CatchBlock catchBlock, FinallyBlock finallyBlock) – TrevJen 19 hours ago Log Name: Application Source: Office SharePoint Server Date: 4/13/2010 2:00:00 PM Event ID: 5553 Task Category: User Profiles Level: Error Keywords: Classic User: N/A Computer: nb-portal-01.clients.netboundary.local Description: failure trying to synch site 6fea15e2-0899-4c19-9016-44d77834c018 for ContentDB b2002b0b-3d4c-411a-8c4f-3d047ca9322c WebApp 3aff7051-455d-4a70-a377-5b1c36df618e. Exception message was Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). – TrevJen 18 hours ago

    Read the article

  • Windows Server 2012 Migration (DNS/AD DS Standard Eval to Essentials OEM) P2V -> Do I need a Secondary Domain Controller during migration?

    - by Aubrey Robertson
    This is my first post on this exchange (although not my first on stack exchange), so please have patience. I am a 3rd year student intern, and I have been tasked with virtualizing the server systems at the company I work for. I have come a long way, and I am almost ready to install the VM Server in migration mode. Here is some information: Source Server: Windows Server 2012 Standard Evaluation DNS Server (local only) Advanced Directory Domain Services File and Storage stuff A few other server roles Destination Server: Windows Server 2012 Essentials OEM (Hyper-V client) Running under a temporary Hyper-V host (will migrate the Hyper-V host back to the old machine after the original server is virtualized as a client). Sitting currently at the "Select Installation Mode" screen. I have been following the guides on Microsoft tech net, and today I spent most of the day getting rid of issues in the Best Practices Analyser on the source machine. I have 3 remaining issues (which are all related): ERROR: DNS: DNS servers on Ethernet (adapter name) should include the loopback address, but not as the first entry (flavour text indicates that, during migration, the DNS server may not be found) WARNING: All domains should have at least two domain controllers for redundancy. WARNING: DNS: Ethernet should be configured to use both a preferred and an alternate DNS Server. All of these issues can be resolved by deploying a secondary domain controller, but I have never done that before (see my concerns below). The main issue here that I am concerned with for installing in migration mode is the FIRST one (the error). If I try and set-up the new server deployment, and the adapter domain controller is listed as localhost, then this may cause the installation to fail. (at least, this is what the Microsoft documentation suggests). But I do not have another IP address to enter here as I have no other local domain controllers. So I did the first obvious thing that came to my mind, and tried to use Google DNS servers as my alternates. That did not work because they couldn't recognize other computers in the "forest". Now I'm no expert when it comes to DNS, so please forgive my ignorance. This DNS server is concerned only with Active Directory stuffs for the local network. If I go ahead with migration, and it fails, then I will just have to go ahead and install a secondary DNS server I suppose. The problem I have here is that I am limited by the amount of Windows Server keys I have available (I have 2); however, I do have access to a Linux box running Debian Wheezy that I set-up two weeks ago as a Mantis server. I could install Windows Server 2012 as a secondary DNS (I think) in a VM and use that, but then it seems like I will be wasting time, and probably the Windows key too, and if there's another way to do it with Linux that would be much better. Even better still, do I even need a secondary DNS server for migration at all? The hints said that during migration the original machine "might" not be found. Thank you for your time and consideration.

    Read the article

  • CertificateServicesClient-CredentialRoaming error 1005

    - by PVitt
    We have a Microsoft Team Foundation Server (Single Server Installation, i.e. Microsoft SQL Server 2008, Microsoft Windows SharePonint Services 3.0) installed on a Windows Server 2008 machine. The TFS works fine, but there are error events logged frequently: Log Name: Application Source: Microsoft-Windows-CertificateServicesClient-CredentialRoaming Event ID: 1005 Level: Error Description: Certificate Services Client: Credential Roaming failed to write to the Active Directory. Error code 5 (Access is denied.) The problem is clear (the error message is quite precise) but I don't have a clue how to fix it! Where has the access to be granted? What permissions have to be set?

