A great way to kill remote RDP sessions is built into Windows. Do the following:
qwinsta /server:(ServerName)
Write down the session ID
Now to kill it:
rwinsta (SessionID) /server:(ServerName)
That is it. Works like a charm.
Thursday, January 21, 2010
Tuesday, January 12, 2010
SDHolder AD Domain Admin Inherited Permissions
For those of you that have found issues with inherited permissions that you can't seem to get control of, read on. It may be because of the SDHolder object in AD. Here is an excerpt from Microsoft on it.
"Every hour, the Windows 20xx domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principals (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the following object:
CN=AdminSDHolder,CN=System,DC=MyDomain,DC=Com
Replace "DC=MyDomain,DC=Com" in this path with the distinguished name (DN) of your domain.
If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the AdminSDHolder object (which includes disabling ACL inheritance). This protects these administrative accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit in which a user has been delegated administrative privilege for the modification of user accounts. Note that when a user is removed from the administrative group, the process is not reversed and must be manually changed."
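An audit for the last point in the excerpt, as an added PowerShell example that is not from the original post or from Microsoft: it lists accounts that still carry the AdminSDHolder stamp (adminCount=1) but no longer belong to a protected group. It assumes the RSAT ActiveDirectory module and read access to the domain; the group list and the sample DN in the comments are assumptions to adjust.

```powershell
# Added example: needs the RSAT ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

# Assumption: adjust this list to the protected groups that exist in your domain.
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators'

# Collect the DN of every current member (direct or nested) of those groups.
$stillProtected = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }   # e.g. Enterprise Admins is absent in a child domain
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
}

# adminCount=1 marks accounts whose ACL the hourly AdminSDHolder comparison has overwritten.
$stamped = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor

# Keep only accounts that are no longer covered by any protected group.
$orphans = foreach ($user in $stamped) {
    if ($stillProtected.ContainsKey($user.DistinguishedName)) { continue }
    if ($user.SamAccountName -eq 'krbtgt') { continue }   # protected directly, not via a group
    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        DistinguishedName   = $user.DistinguishedName
        InheritanceDisabled = $user.nTSecurityDescriptor.AreAccessRulesProtected
    }
}
$orphans | Format-Table -AutoSize

# Manual reversal for one reviewed account (constructed placeholder DN):
# $dn  = 'CN=Example User,OU=Staff,DC=MyDomain,DC=Com'
# $acl = Get-Acl -Path "AD:\$dn"
# $acl.SetAccessRuleProtection($false, $false)   # turn ACL inheritance back on
# Set-Acl -Path "AD:\$dn" -AclObject $acl
# Set-ADUser -Identity $dn -Clear adminCount
# The explicit ACEs copied from AdminSDHolder stay on the object and still need review.
```

Accounts listed with InheritanceDisabled set to True are the ones where delegated OU permissions will not apply until inheritance is re-enabled by hand.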