Release Notes - bv-Control for Active Directory v8.00

Article:TECH113269  |  Created: 2006-01-14  |  Updated: 2006-01-15  |  Article URL http://www.symantec.com/docs/TECH113269
Article Type
Technical Solution


Issue






Solution



bv-Control for Active Directory v8.00
bv-Control® for Active Directory® provides powerful querying capabilities to retrieve data from Microsoft® Active Directory® and Group Policies. From the BindView RMS® Console, you can run pre-defined queries, create custom queries, or export data to various formats.
System Requirements
The bv-Control for Active Directory product has minimum system requirements for installation and use. Before installing bv-Control for Active Directory, ensure that your system meets these requirements in addition to the system requirements for the BindView RMS Console v8.00:

The following minimum requirements include the requirements for the BindView RMS Console:

Console

· Pentium® II 450 MHz or equivalent
· 256 MB RAM
· 300 MB of free disk space
· Virtual memory file size must be three times the size of RAM
· SVGA monitor that supports 256 colors with the display set to 800 x 600 pixels
· Windows 2000 SP3 (server or workstation), Microsoft® Windows XP® Professional SP1, or Windows Server™ 2003 or later
· Microsoft® Internet Explorer 5.5 SP1 or later
· Microsoft® Outlook® 2000, Novell® GroupWise® 5.5, Lotus Notes® 5.0, or Lotus Domino (only required for e-mailing export files)
· Microsoft® Excel (required for Excel (using OLE) export files)
· Client for Microsoft® Networks


Information Server

· Pentium III 800 MHz or equivalent
· 512 MB RAM
· 500 MB of free disk space
· The BindView RMS Console and Information Server require one of the following OS versions:
    · Windows Server 2003 (Standard, Enterprise, Web Edition) or later
    · Windows 2000 SP3 (Professional, Server, Advanced)
    · Windows XP Professional SP1
· Microsoft Internet Explorer 5.5 SP1 or later
· Microsoft Outlook 2000, Novell GroupWise 5.5, Lotus Notes 5.0, or Lotus Domino (only required for e-mailing export files)
· Microsoft Excel (required for Excel (using OLE) export files)
· Client for Microsoft Networks


bv-Control for Active Directory

· Microsoft XML Parser v3.0 or later
· Microsoft Windows Installer
· BindView RMS Console v8.00

Known Issues
We recommend that you review the following notes before using bv-Control for Active Directory with the BindView RMS Console:

· Problem: When first launching the BindView RMS Console, if you click "bv-Control for Active Directory (Checking Configuration)" in the Console tree before the RMS Console has finished opening, the RMS Console may lock up.

    Workaround: Close the BindView RMS Console and launch it again. Do not click on the snap-in product until the RMS Console has finished checking the configuration.

· When a scoped object is moved, the old scope name is displayed in the pre-defined report. This happens when you build a query, select an OU as the scope, save and run the query, and then move the object to a new location. The next time the saved query is run, the Active Directory snap-in picks up the OU from the new location for querying, but the scope is still displayed as the previous location. This problem only appears in the Query Builder.

· A Console Administrator may not be able to add and/or refresh credentials when trying to add a new user or validate credentials. An error message will appear indicating that credentials are invalid. This may happen if the DNS server is locked or the DC is down or not reachable.

· A false system failure message may be the result of a disconnected domain controller network cable. If you build a query in the domain data source and run the query, the query fails with the returned message, "Logon failure: unknown user name or bad password." The cause could be a disconnected network cable. The query uses the credentials supplied for the scope, and a network problem prevents the logon attempt by Active Directory Service Interface, which results in this system failure message.

· Queries for the Groups, Users, or Computers data sources may use as much as 100% CPU. If a query includes fields in Groups, Users, or Computers data sources, the CPU utilization stays close to 100% until the query is completed. These three data sources use multiple threads to complete their searches through the supplied scope. In large Active Directory installations this improves the query performance. Only these data sources are expected to return a very large number of records, so only these data sources are using multiple threads to search through the scope. This applies to the Information Server.

· The Site Links, Domain Links, and OU Links fields in the Group Policies data source will have a descriptor page that asks for the credential to use to search for the Sites, Domains, and OUs linked to the Group Policies. The field will only return the sites, domains, and OUs on which the given credential has read rights. To view complete results, the credential provided must at least have delegated rights to read the Group Policy link property of all sites, domains, or OUs in the forest.

· If the installation path is longer than 50 characters, the installation will fail.

· Boolean, Date, Large Numeric, Numeric and String descriptors under User Defined Fields Attributes display only single valued attributes. StringList is the only descriptor that displays multi-valued attributes.

· Problem: Querying for the attributes tokenGroups, tokenGroupsNoGCAcceptable, tokenGroupsGlobalAndUniversal, using the User Defined Field "String SID List Attribute", for Users, Groups, and Computers data source, returns no results. This happens when SubTree and One-Level scope level options are selected for the scopes.

    Workaround: Select the individual objects with base level scope option in the Scoping tab to query these attributes.

· In domain environments with multiple domain controllers, information that was updated at one Domain Controller may not yet be available at another Domain Controller. This information gets updated at the next scheduled replication. bv-Control for Active Directory retrieves information from the Domain Controller that is located in the site of the Information Server or the nearest site. In such a case, if the domain controller does not have the latest updated information, bv-Control for Active Directory v8.00 may report old information. This affects all the data sources.

· Problem: The Effective Permission Analysis field may not account for recent changes made to group membership in subsequent runs of the query. This affects the effective permissions and the indirect permissions displayed in the form field. bv-Control for Active Directory caches the group memberships, which provides better performance while calculating the effective permissions of security principals.

    Workaround: Close and relaunch the BindView RMS Console.

· In Group Policy, the Windows settings folder redirection returns the wrong data. For example:

    Within Folder redirection, right-click on any folder to open the Properties.

    Select the Settings tab to open the Policy removal options. The Policy removal options are disabled when the policy is set to advanced and no security group is added in the target tab. This will appear as whatever was previously set for the policy removal settings. By default, this is "leave the folder in its location." The disabling is only a user interface technique and the selection is not stored.

· Windows Server 2003 has changed the behavior of "Additional restrictions for Anonymous Connections" (this appears in Query Builder under "Windows Settings\Computer Configuration\Security Settings\Local Policies\Security Options" of the Group Policy Windows Settings data source). This setting has been renamed in Windows 2003 as "Network Access: Do not allow enumeration of SAM accounts and shares". Though the title names are different, the registry key updated is the same. Also, in Windows 2000 this setting had a drop-down box, while in Windows Server 2003 this setting has a single check box to define the setting.

    bv-Control for Active Directory v8.00 has introduced a new field "Network Access: Do not allow enumeration of SAM accounts and shares" to report this setting in Windows Server 2003. Using this field to report against Windows 2000 will give wrong results. The case is the same with "Additional restrictions for Anonymous Connections," i.e., it will report correctly for Windows 2000, but not against Windows Server 2003.

· The settings listed in the following table have changed in Windows Server 2003. In Windows 2000 these fields had a check box setting. To configure these, apart from selecting the Configured option button, the user needed to check the box. In Windows Server 2003 the check box has been removed. Now the user needs to select only the Configured option button. These are all settings of the Group Policy Administrative Templates data source.

    | Setting | Location in Query Builder |
    |---|---|
    | Always install with elevated privileges | \Administrative Templates\Computer Configuration\Windows Components\Windows Installer |
    | Prohibit Rollback | \Administrative Templates\Computer Configuration\Windows Components\Windows Installer |
    | Remove browse dialog box for new source | \Administrative Templates\Computer Configuration\Windows Components\Windows Installer |
    | Prohibit patching | \Administrative Templates\Computer Configuration\Windows Components\Windows Installer |
    | Disable IE security prompt for Windows Installer scripts | \Administrative Templates\Computer Configuration\Windows Components\Windows Installer |
    | Enable user control over installs | \Administrative Templates\Computer Configuration\Windows Components\Windows Installer |
    | Enable user to browse for source while elevated | \Administrative Templates\Computer Configuration\Windows Components\Windows Installer |
    | Enable user to use media source while elevated | \Administrative Templates\Computer Configuration\Windows Components\Windows Installer |
    | Enable user to patch elevated products | \Administrative Templates\Computer Configuration\Windows Components\Windows Installer |
    | Allow admin to install from Terminal Services session | \Administrative Templates\Computer Configuration\Windows Components\Windows Installer |
    | Cache transforms in secure location on workstation | \Administrative Templates\Computer Configuration\Windows Components\Windows Installer |

    In bv-Control for Active Directory v8.00 a new field has been added for each of the above settings. To distinguish the Windows 2000 field from the corresponding one for Windows Server 2003, each field is suffixed with “[Windows 2003]”. For example, the corresponding field for “Always install with elevated privileges” of Windows 2000 is “Always install with elevated privileges [Windows 2003]” for Windows Server 2003. If a Windows 2000 field is used to report against Windows Server 2003, then the results will display “Not Configured”. The case is the same for Windows 2000 fields reporting against Windows Server 2003.

· The "All Configured Settings" field of the Group Policies data source reports default values for a few settings, even if these are not configured. These GPO settings, though not configured, have default effective values. These default values get applied to the User when the policy is applied. Therefore these are reported in the "All Configured Settings" field.

    The following settings have default values:


    a. Windows Settings\User Configuration\Internet Explorer Maintenance\URL\Channels

    | Setting | Default |
    |---|---|
    | Turn on desktop Channel Bar by default | False |

    b. Windows Settings\User Configuration\Internet Explorer Maintenance\URLs\Important URLs

    | Setting | Default |
    |---|---|
    | Customize Online support page URL | False |
    | Customize Home Page URL | False |
    | Customize Search bar URL | False |

    c. Windows Settings\User Configuration\Internet Explorer Maintenance\Browser User Interface

    | Sub category | Setting | Default |
    |---|---|---|
    | Custom Logo | Customize the static logo bitmap | False |
    | Browser Title | Customize Title Bars | False |
    | | Customize Toolbar background bitmap | False |

    d. Windows Settings\User Configuration\Internet Explorer Maintenance\Connection\User Agent String

    | Setting | Default |
    |---|---|
    | Turn on desktop Channel Bar by default | False |

    e. Windows Settings\User Configuration\Internet Explorer Maintenance\URLs\Favorites and Links

    | Setting | Default |
    |---|---|
    | Only delete the favorites created by the administrator | False |
    | Delete Existing Favorites and Links if Present | False |
    | Favorites specified? | No |
    | Links specified? | No |

    f. Windows Settings\User Configuration\Folder Redirection\

    | Sub category | Setting | Default |
    |---|---|---|
    | Application Data | Grant the user exclusive rights to Application Data | False |
    | | Move the contents of Application Data to the new location | False |
    | | Application Data Policy Removal Option | None |
    | | Application Data redirection option | No administrative policy specified |
    | Desktop | Desktop redirection option | No administrative policy specified |
    | | Grant the user exclusive rights to Desktop | False |
    | | Move the contents of Desktop to the new location | False |
    | | Desktop Policy Removal Option | None |
    | My Documents | My Documents redirection option | No administrative policy specified |
    | | Grant the user exclusive rights to My Documents | False |
    | | Move the contents of My Documents to the new location | False |
    | | My Pictures Preferences | Do not specify administrative policy for My Pictures |
    | | My Documents Policy Removal Option | None |
    | My Pictures | My Pictures redirection option | No administrative policy specified |
    | | Grant the user exclusive rights to My Pictures | False |
    | | Move the contents of My Pictures to the new location | False |
    | | My Pictures Policy Removal Option | None |
    | Start Menu | Start Menu redirection option | No administrative policy specified |
    | | Grant the user exclusive rights to Start Menu | False |
    | | Move the contents of Start Menu to the new location | False |
    | | Start Menu Policy Removal Option | None |

    g. Windows Settings\User Configuration\Folder Redirection\

    | Sub category | Setting | Default |
    |---|---|---|
    | Connection\User Agent String | Customize User Agent string | False |
    | Connection\Proxy Settings | Do not use proxy server for local (intranet) addresses | False |
    | Programs | Import the current Program Settings | False |

· Problem: The fields for the new settings of Windows Server 2003 may report ‘Not Configured’ for configured settings when the ‘Turn Off Automatic Updates of Adm Files’ Group Policy setting is effective. This happens when the Information Server is on a Windows 2000/Windows XP machine and reporting against a Windows Server 2003 policy. When this setting is effective, the Adms are not present in the Sysvol folder. Therefore the local Adms in the %windir%\Inf folder on the Information Server are used, and these are older than the ones shipped with Windows Server 2003.

    Workaround: Update the %windir%\Inf folder on the Information Server with the latest Adm files.
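
The base-scope workaround for the tokenGroups known issue above, written as a direct LDAP query (an added example, not BindView code and not part of the original release notes). The function name Get-TokenGroupSid and the sample distinguished name are assumptions; the function expects a domain-joined Windows host and binds with the caller's credentials.

```powershell
# Added example. Reads one of the tokenGroups attributes for a single object
# with a base-scope LDAP search and returns the group SIDs as strings.
function Get-TokenGroupSid {
    [CmdletBinding()]
    param(
        # Distinguished name of one user, group or computer object.
        [Parameter(Mandatory = $true)]
        [string]$DistinguishedName,

        # The three attributes named in the known issue.
        [ValidateSet('tokenGroups', 'tokenGroupsNoGCAcceptable', 'tokenGroupsGlobalAndUniversal')]
        [string]$Attribute = 'tokenGroups'
    )

    $entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    try {
        # These attributes are computed per object, so the search has to
        # target exactly one entry: scope Base, not OneLevel or Subtree.
        $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
        $searcher.Filter      = '(objectClass=*)'
        [void]$searcher.PropertiesToLoad.Add($Attribute)

        $result = $searcher.FindOne()
        if ($null -eq $result) {
            throw "Object not found or not readable: $DistinguishedName"
        }

        # Property names in the result are lower-cased; each value is a binary SID.
        foreach ($raw in $result.Properties[$Attribute.ToLowerInvariant()]) {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$raw, 0)
            $name = $null
            try {
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                # SID has no resolvable account name; report the SID only.
            }
            [pscustomobject]@{ Sid = $sid.Value; Account = $name }
        }
    }
    finally {
        $searcher.Dispose()
        $entry.Dispose()
    }
}

# Constructed placeholder DN; replace with an object from your own directory.
Get-TokenGroupSid -DistinguishedName 'CN=Example User,OU=Staff,DC=example,DC=test'
```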

Change History
The following is a summary of the current change history of bv-Control for Active Directory:

· Added new fields Active Directory Domain Functional Level and Active Directory Forest Functional Level to the Domain data source.
· Added new field SID to the Users and Groups data source.
· Added a new field User Logon Name (User Principal Name) to the Users data source.
· Added new pre-defined permissions to the Effective Trustee data source.
· Added new fields to the Group Policy Windows Settings and Group Policy Administrative Settings to report on new GPO settings introduced in Windows Server 2003.
· Added support for reporting on inetOrgPerson objects using the Users data source.
· Added MSI Installer for deploying the product.
· Changed these fields in the Users data source:
    · Logon Name was changed to User Logon Name (pre-Windows 2000). This will report the User Logon Name (pre-Windows 2000), for example, "Bob Bill".
    · Logon Name With Context was changed to User Logon Name With Context (pre-Windows 2000). This will report the User Logon Name (pre-Windows 2000) with domain context, for example, "windom\Bob Bill".
· Changed the field Logon Name in the Computer data source to Computer Name (pre-Windows 2000). This will report the Computer Name (pre-Windows 2000), for example, ALABAMASERVER.
· Added a new field User Logon Name (User Principal Name) to the Users data source. This reports the user's logon name in UPN format.
· Changed the name Raw Directory Attributes in the Query Builder to User Defined Fields. These fields have been enhanced to report on additional attribute types.

Documentation
Your BindView product CD contains the bv-Control for Active Directory User Guide in Adobe® Acrobat®.

The bv-Control for Active Directory User Guide contains information about bv-Control for Active Directory and about the BindView RMS Console and Information Server. If you upgrade the BindView RMS Console and Information Server, you should consult the BindView RMS Console and Information Server User Guide version 8.00 for information about the new version of the Console.

© 2001-2004 BindView Corporation. All rights reserved.






Legacy ID



2006081413122553

