Actually I went ahead and threw together a tool in Winbatch that resets the password on the local DC at the user's site, and our helpdesk is using it now. So far so good.
Thanks all.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 29, 2004 10:23 PM
To: '[EMAIL PROTECTED]'
Subject: Re: [ActiveDir] Replication issues

Hmmm. We've discussed this before on the thread, I believe.

Bottom line is (or at least used to be .. W2K3 SP1 at least fixes this) that cleared intruder lockouts take a long time to replicate.

So .. remote user calls central help desk after locking himself out. Help desk analyst (maybe resets password and) clears lockout. New password takes effect immediately through PDCE fallback. Cleared intruder lockout does not. User gets frustrated.

One solution is to simply reset passwords and clear lockouts on the user's home DC. In case the user is elsewhere (on a business trip, for example), try to figure out which DC he will use, and reset/clear on that one as well. This is probably asking too much of the help desk analyst, who may not be aware of the AD structure, or the user's location / site / IP .... so some automation would help.

<WARNING!! ADVERTISING MODE ON!!>
We make a program that can reset passwords (self-service or assisted), and understands AD well enough to figure out on which DC(s) to reset passwords and clear intruder lockouts.
http://psynch.com/
</NO MORE ADVERTISING>

Good luck,

-- Idan

On Tue, 27 Apr 2004, Rimmerman, Russ wrote:

>
> We have always been having weird issues with replication. We have about 30
> AD sites all over the world. When we change or reset a password here for a
> user at a remote site, it takes quite a long time (30-60 minutes or more) to
> replicate to the user's site. So, we are having to connect to their local
> domain controller and reset the password there. What is the best practice
> for setting up and tuning replication and resetting passwords, and what
> tools are recommended (replmon?) for "testing" it, and how long should it
> take?
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> This e-mail is confidential, may contain proprietary information
> of the Cooper Cameron Corporation and its operating Divisions
> and may be confidential or privileged.
>
> This e-mail should be read, copied, disseminated and/or used only
> by the addressee. If you have received this message in error please
> delete it, together with any attachments, from your system.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
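
The per-DC reset described in the thread (reset the password and clear the lockout on the DC at the user's site, and on any other site he is likely to use), as an added example that is not part of the original messages and is not the Winbatch tool or the product mentioned above. It uses the ActiveDirectory PowerShell module; the function name `Reset-UserOnSiteDC` and the assumption that the help desk supplies the site name(s) are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

function Reset-UserOnSiteDC {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $Identity,    # sAMAccountName or DN of the user
        [Parameter(Mandatory)] [string[]]     $SiteName,    # home site, plus any site the user is visiting
        [Parameter(Mandatory)] [securestring] $NewPassword
    )

    # Always include the PDC emulator: other DCs fall back to it for the new password.
    $targets = @((Get-ADDomain).PDCEmulator)

    # Locate one writable DC in each site the user is expected to authenticate from.
    foreach ($site in $SiteName) {
        $dc = Get-ADDomainController -Discover -SiteName $site -Writable -ErrorAction Stop
        # HostName comes back as a collection when -Discover is used; take the first entry.
        $targets += [string]($dc.HostName | Select-Object -First 1)
    }

    foreach ($server in ($targets | Sort-Object -Unique)) {
        if ($PSCmdlet.ShouldProcess("$Identity on $server", 'Reset password and clear lockout')) {
            # Write both changes directly on this DC so neither has to wait for replication.
            Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $NewPassword -Server $server
            Unlock-ADAccount      -Identity $Identity -Server $server

            # Read back from the same DC to confirm what the user will actually see there.
            $u = Get-ADUser -Identity $Identity -Server $server -Properties LockedOut, PasswordLastSet
            [pscustomobject]@{
                Server          = $server
                LockedOut       = $u.LockedOut
                PasswordLastSet = $u.PasswordLastSet
            }
        }
    }
}

# Constructed usage (user and site names are placeholders):
#   $pw = Read-Host -AsSecureString 'New password'
#   Reset-UserOnSiteDC -Identity 'jdoe' -SiteName 'EXAMPLE-SITE-A','EXAMPLE-SITE-B' -NewPassword $pw -WhatIf
```

Run it with `-WhatIf` first to see which DCs would be touched; the returned rows show the lockout state as read from each DC after the change.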