Release Notes - bv-Control for Active Directory v8.00
|Article:TECH113269|||||Created: 2006-01-14|||||Updated: 2006-01-15|||||Article URL http://www.symantec.com/docs/TECH113269|
|bv-Control for Active Directory v8.00|
The following minimum requirements include the requirements for the BindView RMS Console:
· Pentium® II 450 MHz or equivalent
· 256 MB RAM
· 300 MB of free disk space
· Virtual memory file size must be three times the size of RAM
· SVGA monitor that supports 256 colors with the display set to 800 x 600 pixels
· Windows 2000 SP3 (server or workstation), Microsoft® Windows XP® Professional SP1, or Windows Server™ 2003 or later
· Microsoft® Internet Explorer 5.5 SP1 or later
· Microsoft® Outlook® 2000, Novell® GroupWise® 5.5, Lotus Notes® 5.0, or Lotus Domino (only required for e-mailing export files)
· Microsoft® Excel (required for Excel (using OLE) export files)
· Client for Microsoft® Networks
· Pentium III 800 MHz or equivalent
· 512 MB RAM
· 500 MB of free disk space
· The BindView RMS Console and Information Server requires one of the following OS versions:
Windows Server 2003 (Standard, Enterprise, Web Edition) or later
Windows 2000 SP3 (Professional, Server, Advanced)
Windows XP Professional SP1
· Microsoft Internet Explorer 5.5 SP1 or later
· Microsoft Outlook 2000, Novell GroupWise 5.5, Lotus Notes 5.0, or Lotus Domino (only required for e-mailing export files)
· Microsoft Excel (required for Excel (using OLE) export files)
· Client for Microsoft Networks
bv-Control for Active Directory
· Microsoft XML Parser v3.0 or later
· Microsoft Windows Installer
· BindView RMS Console v8.00
· Problem: When first launching the BindView RMS Console, if you click "bv-Control for Active Directory (Checking Configuration)" in the Console tree before the RMS Console has finished opening, the RMS Console may lock up.
Workaround: Close the BindView RMS Console and launch it again. Do not click on the snap-in product until the RMS Console has finished checking the configuration.
· When moving a scoped object, the old scope name is displayed in the pre-defined report. This will happen when you build a query and select an OU as the scope, then save and run the query. Move the object to a new location. The next time the saved query is run, the Active Directory snap-in picks up the OU from the new location for querying, but the scope is displayed to the previous location. This problem only appears in the Query Builder.
· A Console Administrator may not be able to add and/or refresh credentials when trying to add a new user or validate credentials. An error message will appear indicating that credentials are invalid. This may happen if the DNS server is locked or the DC is down or not reachable.
· A false system failure message may be the result of a disconnected domain controller network cable. If you build a query in the domain data source and run the query, the query fails with the returned message, "Logon failure: unknown user name or bad password." The cause could be a disconnected network cable. The query uses the credentials supplied for the scope and a network problem prevents the logon attempt by Active Directory Service Interface that results in this system failure message.
· Queries for the Groups, Users, or Computers data sources may use as much as 100% CPU. If a query includes fields in Groups, Users, or Computers data sources, the CPU utilization stays close to 100% until the query is completed. These three data sources use multiple threads to complete their searches through the supplied scope. In large Active Directory installations this improves the query performance. Only these data sources are expected to return a very large number of records, so only these data sources are using multiple threads to search through the scope. This applies to the Information Server.
· The Site Links, Domain Links, and OU Links fields in the Group Policies data source will have a descriptor page that asks for the credential to use to search for the Sites, Domains, and OUs linked to the Group Policies. The field will only return the sites, domains, and OUs on which the given credential has read rights. To view complete results, the credential provided must at least have delegated rights to read the Group Policy link property of all sites, domains, or OUs in the forest.
· If the installation path is longer than 50 characters, the installation will fail.
· Boolean, Date, Large Numeric, Numeric and String descriptors under User Defined Fields Attributes display only single valued attributes. StringList is the only descriptor that displays multi-valued attributes.
· Problem: Querying for the attributes tokenGroups, tokenGroupsNoGCAcceptable, tokenGroupsGlobalAndUniversal, using the User Defined Field "String SID List Attribute", for Users, Groups, and Computers data source, returns no results. this happens when SubTree and One-Level scope level options are selected for the scopes.
