Hmmmm. Now I understand the bigger picture.

That's a bit of a stickler. A friend of mine is in IT at ASU and he's in the
same kind of fight all of the time.

Strange how our (arguably) most important right (1st Amendment) is the
antithesis of Security. Difficult balance, this is.

Rick Kingslan MCSE, MCSA, MCT

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Sunday, July 06, 2003 8:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

The whole purpose of this is all political. It has already been decided to
enable password complexity, but to help make the campus more agreeable (we
are an edu!) our Security director wants to shoot them some stats: the % of
PWs that they could crack, etc. Why this is good for you, you know the deal.
I'm still hoping my boss will see the light and just say no! :)

Thanks for all the responses; there might be some other options.

Paul

-----Original Message-----

Paul,

I'm somewhat mystified by the request. I might be completely missing the
point, but unless the scan is going to be destructive, what is the value of
giving the Security Director a DC that has been taken off-line? I do agree
with what others have said here to this point (remove connection objects,
clean up the objects from the DIT via NTDSUTIL, etc.), but the value of the
work that is being done is still questionable. The DC is no longer in your
environment, which, from the standpoint of testing the security or the
password complexity, makes it no longer a viable environment to do such.

And, if the process is going to be destructive, is this something that they
will want to do on a quarterly basis (again with questionable value in the
security realm)?

Also, do your Security Analysts already have Administrative context access?
If not, all passwords of this type should be nulled out. Even if they do,
those that are not theirs should be erased as well.

Rick Kingslan MCSE, MCSA, MCT

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Simpsen, Paul A. (HSC)

Our Security Director has requested that we build a temporary DC for his
group. They want to take it offline and audit the current password
complexity and strength. This DC will never return to the domain, so I will
have to manually remove the replication connections in the NTDS settings for
each repl partner, plus the DNS records created. I'm just wondering if I'm
missing something obvious and that this might not be such a good idea.
Possibility of orphaned objects or something to that nature? It won't be
online long but.....

Paul Simpsen
Windows Server Administrator
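The cleanup Paul describes (pulling the replication connections and DNS records for a DC that will never return) and the NTDSUTIL metadata cleanup Rick refers to, as an added PowerShell example that is not from the thread or from either poster. It assumes an elevated prompt on a surviving writable DC with the ActiveDirectory and DnsServer modules available (Windows Server 2012 or later); AUDITDC, example.edu and Default-First-Site-Name are placeholder names, not values from the thread.

```powershell
# Added example (not from the thread): force-remove a DC that was built, taken
# offline and will never rejoin. Run in an elevated PowerShell on a surviving
# writable DC. AUDITDC, example.edu and Default-First-Site-Name are assumed
# placeholders; substitute your own.
Import-Module ActiveDirectory
Import-Module DnsServer

$deadDc   = 'AUDITDC'
$domain   = 'example.edu'
$site     = 'Default-First-Site-Name'
$configNc = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$deadDc,CN=Servers,CN=$site,CN=Sites,$configNc"
$ntdsDn   = "CN=NTDS Settings,$serverDn"
$fqdn     = "$deadDc.$domain."          # DNS form, with trailing dot

# 1. Metadata cleanup. ntdsutil removes the nTDSDSA (NTDS Settings) object and
#    the dead DC's own inbound connection objects; it shows a confirmation
#    dialog before deleting. Since Server 2003 SP1 the server DN can be given
#    directly instead of walking the domain/site/server selection menus.
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# 2. Connection objects on the OTHER DCs whose fromServer still points at the
#    dead DC. The KCC reaps these eventually; removing them now avoids a run
#    of replication-failure events until it gets round to it.
Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer |
    Where-Object { $_.fromServer -eq $ntdsDn } |
    ForEach-Object {
        Write-Host "Removing stale connection $($_.DistinguishedName)"
        Remove-ADObject -Identity $_.DistinguishedName -Confirm:$false
    }

# 3. The server container itself, if ntdsutil left it behind.
try {
    $srv = Get-ADObject -Identity $serverDn
    Remove-ADObject -Identity $srv -Recursive -Confirm:$false
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    Write-Host "Server object $serverDn already gone"
}

# 4. DNS: the SRV records advertising the DC for LDAP/Kerberos/GC, the
#    DSA-GUID CNAME under _msdcs, and the host A record. _msdcs.<domain> is
#    assumed to be its own zone (the default); if it is a subdomain inside
#    the domain zone, take it out of the list.
foreach ($zone in @($domain, "_msdcs.$domain")) {
    Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv |
        Where-Object { $_.RecordData.DomainName -eq $fqdn } |
        ForEach-Object { Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $_ -Force }
}
Get-DnsServerResourceRecord -ZoneName "_msdcs.$domain" -RRType CName |
    Where-Object { $_.RecordData.HostNameAlias -eq $fqdn } |
    ForEach-Object { Remove-DnsServerResourceRecord -ZoneName "_msdcs.$domain" -InputObject $_ -Force }
Get-DnsServerResourceRecord -ZoneName $domain -RRType A -Name $deadDc -ErrorAction SilentlyContinue |
    ForEach-Object { Remove-DnsServerResourceRecord -ZoneName $domain -InputObject $_ -Force }

# 5. Verify: nothing should still name the dead DC as a replication source.
$left = Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer |
    Where-Object { $_.fromServer -like "*CN=$deadDc,*" }
if ($left) { Write-Warning "Stale connection objects remain: $($left.DistinguishedName -join ', ')" }
repadmin /showrepl * | Select-String -SimpleMatch $deadDc
```

Two practical notes. Run step 1 first: once the NTDS Settings object is gone, the remaining steps are just sweeping up what the KCC and DNS scavenging would otherwise take hours or days to clear, and the repadmin check at the end should come back empty. And the offline box itself is the real concern the thread circles around: its NTDS.dit carries every password hash in the domain, so when the audit is over it should be wiped, not left on a shelf or rebuilt in place.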