    Read the article

  • Get-ADGroupMember returns nothing while being completed successfully

    - by Volodymyr
    I've tried to list all of the members of one of the groups in AD, but nothing is returned, although the command is completed successfully. It neither works with group DN specified, instead of sAMAccountName. Get-ADGroupMember "sAMAccountName" -Recursive | select name See output below: The following message appears if one views Members from dsa.msc --------------------------- Active Directory Domain Services --------------------------- Some of the object names cannot be shown in their user-friendly form. This can happen if the object is from an external domain and that domain is not available to translate the object's name. --------------------------- OK --------------------------- Can this be a reason for powershell not returning results? Any thoughts? UPD: this doesn't seem to be permissions issue, since dsquery does return group members.

    Read the article

  • How to change local user home folder on Windows 2000 and above

    - by Adi Roiban
    I was using a local account on a Windows 7 desktop that is not connected to any Active Directory. After a while it was required to rename the local account. Renaming the account was simple using Local users and groups management tool. After renaming the user, the user home folder was not renamed and I could not find any information about how to change user home folder. I found the ProfileList registry folder but maybe there is a command line for doing such changes. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Any help is much appreciated. Thanks!

    Read the article

  • Windows Server 2008 R2 LDAPS

    - by Chad Moran
    I have a Server 2008 R2 server with ADDS installed. I'm trying to configure HP's ILO utility to connect to it over SSL. I installed the Active Directory Certificate Service, after doing so I'm still not able to connect to LDAP over SSL. I checked the event log and it's showing warnings with Event ID 36886 saying that there aren't default credentials yet. I'm not too sure why this is happening. I haven't done anything with ADCS other than installing the service do I need to create a certificate for the server?

    Read the article

  • How to change local user home folder on Windows 2000 and above

    - by Adi Roiban
    I was using a local account on a Windows 7 desktop that is not connected to any Active Directory. After a while it was required to rename the local account. Renaming the account was simple using Local users and groups management tool. After renaming the user, the user home folder was not renamed and I could not find any information about how to change user home folder. I found the ProfileList registry folder but maybe there is a command line for doing such changes. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Any help is much appreciated. Thanks!

    Read the article

  • Reset UAC on a folder after permitting access

    - by Roel Vlemmings
    When I access a folder in Program Files I get a UAC prompt confirming with me that I want to permit access to it. I say "yes" and get permanent access. My question is: how do I reset this folder so that it prompts me again. The reason I ask is that I am testing a .NET program I wrote that deals with directory access permissions and I need to test it with the UAC protection on. But now that I have permitted access manually, I can't figure out how to turn the UAC protection back on to retest my program.

    Read the article

  • Massive Network Upgrade

    - by Cliff Racer
    I find myself tasked with organizing an upgrade of our entire Active Directory from server 2003 to 2008. We run a few AD dependant services such as Exchange 2007 SQL Server 2008 SharePoint 2007 All of which we are looking to bring up to date as well with their most recent versions. The original AD was a little bit of a mess (the exchange upgrade from 2003 left some stuff in the AD database that I make references to servers that no longer exist for example). Here is what I want to accomplish Migrate the domain from our 2003 to a NEW clean 2008r2 domain Upgrade from Sharepoint 2007 to 2010 Upgrade Exchange from 2007 to 2010 My question is, in what order do we do things? Can I do a domain upgrade and simply migrate exchange after? On their own, these objectives are complicated enough, orchestrating them in our company while minimizing downtime is making my head spin. I have done a lot of the research on how to do them individually but I am having trouble figuring out how to do them all in concert.

    Read the article

  • Can you authenticate into SSAS with AD LDS (ADAM) accounts?

    - by Jaxidian
    I'm very new to AD LDS and experienced but not qualified with SSAS, so my apologies for my ignorances with these. We have a couple implementations where we expose SSAS via an HTTPS proxy (msmdpump.dll) and currently we have a temporary domain setup handling this (where our end-users have a second account+creds to manage because of this = non-ideal). I want to move us towards a more permanent solution which I'm thinking of moving all authentication to AD LDS for our web apps, SSAS, and others. However, SSAS is where I'm concerned about this. I know SSAS requires Windows Authentication and to play nicely, and that this ultimately means Active Directory will be involved. Is there a way to get this done with AD LDS instead of having to use a full AD DS implementation? If so, how? (Note: My question over at StackOverflow had a suggestion that I post this question here on ServerFault instead. My apologies if I'm not asking in the right forum.)