Workaround: Select the individual objects with base level scope option in the Scoping tab to query these attributes.
· In domain environments having multiple domain controllers, there is a possibility of information that was updated at one Domain Controller may not be available at another Domain Controller. This information gets updated at the next scheduled replication. bv-Control for Active Directory retrieves information from the Domain Controller, which is located in the site of the Information Server or the nearest site. In such a case, if the domain controller does not have the latest updated information, bv-Control for Active Directory v8.00 may report old information. This affects all the data sources.
· Problem: Effective Permission Analysis field may not account for recent changes made to group membership, in the subsequent runs of the query. This affects the effective permissions and the indirect permissions displayed in the form field. bv-Control for Active Directory caches the group memberships, which provides a better performance while calculating the effective permissions of security principals.
Workaround: Close and relaunch the BindView RMS Console.
· In Group Policy, the Windows settings folder redirection returns the wrong data. For example:
Within Folder redirection, right-click on any folder to open the Properties.
Select the Settings tab to open the Policy removal options. The Policy removal options are disabled when the policy is set to advanced and no security group is added in the target tab. This will appear as whatever was previously set for the policy removal settings. By default, this is "leave the folder in its location." The disabling is only a user interface technique and the selection is not stored.
· Windows Server 2003 has changed the behavior of "Additional restrictions for Anonymous Connections" (this appears in Query Builder under "Windows Settings\Computer\ Configuration\Security Settings\Local Policies\Security Options" of Group Policy Windows Settings data source). This setting has been renamed in Windows 2003 as "Network Access: Do not allow enumeration of SAM accounts and shares". Though the title names are different, the registry key updated is the same. Also in Windows 2000 this setting had a drop-down box, while in Windows Server 2003 this setting has a single Checkbox to define the setting.
bv-Control for Active Directory v8.00 has introduced a new field "Network Access: Do not allow enumeration of SAM accounts and shares" to report this setting in Windows Server 2003. Using this field to report against Windows 2000 will give wrong results. The case is the same with "Additional restrictions for Anonymous Connections," i.e., it will report correctly for Windows 2000, but not against Windows Server 2003.
· The settings listed in the following table have changed in Windows Server 2003. In Windows 2000 these fields had a check box setting. In order to configure these, apart from selecting the Configured option button, the user needed to check the box. In Windows Server 2003 the check box has been removed. Now the user needs to select only the Configured option button. These are all settings of Group Policy Administrative Templates data source.
|Setting||Location in Query builder|
|Always install with elevated privileges||\Administrative Templates\Computer Configuration\Windows Components\Windows Installer|
|Prohibit Rollback||\Administrative Templates\Computer Configuration\Windows Components\Windows Installer|
|Remove browse dialog box for new source||\Administrative Templates\Computer Configuration\Windows Components\Windows Installer|
|Prohibit patching||\Administrative Templates\Computer Configuration\Windows Components\Windows Installer|
|Disable IE security prompt for Windows Installer scripts||\Administrative Templates\Computer Configuration\Windows Components\Windows Installer|
|Enable user control over installs||\Administrative Templates\Computer Configuration\Windows Components\Windows Installer|
|Enable user to browse for source while elevated||\Administrative Templates\Computer Configuration\Windows Components\Windows Installer|
|Enable user to use media source while elevated||\Administrative Templates\Computer Configuration\Windows Components\Windows Installer|
|Enable user to patch elevated products||\Administrative Templates\Computer Configuration\Windows Components\Windows Installer|
|Allow admin to install from Terminal Services session||\Administrative Templates\Computer Configuration\Windows Components\Windows Installer|
|Cache transforms in secure location on workstation||\Administrative Templates\Computer Configuration\Windows Components\Windows Installer|
- In bv-Control for Active Directory v8.00 a new field has been added for each of the above settings. To distinguish the Windows 2000 field from the corresponding one for Windows Server 2003, each field is suffixed with “[Windows 2003]”. For example, corresponding field for “Always install with elevated privileges” of Windows 2000 is “Always install with elevated privileges [Windows 2003]” for Windows Server 2003. If a Windows 2000 field is used to report against Windows Server 2003, then the results will display “Not Configured”. The case is the same for Windows 2000 fields reporting against Windows Server 2003.
