The web.config on a fresh IIS install contains the sites configuration details, except for <ipSecurity>. However, the (site local) IP restrictions work fine and can be edited through the IIS manager console.
In my web.config I do see things like
<rewrite>
<rules>
...
but I do not see any IP security rules, that I add tthrough the IIS manager (like feature settings or allow/forbidden addresses). I expected to find them here, just like any other setting.
I have set up Samba 4.12.14-Deb on Jessie as a member server for my AD and (so far) everything works fine. This machine does have a few Tun* Interfaces for openVPN tunnels (which are also working fine). Samba has to listen on those and it does perfectly (thanks to the interfaces setting in smb.conf).
Now, after every reboot, samba (I assume) registers alle the IP adresses listed in smb.conf as dynmic A records in my AD DNS. As good as this concept is, this causes a lot of trouble here, obviously. In Windows I can just uncheck the 'register this connection in DNS' option.
How do I prevent Samba (or whoever does this) from registering "all the adresses"?
Or, if that's not possible, how do I prevent it from registering itself in my DNS at all? In my case, a static (non-changing) entry would be more helpful than all the tunadresses.
I came into work last week, checked my first ticket (easy to fix one), RDP'd into the server needed for this and the login did not work. After clicking 'connect' I got the "Unable to Log You on Because of an Account Restriction" message. Checked another server (all machines are 2008R2/2012R2), the same message. No, I do not habe an empty password, not using network auth, my clint is Windows 10 (1607).
Here is what I did:
Any Ideas where to look for this? It is haunting me into my sleep :-(
Updates: Surely I checked the local policies on the server(s). any changes would have surprised me - there are a lot of servers. Also checked the clients GPO, nothing.
I have a very strange NTFS rights phenomenon on a fileserver and I cannot find my mistake, pulling my hair out for hours now. What am I missing?
My goal is:
Here is what I did:
The problem is, my user(s) can edit and delete files like they have full access. Even if the 'effective permissions' show no right to edit, the still can.
The script works fine and looks like this:
icacls d:\folder\Bild1.jpg /inheritance:d
icacls d:\folder\Bild1.jpg /remove:g Group-A"
After the script has run, The NTFS permission on file.jpg looks like this (looks correct to me):
So does the icacls output:
d:\folder>icacls Bild1.jpg
Bild1.jpg WM\DomainAdmin:(F)
WM\Domänen-Admins:(F)
WM\Group-A:(RX)
The effective permissions tab of that file shows exactly the same (right) thing:
The permissions for the parent folder, users should be able to add files here, look like this:
Artweger WM\Group-A:(I)(OI)(CI)(F)
WM\Domänen-Admins:(I)(OI)(CI)(F)
If this User logs on (he is just in two groups, Domain-Users and Group-A), he can edit, delete, rename and move the file bild1.jpg. How is this possible? What does NTFS do with my glorious plans?
I need to reference the "Domain-Admins" group in a batch file. The line in question looks like this:
icacls "test\folder" /grant mydomain.com\Domain-Admins:F
... and works as expected.
But how do I reference the "Domain-Admin" group in general? My german windows server tells me something about "Domänen-Admins", the Italians call ist "Amministratore-Admins" (or whatever) and I dont want to know what the russian Domain Admins call themselves. I did not want to offend any international names, there must just be a solution for a generic adressing of roles. I need a solution for everybody - like Microsoft had in mind (hopefully) when they used SIDs.
I know the SID of the domain admin group looks like S-1-5-21mydomainsid-512, but icacls does not understand S-1-5-21*-512.
How do I use icacls wisely when I need to reference international group names?