Re: [ActiveDir] Number of Interactive Logons

2003-08-22 Thread Ken Schaefer
I looked at the WinXP link, and it seems very unclear. :-)

In the first paragraph:


Determines the number of times a user can log on to a Windows domain using
cached account information.


In the second paragraph:


This setting determines the number of unique users for which logon
information is cached locally.


So, which is it? The number of users, or the number of times a user can
logon? Your test seems to indicate the latter. However the hope that
"Microsoft can be deemed authoritative" seems misplaced in that Microsoft
doesn't seem to know! (or does know, but they're not telling!)

In a similar vein: the Windows 2000 document is titled: "Number of previous
logons to cache", which would indicate the number of successful logons to
cache locally (to allow to be reused later on). It doesn't seem to have
anything to do with the number of logons that the machine should allow if
the DC is not available.

Cheers
Ken

~~
From: "Rick Kingslan" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Number of Interactive Logons


And the correct answer is...

Not correct.

Look at this (because of the way that I wavered this morning, I'm not reliable):

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/579.asp <--- Windows 2000
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/579.asp <--- Windows XP
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/579.asp <--- Windows 2003

Please let this resolve it and close off this thread.  I'm hoping that
Microsoft can be deemed authoritative.

Oh, and by the way - I tried this, David.  I log in 10 times, and it tells me
that, basically, I can't log in anymore because a DC cannot be contacted on
the 11th try.  I have 11 dummy users (h... Maybe I'm the dummy user.)
and each of the 11 gets 10 attempts and is denied on the 11th.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] SP4

2003-08-22 Thread Hutchins, Mike



indeed! lmao


From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 4:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4

LOL!  Nice to be in such GREAT company!  :)
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bjelke John A Contr AFRL/VSIO
Sent: Friday, August 22, 2003 12:54 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SP4

Man, I must be havin a ball.
 
 
 
John A. Bjelke
Unisys  505.853.6774
[EMAIL PROTECTED]
"Many of life's failures are people who did not realize how close they were to success when they gave up."
-Thomas Edison


  
  -Original Message-
  From: Hutchins, Mike [mailto:[EMAIL PROTECTED]
  Sent: Friday, August 22, 2003 11:35 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4

  It's mucho funno to be wrong occasionally.. ;->
  
  
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Friday, August 22, 2003 7:08 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4

  Eh, no big deal.  Look how many times I'm wrong around here.  Welcome to the club  ;-)
   
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
  Sent: Friday, August 22, 2003 7:56 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4
  
  And I hate to admit being wrong, but you are right. :-)

  When we first patched all our machines, it was only supported on SP3. However, as you stated, it has been regression tested with
  SP2 and is now supported. Our company would have to sign a waiver with PSS to
  do SP2, but we are SP3 and higher anyways.
  
  
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Thursday, August 21, 2003 8:44 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4
  
  Mike,

  I hate to disagree, but the minimum requirement for the MS03-026 DCOM vuln patch is Windows 2000 SP2.
   
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
  Sent: Thursday, August 21, 2003 9:37 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4
  
  SP3
  
  
  From: Roger Seielstad [mailto:[EMAIL PROTECTED]
  Sent: Thursday, August 21, 2003 8:34 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] SP4
  
  The patch to stop the MSBlast virus only requires SP2 be installed on the machine.
   
   
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 10:28 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] SP4
Has anyone had issues with SP4 on DC's?
We are getting hammered by the latest virus.
 
 
 
 
Don L. Murawski
Sr. Network Administrator
WorldTravel BTI
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264
 


RE: [ActiveDir] Number of Interactive Logons

2003-08-22 Thread Rick Kingslan



And the correct answer is...

Not correct.

Look at this (because of the way that I wavered this morning, I'm not reliable):
 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/579.asp <--- Windows 2000
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/579.asp <--- Windows XP
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/579.asp <--- Windows 2003
 
Please let this resolve it and close off this thread.  I'm hoping that Microsoft can be deemed authoritative.
 
Oh, and by the way - I tried this, David.  I log in 10 times, and it tells me that, basically, I can't log in anymore because a DC cannot be contacted on the 11th try.  I have 11 dummy users (h... Maybe I'm the dummy user.) and each of the 11 gets 10 attempts and is denied on the 11th.
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, August 22, 2003 5:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons

And the correct answer is...

This setting has nothing to do with how many times a given user can log in when no DC is available.  It has everything to do with how many users will have their credentials cached on the workstation while it is connected.
 
Try this simple experiment in the lab.  Set the policy in question to a value of 2.  Make sure a workstation applies the GPO, then log in and out as several different domain users.
 
Disconnect the workstation from the network.  Try logging in as each 
of those users.  You will find that you can log in with the credentials of 
the last two users, but none of the ones before that.  The two that DO work 
will work as many times as you like.
 
The value of 2 in the policy simply means it caches the credentials of the last two unique individuals that logged in, and any credentials previously cached 'roll off'.  The credentials that remain in the cache are valid forever once you disconnect from the network.
 
Now, as to the original question - a value of 10 or 50 makes little difference if less than 10 individuals ever need to use the same machine.  If no one should ever log in when disconnected, setting it at 0 can ensure that no one can do so.  A value of 1 is probably adequate for a laptop that's used by one person only.  However, if the last person that logged in was not the person that just grabbed it to take on the plane, you will have an unhappy road warrior.  Probably best to have at least a value of 2 in case an admin needs to do something with it while disconnected.  50 sounds like overkill - if you have 50 people sharing a portable PC, maybe you might be a tad on the frugal side!
 
Have a good weekend.
Dave

  -Original Message-
  From: deji Agba [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, August 22, 2003 1:33 PM
  To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Number of Interactive Logons
  
  OK, Rick, I am confused (as usual ;))
   
  Are you thanking Jens for his interpretation of the question? That this has to do with the number of "people" logging onto the network when the DC is down? As pointed out previously, "cached logon" has nothing to do with this at all. It is the number of successful logons/passwords that a client had made to the network. Am I the one misunderstanding the question?
   
  
  
   
  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon
  
  
  From: [EMAIL PROTECTED] on behalf of Rick Kingslan
  Sent: Fri 8/22/2003 6:15 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Number of Interactive Logons
  
  Jens,
   
  Thanks for jarring my tired and very overworked noggin.  Correct - it is the number of cached credentials from users who have already logged in.  But allowing 50 in any kind of a secure computing environment is insane.  Yes, they must have logged on there before, but what is the likelihood that one of those passwords is going to be quite crackable or guessable?  As the number of users increases, the potential for compromise increases.
   
  Given that if one of these boxes can be physically tampered with, the ability to dump information and crack it off-line is becoming more of a reality.  Reference the Knoppix STD CD, for example.
   
  I'm still on board with my earlier statement.  50 is over the top, 10, IMHO, is too many.
   
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schwipper, Jens
  Sent: Friday, August 22, 2003 8:01 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Nu

RE: [ActiveDir] Number of Interactive Logons

2003-08-22 Thread Rick Kingslan
Nope - I'm confused.  I'm officially correcting my correction.  
 
The number of cached logons specifically means that if  _IF_ you have logged
on to a given system before AND the DC is not available, you will have X
logons to that system (by default, X=10).  
 
This has nothing to do, as I incorrectly stated, with the NUMBER of CACHED
USERS.
 
If you have not logged on to the system before and the DC is not available -
you WILL NOT be able to logon regardless of the setting discussed.  This
will only allow users who have logged before to log on to the system in the
event that a DC is not available to authenticate credentials.
 
(Excuse my inability to carry on a coherent thought this morning...
This week has been absolutely whacked.  I guess I'm a bit whacked, too.
But, for those of you that know me - that's nothing new. :)  )
 
And, to that, I still suggest the number be 0.
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 22, 2003 1:33 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons


OK, Rick, I am confused (as usual ;))
 
Are you thanking Jens for his interpretation of the question? That this has
to do with the number of "people" logging onto the network when the DC is
down? As pointed out previously, "cached logon" has nothing to do with this
at all. It is the number of successful logons/passwords that a client had
made to the network. am I the one misunderstanding the question?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Fri 8/22/2003 6:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons


Jens,
 
Thanks for jarring my tired and very overworked noggin.  Correct - it is the
number of cached credentials from users who have already logged in.  But
allowing 50 in any kind of a secure computing environment is insane.  Yes, they
must have logged on there before, but what is the likelihood that one of
those passwords is going to be quite crackable or guessable?  As the number
of users increases, the potential for compromise increases.
 
Given that if one of these boxes can be physically tampered with, the
ability to dump information and crack it off-line is becoming more of a
reality.  Reference the Knoppix STD CD, for example.
 
I'm still on board with my earlier statement.  50 is over the top, 10, IMHO,
is too many.
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Schwipper, Jens
Sent: Friday, August 22, 2003 8:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons


If 50 persons would like to log on during the time when the DC is down, that's
okay,
but these 50 persons must have already logged on before the DC goes down (data
in cache).
I think it's not necessary for a normal user workstation, where it is unusual
for another person to log on.
 
jens

-Original Message-
From: De Schepper Marc [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 August 2003 13:41
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Number of Interactive Logons


Hey all, 
 
I would like to have some feedback of the following Policy setting:
 

Interactive logon: Number of previous logons to cache (in case domain
controller is not available) 
 
 
The default is 10, but our Security people would like to put it on 50.
 
Does anyone have some arguments not to use 50?
 
Marc 

*


This e-mail and any attachment thereto may contain information which is
confidential and/or protected by intellectual property rights and are
intended for the sole use of the addressees. Any use of the information
contained herein (including but not limited to total or partial reproduction
or distribution in any form) by other persons than the addressees is
prohibited. If you have received this e-mail in error, please notify the
sender and delete its contents. 

***

RE: [ActiveDir] SP4

2003-08-22 Thread Rick Kingslan



LOL!  Nice to be in such GREAT company!  :)
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bjelke John A Contr AFRL/VSIO
Sent: Friday, August 22, 2003 12:54 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SP4

Man, I must be havin a ball.
 
 
 
John A. Bjelke
Unisys  505.853.6774
[EMAIL PROTECTED]
"Many of life's failures are people who did not realize how close they were to success when they gave up."
-Thomas Edison


  
  -Original Message-
  From: Hutchins, Mike [mailto:[EMAIL PROTECTED]
  Sent: Friday, August 22, 2003 11:35 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4

  It's mucho funno to be wrong occasionally.. ;->
  
  
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Friday, August 22, 2003 7:08 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4

  Eh, no big deal.  Look how many times I'm wrong around here.  Welcome to the club  ;-)
   
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
  Sent: Friday, August 22, 2003 7:56 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4
  
  And I hate to admit being wrong, but you are right. :-)

  When we first patched all our machines, it was only supported on SP3. However, as you stated, it has been regression tested with
  SP2 and is now supported. Our company would have to sign a waiver with PSS to
  do SP2, but we are SP3 and higher anyways.
  
  
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Thursday, August 21, 2003 8:44 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4
  
  Mike,

  I hate to disagree, but the minimum requirement for the MS03-026 DCOM vuln patch is Windows 2000 SP2.
   
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
  Sent: Thursday, August 21, 2003 9:37 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] SP4
  
  SP3
  
  
  From: Roger Seielstad [mailto:[EMAIL PROTECTED]
  Sent: Thursday, August 21, 2003 8:34 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] SP4
  
  The patch to stop the MSBlast virus only requires SP2 be installed on the machine.
   
   
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 10:28 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] SP4
Has anyone had issues with SP4 on DC's?
We are getting hammered by the latest virus.
 
 
 
 
Don L. Murawski
Sr. Network Administrator
WorldTravel BTI
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264
 


RE: [ActiveDir] Number of Interactive Logons

2003-08-22 Thread Fugleberg, David A



And the correct answer is...

This setting has nothing to do with how many times a given user can log in when no DC is available.  It has everything to do with how many users will have their credentials cached on the workstation while it is connected.
 
Try this simple experiment in the lab.  Set the policy in question to a value of 2.  Make sure a workstation applies the GPO, then log in and out as several different domain users.
 
Disconnect the workstation from the network.  Try logging in as each 
of those users.  You will find that you can log in with the credentials of 
the last two users, but none of the ones before that.  The two that DO work 
will work as many times as you like.
 
The value of 2 in the policy simply means it caches the credentials of the last two unique individuals that logged in, and any credentials previously cached 'roll off'.  The credentials that remain in the cache are valid forever once you disconnect from the network.
 
Now, as to the original question - a value of 10 or 50 makes little difference if less than 10 individuals ever need to use the same machine.  If no one should ever log in when disconnected, setting it at 0 can ensure that no one can do so.  A value of 1 is probably adequate for a laptop that's used by one person only.  However, if the last person that logged in was not the person that just grabbed it to take on the plane, you will have an unhappy road warrior.  Probably best to have at least a value of 2 in case an admin needs to do something with it while disconnected.  50 sounds like overkill - if you have 50 people sharing a portable PC, maybe you might be a tad on the frugal side!
 
Have a good weekend.
Dave

  -Original Message-
  From: deji Agba [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, August 22, 2003 1:33 PM
  To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Number of Interactive Logons
  
  OK, Rick, I am confused (as usual ;))
   
  Are you thanking Jens for his interpretation of the question? That this has to do with the number of "people" logging onto the network when the DC is down? As pointed out previously, "cached logon" has nothing to do with this at all. It is the number of successful logons/passwords that a client had made to the network. Am I the one misunderstanding the question?
   
  
  
   
  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon
  
  
  From: [EMAIL PROTECTED] on behalf of Rick Kingslan
  Sent: Fri 8/22/2003 6:15 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Number of Interactive Logons
  
  Jens,

  Thanks for jarring my tired and very overworked noggin.  Correct - it is the number of cached credentials from users who have already logged in.  But allowing 50 in any kind of a secure computing environment is insane.  Yes, they must have logged on there before, but what is the likelihood that one of those passwords is going to be quite crackable or guessable?  As the number of users increases, the potential for compromise increases.
   
  Given that if one of these boxes can be physically tampered with, the ability to dump information and crack it off-line is becoming more of a reality.  Reference the Knoppix STD CD, for example.
   
  I'm still on board with my earlier statement.  50 is over the top, 10, IMHO, is too many.
   
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schwipper, Jens
  Sent: Friday, August 22, 2003 8:01 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Number of Interactive Logons
  
  If 50 persons would like to log on during the time when the DC is down, that's okay,
  but these 50 persons must have already logged on before the DC goes down (data in cache).
  I think it's not necessary for a normal user workstation, where it is unusual for another person to log on.
   
  jens
  
-Original Message-
From: De Schepper Marc [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 August 2003 13:41
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Number of Interactive Logons
Hey all,

I would like to have some feedback of the following Policy setting:
 

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

 
The default is 10, but our Security people would like to put it on 50.

Does anyone have some arguments not to use 50?
 
Marc 
*
This e-mail message, including any attached files, may contain info

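To make the two readings of the setting concrete, here is an added simulation, written for this archive page; it is not code from the list, from Microsoft's documentation, or from Windows itself. It models the behaviour David Fugleberg describes in his lab experiment: the workstation keeps the credentials of the last N unique users who logged on while a DC was reachable, older entries roll off, and when no DC is reachable only those users can log on, as often as they like; a value of 0 means nobody can log on while disconnected. Two details are assumptions not stated in the thread and are labelled as such in the code: a repeat logon by an already cached user refreshes that user's slot, and account names compare case-insensitively. How Windows actually stores the cached verifier on disk is not modelled.

```python
from collections import OrderedDict


class CachedLogonSimulator:
    """Model of 'Interactive logon: Number of previous logons to cache'.

    Semantics follow the lab experiment described in the thread: while a DC
    is reachable every successful logon is cached, the cache holds at most
    `limit` unique users, the oldest entry rolls off, and while the DC is
    unreachable only cached users can log on, any number of times.
    Assumptions (not from the thread): a repeat logon by a cached user moves
    that user to the most-recent slot; account names are case-insensitive.
    """

    def __init__(self, limit: int) -> None:
        if limit < 0:
            raise ValueError("cached logon count cannot be negative")
        self.limit = limit
        self.dc_reachable = True
        self._cache: "OrderedDict[str, None]" = OrderedDict()  # oldest first

    def logon(self, user: str) -> bool:
        """Return True if the logon succeeds under the current DC state."""
        key = user.lower()  # assumption: Windows account names are case-insensitive
        if self.dc_reachable:
            # The DC validated the credentials: refresh this user's cache
            # entry and roll off the oldest users beyond the configured limit.
            if self.limit > 0:
                self._cache.pop(key, None)
                self._cache[key] = None
                while len(self._cache) > self.limit:
                    self._cache.popitem(last=False)
            return True
        # Disconnected: only a previously cached credential can satisfy the logon.
        return key in self._cache

    def cached_users(self) -> list:
        """Users currently cached, oldest first."""
        return list(self._cache)


def run_lab_experiment(limit: int = 2, users=("alice", "bob", "carol")) -> dict:
    """Replay the experiment: log several users on while connected, then
    disconnect and retry each of them, plus repeated retries by the last user."""
    ws = CachedLogonSimulator(limit)
    for u in users:
        if not ws.logon(u):  # DC reachable: every logon succeeds
            raise RuntimeError("online logon unexpectedly failed")
    ws.dc_reachable = False
    offline = {u: ws.logon(u) for u in users}
    # A cached user keeps working no matter how many times they try.
    repeat_ok = all(ws.logon(users[-1]) for _ in range(25))
    return {"offline": offline, "cached": ws.cached_users(), "repeat_ok": repeat_ok}


if __name__ == "__main__":
    print(run_lab_experiment(2))  # only the last two users survive offline
    print(run_lab_experiment(0))  # 0: nobody can log on while disconnected
```

With the limit set to 2 the three test users produce exactly the result David reports: the first user to log on has rolled off and cannot log on offline, the last two can, and the repeated attempts by the last user never run out, which is why the setting is a count of users rather than a count of logons.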
RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-22 Thread Jimmy Andersson
Set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

Don't forget the '<' and '>' on the SID, you might also need to put in the
'-' symbol within the SID itself.

Also you might need to check in the control 'Return deleted objects' if the
object exist in the Deleted Object container. You'll find the controls in
Search - Options - Controls.
You also might need to 

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 9:58 PM
To: [EMAIL PROTECTED]

Tony,
 
I clicked on Browse and then Search in LDP. The little window comes up. (I
actually used bind first).
 
In the base DN field I typed in "SID=S15A913838F5E5A9AABF22742D54F69"
In the Filter field I typed in "(&(ObjectCategory=*))"
My scope is set to Subtree.
I clicked on Run.

The ObjectSID was a cut and paste from my attribute.

It does not return anything. What am I doing wrong here? I tried SID=,
objectSID=, GUID=, objectGUID=.
 
Any help would be appreciated.
 
Thanks
 
Y
 
 



From: Tony Murray
Sent: Fri 22/08/2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


It's not really using an attribute as your Base DN.  The starting point for
a search can be SID, GUID or DN.  

It works as Jimmy describes below.

Tony

-- Original Message --
From: AD <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 22 Aug 2003 09:26:36 -0400

I never heard of using an attribute as your BaseDN. 

If this worked for you I really would like to know how you did it.

Thanks

Y



From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Why not use LDP and set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

 

My query looks like this:

 

(&(ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-341234134123412432412344))

 

Doesn't return anything. I know the SID must be converted but I am not sure
what format it should be in.

 

Thanks

 

Y



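For the question of what format the objectSid has to be in, here is an added example in Python, written for this page and not taken from the list, from LDP or from any Microsoft tool. It decodes the binary objectSid value into the familiar S-1-5-21-... text form (with the dashes Jimmy says must be present), encodes a text SID back to bytes, and builds the two forms that are useful in practice: an LDAP filter on objectSid with the raw bytes escaped as \XX, and the angle-bracketed <SID=...> base DN that LDP accepts, which is what Jimmy's '<' and '>' refer to. The sample SID is constructed for the example and is not a SID from the thread; the layout decoded here (revision byte, sub-authority count, 6-byte big-endian identifier authority, 4-byte little-endian sub-authorities) is the standard binary SID layout.

```python
import struct

# Constructed sample SID for the example; not a real domain's SID.
SAMPLE_SID_TEXT = "S-1-5-21-1234567890-123456789-1234567890-1001"


def sid_bytes_to_string(sid: bytes) -> str:
    """Decode a binary objectSid (as read from AD) into S-1-5-21-... form."""
    if len(sid) < 8:
        raise ValueError("SID too short to hold a header")
    revision, sub_count = sid[0], sid[1]
    if len(sid) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")           # 48-bit, big-endian
    subs = struct.unpack("<%dI" % sub_count, sid[8:])       # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(text: str) -> bytes:
    """Encode an S-1-5-21-... string back into the binary objectSid layout."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= revision <= 255 or len(subs) > 15:
        raise ValueError("SID fields out of range")
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return out + struct.pack("<%dI" % len(subs), *subs)


def ldap_filter_for_sid(sid: bytes) -> str:
    """Build an objectSid filter with each raw byte escaped as \\XX (RFC 4515)."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in sid)


def ldp_base_dn_for_sid(text: str) -> str:
    """The angle-bracketed SID form LDP accepts as a search base instead of a DN."""
    sid_bytes_to_string(sid_string_to_bytes(text))  # validate before emitting
    return "<SID=%s>" % text


if __name__ == "__main__":
    raw = sid_string_to_bytes(SAMPLE_SID_TEXT)
    print(raw.hex())
    print(sid_bytes_to_string(raw))
    print(ldap_filter_for_sid(raw))
    print(ldp_base_dn_for_sid(SAMPLE_SID_TEXT))
```

The round trip is the useful check: paste the hex that a directory tool shows for objectSid into bytes.fromhex(), decode it, and compare with the S-1-... string you intend to search for; a value like the dash-less one in the thread fails the format check here rather than silently matching nothing on the server.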

RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-22 Thread AD



Tony,
 
I clicked on Browse and then Search in LDP. The little window comes up. (I actually used bind first).
 
In the base DN field I typed in "SID=S15A913838F5E5A9AABF22742D54F69"
In the Filter field I typed in "(&(ObjectCategory=*))"
My scope is set to Subtree.
I clicked on Run.

The ObjectSID was a cut and paste from my attribute.

It does not return anything. What am I doing wrong here? I tried SID=, objectSID=, GUID=, objectGUID=.
 
Any help would be appreciated.
 
Thanks
 
Y
 
 


From: Tony Murray
Sent: Fri 22/08/2003 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute

It's not really using an attribute as your Base DN.  The starting point for a search can be SID, GUID or DN.  

It works as Jimmy describes below.

Tony

-- Original Message --
From: AD <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 22 Aug 2003 09:26:36 -0400

I never heard of using an attribute as your BaseDN. 

If this worked for you I really would like to know how you did it.

Thanks

Y



From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Why not use LDP and set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

 

My query looks like this:

 

(&(ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-341234134123412432412344))

 

Doesn't return anything. I know the SID must be converted but I am not sure
what format it should be in.

 

Thanks

 

Y





RE: [ActiveDir] Number of Interactive Logons

2003-08-22 Thread deji
OK, Rick, I am confused (as usual ;))
 
Are you thanking Jens for his interpretation of the question? That this has
to do with the number of "people" logging onto the network when the DC is
down? As pointed out previously, "cached logon" has nothing to do with this
at all. It is the number of successful logons/passwords that a client had
made to the network. Am I the one misunderstanding the question?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Fri 8/22/2003 6:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons


Jens,
 
Thanks for jarring my tired and very overworked noggin.  Correct - it is the
number of cached credentials from users who have already logged in.  But
allowing 50 in any kind of a secure computing environment is insane.  Yes, they
must have logged on there before, but what is the likelihood that one of those
passwords is going to be quite crackable or guessable?  As the number of
users increases, the potential for compromise increases.
 
Given that if one of these boxes can be physically tampered with, the ability
to dump information and crack it off-line is becoming more of a reality.
Reference the Knoppix STD CD, for example.
 
I'm still on board with my earlier statement.  50 is over the top, 10, IMHO,
is too many.
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Schwipper, Jens
Sent: Friday, August 22, 2003 8:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons


If 50 persons would like to log on during the time when the DC is down, that's
okay,
but these 50 persons must have already logged on before the DC goes down (data
in cache).
I think it's not necessary for a normal user workstation, where it is unusual
for another person to log on.
 
jens

-Original Message-
From: De Schepper Marc [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 August 2003 13:41
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Number of Interactive Logons


Hey all, 
 
I would like to have some feedback of the following Policy setting:
 

Interactive logon: Number of previous logons to cache (in case domain
controller is not available)  
 
The default is 10, but our Security people would like to put it on 50.
 
Does anyone have some arguments not to use 50?
 
Marc 

*


This e-mail and any attachment thereto may contain information which
is confidential and/or protected by intellectual property rights and are
intended for the sole use of the addressees. Any use of the information
contained herein (including but not limited to total or partial reproduction
or distribution in any form) by other persons than the addressees is
prohibited. If you have received this e-mail in error, please notify the
sender and delete its contents. 

*

<>
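As a defender's check on this setting, here is an added example (not code from the thread) that audits the value in a security template of the kind `secedit /export` produces. It assumes the policy "Interactive logon: Number of previous logons to cache" maps to the REG_SZ value CachedLogonsCount under the Winlogon key and that the export lists it in the [Registry Values] section as path=type,"data"; the sample template is constructed, and a missing entry is treated as the default of 10 that Marc's question cites.

```python
"""Audit 'Interactive logon: Number of previous logons to cache' in a
secedit-style security template export.

Added example, not code from the thread.  Assumptions: the export is an
INI-like file whose [Registry Values] section carries lines shaped like
    MACHINE\<path>\<value>=<type>,"<data>"
and the policy is stored as the REG_SZ value CachedLogonsCount under
Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CACHED_LOGONS_KEY = (
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    r"\CachedLogonsCount"
)
# OS default when the policy is not configured (the thread: "The default is 10").
DEFAULT_CACHED_LOGONS = 10

# One [Registry Values] entry: path=type,data  (REG_SZ data is quoted)
_ENTRY_RE = re.compile(r'^(?P<path>[^=]+)=(?P<type>\d+),"?(?P<data>[^"]*)"?\s*$')


@dataclass
class CachedLogonsFinding:
    configured: Optional[int]   # None when the template does not set the value
    effective: int              # value that will actually be in force
    maximum: int                # the baseline the auditor allows
    compliant: bool


def parse_registry_values(template_text: str) -> Dict[str, Tuple[int, str]]:
    """Return {lower-cased registry path: (type, data)} from [Registry Values]."""
    values: Dict[str, Tuple[int, str]] = {}
    in_section = False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section:
            continue
        m = _ENTRY_RE.match(line)
        if m:
            values[m.group("path").lower()] = (int(m.group("type")), m.group("data"))
    return values


def audit_cached_logons(template_text: str,
                        maximum: int = DEFAULT_CACHED_LOGONS) -> CachedLogonsFinding:
    """Evaluate CachedLogonsCount against an allowed maximum.

    Every cached entry is one more user's credential material sitting on the
    box, which is the exposure Rick's post describes; 0 disables caching, and
    anything above `maximum` is flagged.  Malformed data falls back to the
    OS default so the audit never silently treats garbage as compliant.
    """
    entry = parse_registry_values(template_text).get(CACHED_LOGONS_KEY.lower())
    configured: Optional[int] = None
    if entry is not None:
        try:
            configured = int(entry[1])
        except ValueError:
            configured = None
    effective = DEFAULT_CACHED_LOGONS if configured is None else configured
    return CachedLogonsFinding(configured, effective, maximum, effective <= maximum)


# Constructed sample shaped like a secedit /export file (not real data).
SAMPLE_TEMPLATE = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"50"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"
"""

if __name__ == "__main__":
    print(audit_cached_logons(SAMPLE_TEMPLATE, maximum=10))
```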

RE: [ActiveDir] SP4

2003-08-22 Thread Hutchins, Mike
he he

From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 11:54 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SP4

Man, I must be havin a ball.

John A. Bjelke
Unisys  505.853.6774
[EMAIL PROTECTED]
"Many of life's failures are people who did not realize how close they were to success when they gave up."
-Thomas Edison

-Original Message-
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 11:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4

its mucho funno to be wrong occasionally.. ;->

From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 7:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4

Eh, no big deal.  Look how many times I'm wrong around here.  Welcome to the club  ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Friday, August 22, 2003 7:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4

And I hate to admit being wrong, but you are right. :-)

When we first patched all our machines, it was only supported on SP3. However, as you stated, it has been regression tested with SP2 and is now supported. Our company would have to sign a waiver with PSS to do SP2, but we are SP3 and higher anyways.

From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 8:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4

Mike,

I hate to disagree, but the minimum requirement for the MS03-026 DCOM vuln patch is Windows 2000 SP2.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, August 21, 2003 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4

sp3

From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 8:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SP4

The patch to stop the MSBlast virus only requires SP2 be installed on the machine.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 10:28 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] SP4

Has anyone had issues with SP4 on DC's?
We are getting hammered by the latest virus.

Don L. Murawski
Sr. Network Administrator
WorldTravel BTI
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264

RE: [ActiveDir] Event 1000 + error code 59

2003-08-22 Thread Siddharth Sawkar
If this was the case, non-VPN users would have the same problem.

On Fri, 22 Aug 2003, De Schepper Marc wrote:

> No this one
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;327825
>
> But maybe it is not the solution for you
>
> From: Lev Zdenek [mailto:[EMAIL PROTECTED]
> Sent: Friday, 22 August 2003 16:02
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Event 1000 + error code 59
>
> Do you mean this ?
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q244474
>
> but netdiag test was OK
>
> -Original Message-
> From: De Schepper Marc [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 22, 2003 3:01 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Event 1000 + error code 59
>
> Maxtokensize?
>
> From: Lev Zdenek [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 21 August 2003 17:52
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Event 1000 + error code 59
>
> Hello evr.
> Every time I try to log on to my workstation (W2K Professional) in an AD
> (W2K) environment I get this error in the application log:
> "Windows cannot obtain the domain controller name for your computer network.
> Return value (59)."
> Netdiag and dcdiag logs are without error.
> There is an error in userenv "DsGetDcName... error 59" too.
> The result of this error is that GPs are not applied.
> Any idea ?
>
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] SP4

2003-08-22 Thread Bjelke John A Contr AFRL/VSIO
Man, I must be havin a ball.

John A. Bjelke
Unisys  505.853.6774
[EMAIL PROTECTED]
"Many of life's failures are people who did not realize how close they were to success when they gave up."
-Thomas Edison

-Original Message-
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 11:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4

its mucho funno to be wrong occasionally.. ;->
  
  

RE: [ActiveDir] SP4

2003-08-22 Thread Hutchins, Mike
its mucho funno to be wrong occasionally.. ;->

From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 7:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4

Eh, no big deal.  Look how many times I'm wrong around here.  Welcome to the club  ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



RE: [ActiveDir] Event 1000 + error code 59

2003-08-22 Thread Siddharth Sawkar
Return code would have been different if it was maxtokensize.

On Fri, 22 Aug 2003, De Schepper Marc wrote:

> Maxtokensize?


RE: [ActiveDir] SP4

2003-08-22 Thread Rick Kingslan
Eh, no big deal.  Look how many times I'm wrong around here.  Welcome to the club  ;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Friday, August 22, 2003 7:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4

And I hate to admit being wrong, but you are right. :-)

When we first patched all our machines, it was only supported on SP3. However, as you stated, it has been regression tested with SP2 and is now supported. Our company would have to sign a waiver with PSS to do SP2, but we are SP3 and higher anyways.



RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-22 Thread Jimmy Andersson
I use the SID as the BaseDN.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 3:27 PM
To: [EMAIL PROTECTED]

I never heard of using an attribute as your BaseDN. 
 
If this worked for you I really would like to know how you did it.
 
Thanks
 
Y



From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Why not use LDP and set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

My query looks like this:

(&(ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-341234134123412432412344))

Doesn't return anything. I know the sid must be converted but I am not sure
what format it should be in.

Thanks

Y


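The reason the filter above returns nothing is that objectSid is stored in binary, so the "S-1-5-..." string never matches; the bytes have to be escaped per RFC 4515, or the SID used as the search base the way Jimmy does with LDP. The following is an added example in Python, not code from the thread; the exact value Jimmy typed into LDP's Base DN field is not on the page, so the `<SID=...>` form shown for it is an assumption.

```python
"""Textual SID <-> binary objectSid, plus a filter that matches it.

Added example, not code from the thread.  Assumes the standard SID layout
(revision byte, sub-authority count byte, 48-bit big-endian identifier
authority, then 32-bit little-endian sub-authorities) and RFC 4515 escaping
of binary filter values as \\xx hex pairs.
"""
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Pack 'S-1-5-21-...' into the byte form Active Directory stores."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    sub_auths = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < (1 << 48) or len(sub_auths) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    header = struct.pack("<BB", revision, len(sub_auths))   # revision, count
    auth = authority.to_bytes(6, "big")                      # 48-bit big-endian
    body = b"".join(struct.pack("<I", s) for s in sub_auths)  # little-endian
    return header + auth + body


def bytes_to_sid(data: bytes) -> str:
    """Inverse of sid_to_bytes, validating the length against the count byte."""
    if len(data) < 8:
        raise ValueError("SID blob too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def ldap_escape(data: bytes) -> str:
    """RFC 4515 escaping: every byte as \\xx, which is always valid for binary."""
    return "".join(f"\\{b:02x}" for b in data)


def objectsid_filter(sid: str, category: str = "user") -> str:
    """Filter equivalent to the poster's, with objectSid in the form AD can match."""
    return f"(&(objectCategory={category})(objectSid={ldap_escape(sid_to_bytes(sid))}))"


def sid_base_dn(sid: str) -> str:
    """Assumed form of the SID-as-base-DN trick: AD accepts <SID=...> as a DN."""
    return f"<SID={sid}>"


if __name__ == "__main__":
    # Constructed example: the well-known Builtin\Administrators SID.
    print(objectsid_filter("S-1-5-32-544"))
    print(sid_base_dn("S-1-5-32-544"))
```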


RE: [ActiveDir] Event 1000 + error code 59

2003-08-22 Thread Lev Zdeněk
Sorry for my mistake with set 1, I am now able to see my logon server. I have a response
from this one.
There are only 2 DCs and both respond to ping. Yes, VPN is only within ISP routers. Every
machine on sites without a DC has this problem. There are 10 sites without a DC and 2
others with a DC.
Sorry for my English.
Zdenek



-Original Message-
From: Siddharth Sawkar [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 5:39 PM
To: Lev Zdeněk
Subject: RE: [ActiveDir] Event 1000 + error code 59


Not 'set 1' but 'set l'. l= logon server.  This will tell us who
authenticated you.  then after you connect to the network, ping the logon
server to see if you get a reply.  Use fully qualified domain name.


Something along your network path is corrupting traffic.  If this was not
the case, then all of your machines would be experiencing this problem.
But only your VPN clients are.  What do you mean the VPN is only between
the ISP routers?

/Siddharth

On Fri, 22 Aug 2003, Lev Zdeněk wrote:

> Normal ping to server DC is successful. Could you please explain to me what
> "set 1" means?
>
> VPN is only between ISP routers. My environment seems to be like one WAN without
> restriction (No filters)
>
> Clients are W2K Prof. SP3 or SP4. I turned off slow link detection.
>
> Zdenek
>
>
>
> -Original Message-
> From: Siddharth Sawkar [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 22, 2003 5:14 PM
> To: Lev Zdeněk
> Subject: RE: [ActiveDir] Event 1000 + error code 59
>
>
> This is not a server side issue - it is strictly client side, so netdiags,
> dcdiags should come out clean.
>
> Your problem is with the VPN.  Some of your traffic seems to be blocked.
> Once you connect and authenticate with your DC, do a 'set l' and then ping
> that server.  Are you getting replies?
>
> /Siddharth
>
> On Fri, 22 Aug 2003, Lev Zdeněk wrote:
>
> > When I tested it with netdiag, nltest and dcdiag the result was OK. I
> > use split DNS with one zone for internal usage (AD) with a forwarder to
> > the ISP DNS servers. There is 1 domain, 2 DCs and 2 sites. There are 10
> > other sites without a DC.  The problematic clients are connected through
> > ISP VPN 128 kB (without any IP filters) from a site without a DC. The WAN
> > was working OK for 1 month. Everything is functioning except new GP processing
> > and error 1000 in the application log and the error in userenv. Here is the log
> > from netlogon.log and usrenv.log.
> >
> >
> > Netlogon.log
> >
> > 07/11 12:52:28 [MISC] DbFlag is set to 2000
> > 07/11 12:52:28 [INIT] Following are the effective values after parsing
> > 07/11 12:53:43 [MISC] DsrEnumerateDomainTrusts: Called, Flags = 0x3
> > 07/11 12:53:43 [MISC] SSHR: DsrEnumerateDomainTrusts: Domain List collected from \\post1.sshr.intra
> > 07/11 12:53:44 [DOMAIN] Setting LSA NetbiosDomain: SSHR DnsDomain: sshr.intra. DnsTree: sshr.intra. DomainGuid:d2455bd5-860c-4096-91f7-a3db072d6fc8
> > 07/11 12:53:44 [LOGON] NlSetForestTrustList: New trusted domain list:
> > 07/11 12:53:44 [LOGON] 0: SSHR sshr.intra (NT 5) (Forest Tree Root) (Primary Domain) (Native)
> > 07/11 12:53:44 [LOGON]Dom Guid: d2455bd5-860c-4096-91f7-a3db072d6fc8
> > 07/11 12:53:44 [LOGON]Dom Sid: S-1-5-21-796845957-861567501-682003330
> > 07/11 12:53:44 [MISC] DsrEnumerateDomainTrusts: returns: 0
> > 07/11 12:53:51 [MISC] DsGetDcName function called: Dom:SSHR Acct:(null) Flags: IP KDC
> > 07/11 12:53:51 [MISC] NetpDcGetName: sshr.intra. using cached information
> > 07/11 12:53:51 [MISC] DsGetDcName function returns 0: Dom:SSHR Acct:(null) Flags: IP KDC
> > 07/11 12:53:52 [MISC] DsGetDcName function called: Dom:SSHR Acct:(null) Flags: DSP
> > 07/11 12:53:52 [MISC] NetpDcGetName: sshr.intra. cache is too old. 11951385
> > 07/11 12:53:52 [MAILSLOT] NetpDcPingListIp: sshr.intra.: Sent UDP ping to 192.168.51.201
> > 07/11 12:53:52 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to post1.sshr.intra
> > 07/11 12:53:52 [MISC] NlPingDcNameWithContext: post1.sshr.intra responded over IP.
> > 07/11 12:53:52 [MISC] NetpDcGetName: sshr.intra. using cached information
> > 07/11 12:53:52 [MISC] DsGetDcName function returns 0: Dom:SSHR Acct:(null) Flags: DSP
> > 07/11 12:53:52 [MISC] DsrEnumerateDomainTrusts: Called, Flags = 0x3
> > 07/11 12:53:52 [MISC] DsrEnumerateDomainTrusts: returns: 0
> > 07/11 12:53:52 [MISC] DsGetDcName function called: Dom:SSHR Acct:administrator Flags: DS NETBIOS RET_DNS
> > 07/11 12:53:52 [MISC] NetpDcGetName: sshr.intra. cache doesn't have right account name.
> > 07/11 12:53:52 [MAILSLOT] NetpDcPingListIp: sshr.intra.: Sent UDP ping to 192.168.51.201
> > 07/11 12:53:52 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to post1.sshr.intra
> > 07/11 12:53:52 [MISC] NlPingDcNameWithContext: Ping response timeout for post1.sshr.intra.
> > 07/11 12:53:52 [MAILSLOT] NetpDcPingListIp: sshr.intra.: Sent UDP ping to 192.168.51.201
> > 07/11 12:53:52 [
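A small triage helper for a Netlogon debug log like the one quoted above, added here and not part of the thread: it pairs each DsGetDcName call with its return code and counts LDAP-ping timeouts per DC, which is the pattern Siddharth's diagnosis (traffic being dropped somewhere on the path) would produce. The sample lines are constructed to mirror the quoted layout; the domain, DC name and address are placeholders, and the non-zero return line is assumed to follow the same shape as the "returns 0" lines in the log.

```python
"""Triage a Netlogon debug log (netlogon.log) for DC-locator trouble.

Added example, not part of the thread.  Assumes the line layout seen in the
quoted log, 'MM/DD HH:MM:SS [CATEGORY] message', and that a failed lookup is
reported as 'DsGetDcName function returns <code>:'.  Code 59 is
ERROR_UNEXP_NET_ERR, the return value named in the Event 1000 text.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ERROR_UNEXP_NET_ERR = 59

_LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<cat>[A-Z]+)\]\s*(?P<msg>.*)$"
)
_CALL_RE = re.compile(
    r"DsGetDcName function called: Dom:(?P<dom>\S+) Acct:(?P<acct>\S+) Flags: (?P<flags>.*)"
)
_RET_RE = re.compile(r"DsGetDcName function returns (?P<code>\d+):")
_TIMEOUT_RE = re.compile(r"Ping response timeout for (?P<dc>\S+)")

# (timestamp, domain, account, flags, return code) of one failed DsGetDcName call
FailedLookup = Tuple[str, str, str, str, int]


@dataclass
class LocatorSummary:
    calls: int = 0
    failures: int = 0
    timeouts: Counter = field(default_factory=Counter)          # DC name -> count
    failed_lookups: List[FailedLookup] = field(default_factory=list)

    def worst_dc(self) -> Optional[str]:
        """DC with the most LDAP-ping timeouts, or None if none timed out."""
        return self.timeouts.most_common(1)[0][0] if self.timeouts else None


def summarize_netlogon(text: str) -> LocatorSummary:
    summary = LocatorSummary()
    pending: Optional[Tuple[str, str, str, str]] = None  # call awaiting its return line
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue  # banner or wrapped continuation line, not a timestamped event
        ts, msg = m.group("ts"), m.group("msg")
        if call := _CALL_RE.search(msg):
            summary.calls += 1
            pending = (ts, call.group("dom"), call.group("acct"), call.group("flags").strip())
        elif ret := _RET_RE.search(msg):
            code = int(ret.group("code"))
            if code != 0:
                summary.failures += 1
                summary.failed_lookups.append((*(pending or (ts, "?", "?", "?")), code))
            pending = None
        elif timeout := _TIMEOUT_RE.search(msg):
            # Netlogon writes the DC name with a trailing dot; normalise it away.
            summary.timeouts[timeout.group("dc").rstrip(".")] += 1
    return summary


# Constructed sample mirroring the quoted log's layout; names and addresses are placeholders.
SAMPLE_LOG = """\
07/11 12:52:28 [MISC] DbFlag is set to 2000
07/11 12:53:52 [MISC] DsGetDcName function called: Dom:EXAMPLE Acct:(null) Flags: DSP
07/11 12:53:52 [MAILSLOT] NetpDcPingListIp: example.test.: Sent UDP ping to 192.0.2.10
07/11 12:53:52 [MISC] NlPingDcNameWithContext: dc1.example.test responded over IP.
07/11 12:53:52 [MISC] DsGetDcName function returns 0: Dom:EXAMPLE Acct:(null) Flags: DSP
07/11 12:53:52 [MISC] DsGetDcName function called: Dom:EXAMPLE Acct:administrator Flags: DS NETBIOS RET_DNS
07/11 12:53:52 [MISC] NlPingDcNameWithContext: Ping response timeout for dc1.example.test.
07/11 12:53:52 [MISC] NlPingDcNameWithContext: Ping response timeout for dc1.example.test.
07/11 12:53:53 [MISC] DsGetDcName function returns 59: Dom:EXAMPLE Acct:administrator Flags: DS NETBIOS RET_DNS
"""

if __name__ == "__main__":
    s = summarize_netlogon(SAMPLE_LOG)
    print(f"{s.calls} lookups, {s.failures} failed; worst DC: {s.worst_dc()}")
    for ts, dom, acct, flags, code in s.failed_lookups:
        print(f"  {ts} {dom}/{acct} [{flags}] -> {code}")
```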

RE: [ActiveDir] Event 1000 + error code 59

2003-08-22 Thread De Schepper Marc
No this one

http://support.microsoft.com/default.aspx?scid=kb;en-us;327825

But maybe it is not the solution for you

From: Lev Zdenek [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 August 2003 16:02
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Event 1000 + error code 59

Do you mean this ?
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q244474
but netdiag test was OK
 



Re: [ActiveDir] SP4

2003-08-22 Thread Kevin Gent



Seems many of you subscribe to Brian's Buzz. He published a story today; http://www.briansbuzz.com/w/030821/ that included a bit about the statement we, TruSecure Corporation, had posted on our website.

During the initial rush to get information out about Blaster, we included a statement that if you had Windows 2000 SP3, then applied MS03-026, you'd be patched. However, if you subsequently installed SP4, you would be reverted to an unpatched state.

The testing that was used to come up with this statement was wrong. I did the testing, so I know it was wrong. Last week I rechecked this and found my mistake. Unfortunately, it took until Monday to get the TruSecure alert corrected. Brian refers to a different alert, the original alert about the RPC/DCOM overflow (TSA03-009). I'm not sure we ever had mention about SP4 reverting MS03-026 in that alert. I know we had it in TSA03-011, and that alert now contains the following;

"TruSecure Corporation originally believed that Windows 2000 machines which were at SP3, then patched with MS03-026, and then updated to SP4, would become vulnerable to the attacks against RPC/DCOM (e.g. Blaster). Subsequent testing proved this not to be the case. Systems patched in this method will retain the MS03-026 patch after applying SP4 and do not need to re-apply the patch."

Apologies to all who read the incorrect information.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

- Original Message -
From: jalen richard
To: [EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 10:02 PM
Subject: RE: [ActiveDir] SP4

Windows 2000 upgrades to SP4 undo the MS03-026 patch. Take Windows 2000 machines with Service Pack 3, patch them with MS03-026, and then upgrade them to Service Pack 4. They become vulnerable to Blaster again. If you don't need the features of SP4, either hold off on installing it, or do install it and then manually disable the Windows DCOM service. (That last step will break applications that use DCOM.) A more complete description of this approach can be found in the Mitigations section of TruSecure article 03-009.

Roger Seielstad <[EMAIL PROTECTED]> wrote:
  



I would tend to agree with you.
Then again, I also witnessed no less than 3 different releases of the same patch over the last 10 days.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4

Despite what the FAQ says, I've seen some win2k pro workstations where the patch would NOT install on SP2. Upgrading to SP3 allowed the patch to be applied. My guess is that what is really required is SP2 + some post SP2 hotfix. Again, this is only a guess on my part. Since our internal standard is SP3, we didn't spend any time investigating - we just installed SP3.

-Original Message-
From: Andy David [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 10:11 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] SP4

"Is the patch supported on Windows 2000 Service Pack 2?

This security patch will install on Windows 2000 Service Pack 2. However, Microsoft no longer supports this version, according to the Microsoft Support Lifecycle policy found at http://support.microsoft.com/lifecycle. In addition, this security patch has only received minimal testing on Windows 2000 Service Pack 2. Customers are strongly advised to upgrade to a supported service pack as soon as possible. Microsoft Product Support Services will support customers who have installed this patch on Windows 2000 Service Pack 2 if a problem results from installation of the patch."
http://www.microsoft.com/technet/treeview/default.asp?url="">
 
 


RE: [ActiveDir] Event 1000 + error code 59

2003-08-22 Thread Dennis Schut
Hey Lev,

Are you in a specific site?

If so, is the DC registering its AtSite SRV records correctly in DNS? Seems to me that your client can't query DNS for an appropriate DC SRV record.

Also from my part, it's just a thought.

Regards

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of De Schepper Marc
Sent: Friday, August 22, 2003 15:09
To: [EMAIL PROTECTED]

Sorry Lev, for the short answer

But I had a similar problem that had a different return value.

My solution was that I had too many groups and the Kerberos token size buffer is only 12000 tokens (12000 chars)... So if you are in too many groups...

Also a good idea is to verify that security is OK on the Group Policy.

It's just a thought ...

 















RE: [ActiveDir] Number of Interactive Logons

2003-08-22 Thread De Schepper Marc
STOP!!! :-)

They are convinced. This one is ours...
Thx for the quick response
Marc

From: De Schepper Marc [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 August 2003 13:41
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Number of Interactive Logons

Hey all,

I would like to have some feedback on the following policy setting:

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

The default is 10, but our Security people would like to put it on 50.

Does anyone have some arguments not to use 50?

Marc
*
Dit e-mail bericht inclusief eventuele ingesloten 
bestanden kan informatie bevatten die vertrouwelijk is en/of beschermd door 
intellectuele eigendomsrechten. Dit bericht is uitsluitend bestemd voor de 
geadresseerde(n). Elk gebruik van de informatie vervat in dit bericht (waaronder 
de volledige of gedeeltelijke reproductie of verspreiding onder elke vorm) door 
andere personen dan de geadresseerde(n) is verboden. Indien u dit bericht per 
vergissing heeft ontvangen, gelieve de afzender hiervan te verwittigen en dit 
bericht te verwijderen. 
This e-mail and any attachment thereto may contain 
information which is confidential and/or protected by intellectual property 
rights and are intended for the sole use of the addressees. Any use of the 
information contained herein (including but not limited to total or partial 
reproduction or distribution in any form) by other persons than the addressees 
is prohibited. If you have received this e-mail in error, please notify the 
sender and delete its contents. 
*


RE: [ActiveDir] Number of Interactive Logons

2003-08-22 Thread Roger Seielstad

I think you're not clear on what that option does - I believe it's the number
of times you can log in using a set of cached credentials. So, setting it to
50 means that only one out of every 51 authentications by a given user must
be actively authenticated by a DC.

That's why it's a security hole.
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  


RE: [ActiveDir] Event 1000 + error code 59

2003-08-22 Thread Lev Zdeněk

The user logon name which I try to use for logon is in the Domain Users group only.
I think that the security is OK.

I am not able to find this event from userenv.log on the Internet:

USERENV(a0.70) 11:37:24:522 ProcessGPOs: DSGetDCName failed with 59.

Z.
 
 
 


RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-22 Thread Tony Murray
It's not really using an attribute as your Base DN.  The starting point for a search 
can be SID, GUID or DN.  

It works as Jimmy describes below.

Tony

-- Original Message --
From: AD <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 22 Aug 2003 09:26:36 -0400

I never heard of using an attribute as your BaseDN. 

If this worked for you I really would like to know how you did it.

Thanks

Y



From: Jimmy Andersson
Sent: Thu 21/08/2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute


Why not use LDP and set it like this:

Base DN 
Filter (&(ObjectCategory=*)(name=*))

(I used a SID from my lab domain)

You might need to load the control for deleted objects, if it's deleted.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB  
  CEO & Principal Advisor  
Microsoft MVP - Active Directory
-- www.qadvice.com -- 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Friday, August 22, 2003 12:35 AM
To: [EMAIL PROTECTED]

Anyone know how to query AD on the ObjectSID?

My query looks like this:

(&(ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-341234134123412432412344))

Doesn't return anything. I know the SID must be converted but I am not sure
what format it should be in.

Thanks

Y


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


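An added example for the format question in this thread (my code, not from any poster): objectSid is stored as a binary value, so the textual `S-1-5-...` form only works as LDP's `<SID=...>` search base (Tony's "starting point can be SID, GUID or DN"); inside a filter the value has to be the packed bytes, each escaped as `\xx`. The functions below pack and unpack the SID layout and build both forms; the test inputs are the well-known Administrators alias `S-1-5-32-544` and the domain SID that appears in the netlogon.log excerpt further down this page.

```python
"""Convert between the textual SID form and the binary objectSid that AD stores.

objectSid is a binary attribute, so a filter like (objectSid=S-1-5-...) never
matches: the value must be the raw bytes, escaped as \\xx (RFC 4515). LDP's
<SID=...> base-DN form, by contrast, takes the textual SID unescaped.
"""
import re
import struct

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def sid_to_bytes(sid: str) -> bytes:
    """Pack a textual SID into the binary layout used by objectSid."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if not 1 <= len(subs) <= 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("bad sub-authority count or value")
    out = struct.pack("<BB", revision, len(subs))        # revision, sub-authority count
    out += authority.to_bytes(6, "big")                  # 48-bit authority, big-endian
    out += b"".join(struct.pack("<I", s) for s in subs)  # sub-authorities, little-endian
    return out


def bytes_to_sid(raw: bytes) -> str:
    """Unpack a binary objectSid value back into its textual form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = struct.unpack_from("<BB", raw, 0)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def ldap_escape_binary(raw: bytes) -> str:
    """Escape every byte as \\xx so a binary value can sit inside an LDAP filter."""
    return "".join("\\%02x" % b for b in raw)


def objectsid_filter(sid: str, category: str = "user") -> str:
    """The filter the question was reaching for, with the SID in the form AD matches."""
    return "(&(objectCategory=%s)(objectSid=%s))" % (
        category, ldap_escape_binary(sid_to_bytes(sid)))


def sid_base_dn(sid: str) -> str:
    """The <SID=...> search base LDP accepts in place of a DN (textual, unescaped)."""
    sid_to_bytes(sid)  # validate the string before handing it to a client
    return "<SID=%s>" % sid


if __name__ == "__main__":
    # Domain SID quoted from the netlogon.log excerpt on this page.
    domain_sid = "S-1-5-21-796845957-861567501-682003330"
    print(objectsid_filter(domain_sid))
    print(sid_base_dn(domain_sid))
    print(bytes_to_sid(sid_to_bytes(domain_sid)))
```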


RE: [ActiveDir] Event 1000 + error code 59

2003-08-22 Thread Lev Zdeněk

Do you mean this?
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q244474
But the netdiag test was OK.
 



[ActiveDir] SP4

2003-08-22 Thread James_Day

Return Receipt

Your document "[ActiveDir] SP4" was received by James Day/Contractor/NPS
at 08/21/2003 02:56:32 PM.







RE: [ActiveDir] LDAP query on ObjectSID attribute

2003-08-22 Thread AD

I never heard of using an attribute as your BaseDN.

If this worked for you I really would like to know how you did it.

Thanks

Y





RE: [ActiveDir] Number of Interactive Logons

2003-08-22 Thread Rick Kingslan

Jens,

Thanks for jarring my tired and very overworked noggin. Correct - it is the
number of cached credentials from users who have already logged in. But
allowing 50 in any kind of secure computing environment is insane. Yes, they
must have logged on there before, but what is the likelihood that one of
those passwords is going to be quite crackable or guessable? As the number
of users increases, the potential for compromise increases.

Given that if one of these boxes can be physically tampered with, the
ability to dump information and crack it off-line is becoming more of a
reality. Reference the Knoppix STD CD, for example.

I'm still on board with my earlier statement. 50 is over the top; 10, IMHO,
is too many.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 




RE: [ActiveDir] Event 1000 + error code 59

2003-08-22 Thread De Schepper Marc

Sorry Lev, for the short answer.

But I had a similar problem that had a different return value.

My solution was that I had too many groups and the Kerberos token size
buffer is only 12000 tokens (12000 chars)... So if you are in too many
groups...

Also a good idea is to verify whether security is OK on Group Policy.

It's just a thought ...





RE: [ActiveDir] Number of Interactive Logons

2003-08-22 Thread Rick Kingslan

Marc,

I'm not sure if this is a typo or not - but your Security people are saying
"Hey, if someone steals this computer so that it can't connect to the DC to
authenticate, we would like to give them 50 chances to hack into the box -
not the ZERO that is typically recommended for a secured environment, or the
10 that is default."

And you're certain when they said Security, they didn't mean the Keystone
cop-type rental agency guys that roam around and ask to see badges?

Yes, I'm being brutally sarcastic, but this is totally the opposite thinking
that you should be using in this case. For a secure environment or systems
that should not be authenticated to with a network logon UNLESS A DC is
available, set this value to zero. IMHO, 10 is too high.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


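A defender-side check for the setting this thread argues over, added here as an example and not taken from any poster: it reads the CachedLogonsCount entry out of a `secedit /export` security template (the policy writes that REG_SZ value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) and flags anything above a chosen ceiling. The two templates below are constructed, not real exports; the ceiling of 10 is an assumption you would set to your own baseline.

```python
"""Audit "Interactive logon: Number of previous logons to cache" in a secedit export.

`secedit /export /cfg host.inf` lists the policy under [Registry Values] as
    MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
where the 1 is the REG_SZ type code and the quoted text is the value.
"""
import re
from typing import Dict, Optional, Tuple

CACHED_LOGONS_PATH = (
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount"
)
WINDOWS_DEFAULT = 10   # what a host uses when the policy is not configured
SETTING_MAX = 50       # the largest value the policy itself accepts

# path=type,value ; the path never contains '=', so matching up to the first '=' is safe
_ENTRY_RE = re.compile(r"^(?P<path>[^=]+?)=(?P<type>\d+),(?P<value>.*)$")


def parse_registry_values(inf_text: str) -> Dict[str, Tuple[int, str]]:
    """Return {path (lower-cased): (type_code, raw_value)} for the [Registry Values] section."""
    entries: Dict[str, Tuple[int, str]] = {}
    section = None
    for raw_line in inf_text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # section header
            continue
        if section != "Registry Values":
            continue
        m = _ENTRY_RE.match(line)
        if m:
            entries[m.group("path").lower()] = (int(m.group("type")), m.group("value"))
    return entries


def cached_logons_count(inf_text: str) -> Optional[int]:
    """The configured count, or None when the template leaves the policy unset."""
    entry = parse_registry_values(inf_text).get(CACHED_LOGONS_PATH.lower())
    if entry is None:
        return None
    type_code, raw = entry
    if type_code != 1:                    # 1 == REG_SZ; anything else is a malformed template
        raise ValueError("CachedLogonsCount must be REG_SZ (type 1), got type %d" % type_code)
    count = int(raw.strip().strip('"'))
    if not 0 <= count <= SETTING_MAX:
        raise ValueError("CachedLogonsCount %d is outside the policy's 0..%d range"
                         % (count, SETTING_MAX))
    return count


def grade(inf_text: str, ceiling: int = WINDOWS_DEFAULT) -> Tuple[Optional[int], str]:
    """Classify a template against a ceiling: returns (count, one-line verdict)."""
    count = cached_logons_count(inf_text)
    if count is None:
        return None, "unset: host falls back to the Windows default of %d" % WINDOWS_DEFAULT
    if count == 0:
        return 0, "ok: 0 cached logons, a DC is required for every domain logon"
    if count <= ceiling:
        return count, "ok: %d cached logons, within the ceiling of %d" % (count, ceiling)
    return count, "finding: %d cached logons exceeds the ceiling of %d" % (count, ceiling)


# Constructed sample exports (not real secedit output): the 50 proposed in the
# thread beside the 0 recommended for a secured environment.
PROPOSED_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"50"
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
"""
HARDENED_INF = r"""
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
"""

if __name__ == "__main__":
    for name, inf in (("proposed", PROPOSED_INF), ("hardened", HARDENED_INF)):
        print(name, grade(inf))
```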


RE: [ActiveDir] Number of Interactive Logons

2003-08-22 Thread Schwipper, Jens

If 50 persons would like to log on in the time when the DC is down, it's okay,
but these 50 persons must have already logged on before the DC goes down
(data in cache).
I think it's not necessary for a normal user workstation, where it is unusual
for another person to log on.

jens



RE: [ActiveDir] Event 1000 + error code 59

2003-08-22 Thread De Schepper Marc

Maxtokensize?





RE: [ActiveDir] SP4

2003-08-22 Thread Hutchins, Mike

And I hate to admit being wrong, but you are right. :-)

When we first patched all our machines, it was only supported on SP3.
However, as you stated, it has been regression tested with SP2 and is now
supported. Our company would have to sign a waiver with PSS to do SP2, but
we are SP3 and higher anyways.


From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 8:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4

Mike,

I hate to disagree, but the minimum requirement for the MS03-026 DCOM
vulnerability patch is Windows 2000 SP2.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, August 21, 2003 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SP4

sp3

From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 8:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SP4

The patch to stop the MSBlast virus only requires SP2 be installed on the
machine.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 10:28 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] SP4

Has anyone had issues with SP4 on DC's?
We are getting hammered by the latest virus.

Don L. Murawski
Sr. Network Administrator
WorldTravel BTI
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264

RE: [ActiveDir] Number of Interactive Logons

2003-08-22 Thread Tony Murray
Personally, I've never given any thought to changing the default on this policy.  Do 
your security people have a good reason for wanting to change it?

It might be a good issue to pose to the experts at the Technical Chat next Tuesday:

Account Passwords and Policies in Windows Server 2003 

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itcommunity/chats/default.asp

Tony



RE: [ActiveDir] Number of Interactive Logons

2003-08-22 Thread Roger Seielstad

So let me get this straight - your 'security' people are asking you to make
your systems less secure?

I would think increasing the number of cached logins decreases the security
of the system. IIRC, cached logins are reset basically whenever the system
comes 'online' - in other words has access to a DC. Therefore, the more you
cache the longer you're allowing the system to live autonomously, without
getting policy updates, etc.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  


[ActiveDir] Number of Interactive Logons

2003-08-22 Thread De Schepper Marc

Hey all,

I would like to have some feedback on the following Policy setting:

Interactive logon: Number of previous logons to cache (in case domain
controller is not available)

The default is 10, but our Security people would like to put it on 50.

Does anyone have some arguments not to use 50?

Marc



RE: [ActiveDir] Event 1000 + error code 59

2003-08-22 Thread Lev Zdeněk
When I tested it with netdiag, nltest and dcdiag the result was OK. I use split DNS
with one zone for internal usage (AD) with a forwarder to the ISP DNS servers. There is 1
domain, 2 DCs and 2 sites. There are 10 other sites without a DC. The problematic
clients are connected through an ISP VPN at 128 kB (without any IP filters) from a site
without a DC. The WAN was working OK for 1 month. Everything functions except new GP
processing, and there is error 1000 in the application log and an error in userenv. Here is the log from
netlogon.log and the userenv.log process.


Netlogon.log

07/11 12:52:28 [MISC] DbFlag is set to 2000
07/11 12:52:28 [INIT] Following are the effective values after parsing
07/11 12:53:43 [MISC] DsrEnumerateDomainTrusts: Called, Flags = 0x3
07/11 12:53:43 [MISC] SSHR: DsrEnumerateDomainTrusts: Domain List collected from \\post1.sshr.intra
07/11 12:53:44 [DOMAIN] Setting LSA NetbiosDomain: SSHR DnsDomain: sshr.intra. DnsTree: sshr.intra. DomainGuid:d2455bd5-860c-4096-91f7-a3db072d6fc8
07/11 12:53:44 [LOGON] NlSetForestTrustList: New trusted domain list:
07/11 12:53:44 [LOGON] 0: SSHR sshr.intra (NT 5) (Forest Tree Root) (Primary Domain) (Native)
07/11 12:53:44 [LOGON] Dom Guid: d2455bd5-860c-4096-91f7-a3db072d6fc8
07/11 12:53:44 [LOGON] Dom Sid: S-1-5-21-796845957-861567501-682003330
07/11 12:53:44 [MISC] DsrEnumerateDomainTrusts: returns: 0
07/11 12:53:51 [MISC] DsGetDcName function called: Dom:SSHR Acct:(null) Flags: IP KDC
07/11 12:53:51 [MISC] NetpDcGetName: sshr.intra. using cached information
07/11 12:53:51 [MISC] DsGetDcName function returns 0: Dom:SSHR Acct:(null) Flags: IP KDC
07/11 12:53:52 [MISC] DsGetDcName function called: Dom:SSHR Acct:(null) Flags: DSP
07/11 12:53:52 [MISC] NetpDcGetName: sshr.intra. cache is too old. 11951385
07/11 12:53:52 [MAILSLOT] NetpDcPingListIp: sshr.intra.: Sent UDP ping to 192.168.51.201
07/11 12:53:52 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to post1.sshr.intra
07/11 12:53:52 [MISC] NlPingDcNameWithContext: post1.sshr.intra responded over IP.
07/11 12:53:52 [MISC] NetpDcGetName: sshr.intra. using cached information
07/11 12:53:52 [MISC] DsGetDcName function returns 0: Dom:SSHR Acct:(null) Flags: DSP
07/11 12:53:52 [MISC] DsrEnumerateDomainTrusts: Called, Flags = 0x3
07/11 12:53:52 [MISC] DsrEnumerateDomainTrusts: returns: 0
07/11 12:53:52 [MISC] DsGetDcName function called: Dom:SSHR Acct:administrator Flags: DS NETBIOS RET_DNS
07/11 12:53:52 [MISC] NetpDcGetName: sshr.intra. cache doesn't have right account name.
07/11 12:53:52 [MAILSLOT] NetpDcPingListIp: sshr.intra.: Sent UDP ping to 192.168.51.201
07/11 12:53:52 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to post1.sshr.intra
07/11 12:53:52 [MISC] NlPingDcNameWithContext: Ping response timeout for post1.sshr.intra.
07/11 12:53:52 [MAILSLOT] NetpDcPingListIp: sshr.intra.: Sent UDP ping to 192.168.51.201
07/11 12:53:52 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to post1.sshr.intra
07/11 12:53:52 [MISC] NlPingDcNameWithContext: post1.sshr.intra responded over IP.
07/11 12:53:52 [MISC] NetpDcGetName: sshr.intra. using cached information
07/11 12:53:52 [MISC] DsGetDcName function returns 0: Dom:SSHR Acct:administrator Flags: DS NETBIOS RET_DNS
07/11 12:53:54 [MISC] DsrEnumerateDomainTrusts: Called, Flags = 0x3
07/11 12:53:54 [MISC] DsrEnumerateDomainTrusts: returns: 0
07/11 12:53:54 [MISC] DsGetDcName function called: Dom:SSHR Acct:(null) Flags: DSP
07/11 12:53:54 [MISC] NetpDcGetName: sshr.intra. using cached information
07/11 12:53:54 [MISC] DsGetDcName function returns 0: Dom:SSHR Acct:(null) Flags: DSP
07/11 12:53:54 [MISC] DsGetDcName function called: Dom:SSHR Acct:(null) Flags: DS NETBIOS RET_DNS
07/11 12:53:54 [MISC] NetpDcGetName: sshr.intra. using cached information
07/11 12:53:54 [MISC] DsGetDcName function returns 0: Dom:SSHR Acct:(null) Flags: DS NETBIOS RET_DNS
07/11 12:54:11 [MISC] DsGetDcName function called: Dom:SSHR Acct:(null) Flags: FORCE DS NETBIOS RET_DNS
07/11 12:54:11 [MAILSLOT] NetpDcPingListIp: sshr.intra.: Sent UDP ping to 192.168.51.201
07/11 12:54:11 [MISC] DsGetDcName function returns 0: Dom:SSHR Acct:(null) Flags: FORCE DS NETBIOS RET_DNS
07/11 12:54:31 [MISC] DsrEnumerateDomainTrusts: Called, Flags = 0x3
07/11 12:54:31 [MISC] DsrEnumerateDomainTrusts: returns: 0
07/11 12:54:35 [MISC] DsrEnumerateDomainTrusts: Called, Flags = 0x3f
07/11 12:54:35 [MISC] DsrEnumerateDomainTrusts: returns: 0
07/11 12:54:35 [MISC] DsGetDcName function called: Dom:SSHR Acct:(null) Flags: NETBIOS
07/11 12:54:35 [MISC] NetpDcGetName: sshr.intra. using cached information
07/11 12:54:35 [MISC] DsGetDcName function returns 0: Dom:SSHR Acct:(null) Flags: NETBIOS
07/11 12:54:36 [SESSION] I_NetLogonGetAuthData: (null) SSHR
07/11 12:54:38 [MISC] DsGetDcName function called: Dom:SSHR Acct:(null) Flags: NETBIOS RET_NETBIOS
07/11 12:54:38 [MISC] NetpDcGetName: sshr.intra. using cached information
07/11 12:54:38 [MISC] DsGetDcName function returns 0: Dom:SSHR A