The following settings have default values:
a. Windows Settings\User Configuration\Internet Explorer Maintenance\URL\Channels
|Turn on desktop Channel Bar by default||False|
|Customize Online support page URL||False|
|Customize Home Page URL||False|
|Customize Search bar URL||False|
|Custom Logo||Customize the static logo bitmap||False|
|Browser Title||Customize Title Bars||False|
|Customize Toolbar background bitmap||False|
|Turn on desktop Channel Bar by default||False|
|Only delete the favorites created by the administrator||False|
|Delete Existing Favorites and Links if Present||False|
|Application Data||Grant the user exclusive rights to Application Data||False|
|Move the contents of Application Data to the new location||False|
|Application Data Policy Removal Option||None|
|Application Data redirection option||No administrative policy specified|
|Desktop||Desktop redirection option||No administrative policy specified|
|Grant the user exclusive rights to Desktop||False|
|Move the contents of Desktop to the new location||False|
|Desktop Policy Removal Option||None|
|My Documents||My Documents redirection option||No administrative policy specified|
|Grant the user exclusive rights to My Documents||False|
|Move the contents of My Documents to the new location||False|
|My Pictures Preferences||Do not specify administrative policy for My Pictures|
|My Documents Policy Removal Option||None|
|My Pictures||My Pictures redirection option||No administrative policy specified|
|Grant the user exclusive rights to My Pictures||False|
|Move the contents of My Pictures to the new location||False|
|My Pictures Policy Removal Option||None|
|Start Menu||Start Menu redirection option||No administrative policy specified|
|Grant the user exclusive rights to Start Menu||False|
|Move the contents of Start Menu to the new location||False|
|Start Menu Policy Removal Option||None|
|Connection\User Agent String||Customize User Agent string||False|
|Connection\Proxy Settings||Do not use proxy server for local (intranet) addresses||False|
|Programs||Import the current Program Settings||False
- Problem: The fields for the new settings of Windows Server 2003 may report ‘Not Configured’ for configured settings, when ‘Turn Off Automatic Updates of Adm Files’ Group Policy setting is effective. This happens when the Information Server is on a Windows 2000/Windows XP machine and reporting against a Windows Server 2003 policy. When this setting is effective the Adms are not present in the Sysvol folder. Therefore the local Adms in the %windir%\Inf folder on the Information Server are used and these are older than the ones shipped with Windows Server 2003.
Workaround: Update the %windir%\Inf folder on the Information Server with the latest Adm files.
· Added new fields Active Directory Domain Functional Level and Active Directory Forest Functional Level to the Domain data source.
· Added new field SID to the Users and Groups data source.
· Added a new field User Logon Name (User Principal Name) to the Users data source.
· Added new pre-defined permissions to the Effective Trustee data source.
· Added new fields to the Groups Policy Windows Settings and Groups Policy Administrative Settings to report on new GPO settings introduced in Windows Server 2003.
· Added support for reporting on inetOrgPerson objects using the Users data source.
· Added MSI Installer for deploying the product.
· Changed these fields in the Users data source:
· Logon Name was changed to User Logon Name (pre-Windows 2000). This will report the User Logon Name (pre-Windows 2000), for example, "Bob Bill"
- · Logon Name With Context was changed to User Logon Name With Context (pre-Windows 2000).This will report the User Logon Name (pre-Windows 2000) with domain context, for example, "windom\Bob Bill".
· Added a new field User Logon Name (User Principal Name) to the Users data source. This reports the user's logon name in UPN format.
· Changed the name Raw Directory Attributes in the Query Builder to User Defined Fields. These fields have been enhanced to report on additional attribute types.
The bv-Control for Active Directory User Guide contains information about bv-Control for Active Directory and about the BindView RMS Console and Information Server. If you upgrade the BindView RMS Console and Information Server, you should consult the BindView RMS Console and Information Server User Guide version 8.00 for information about the new version of the Console.
© 2001-2004 BindView Corporation. All rights reserved.
Article URL http://www.symantec.com/docs/TECH113269