Hmmmm.  Now I understand the bigger picture.  That's a bit of a stickler.  Friend of mine is in IT at ASU and he's in the same kind of fight all of the time.

Strange how our (arguably) most important right (1st Amendment) is the antithesis of Security.  Difficult balance, this is.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Sunday, July 06, 2003 8:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

The whole purpose of this is all political. It has already been decided to enable password complexity but to help make the campus more agreeable ( we are an edu!) our Security director wants to shoot them some stats. The % of PW's that they could crack, etc... Why this is good for you, you know the deal. I'm still hoping my boss will see the light and just say no! :-)

Thanks for all the responses, there might be some other options.

Paul

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 04, 2003 4:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

Paul,

I'm somewhat mystified by the request.  I might be completely missing the point, but unless the scan is going to be destructive, what is the value of giving the Security Director a DC that has been taken off-line?  I do agree with what others have said here to this point (remove connection objects, clean up the objects from the DIT via NTDSUTIL, etc.), but the value of the work that is being done is still questionable.  The DC is no longer in your environment, which from the standpoint of testing the security or the password complexity, makes it no longer a viable environment to do such.

And, if the process is going to be destructive, is this something that they will want to do on a quarterly basis (again with questionable value in the security realm)?  Also, do your Security Analysts already have Administrative context access?  If not, all passwords of this type should be nulled out.  Even if they do - those that are not theirs should be erased as well.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Thursday, July 03, 2003 4:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Taking DC Offline

Our Security Director has requested that we build a temporary DC for his group. They want to take it offline and audit the current password complexity and strength. This DC will never return to the domain so I will have to manually remove the replication connections in the NTDS settings for each repl partner, plus the DNS records created. I'm just wondering if I'm missing something obvious and that this might not be such a good idea. Possibility of orphaned objects or something to that nature? It won't be online long but.....

********************************************************************

Paul Simpsen

Windows Server Administrator

Enterprise Systems, IT

University of Oklahoma HSC

405.271.2262 ext 50230

Fax: 405.271.2126

********************************************************************

CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please destroy all copies of this communication and any attachments.
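The cleanup Paul describes (connection objects in NTDS Settings for each replication partner, plus the DNS records the temporary DC registered) is easy to leave half done. The script below is an added example, not code from anyone on this thread: after the metadata has been removed with NTDSUTIL, it lists anything in the configuration partition and in DNS that still refers to the old DC. It assumes the ActiveDirectory and DnsServer RSAT modules (which postdate this 2003 thread); the DC name, DNS server and zone are parameters you supply.

```powershell
# Added example: find leftovers after a DC has been permanently removed.
# Run as a domain admin on a machine with RSAT (ActiveDirectory + DnsServer modules).
param(
    [Parameter(Mandatory)] [string] $OldDcName,       # hypothetical, e.g. 'TEMPDC1'
    [string] $DnsServer = $env:COMPUTERNAME,          # a DNS server hosting the AD zones
    [string] $DnsZone   = ''                          # defaults to the domain's DNS name
)
Import-Module ActiveDirectory, DnsServer
if (-not $DnsZone) { $DnsZone = (Get-ADDomain).DNSRoot }

$cfgNC   = (Get-ADRootDSE).configurationNamingContext
$sitesDN = "CN=Sites,$cfgNC"
$fqdn    = "$OldDcName.$DnsZone"

# 1. Server / NTDS Settings objects for the old DC still in the configuration partition.
$serverObjs = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$OldDcName))" `
                           -SearchBase $sitesDN -Properties dNSHostName

# 2. Inbound connection objects on other DCs whose fromServer still points at the old DC.
$staleConns = Get-ADObject -LDAPFilter "(objectClass=nTDSConnection)" `
                           -SearchBase $sitesDN -Properties fromServer |
              Where-Object { $_.fromServer -like "*CN=$OldDcName,CN=Servers,*" }

# 3. DNS: A, SRV, CNAME (GUID alias under _msdcs) and NS records naming the old host.
$staleDns = @()
foreach ($zone in @($DnsZone, "_msdcs.$DnsZone")) {
    $recs = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone `
                                        -ErrorAction SilentlyContinue
    $staleDns += $recs | Where-Object {
        $_.HostName -ieq $OldDcName -or
        (@($_.RecordData.DomainName, $_.RecordData.HostNameAlias,
           $_.RecordData.NameServer) -contains "$fqdn.")
    }
}

# Anything listed here is a candidate for orphaned metadata and should be cleaned up.
[pscustomobject]@{
    ServerObjects    = @($serverObjs | ForEach-Object DistinguishedName)
    StaleConnections = @($staleConns | ForEach-Object DistinguishedName)
    StaleDnsRecords  = @($staleDns   | ForEach-Object { "$($_.HostName) $($_.RecordType)" })
}
```

Empty lists in all three fields mean the partners' connection objects and the DNS registrations have been fully removed; anything else is what NTDSUTIL metadata cleanup or a manual DNS deletion still has to take care of.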