    Read the article

  • Windows Service and Group Policy unable to access network share on Win2008 Domain

    - by Terence Johnson
    I have one computer on my domain that has suddenly stopped receiving software updates via group policy. Domain logins still work, and group policy on the machine is still being updated, so it knows that there are new packages to install and where to look for them, but every time it tries to install a package, it throws a 1622 error (location not found). Logged in users can reach the same network shares, and every other computer on network is installing the packages. Further investigation found that other services running as "System" on the problematic computer are also unable to authenticate to network shares. How do I diagnose/fix this computer's account in Active Directory? The computer account exists, and is a member of "Domain Computers" - or is there something else I should be looking at?

    Read the article

  • Windows server 2008 issue

    - by Matt Fitz
    We have 2 domains “pdc1” and “devkc” both are windows 2000 Active Directory domains with a 2-way trust relationship in place., has been this way for years. All of our developer machines are joined to the “devkc” domain but the users log into there accounts on the “pdc1” domain. This all works fine with Windows XP, 2000 and 2003 server. However with Windows Server 2008 the users can only log into the “devkc” domain that the machine is joined to, they can not log into the “pdc1” domain. The following error results: "The security database on this server does not have a computer account for this workstation trust relationship” Any ideas would be greatly appreaciated Thanks Matt Fitz

    Read the article

  • lsass.exe memory leak on windows 2003 server

    - by thelsdj
    In the past month or so I noticed that lsass.exe has started to leak memory, getting to 500MB+ of ram in under a week after reboot. Before this I had never noticed it using any significant amount of memory compared to other processes on the system. This is happening on 2 identical servers, neither of which has anything to do with Active Directory. Maybe a recent Windows Update has caused this? Any thoughts on things to check? As a side question is there some way to recycle the memory usage of lsass.exe without rebooting? Edit: Here is what I'm seeing in Process Monitor, there are thousands of registry open/query/close a minute from lsass.exe. How can I track down what is triggering these?

    Read the article

  • Using net group to add users to a AD group

    - by numone
    Hi, I'm trying to add users to the an Active Directory group using net group. We use Domain Local groups for everything. When I go to run the command net group "group name" "username" /add /domain it returns "The group name could not be found. More help is available by typing NET HELPMSG 2220." If I create a Global group and try to add them it works without issues. I would rather not re-do all of our groups just to be able to use this to add people to a group. Any thoughts/suggestions?

    Read the article

  • How to handle external and internal DNS on windows 2012

    - by ThePopcorn
    I'm trying to setup an Active Directory network on Server 2012 R2, and want AD's DNS to only be used internally (Ex: domain-controller.company.com) as well as some records that need both internal and external accessibility (Ex: mail.company.com) that use internal IP's on the internal network and finally some records that only need external access. The only solutions i have been able to think of, or look up are to either use a sub domain that handles all internal records, and use the plain company.com domain for all external records. These both seem to mean i have to manage two DNS servers separately. Is either of these the best ways or am i messing up somewhere?

    Read the article

  • Best practice for authenticating DMZ against AD in LAN

    - by Sergei
    We have few customer facing servers in DMZ that also have user accounts , all accounts are in shadow password file. I am trying to consolidate user logons and thinking about letting LAN users to authenticate against Active Directory.Services needing authentication are Apache, Proftpd and ssh. After consulting security team I have setup authentication DMZ that has LDAPS proxy that in turn contacts another LDAPS proxy (proxy2) in LAN and this one passes authentication info via LDAP (as LDAP bind) to AD controller.Second LDAP proxy only needed because AD server refuses speak TLS with our secure LDAP implemetation. This works for Apache using appropriate module.At a later stage I may try to move customer accounts from servers to LDAP proxy so they are not scattered around servers. For SSH I joined proxy2 to Windows domain so users can logon using their windows credentials.Then I created ssh keys and copied them to DMZ servers using ssh-copy, to enable passwordless logon once users are authenticated. Is this a good way to implement this kind of SSO?Did I miss any security issues here or maybe there is a better way ofachieving my goal?

    Read the article

  • Tools for retrieving and modifying multi-value attributes in Microsoft ActiveDirectory

    - by Justin
    Most attributes in MSAD are single-valued and pose no problem. I am familiar with the dsquery user -samid jdoe | dsmod -webpg "http://some.url/" method. However, some attributes are multi-valued, such as telephone number and webpage. These values can be managed through the Active Directory Users & Computers Microsoft Console (dsa.msc) via the dialogue shown by clicking on the "Other..." button, but I'd really rather script the modifications. It seems to me that dsmod & dsget do not support multi-value retrieval and editing; only the first value of the set seems to be accesible. Am I correct? If I am not correct, I would appreciate a syntax example. If I am correct, would you please recommend an alternative scriptable tool that can handle multi-value attributes? The more "official and supported" the tool, the better.

    Read the article

  • How to fix? => Your system administrator does not allow the user of saved credentials to log on to the remote computer

    - by Pure.Krome
    At our office, any of our Windows 7 Clients get this error message when we try and RDP to a remote W2K8 Server outside of the office :- Your system administrator does not allow the user of saved credentials to log on to the remote computer XXX because its identity is not fully verified. Please enter new credentials A quick google search leads to some posts they all suggest I edit group policy, etc. I'm under the impression, that the common fix for this, is to follow those instructions -per Windows7 machine-. Ack :( Is there anyway I can do something via our office Active Directory .. which auto updates all Windows 7 clients in the office LAN?

    Read the article

  • When i log on then i get annyoing cmd windows in windows7

    - by user191542
    I am using windows 7 on my office PC and that is linked with Active directory. I dont't know what happend if installed something few days ago many small softwares. I don't know if there was some virus or something but anti virus didn't tell anything. Now when i log ion then i keep getting many cmd screen opening and closing and i can't do anything. If i switch user and log with my admin acount then it also happens again witha dmin account. Now when again if i go back to old screen by switching user. then annoying cmd windows are not there. i want to know how can i fix that I managed to get print screen of that

    Read the article

  • GPO best practices : Security-Group Filtering Versus OU

    - by Olivier Rochaix
    Good afternoon everyone, I'm quite new to Active Directory stuff. After upgraded Functional level of our AD from 2003 to 2008 R2 (I need it to put fine-grained password policy), I then start to reorganized my OUs. I keep in mind that a good OU organization facilitate application of GPO (and maybe GPP).But in the end, it feels more natural for me to use Security-group filtering (from Scope tab) to apply my policies, instead of direct OU. Do you think it is a good practice or should I stick to OU ? We are a small organisation with 20 users and 30-35 computers. So, we got a simple OU tree, but more subtle split with security-groups. The OU tree doesn't contain any objects except at the bottom level. Each bottom level OU contains Computers,Users, and of course security groups. These security groups contains Users & Computers of the same OU. Thanks for your advices, Olivier

    Read the article

  • Windows 2008 R2 File Sharing - 'Access denied' if groups are specified in ACL

    - by John Smith
    I am trying to move our old Windows 2003 File Server to Windows 2008 R2. What I have noticed, however, is that the entries for groups in the ACL are being ignored. For example, a user is part of a group in active directory. If I create a folder and enable full access for this group, then share this folder (and define sharing permissions for this group), users in that group do not get access to that folder. If I make an entry in the ACL for the user itself, it works perfectly. These even applies to my domain administrator account - If I create a folder and give full control to the local administrators group / domain administrators group, and I physically log on to the server, I still do not get access - I need to explicitly define my name to proceed. I am not sure what the problem is, tried looking it up in Google to no avail Any assistance will be greatly appreciated

    Read the article

< Previous Page | 61 62 63 64 65 66 67 68 69 70 71 72  | Next Page >