[ActiveDir] Logon Takes too Long!
Hi people,

Has anyone had logon problems with Windows 2003 server with AD installed? I have a test environment with Windows 2003 servers and Windows XP Pro workstations, no W2K/NT servers or workstations. After installing AD, users are taking around 20 minutes to log on to the domain. I have raised the domain and forest levels to 2003. Can anyone give me some suggestions or ideas?

Regards,
George

George Arezina BA, A+, Net+, MCSE 2000
Information Technology Consultant
National Bank of Serbia
Pop Lukina 7-9, 11000 Belgrade
E-mail: [EMAIL PROTECTED]
Phone: +381 (11) 3202-474
GSM: +381 (63) 342-321
Re: [ActiveDir] Logon Takes too Long!
Can you do a dcdiag and post the results?

Rob

-----Original Message-----
From: George Arezina [EMAIL PROTECTED]
Sent: 02/10/2003 10:21
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Logon Takes too Long!

** This E-mail and any files transmitted with it are in commercial confidence and intended solely for the use of the individual or entity to whom they are addressed. If you have received this E-mail in error please notify the Administrator by E-mail ([EMAIL PROTECTED]). Any views or opinions expressed are solely those of the author and do not necessarily represent those of DEK International, or its affiliates. ** This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.dek.com **
RE: [ActiveDir] Logon Takes too Long!
ok

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 11:27 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Logon Takes too Long!

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Logon Takes too Long!
Almost anytime there is an issue around latency with AD the answer is almost always DNS. Verify that all of your DNS entries are correct and proper and that all SRV records exist and are as they should be. Do this either by eyeballing DNS or using DCDIAG or any other monitoring/troubleshooting tool on the market that verifies AD DNS records. I prefer the eyeball method for one-off checking. If they are, do a network trace of the logon process; that should give away the secret to where the issues are.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of George Arezina
Sent: Thursday, October 02, 2003 5:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Logon Takes too Long!
RE: [ActiveDir] Logon Takes too Long!
According to Robbie Allen's cookbook, you could be experiencing Kerberos UDP fragmentation. You should really test your network connectivity: run portqry against your domain controllers, testing ports 88, 389 and 3268. Check your DNS and make sure your GCs are published correctly. And as mentioned, run netdiag remotely, and DCDIAG. I am also a big fan of NetPro's Directory Troubleshooter for assisting with some of these solutions, since knowing all the various ways to run the tools is pretty tedious unless you have Robbie's book handy. Just my 2 cents.

Toddler

-----Original Message-----
From: George Arezina [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 5:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Logon Takes too Long!
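The checks joe and Todd describe (SRV records present, ports 88, 389 and 3268 reachable on the DCs, and the Kerberos UDP packet size behind the fragmentation theory), as an added PowerShell script that is not part of the thread. It assumes a domain-joined Windows host with Resolve-DnsName (Windows 8 / Server 2012 or later); $Domain defaults to the host's own domain and the GC record is looked up under the forest root.

```powershell
# Added example, not from the thread: verify the DC SRV records and the
# ports the replies mention (88 Kerberos, 389 LDAP, 3268 Global Catalog),
# then report the Kerberos UDP packet-size setting that decides whether a
# large ticket goes over UDP (and can fragment) or over TCP.
# Assumes a domain-joined Windows host with Resolve-DnsName (Windows 8 /
# Server 2012 or later). $Domain is the domain to check; the GC record is
# published under the forest root, which is looked up separately.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    # TCP connect with a timeout; $true if the port accepted the connection.
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-SrvTargets {
    # Host names published in an SRV record (empty list if the record is missing).
    param([string]$Name)
    $records = Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $records) {
        Write-Warning "No SRV records found for $Name"
        return @()
    }
    return @($records | ForEach-Object { $_.NameTarget.TrimEnd('.') } | Sort-Object -Unique)
}

try {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
} catch {
    $forest = $Domain   # fallback: assume a single-domain forest
}

# Record name -> port a DC answering that record must serve.
$checks = @(
    @{ Record = "_ldap._tcp.dc._msdcs.$Domain"; Ports = @(389) }
    @{ Record = "_kerberos._tcp.$Domain";       Ports = @(88) }
    @{ Record = "_gc._tcp.$forest";             Ports = @(3268) }
)

$results = foreach ($check in $checks) {
    foreach ($target in (Get-SrvTargets -Name $check.Record)) {
        foreach ($port in $check.Ports) {
            [pscustomobject]@{
                Record = $check.Record
                Target = $target
                Port   = $port
                Open   = Test-TcpPort -Target $target -Port $port -TimeoutMs $TimeoutMs
            }
        }
    }
}
$results | Format-Table -AutoSize

# Kerberos sends a message over UDP unless it is larger than MaxPacketSize.
# On XP / Server 2003 the default is 2000 bytes, so a user with many group
# memberships gets a UDP reply that fragments; if fragments are dropped the
# client retries and logon stalls. Setting the value to 1 forces TCP.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$maxPacket = (Get-ItemProperty -Path $kerbKey -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
if ($null -eq $maxPacket) {
    "MaxPacketSize is not set; the OS default applies."
} else {
    "MaxPacketSize = $maxPacket (1 forces Kerberos over TCP)"
}
```

A DC that is listed in the SRV records but shows Open = False, or a record with no targets at all, is the DNS fault joe points at; if everything is open and logon is still slow, the network trace he suggests is the next step.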
[ActiveDir] Secedit Errors
Hello all,

I am getting repeated secedit errors which seem to be due to a corrupted secedit.sdb file on the DCs. After using ESENTUTL to repair the DB, group policy applies correctly. A day or so later, those that were repaired have the same errors again. Anyone have any idea where to halt this cycle? What am I missing?

Source: Userenv
Name: Unexpected Error applying group policy to machine account
Description: The Group Policy client-side extension Security was passed flags (145) and returned a failure status code of (1208).

There were originally some group policy errors, which were fixed. Policy applies correctly as per the winlogon.log after it is fixed, but the problem returns. Any help would be appreciated.

Jef Kazimer
RE: [ActiveDir] Logon Takes too Long!
No fair :-( The rest of us haven't had a chance to read Robbie's book.

Dan

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 4:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Logon Takes too Long!
[ActiveDir] hello and a question
Hi, I'm new to the list, so excuse me if I come across as a lame-o!

We have a Win2k environment w/ Exchange 2k. There's only one little problem I'm having with Active Directory: we would like to have our Admins (read administrative assistants, not sys-admins) do the chores of maintaining the Active Directory user information, i.e., updating a user's business phone, cell phone, address, etc. However, this person cannot have access to change anything else, such as disabling an account, adding an email address, etc. I cannot, for the life of me, figure out how to assign permissions just so... Any advice would be greatly appreciated.

--
Shadow Roldan
IT Manager
Zero G Software, Inc.
tel: 1-415-512-7771 x306
cell: 1-415-370-3782
mailto: [EMAIL PROTECTED]
www.ZeroG.com
The leading provider of multi-platform software deployment solutions.
RE: [ActiveDir] Samba 3.0 release. Includes AD Support.
I currently administer a child domain within a forest. Samba 3 is working great. One problem: before we upgraded to 3, we could utilize accounts from the forest root to access the shares. Now, that is not working. Has anyone tried this before? This is the error that shows up in the logs:

[2003/10/02 08:42:25, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
  Username ROOT.DOM\johndoe is invalid on this system
[2003/10/02 08:43:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
  Username ROOT.DOM\johndoe is invalid on this system
[2003/10/02 08:43:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
  Username ROOT.DOM\johndoe is invalid on this system
[2003/10/02 08:43:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
  Username ROOT.DOM\johndoe is invalid on this system
[2003/10/02 08:43:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
  Username ROOT.DOM\johndoe is invalid on this system

---
Cory G. Stuart
---

-----Original Message-----
From: Allison M. Wittstock [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 26, 2003 10:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Samba 3.0 release. Includes AD Support.

On Thu, 2003-09-25 at 19:03, Myrick, Todd (NIH/CIT) wrote:
> http://de.samba.org/samba/whatsnew/samba-3.0.0.html
> Anyone try it out yet?

Hi,

I've been testing it since the Beta versions. My server is able to work in my domain, and I can authenticate against it with my AD user/passwd. So far I have not run into any problems. I've only tested with Windows 2000 clients and not XP.

Allison
RE: [ActiveDir] hello and a question
Shadow,

Welcome Shadow. I am new to the list, too. You should be able to accomplish this with delegations. Right-click an OU that has user objects that you want to have your admins maintain, and choose Delegate Control. The delegation wizard has some common tasks that you can delegate, or you can choose custom tasks to delegate various levels of control of specific attributes. Either way, the result is that the wizard will configure the ACL of the object properties to establish the control you are looking for. You can see the results on the Security tab of the object properties.

Susan Fosselman
EDS - NMCI Messaging / Directory Services Engineer
3970 Sherman Street
San Diego, CA 92110
Office: 619-817-3594
email: [EMAIL PROTECTED]

-----Original Message-----
From: Shadow Roldan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 8:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] hello and a question
RE: [ActiveDir] hello and a question
You can create a group, add your admins to that group, and then delegate permissions to the AD structure for only those options.

-----Original Message-----
From: Shadow Roldan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 11:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] hello and a question
[ActiveDir] OT: DS Conference
Hi guys,

Does anyone have info about the DS conference that was recently held? Any comments???

Yusuf

For information about the Standard Bank group visit our web site www.standardbank.co.za

Disclaimer and confidentiality note: Everything in this e-mail and any attachments relating to the official business of Standard Bank Group Limited is proprietary to the group. It is confidential, legally privileged and protected by law. Standard Bank does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of the group. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Standard Bank can not assure that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference.
RE: [ActiveDir] OT: DS Conference
I'm betting Gil will chime in here shortly (since I believe you're talking about his company's conference).

http://www.netpro.com

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 11:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: DS Conference
RE: [ActiveDir] OT: DS Conference
I was there and must say it was very worthwhile!

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456

-----Original Message-----
From: Roger Seielstad [EMAIL PROTECTED]
Sent: 10/02/2003 01:32 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: DS Conference
RE: [ActiveDir] hello and a question
Barring a better way someone may suggest, typically you would grant the permission granularly at the attribute level. I prefer to create a group and grant the perms at the OU level for what they are going to update.

Al

-----Original Message-----
From: Shadow Roldan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 11:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] hello and a question
RE: [ActiveDir] OT: DS Conference
I was there too! Learned a lot.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 9:42 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference
[ActiveDir] Exchange 2k ?
We are having a debate on whether or not to make all of our DCs GCs in our new E2k environment. I would like to hear feedback from current E2k administrators. It is my contention that we have sufficient DC resources to NOT make all of our DCs GCs for Exchange. Is there any drawback to doing this other than increased replication traffic? Simply, we are an empty root with 2 child domains. The enterprise is moving towards an all-E2k environment from a plethora of disjoined messaging / e-mail systems.

Regards,

David Chianese
IT - Server Services
Delaware Investments
Office - (215) 255-8570
Mobile - (267) 549-4777

This e-mail and any accompanying attachments are confidential. The information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies. Thank you for your cooperation.
RE: [ActiveDir] hello and a question
Excellent. The delegation wizard definitely seems to be where I need to be. Is there any resource I can look at to help me identify what these objects actually are? I am currently unable to identify what I should be delegating control of. I have no idea what these objects actually represent, such as the Contact objects or address type objects or the msExchAddressListServiceContainer objects. Maybe one of you fine people can tell me which objects I need to accomplish my goals :)

Thanks!
Shadow

-----Original Message-----
From: Fosselman, Susan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 9:03 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] hello and a question
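The attribute-level delegation Susan and Al describe, scoped to the user objects Shadow is asking about, as an added PowerShell script that is not part of the thread. It does with the ActiveDirectory module what the wizard's custom task does: one ACE per attribute, inherited only by user objects under the OU. The OU name, the group name and the attribute list are placeholders for your own.

```powershell
# Added example, not from the thread: give one group ReadProperty/WriteProperty
# on a fixed set of contact attributes of user objects under an OU, and
# nothing else. No rule touches userAccountControl (disable an account),
# proxyAddresses or mail (e-mail addresses), so those stay out of reach.
# Assumes the ActiveDirectory module (AD: drive) and rights to edit the OU ACL;
# the OU, group and attribute list below are placeholders.
Import-Module ActiveDirectory

$OuDn       = 'OU=Staff,DC=example,DC=com'   # placeholder OU holding the users
$GroupName  = 'AD-Contact-Editors'           # placeholder group of assistants
$Attributes = 'telephoneNumber', 'mobile', 'streetAddress', 'l', 'st',
              'postalCode', 'physicalDeliveryOfficeName'

$schemaNc = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaGuid {
    # schemaIDGUID of an attribute or class, found by its LDAP display name.
    # An ACE names the attribute it covers (ObjectType) and the class it is
    # inherited by (InheritedObjectType) with exactly these GUIDs.
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

$groupSid  = (Get-ADGroup -Identity $GroupName).SID
$userClass = Get-SchemaGuid -LdapDisplayName 'user'
$acl       = Get-Acl -Path "AD:\$OuDn"

foreach ($attr in $Attributes) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid -LdapDisplayName $attr),    # ObjectType: this attribute only
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass                                  # InheritedObjectType: user objects only
    )
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Review what was granted: every ACE for the group with the attribute and
# class GUIDs it is scoped to (the Security tab shows the same entries).
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
    Format-Table ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType -AutoSize
```

Contact objects and the Exchange address-list containers need no entry at all for this task: the assistants only edit attributes of user objects, so only the user class appears as InheritedObjectType.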
RE: [ActiveDir] Exchange 2k ?
Probably a good conversation for an Exchange group as well, but any GCs over 10 are not going to provide much in the way of value. Exchange 2K discovery keeps track of 10 of them for its use and for giving information out to the clients. Depending on what you want the clients to be able to do (such as updating group membership etc. from the client) you may want to have separate sites for the Exchange servers with their own GCs to try and ensure that the users will get a writeable copy of the GC information. Alternatively, you can specify which GC the client will use from a GC perspective, so it's not worth doing too many painful things. As for making them all GCs: if Exchange is the only reason, I don't buy it.

-----Original Message-----
From: Chianese, David P. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 1:01 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Exchange 2k ?
RE: [ActiveDir] Exchange 2k ?
I think some clarification is fair here. I've already posted one about the processor and won't bore you with a repeat. I'd take that a bit further and say the same network segment, which isn't necessarily the same thing as the same site. Reason? Because you know that Exchange will use the heck out of the GC for everything. Every little thing that needs an answer will result in checking the cache and/or the GC if it's not there. So you could potentially use the GC a lot, and it doesn't make any sense to burn a router link with traffic that needs to be returned as fast as possible. Routing the requests provides no value anyway.

Al

-----Original Message-----
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 1:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2k ?

Microsoft recommends 1 GC for every 4 Exchange 2000 servers, with 1 GC in each site with an E2K server. If you have sufficient GCs for the number of E2K servers, you likely don't need any more GCs.

Kenneth W. (Ken) Adams, MCSA, MCSE

-----Original Message-----
From: Chianese, David P. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 1:01 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Exchange 2k ?
RE: [ActiveDir] Secedit Errors
Jef- I don't know if it helps, but the flags (145) thing means the following:

- Machine policy is being applied, as opposed to user policy
- This policy is being applied as a background refresh (rather than foreground)
- No changes were detected to the GPO during this processing cycle (so nothing was applied)

The failure status code is just a Win32 error code, which in this case means, "An extended error has occurred." Not very helpful. Are you seeing other problems in terms of policy application other than these errors? How often do these errors occur?

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 10:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Secedit Errors

Hello all,

I am getting repeated secedit errors which seem to be due to a corrupted secedit.sdb file on the DCs. After using ESENTUTL to repair the DB, group policy applies correctly. A day or so later, those that were repaired have the same errors again. Anyone have any idea how to halt this cycle? What am I missing?

Source: Userenv
Name: Unexpected Error applying group policy to machine account
Description: The Group Policy client-side extension Security was passed flags (145) and returned a failure status code of (1208).

There were originally some group policy errors, which were fixed. Policy applies correctly as per the winlogon.log after it is fixed, but the problem returns. Any help would be appreciated.

Jef Kazimer
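Darren's decoding of flags (145) is a bit-field lookup that can be automated for any Userenv CSE failure event, and the same pass can count how often each failure recurs. The following is an added example, not code from any post in the thread: the flag constants are the GPO_INFO_FLAG_* values from userenv.h, the status texts are standard Win32 error codes, and the sample event lines are constructed to match the one Jef quoted.

```python
"""Decode and tally Userenv "client-side extension ... was passed flags (N)
and returned a failure status code of (M)" events."""
import re
from collections import Counter

# GPO_INFO_FLAG_* bits from userenv.h: the flags Userenv hands to each CSE.
GPO_INFO_FLAGS = {
    0x0001: "GPO_INFO_FLAG_MACHINE",            # computer policy, not user policy
    0x0010: "GPO_INFO_FLAG_BACKGROUND",         # periodic refresh, not boot/logon
    0x0020: "GPO_INFO_FLAG_SLOWLINK",
    0x0040: "GPO_INFO_FLAG_VERBOSE",
    0x0080: "GPO_INFO_FLAG_NOCHANGES",          # no GPO changed since last cycle
    0x0100: "GPO_INFO_FLAG_LINKTRANSITION",
    0x0200: "GPO_INFO_FLAG_LOGRSOP_TRANSITION",
    0x0400: "GPO_INFO_FLAG_FORCED_REFRESH",     # e.g. gpupdate /force
    0x0800: "GPO_INFO_FLAG_SAFEMODE_BOOT",
    0x1000: "GPO_INFO_FLAG_ASYNC_FOREGROUND",
}

# Win32 status codes a CSE commonly returns; 1208 is the one in the thread.
WIN32_STATUS = {
    2: "ERROR_FILE_NOT_FOUND",
    3: "ERROR_PATH_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    53: "ERROR_BAD_NETPATH",
    1208: "ERROR_EXTENDED_ERROR (an extended error has occurred; the CSE's own log has the detail)",
    1332: "ERROR_NONE_MAPPED (an account name in the policy could not be resolved to a SID)",
}

EVENT_RE = re.compile(
    r"client-side extension (?P<cse>[\w ]+?) was passed flags \((?P<flags>\d+)\)"
    r" and returned a failure status code of \((?P<status>\d+)\)"
)


def decode_flags(value: int) -> list:
    """Expand the numeric flags into the GPO_INFO_FLAG_* names it is composed of."""
    names = [name for bit, name in sorted(GPO_INFO_FLAGS.items()) if value & bit]
    unknown = value & ~sum(GPO_INFO_FLAGS)      # bits not in the table, if any
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def parse_cse_failure(text: str) -> dict:
    """Parse one event description; raises ValueError if it is not a CSE failure."""
    m = EVENT_RE.search(text)
    if m is None:
        raise ValueError("not a CSE failure event")
    flags, status = int(m["flags"]), int(m["status"])
    return {
        "cse": m["cse"],
        "flags": flags,
        "flag_names": decode_flags(flags),
        "foreground": not flags & 0x0010,       # BACKGROUND bit clear -> boot/logon pass
        "status": status,
        "status_name": WIN32_STATUS.get(status, "unknown Win32 error"),
    }


def summarize(events: list) -> Counter:
    """Count failures per (CSE, status, refresh type); lines that are not CSE failures are skipped."""
    tally = Counter()
    for text in events:
        try:
            e = parse_cse_failure(text)
        except ValueError:
            continue
        kind = "foreground" if e["foreground"] else "background"
        tally[(e["cse"], e["status"], kind)] += 1
    return tally


# Constructed sample events: the quoted one twice, one foreground failure, one unrelated line.
SAMPLE_EVENTS = [
    "The Group Policy client-side extension Security was passed flags (145) and returned a failure status code of (1208).",
    "The Group Policy client-side extension Security was passed flags (145) and returned a failure status code of (1208).",
    "The Group Policy client-side extension Security was passed flags (1) and returned a failure status code of (1332).",
    "Windows cannot access the file gpt.ini for GPO (constructed non-CSE event line).",
]

if __name__ == "__main__":
    print(parse_cse_failure(SAMPLE_EVENTS[0]))
    for key, count in summarize(SAMPLE_EVENTS).items():
        print(count, key)
```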
RE: [ActiveDir] hello and a question
The best treatment of the Delegation Wizard I have seen so far is in a book by Sakari Kouti and Mika Seitsonen, Inside Active Directory (http://www.kouti.com/). Must-have book IMHO. You can download some tables from their website that would probably help you with the attribute mapping: http://www.kouti.com/tables/userattributes.htm

You can look at (and customize) the delegwiz.inf to see what it is doing 'under the hood'; some additional insight can be found in 308404 - HOWTO: Customize the Task List in the Delegation Wizard: http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B308404

If you really want to get a good handle on it I would get the book.

-Original Message-
From: Shadow Roldan [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hello and a question

Excellent. The delegation wizard definitely seems to be where I need to be. Is there any resource I can look at to help me identify what these objects actually are? I am currently unable to identify what I should be delegating control of. I have no idea what these objects actually represent, such as the Contact objects or address type objects or the msExchAdressListServiceContainer objects. Maybe one of you fine people can tell me which objects I need to accomplish my goals :)

Thanks!
Shadow

-Original Message-
From: Fosselman, Susan [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 9:03 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] hello and a question

Shadow,

Welcome Shadow. I am new to the list, too. You should be able to accomplish this with delegations. Right click an OU that has user objects that you want to have your admins maintain, and choose Delegate Control. The delegation wizard has some common tasks that you can delegate, or you can choose custom tasks to delegate various levels of control of specific attributes. Either way, the result is that the wizard will configure the ACL of the object properties to establish the control you are looking for. You can see the results on the Security tab of the object properties.

Susan Fosselman
EDS - NMCI Messaging / Directory Services Engineer
3970 Sherman Street
San Diego, CA 92110
Office: 619-817-3594
email: [EMAIL PROTECTED]

-Original Message-
From: Shadow Roldan [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 8:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] hello and a question

Hi, I'm new to the list so excuse me if I come across as a lame-o! We have a win2k environment w/ Exchange 2k. There's only one little problem I'm having with Active Directory: we would like to have our Admins (read administrative assistants, not sys-admins) do the chores of maintaining the Active Directory user information, i.e., updating a user's business phone, cell phone, address, etc. However, this person cannot have access to change anything else, such as disabling an account, adding an email address etc. I cannot, for the life of me, figure out how to assign permissions just so... Any advice would be greatly appreciated.

--
Shadow Roldan
IT Manager
Zero G Software, Inc.
tel: 1-415-512-7771 x306
cell: 1-415-370-3782
mailto: [EMAIL PROTECTED]
www.ZeroG.com
The leading provider of multi-platform software deployment solutions.
RE: [ActiveDir] hello and a question
Greetings, and welcome to the best place on the Internet to get help on AD. No question is too new or old IMHO. The way it works here is that you must be self managed, and when someone answers your question, you say thank you... Then if you ever see the same question asked, respond with the information you obtained, adding any relevant materials and experiences of your own.

Your question seems rather basic. The simple solution is to create a group, use the Delegation of Control Wizard in AD Users and Computers on the OU and delegate the responsibilities you want the group to do. Then add users to the group, and give the users an MMC that has the AD Users and Computers snap-in. For added security, create a Task View/pad in the MMC that only lets the user see the areas in the AD that they can manage.

I recommend that you stand up a testing AD that has an AD and a workstation with the Admin tools on it. The Admins who create the delegations are considered the Directory Administrators. The Admins that are delegated management tasks are the Data Administrators. Once you can create a delegation as a DirAdmin, then login as the Data Admin and try to do the work. It will take trial and error. You might need some practice dealing with ACEs and stuff. Also, when users move in the directory, it is important to check and verify what ACEs transferred with them to make sure the user still has the same access. If you don't have two machines, I highly recommend that you use VMWare 4.0 to simulate your environment.

Below are several articles I recommend that you review if you want more background information, or need additional references or tools to help you in your delegation.

Good Luck
Toddler

http://www.winnetmag.com/Articles/Index.cfm?ArticleID=9646 - AD Delegation of Control Wizard
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag01/html/BeyondtheActiveDirectory.asp - Beyond the AD Delegation Wizard
http://www.aelita.com/library/whitepapers/AD_SIDH/Best_Practices_for_Designing_Secure_Active_Directory.pdf - Best Practices in AD Security
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q235/5/31.ASP&NoWebContent=1 - Security Concerns in AD Delegation Wizard
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/bpaddsgn.asp - Best Practices on AD and Delegation
http://computing.astate.edu/win2k/GoalsnObjectives/Appendix%20E%20Delegation%20of%20Administration.htm - Nice Synthesis

Books on the Topic
http://www.amazon.com/exec/obidos/tg/detail/-/0596004664/qid=1065119839/sr=8-1/ref=sr_8_1/002-8836076-8329625?v=glance&s=books&n=507846 - AD Second Edition - Robbie Allen
http://www.amazon.com/exec/obidos/tg/detail/-/1565924916/ref=pd_bxgy_img_2/002-8836076-8329625?v=glance&s=books - LDAP
http://www.amazon.com/exec/obidos/ASIN/0596004648/qid%3D1065119941/sr%3D11-1/ref%3Dsr%5F11%5F1/002-8836076-8329625 - AD Cookbook
http://www.amazon.com/exec/obidos/tg/detail/-/1578702429/qid=1065119839/sr=5-2/ref=cm_lm_asin/002-8836076-8329625?v=glance - Windows 2000 Design and Deployment
http://www.amazon.com/exec/obidos/ASIN/0782128815/qid=1065120129/sr=2-1/ref=sr_2_1/002-8836076-8329625 - Group Policies and Intellimirror
http://www.amazon.com/exec/obidos/tg/detail/-/0321133455/qid=1065120092/sr=1-1/ref=sr_1_1/002-8836076-8329625?v=glance&s=books - Admin 911 Group Policies
http://www.amazon.com/exec/obidos/tg/detail/-/0072129484/ref=pd_sim_books_1/002-8836076-8329625?v=glance&s=books - Troubleshooting Microsoft Technologies

Recommended Software (Major Players)
www.aelita.com - Enterprise Directory Administrator. I currently use this and it won .Net Magazine's award for best management tool. Great web and 32-bit console. Sports a layered security model for delegation. Optimizes AD and can be used to manage multiple forests.
www.bindview.com - BV-Admin. Some organizations where I work use this tool.
www.quest.com - ActiveRoles. Evaluated the software, and it set the standard for native role-based delegation.

-Original Message-
From: Shadow Roldan [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 11:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] hello and a question

Hi, I'm new to the list so excuse me if I come across as a lame-o! We have a win2k environment w/ Exchange 2k. There's only one little problem I'm having with Active Directory: we would like to have our Admins (read administrative assistants, not sys-admins) do the chores of maintaining the Active Directory user information, i.e., updating a user's business phone, cell phone, address, etc. However, this person cannot have access to change anything else, such as disabling an account, adding an email address etc. I cannot, for the life of me, figure out how to assign permissions just so... Any advice would be greatly appreciated.

--
Shadow Roldan
IT Manager
Zero G Software, Inc.
tel: 1-415-512-7771 x306
cell: 1-415-370-3782
[ActiveDir] Password Policy
I made a slight error when creating a group policy, and now need some advice on how to fix it. Hopefully someone will be kind enough to help out.

I have a single domain with 2 sites. I created a Default Policy for the entire domain with fairly minimal settings (such as password policy, proxy settings and a few IE settings). Our manufacturing facility is our largest site, and our corporate offices are significantly smaller, so instead of applying one policy several times I set Block Policy Inheritance for the corporate OU (so they wouldn't get the proxy and IE settings). I then set password settings on the separate corporate OU. Well, I guess I didn't realize at the time that you could only have one password policy for the domain, so basically they haven't had to change their passwords for some time now.

So here is the problem: I need to enable the password policy for corporate, but if I do I think it will immediately expire their passwords (since they are well over 90 days old). Is my thinking wrong here, and is there a way around this, or am I going to have to call the corporate guys and have them manually change their passwords? Any ideas?

Your suggestions are much appreciated,
Thanks,
Travis
RE: [ActiveDir] OT: DS Conference
The Final Chicken hopes to make a cameo appearance at the next DEC. ;-)

-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

Second that (or third that). I could only be there for the first day, but that day was Guido Grillenmeir, Robbie Allen, Nelson Roust (sp?) and of course Gil Kirkpatrick and Stuart Kwan. It was a great day. Stuart always gives a fantastic presentation which is not only entertaining but filled with great information. It is of course great to hear from Microsoft to help understand their roadmap. Guido's presentation on recovery has great detail and fully demonstrates the value of understanding the process and being prepared for unpredictable disaster. Robbie knows LDAP querying incredibly well and does a fantastic job presenting. It is great to hear from people like Robbie who use AD to its fullest extent in his current job and produces such great books to help the industry benefit from his experiences. Nelson's presentation was great (I missed much of it due to a con call), and Gil of course always adds a ton of value. I learned that Smarties are not what I thought they were (thanks Stuart), and that NetPro is banning the chicken (I have mixed reactions on this one). NetPro did a fantastic job hosting this event. My second time attending, and I'm sure I will have it on my schedule moving forward!

Kevin Sullivan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 12:51 PM
To: [EMAIL PROTECTED]

I was there too! Learned a lot.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 9:42 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

I was there and must say it was very worthwhile!

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456

Roger Seielstad [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/02/2003 01:32 PM
Please respond to ActiveDir
To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OT: DS Conference

I'm betting Gil will chime in here shortly (since I believe you're talking about his company's conference). http://www.netpro.com

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 11:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: DS Conference

Hi guys,

Does anyone have info about the DS conference that was recently held? Any comments???

Yusuf

__
For information about the Standard Bank group visit our web site www.standardbank.co.za
__
Disclaimer and confidentiality note
Everything in this e-mail and any attachments relating to the official business of Standard Bank Group Limited is proprietary to the group. It is confidential, legally privileged and protected by law. Standard Bank does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of the group. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Standard Bank can not assure that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference.
___
RE: [ActiveDir] Exchange 2k ?
I think that was the old rule for Exchange 2000 SP1. Exchange 2000 SP3 and Exchange 2003 are different. We were told by Microsoft it is recommended that you base your AD/Exchange GC deployment on the number of processors for Exchange mailbox servers, not the number of servers: 1 GC (dual proc IMHO) for every 4 Exchange mailbox processors.

Todd

-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 1:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2k ?

Microsoft recommends 1 GC for every 4 Exchange 2000 servers, with 1 GC in each site with an E2K server. If you have sufficient GCs for the number of E2K servers, you likely don't need any more GCs.

Kenneth W. (Ken) Adams, MCSA, MCSE

-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 1:01 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Exchange 2k ?

We are having a debate on whether or not to make all of our DCs GCs in our new E2K environment. I would like to hear feedback from current E2K administrators. It is my contention that we have sufficient DC resources to NOT make all of our DCs GCs for Exchange. Is there any drawback to doing this other than increased replication traffic? Simply, we are an empty root with 2 child domains. The enterprise is moving towards an all-E2K environment from a plethora of disjoined messaging / e-mail systems.

Regards,
David Chianese
IT - Server Services
Delaware Investments
Office - (215) 255-8570
Mobile - (267) 549-4777
RE: [ActiveDir] Password Policy
Can you set the expiration date out far enough to allow you to have an expiration date, then run a script that will expire a portion of the users in, say, two weeks, and re-run the script with a different set of users with expiration set to 4 weeks away, and so on?

Dan

-Original Message-
From: Travis Riddle [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 12:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Policy

I made a slight error when creating a group policy, and now need some advice on how to fix it. Hopefully someone will be kind enough to help out.

I have a single domain with 2 sites. I created a Default Policy for the entire domain with fairly minimal settings (such as password policy, proxy settings and a few IE settings). Our manufacturing facility is our largest site, and our corporate offices are significantly smaller, so instead of applying one policy several times I set Block Policy Inheritance for the corporate OU (so they wouldn't get the proxy and IE settings). I then set password settings on the separate corporate OU. Well, I guess I didn't realize at the time that you could only have one password policy for the domain, so basically they haven't had to change their passwords for some time now.

So here is the problem: I need to enable the password policy for corporate, but if I do I think it will immediately expire their passwords (since they are well over 90 days old). Is my thinking wrong here, and is there a way around this, or am I going to have to call the corporate guys and have them manually change their passwords? Any ideas?

Your suggestions are much appreciated,
Thanks,
Travis
RE: [ActiveDir] Password Policy
Hi Travis,

If I'm understanding correctly, that password policy isn't going to force them all of a sudden to change their passwords. It will commence its expiry and complexity and history awareness upon subsequent password change. Don't sweat it. I'm certain someone smarter than me will correct me within a few minutes if I'm wrong.

You can't set password policies on an OU. They're valid as domain policies only.

-tom

-Original Message-
From: Travis Riddle [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 2:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Policy

I made a slight error when creating a group policy, and now need some advice on how to fix it. Hopefully someone will be kind enough to help out.

I have a single domain with 2 sites. I created a Default Policy for the entire domain with fairly minimal settings (such as password policy, proxy settings and a few IE settings). Our manufacturing facility is our largest site, and our corporate offices are significantly smaller, so instead of applying one policy several times I set Block Policy Inheritance for the corporate OU (so they wouldn't get the proxy and IE settings). I then set password settings on the separate corporate OU. Well, I guess I didn't realize at the time that you could only have one password policy for the domain, so basically they haven't had to change their passwords for some time now.

So here is the problem: I need to enable the password policy for corporate, but if I do I think it will immediately expire their passwords (since they are well over 90 days old). Is my thinking wrong here, and is there a way around this, or am I going to have to call the corporate guys and have them manually change their passwords? Any ideas?
RE: [ActiveDir] OT: DS Conference
A lot of people asked why I didn't attend this year's Fall DEC, so I will say it one time: it wasn't my doing... Believe me. I was asked to come and be a booth expert or something, so I began the process of government red tape to get approval. What I got was 10 boxes of toilet paper instead of travel orders. I couldn't trade up the toilet paper for a rubber chicken in time to get a plane ticket. Then it went downhill. The final result was, we don't know why you can't go, but you can't go. And if you go on your own time, it is an ethical issue. We can let you go, but we have to pay for it; since it is out of the country I have to wait four weeks for my orders to get cut, and this is a week before the conference.

So, I missed you all, and I am sorry that there was no Texas Hold'm tourney. Rich H. from NetPro was deeply disappointed. I hear rumors that Spring DEC 2004 might be coming to DC. This is my and Kevin S's backyard. So if it happens, I expect everyone to show up. We will have one hell of a time. And there will be a poker night, nightlife, and most importantly a good educational experience. I also vote that the Fall DEC be in the Virgin Islands or some tropical destination.

I missed seeing you all.

Toddler

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 3:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

The Final Chicken hopes to make a cameo appearance at the next DEC. ;-)

-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

Second that (or third that). I could only be there for the first day, but that day was Guido Grillenmeir, Robbie Allen, Nelson Roust (sp?) and of course Gil Kirkpatrick and Stuart Kwan. It was a great day. Stuart always gives a fantastic presentation which is not only entertaining but filled with great information. It is of course great to hear from Microsoft to help understand their roadmap. Guido's presentation on recovery has great detail and fully demonstrates the value of understanding the process and being prepared for unpredictable disaster. Robbie knows LDAP querying incredibly well and does a fantastic job presenting. It is great to hear from people like Robbie who use AD to its fullest extent in his current job and produces such great books to help the industry benefit from his experiences. Nelson's presentation was great (I missed much of it due to a con call), and Gil of course always adds a ton of value. I learned that Smarties are not what I thought they were (thanks Stuart), and that NetPro is banning the chicken (I have mixed reactions on this one). NetPro did a fantastic job hosting this event. My second time attending, and I'm sure I will have it on my schedule moving forward!

Kevin Sullivan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 12:51 PM
To: [EMAIL PROTECTED]

I was there too! Learned a lot.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 9:42 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

I was there and must say it was very worthwhile!

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456

Roger Seielstad [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/02/2003 01:32 PM
Please respond to ActiveDir
To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OT: DS Conference

I'm betting Gil will chime in here shortly (since I believe you're talking about his company's conference). http://www.netpro.com

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 11:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: DS Conference

Hi guys,

Does anyone have info about the DS conference that was recently held? Any comments???

Yusuf
RE: [ActiveDir] OT: DS Conference
Thanks for the compliments! I think this was our best Directory Experts Conference to date... the presentations were generally stronger than the previous DEC, and the logistics were nearly flawless, thanks to Christine and Stella (still got to get the wireless thing going in the conference room though). The hotel, food, and the city were great.

Attendance was about 20% greater than the previous DEC, which has been the historical growth rate. There was a good mix: about 45% from Canada, eh?, 40% from the US, and 15% from Europe, and one attendee from Singapore. Session evaluations were quite positive, averaging about 4.0 on a 1-5 scale. Overall usefulness of the conference averaged 4.4, and overall satisfaction with the conference averaged 4.5. These are outstanding numbers, and are backed up by the universally positive comments I received from the attendees and speakers during and after the conference. Quest, NetPro, HP, and Microsoft sponsored the event.

Session titles and presenters (many names will be familiar to list denizens):

Stuart Kwan, Microsoft - Microsoft Directory Services and Identity and Access Management Strategy and Roadmap
Robbie Allen, Cisco - LDAP Searching: from Basics to Profiling
Nelson Ruest, Resolution Enterprises - Redesigning GPO Structure for Improved Manageability
Gil Kirkpatrick, NetPro - Active Directory Performance
Guido Grillenmeier, HP CI - Recovering from Active Directory Disasters
Rex Bachman, HP Software - Service Management of Active Directory, Fact or Fiction
Mike McHargue, Internosis - Building and Operating a Secure Active Directory Infrastructure
Alan Isham, Intel - Managing Change in a Fortune 500 Active Directory Forest
Alain Lissoir, HP CI - Disabling an Active Directory Schema Extension
John Reijnders, LogicaCMG - To Trust or Not To Trust
Jeremy Palenchar, Washington Mutual - Active Directory and Windows Server 2003 in a Customer Facing Role
Ioan Donea, Infrascope - DSML: XML Functionality for Your Directory Services
Wook Lee, HP Managed Services - Illegal Immigrants, No PAS Zones, and Other Hazards on the Road to Windows 2003
Alain Lissoir, HP CI - Leverage Your Windows Infrastructure Monitoring to the WMI Scripting Power
Dave Sayers, Mark Cribben, Microsoft MCS - Restructuring Active Directory in Windows Server 2003
Paul Rich, Microsoft OTG - Microsoft's Directory Architecture, Principles, and Multi-Forest Challenges

We also had an informal AD haiku contest, won handily by Wook. I'll post links to the haiku later. Example:

Authentication.
Sometimes it works well.
Sometimes it doesn't.

The next DEC is being scheduled, but will most likely be in the Washington DC area in April 2004. A call for papers will be published soon. I hope you all can attend!

-g
Gil Kirkpatrick
CTO, NetPro

-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

Second that (or third that). I could only be there for the first day, but that day was Guido Grillenmeir, Robbie Allen, Nelson Roust (sp?) and of course Gil Kirkpatrick and Stuart Kwan. It was a great day. Stuart always gives a fantastic presentation which is not only entertaining but filled with great information. It is of course great to hear from Microsoft to help understand their roadmap. Guido's presentation on recovery has great detail and fully demonstrates the value of understanding the process and being prepared for unpredictable disaster. Robbie knows LDAP querying incredibly well and does a fantastic job presenting. It is great to hear from people like Robbie who use AD to its fullest extent in his current job and produces such great books to help the industry benefit from his experiences. Nelson's presentation was great (I missed much of it due to a con call), and Gil of course always adds a ton of value. I learned that Smarties are not what I thought they were (thanks Stuart), and that NetPro is banning the chicken (I have mixed reactions on this one). NetPro did a fantastic job hosting this event. My second time attending, and I'm sure I will have it on my schedule moving forward!

Kevin Sullivan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 12:51 PM
To: [EMAIL PROTECTED]

I was there too! Learned a lot.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 9:42 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

I was there and must say it was very worthwhile!

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456
RE: [ActiveDir] OT: DS Conference
The DEC is the absolute killer conference on everything that has to do with AD! It's the only conference I know that focusses on this topic and is able to come up with new/relevant/interesting information for even the most experienced AD engineers! I've been to the DEC in Amsterdam last year and in Ottawa this year, and the conference seems to be getting better every time! So don't miss the next one in the spring!

- To DEC or not to DEC, that's NO question ;-) -

Cheers!
John

-Original Message-
From: Mayet, Yusuf Y
To: [EMAIL PROTECTED]
Sent: 2-10-2003 17:54
Subject: [ActiveDir] OT: DS Conference

Hi guys,

Does anyone have info about the DS conference that was recently held? Any comments???

Yusuf
RE: [ActiveDir] Password Policy
You are correct, your company passwords would expire. The solution I suggest is to crack all the passwords, then reset the original password to each account to reset expiration. Then implement the Domain Account policy again.

Also remember that NTLM and Kerberos authentications count double. So if your client has problems with authentication it will try Kerberos then NTLM and a single bad logon counts twice. So 10 bad password attempts really means 5 within the limited time frame you set.

Todd

-----Original Message-----
From: Travis Riddle [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 3:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Policy

I made a slight error when creating a group policy, and now need some advice on how to fix it. Hopefully someone will be kind enough to help out.

I have a single domain with 2 sites. I created a Default Policy for the entire domain with fairly minimal settings (such as password policy, proxy settings and a few IE settings). Our manufacturing facility is our largest site, and our corporate offices are significantly smaller, so instead of applying one policy several times I set block policy inheritance for the corporate OU (so they wouldn't get the Proxy and IE settings). I then set password settings on the separate corporate OU. Well, I guess I didn't realize at the time that you could only have one password policy for the domain, so basically they haven't had to change their passwords for some time now.

So here is the problem: I need to enable the password policy for corporate, but if I do I think it will immediately expire their passwords (since they are well over 90 days old). Is my thinking wrong here, and is there a way around this, or am I going to have to call the corporate guys and have them manually change their passwords? Any ideas?

Your suggestions are much appreciated.

Thanks,
Travis
RE: [ActiveDir] Secedit Errors
I don't know the cause of this problem but you could try restoring an older version of the GPOs using the GPMC (Group Policy Management Console)... (if you made backups of your GPOs). If you haven't implemented this GPO management tool yet you should definitely have a look at it! It's the way to go for GPO management!

Cheers!
John

-----Original Message-----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 2-10-2003 16:40
Subject: [ActiveDir] Secedit Errors

Hello all,

I am getting repeated secedit errors which seem to be due to a corrupted secedit.sdb file on the DCs. After using ESENTUTL to repair the DB, group policy applies correctly. A day or so later, those that were repaired now have the same errors. Anyone have any idea where to halt this cycle? What am I missing?

Source: Userenv
Name: Unexpected Error applying group policy to machine account
Description: The Group Policy client-side extension Security was passed flags (145) and returned a failure status code of (1208).

There were originally some group policy errors, which were fixed. Policy applies correctly as per the winlogon.log after it is fixed, but the problem returns. Any help would be appreciated.

Jef Kazimer
RE: [ActiveDir] Password Policy
Really, I was under a different impression. Easy way to test it is in a small AD environment. Set it to one day then change the date.

Todd

-----Original Message-----
From: Tom Meunier [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 3:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Policy

Hi Travis,

If I'm understanding correctly, that password policy isn't going to force them to all of a sudden change their passwords. It will commence its expiry and complexity and history awareness upon subsequent password change. Don't sweat it. I'm certain someone smarter than me will correct me within a few minutes, if I'm wrong.

You can't set password policies on an OU. They're valid as domain policies only.

-tom

-----Original Message-----
From: Travis Riddle [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 2:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Policy

I made a slight error when creating a group policy, and now need some advice on how to fix it. Hopefully someone will be kind enough to help out.

I have a single domain with 2 sites. I created a Default Policy for the entire domain with fairly minimal settings (such as password policy, proxy settings and a few IE settings). Our manufacturing facility is our largest site, and our corporate offices are significantly smaller, so instead of applying one policy several times I set block policy inheritance for the corporate OU (so they wouldn't get the Proxy and IE settings). I then set password settings on the separate corporate OU. Well, I guess I didn't realize at the time that you could only have one password policy for the domain, so basically they haven't had to change their passwords for some time now.

So here is the problem: I need to enable the password policy for corporate, but if I do I think it will immediately expire their passwords (since they are well over 90 days old). Is my thinking wrong here, and is there a way around this, or am I going to have to call the corporate guys and have them manually change their passwords? Any ideas?
RE: [ActiveDir] hello and a question
There is a white paper coming from Microsoft soon (like in the next couple of weeks) that contains everything you could possibly want to know about delegation and access rights in AD. Some people on the list are reviewers, so they may be able to comment on its usefulness.

-g

Gil Kirkpatrick
CTO, NetPro

-----Original Message-----
From: Free, Bob [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 11:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hello and a question

The best treatment of the Delegation Wizard I have seen so far is in a book by Sakari Kouti and Mika Seitsonen, Inside Active Directory: http://www.kouti.com/ Must-have book IMHO.

You can download some tables from their website that would probably help you with the attribute mapping: http://www.kouti.com/tables/userattributes.htm

You can look at (and customize) the delegwiz.inf to see what it is doing 'under the hood'; some additional insight can be found in 308404 - HOWTO: Customize the Task List in the Delegation Wizard: http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B308404

If you really want to get a good handle on it I would get the book.

-----Original Message-----
From: Shadow Roldan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hello and a question

Excellent. The delegation wizard definitely seems to be where I need to be. Is there any resource I can look at to help me identify what these objects actually are? I am currently unable to identify what I should be delegating control of; I have no idea what these objects actually represent, such as the Contact objects or address type objects or the msExchAddressListServiceContainer objects. Maybe one of you fine people can tell me which objects I need to accomplish my goals :)

Thanks!
Shadow

-----Original Message-----
From: Fosselman, Susan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 9:03 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] hello and a question

Shadow,

Welcome Shadow. I am new to the list, too. You should be able to accomplish this with delegations. Right click an OU that has user objects that you want to have your admins maintain, and choose delegate control. The delegation wizard has some common tasks that you can delegate, or you can choose custom tasks to delegate various levels of control of specific attributes. Either way, the result is that the wizard will configure the ACL of the object properties to establish the control you are looking for. You can see the results on the security tab of the object properties.

Susan Fosselman
EDS - NMCI Messaging / Directory Services Engineer
3970 Sherman Street
San Diego, CA 92110
Office: 619-817-3594
email: [EMAIL PROTECTED]

-----Original Message-----
From: Shadow Roldan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 8:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] hello and a question

Hi, I'm new to the list so excuse me if I come across as a lame-o!

We have a win2k environment w/ exchange 2k. There's only one little problem I'm having with active directory: we would like to have our Admins (read administrative assistants, not sys-admins) do the chores of maintaining the active directory user information, i.e. updating a user's business phone, cell phone, address, etc. However, this person cannot have access to change anything else, such as disabling an account, adding an email address etc. I cannot, for the life of me, figure out how to assign permissions just so... Any advice would be greatly appreciated.

--
Shadow Roldan
IT Manager
Zero G Software, Inc.
tel: 1-415-512-7771 x306
cell: 1-415-370-3782
mailto: [EMAIL PROTECTED]
www.ZeroG.com
The leading provider of multi-platform software deployment solutions.
RE: [ActiveDir] Exchange 2k ?
Um... Interesting. I think that depends on what you consider reasonable scale up vs. reasonable scale out, doesn't it? I've seen many shops that scale up to consolidate server hardware (funny little thing going on in IT shops these days unless you work for DELL) and I've also seen some that scale out to get around network limitations or to reduce risk exposure. JET can scale up just fine from what I've seen. And there is still plenty of advantage to using 4 proc machines (HyperThreaded are beneficial by many tests) since Exchange can scale well up to 8 procs before seeing some issues that you need to be aware of. 2 proc boxes won't handle a densely populated server (5K users) of heavy profile users with AV on the server; at least not well. You'd run out of proc and would probably saturate the front-side bus to the point of bottleneck.

There's always scale down ;)

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 3:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange 2k ?

One more thing, Microsoft says to scale out not up. I guess this is a JET issue. So 2 Proc Boxes are better than 4 proc boxes. I say your mileage may vary.

Toddler

-----Original Message-----
From: Myrick, Todd (NIH/CIT)
Sent: Thursday, October 02, 2003 3:16 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange 2k ?

I think that was the old rule for Exchange 2000 SP1. Exchange 2000 SP3 and Exchange 2003 are different. We were told by Microsoft it is recommended that you base your AD/Exchange GC deployment on the number of processors for Exchange mailbox servers, not the number of servers: 1 GC (Dual Proc IMHO) for every 4 Exchange mailbox processors.

Todd

-----Original Message-----
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 1:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2k ?

Microsoft recommends 1 GC for every 4 Exchange 2000 servers, with 1 GC in each site with an E2K server. If you have sufficient GCs for the number of E2K servers, you likely don't need any more GCs.

Kenneth W. (Ken) Adams, MCSA, MCSE

-----Original Message-----
From: Chianese, David P. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 1:01 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Exchange 2k ?

We are having a debate on whether or not to make all of our DCs GCs in our new E2K environment. I would like to hear feedback from current E2K administrators. It is my contention that we have sufficient DC resources to NOT make all of our DCs GCs for Exchange. Is there any drawback to doing this other than increased replication traffic? Simply, we are an empty root with 2 child domains. The enterprise is moving towards an all-E2K environment from a plethora of disjoined messaging / e-mail systems.

Regards,

David Chianese
IT - Server Services
Delaware Investments
Office - (215) 255-8570
Mobile - (267) 549-4777

This e-mail and any accompanying attachments are confidential. The information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies. Thank you for your cooperation.
RE: [ActiveDir] Password Policy
I think I will give it a test by creating a new OU and setting block inheritance, moving one of the users over, then taking it off. I will let you know how it works out. If that doesn't work I may just bite the bullet and send them an email telling them that sometime next week they will be required to change their password on login (I can just run a small script to set that attribute on the accounts in that OU). I don't know that my director will be too happy with a request for password hacking software :).

Thanks for the replies everyone, I'll update on what happens.

Travis

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 1:46 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Password Policy

Really, I was under a different impression. Easy way to test it is in a small AD environment. Set it to one day then change the date.

Todd

-----Original Message-----
From: Tom Meunier [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 3:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Policy

Hi Travis,

If I'm understanding correctly, that password policy isn't going to force them to all of a sudden change their passwords. It will commence its expiry and complexity and history awareness upon subsequent password change. Don't sweat it. I'm certain someone smarter than me will correct me within a few minutes, if I'm wrong.

You can't set password policies on an OU. They're valid as domain policies only.

-tom

-----Original Message-----
From: Travis Riddle [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 2:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Policy

I made a slight error when creating a group policy, and now need some advice on how to fix it. Hopefully someone will be kind enough to help out.

I have a single domain with 2 sites. I created a Default Policy for the entire domain with fairly minimal settings (such as password policy, proxy settings and a few IE settings). Our manufacturing facility is our largest site, and our corporate offices are significantly smaller, so instead of applying one policy several times I set block policy inheritance for the corporate OU (so they wouldn't get the Proxy and IE settings). I then set password settings on the separate corporate OU. Well, I guess I didn't realize at the time that you could only have one password policy for the domain, so basically they haven't had to change their passwords for some time now.

So here is the problem: I need to enable the password policy for corporate, but if I do I think it will immediately expire their passwords (since they are well over 90 days old). Is my thinking wrong here, and is there a way around this, or am I going to have to call the corporate guys and have them manually change their passwords? Any ideas?
RE: [ActiveDir] Password Policy
I don't have a spare AD environment to test on. This has been my impression for a long time, but I can't verify it beyond saying that the NSA thinks so, too: http://nsa2.www.conxion.com/win2k/guides/w2k-3.pdf Page 25.

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 2:46 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Password Policy

Really, I was under a different impression. Easy way to test it is in a small AD environment. Set it to one day then change the date.

Todd

-----Original Message-----
From: Tom Meunier [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 3:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Policy

Hi Travis,

If I'm understanding correctly, that password policy isn't going to force them to all of a sudden change their passwords. It will commence its expiry and complexity and history awareness upon subsequent password change. Don't sweat it. I'm certain someone smarter than me will correct me within a few minutes, if I'm wrong.

You can't set password policies on an OU. They're valid as domain policies only.

-tom
RE: [ActiveDir] Password Policy
I imagine that you could also create additional domain-level password policies, and deny the Apply Group Policy security right to the objects you don't want the policy to affect. That way, you'll still be able to have domain policies for users in those OUs.

There are also more robust password-compliance packages available for purchase. Avatier is one that I remember hearing positive reviews about: http://www.avatier.com/

-tom

-----Original Message-----
From: Travis Riddle [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Policy

I think I will give it a test by creating a new OU and setting block inheritance, moving one of the users over, then taking it off. I will let you know how it works out. If that doesn't work I may just bite the bullet and send them an email telling them that sometime next week they will be required to change their password on login (I can just run a small script to set that attribute on the accounts in that OU). I don't know that my director will be too happy with a request for password hacking software :).

Thanks for the replies everyone, I'll update on what happens.

Travis
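The check Travis describes (find which accounts in the corporate OU already exceed the domain's single maximum password age, then optionally set the "must change password at next logon" flag on them), as an added PowerShell example that is not part of this thread; it assumes the ActiveDirectory module (RSAT), and the OU distinguished name is a placeholder.

```powershell
# Added example (not from the thread). Reports enabled accounts under an OU
# whose password is already older than the domain's MaxPasswordAge, and with
# -ForceChangeAtNextLogon sets pwdLastSet=0 on them (the "User must change
# password at next logon" flag). "OU=Corporate,DC=corp,DC=example" is a placeholder.
Import-Module ActiveDirectory

function Get-StalePasswordReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [switch] $ForceChangeAtNextLogon      # off by default: report only, change nothing
    )

    # A Windows 2003 domain has exactly one password policy, the domain policy.
    $policy = Get-ADDefaultDomainPasswordPolicy
    $maxAge = $policy.MaxPasswordAge
    if ($maxAge -eq [TimeSpan]::Zero) {
        throw "MaxPasswordAge is 0 (passwords never expire); nothing can be stale."
    }
    $nowUtc = (Get-Date).ToUniversalTime()
    $cutoff = $nowUtc.Subtract($maxAge)

    $users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties pwdLastSet, PasswordNeverExpires

    foreach ($u in $users) {
        # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC).
        # 0 already means "must change at next logon", so skip those and
        # accounts flagged PasswordNeverExpires (the policy ignores them).
        if ($u.PasswordNeverExpires -or $u.pwdLastSet -eq 0) { continue }
        $lastSet = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
        if ($lastSet -lt $cutoff) {
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                PasswordLastSet = $lastSet
                DaysOverdue     = [int](($nowUtc - $lastSet) - $maxAge).TotalDays
            }
            if ($ForceChangeAtNextLogon) {
                Set-ADUser -Identity $u -Replace @{ pwdLastSet = 0 }
            }
        }
    }
}

# Report first; add -ForceChangeAtNextLogon only after the users have been warned.
Get-StalePasswordReport -SearchBase "OU=Corporate,DC=corp,DC=example" | Format-Table -AutoSize
```

On Windows Server 2008 and later domains, fine-grained password policies (PSOs) can give one group a different policy; on a 2003 domain the domain policy is the only one, as Tom says.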
RE: [ActiveDir] OT: DS Conference
one word - Haiku

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 12:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: DS Conference

Thanks for the compliments! I think this was our best Directory Experts Conference to date... the presentations were generally stronger than the previous DEC, and the logistics were nearly flawless, thanks to Christine and Stella (still got to get the wireless thing going in the conference room though). The hotel, food, and the city were great.

Attendance was about 20% greater than the previous DEC, which has been the historical growth rate. There was a good mix, about 45% from Canada, eh?, 40% from the US, and 15% from Europe, and one attendee from Singapore. Session evaluations were quite positive, averaging about 4.0 on a 1-5 scale. Overall usefulness of the conference averaged 4.4, and overall satisfaction with the conference averaged 4.5. These are outstanding numbers, and are backed up by the universally positive comments I received from the attendees and speakers during and after the conference.

Quest, NetPro, HP, and Microsoft sponsored the event.

Session titles and presenters (many names will be familiar to list denizens):

Stuart Kwan, Microsoft - Microsoft Directory Services and Identity and Access Management Strategy and Roadmap
Robbie Allen, Cisco - LDAP Searching: from Basics to Profiling
Nelson Ruest, Resolution Enterprises - Redesigning GPO Structure for Improved Manageability
Gil Kirkpatrick, NetPro - Active Directory Performance
Guido Grillenmeier, HP CI - Recovering from Active Directory Disasters
Rex Bachman, HP Software - Service Management of Active Directory, Fact or Fiction
Mike McHargue, Internosis - Building and Operating a Secure Active Directory Infrastructure
Alan Isham, Intel - Managing Change in a Fortune 500 Active Directory Forest
Alain Lissoir, HP CI - Disabling an Active Directory Schema Extension
John Reijnders, LogicaCMG - To Trust or Not To Trust
Jeremy Palenchar, Washington Mutual - Active Directory and Windows Server 2003 in a Customer Facing Role
Ioan Donea, Infrascope - DSML: XML Functionality for Your Directory Services
Wook Lee, HP Managed Services - Illegal Immigrants, No PAS Zones, and Other Hazards on the Road to Windows 2003
Alain Lissoir, HP CI - Leverage Your Windows Infrastructure Monitoring to the WMI Scripting Power
Dave Sayers, Mark Cribben, Microsoft MCS - Restructuring Active Directory in Windows Server 2003
Paul Rich, Microsoft OTG - Microsoft's Directory Architecture, Principles, and Multi-Forest Challenges

We also had an informal AD haiku contest, won handily by Wook. I'll post links to the haiku later. Example:

Authentication.
Sometimes it works well.
Sometimes it doesn't.

The next DEC is being scheduled, but will most likely be in the Washington DC area in April 2004. A call for papers will be published soon. I hope you all can attend!

-g

Gil Kirkpatrick
CTO, NetPro

-----Original Message-----
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

Second that (or third that).

I could only be there for the first day but that day was Guido Grillenmeier, Robbie Allen, Nelson Roust (sp?) and of course Gil Kirkpatrick and Stuart Kwan. It was a great day. Stuart always gives a fantastic presentation which is not only entertaining but filled with great information. It is of course great to hear from Microsoft to help understand their roadmap. Guido's presentation on recovery has great detail and fully demonstrates the value of understanding the process and being prepared for unpredictable disaster. Robbie knows LDAP querying incredibly well and does a fantastic job presenting. It is great to hear from people like Robbie who use AD to its fullest extent in his current job and produces such great books to help the industry benefit from his experiences. Nelson's presentation was great (I missed much of it due to a con call), and Gil of course always adds a ton of value.

I learned that Smarties are not what I thought they were (thanks Stuart), and that NetPro is banning the chicken (I have mixed reactions on this one). NetPro did a fantastic job hosting this event. My second time attending and I am sure I will have it on my schedule moving forward!

Kevin Sullivan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 12:51 PM
To: [EMAIL PROTECTED]

I was there too! Learned a lot.
RE: [ActiveDir] Logon Takes too Long!.............. Hockey Season !
Hey Toddler,

Thanks for the info towards my problem. Your solution, rather info, was right on the money. I'm originally from Canada, which is the Mecca of hockey. Therefore, according to your scoring system below you get a Good Solution point. In other words, credit for a goal.

Thanks.

George

George Arezina BA, A+, Net+, MCSE 2000
Information Technology Consultant
National Bank of Serbia
Pop Lukina 7-9, 11000 Belgrade.
E-mail: [EMAIL PROTECTED]
Phone: +381 (11) 3202-474
GSM: +381 (63) 342-321

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, October 02, 2003 8:26 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Logon Takes too Long!.. Hockey Season !

No problem, Try KB 244474 then.

Hey wouldn't it be cool if there was a scoring system for those who submit solutions based on how helpful it was to the person requesting the help? I know I am just dreaming. But just like Hockey, you could have stats like:

Good Solution (Like Goals)
Assisted Solution (Assists)
Attempted Solution (Shots)
Plus/Minus (Average good response to solutions, questions, and ideas, to no response on topic)
Good Questions (Face offs won)
Good Ideas for the future
Good Implementation
Good Stories

I would say I had an Assist on this solution. If you can't tell, Hockey Season is back. Hey if there are any softies on this list... what happened to www.mshockeychallenge.com ? Stuart! I hope one day I can be a MVP!

Toddler

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Logon Takes too Long!

No fair :-( The rest of us haven't had a chance to read Robbie's book.

Dan

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 4:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Logon Takes too Long!

According to Robbie Allen's cook book, you could be experiencing Kerberos UDP fragmentation. You should really test your network connectivity: run portqry against your domain controllers testing ports 88, 389, 3268. Check your DNS, make sure your GCs are published correctly. And as mentioned, run the netdiag remotely, and DCDIAG. I am also a big fan of NetPro's Directory Troubleshooter for assisting with some of these solutions since knowing all the various ways to run the tools is pretty tedious unless you have Robbie's book handy.

Just my 2 cents.

Toddler

-----Original Message-----
From: George Arezina [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 5:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Logon Takes too Long!

Hi people,

Has anyone had logon problems with Windows 2003 server with AD installed? I have a test environment with Windows 2003 servers and Windows XP Pro workstations, no W2K/NT servers or workstations. After installing AD, users are taking around 20 minutes to logon to the domain. I have raised the domain and forest levels to 2003. Can anyone give me some suggestions or ideas?

Regards,
George

George Arezina BA, A+, Net+, MCSE 2000
Information Technology Consultant
National Bank of Serbia
Pop Lukina 7-9, 11000 Belgrade.
E-mail: [EMAIL PROTECTED]
Phone: +381 (11) 3202-474
GSM: +381 (63) 342-321
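The checks Todd lists (GC records in DNS, ports 88, 389 and 3268 reachable as portqry would test them, and the Kerberos-over-TCP setting from KB 244474), run from a client as an added PowerShell example that is not part of this thread; the forest root name is a placeholder, and Resolve-DnsName and Test-NetConnection are assumed available (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the thread). Gathers the three things a slow domain
# logon most often turns out to be missing: GC SRV records, open DC ports,
# and the Kerberos transport setting. "corp.example" is a placeholder forest root.
function Test-DomainLogonPath {
    param([Parameter(Mandatory)][string] $ForestRoot)

    $result = [ordered]@{}

    # 1. Global catalogs must be advertised as _gc._tcp.<forest root> SRV records;
    #    without them clients cannot locate a GC and logon stalls.
    $srv = Resolve-DnsName -Name "_gc._tcp.$ForestRoot" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    $gcHosts = @($srv | ForEach-Object { $_.NameTarget } | Sort-Object -Unique)
    $result.GcSrvRecords = $gcHosts
    if ($gcHosts.Count -eq 0) {
        Write-Warning "No _gc._tcp SRV records for $ForestRoot; clients cannot find a GC."
    }

    # 2. The ports portqry would be pointed at: Kerberos (88), LDAP (389), GC LDAP (3268).
    $ports = foreach ($h in $gcHosts) {
        foreach ($p in 88, 389, 3268) {
            $open = Test-NetConnection -ComputerName $h -Port $p `
                -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Host = $h; Port = $p; Open = $open }
        }
    }
    $result.Ports = @($ports)

    # 3. Kerberos UDP fragmentation (KB 244474): a REG_DWORD MaxPacketSize=1 under
    #    this key makes the client use TCP for Kerberos, so large tickets are not
    #    fragmented and dropped. Windows Vista and later use TCP by default, so the
    #    value is normally absent there; on XP/2003 an absent value means UDP first.
    $kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $mps = (Get-ItemProperty -Path $kerbKey -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
    $result.KerberosMaxPacketSize = if ($null -eq $mps) { 'not set (OS default)' } else { $mps }

    [pscustomobject]$result
}

$r = Test-DomainLogonPath -ForestRoot 'corp.example'
$r.Ports | Format-Table -AutoSize
$r | Select-Object GcSrvRecords, KerberosMaxPacketSize | Format-List
```

A closed port 88 with 389 open, or SRV records pointing at a host that does not answer on 3268, is the pattern to look for first; the registry value is only worth setting on XP/2003 clients when the other two checks pass.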
RE: [ActiveDir] hello and a question
Shadow, depending on how much delegation you will end up doing and how big your environment is and how deeply you want to get into it, you will either want to do this by hand, script it, or buy a product to do it. The delegation you asked for here specifically is pretty basic as others have laid out; however, if you think it is just the start, I would definitely recommend looking into something like Quest's Active Roles product. They figure most of it out for you so you don't have to. I have to admit to actually having lunch with them today but can assure you that doesn't sway my thinking of what products are and aren't worth looking at. A deli sandwich isn't enough for me to recommend something I think isn't good. I really do think they have a good product. For someone who isn't wanting to dive into the depths that can sometimes be required for delegation of AD, this is a real good product.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Shadow Roldan
Sent: Thursday, October 02, 2003 11:48 AM
To: [EMAIL PROTECTED]

Hi, I'm new to the list so excuse me if I come across as a lame-o!

We have a win2k environment w/ exchange 2k. There's only one little problem I'm having with active directory: we would like to have our Admins (read administrative assistants, not sys-admins) do the chores of maintaining the active directory user information, i.e. updating a user's business phone, cell phone, address, etc. However, this person cannot have access to change anything else, such as disabling an account, adding an email address etc. I cannot, for the life of me, figure out how to assign permissions just so... Any advice would be greatly appreciated.

--
Shadow Roldan
IT Manager
Zero G Software, Inc.
tel: 1-415-512-7771 x306
cell: 1-415-370-3782
mailto: [EMAIL PROTECTED]
www.ZeroG.com
The leading provider of multi-platform software deployment solutions.
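What the Delegation Wizard's "custom task" path produces when scripted, for the case Shadow asks about in this thread and the earlier "hello and a question" replies: a group gets WriteProperty on a fixed list of contact attributes of user objects under one OU and nothing else, so it can change a phone number but not disable an account or add an e-mail address. This is an added PowerShell example, not code from the thread or from any product mentioned in it; it assumes the ActiveDirectory module, and the OU DN, group name and attribute list are placeholders.

```powershell
# Added example (not from the thread). Grants one group write access to a small
# set of contact attributes on user objects under an OU, one property-specific
# ACE per attribute, inherited only by descendant objects of class "user".
# "OU=Staff,DC=corp,DC=example" and "AdminAssistants" are placeholders.
Import-Module ActiveDirectory

function Grant-ContactAttributeWrite {
    param(
        [Parameter(Mandatory)][string]   $OuDn,
        [Parameter(Mandatory)][string]   $GroupName,
        [string[]] $Attributes = @('telephoneNumber', 'mobile', 'streetAddress', 'l', 'st', 'postalCode')
    )
    $schemaNc = (Get-ADRootDSE).schemaNamingContext

    # Property-specific and object-type-specific ACEs are keyed by schemaIDGUID,
    # so look each attribute and the "user" class up in the schema partition.
    function Get-SchemaGuid([string] $ldapDisplayName) {
        $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
            -Properties schemaIDGUID
        if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
        [guid]::new([byte[]]$obj.schemaIDGUID)
    }

    $userClass = Get-SchemaGuid 'user'
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"

    foreach ($attr in $Attributes) {
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,   # write this one property only
            [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-SchemaGuid $attr),                                           # ObjectType = the attribute
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClass)                                                       # InheritedObjectType = user objects
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

Grant-ContactAttributeWrite -OuDn "OU=Staff,DC=corp,DC=example" -GroupName "AdminAssistants"

# Verify on the OU's security tab equivalent: the group should hold only
# WriteProperty entries, each with a distinct ObjectType GUID and InheritedObjectType = user.
(Get-Acl -Path "AD:\OU=Staff,DC=corp,DC=example").Access |
    Where-Object { $_.IdentityReference -like "*\AdminAssistants" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Because the ACEs name individual attributes, userAccountControl (account disable) and proxyAddresses (e-mail addresses) stay out of the group's reach, which is the separation Shadow was after.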
RE: [ActiveDir] OT: DS Conference
Title: Message Ditto only my toilet paper is spelled Exchange 2000... :oP I will be at the next one and Gil... I want a chicken damnit. And a nice NetPro Polo, my last one (kind of blue green) disintegrated and had to be put down. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)Sent: Thursday, October 02, 2003 3:35 PMTo: '[EMAIL PROTECTED]' A lot of people asked why I didn't attend this years Fall DEC so I will say it one time, it wasn't my doing... Believe me. I was asked to come and be a booth expert or something, so I began the process of government red tape to get approval. What I got was 10 boxes of Toilet paper instead of travel orders. I couldn't trade up the toilet paper for a rubber chicken in time to get a plane ticket. Then it went down hill. The final result was, we don't know why you can't go, but you can't go. And if you go on your own time, it is a Ethical issue. We can let you go, but we have to pay for it, since it is out of the country I have to wait four weeks for my orders to get cut, this is a week before the conference. So, I missed you all, and I am sorry that there was no Texas Hold'm tourney. Rich H. from Netpro was deeply disappointed. I hear rumors that Spring DEC 2004 might be coming to DC. This is my and Kevin S'sbackyard. So if it happens,I expecteveryone to show up. We willhave one hell ofa time. And there will be a poker night, nightlife, and most importantly a good educational experience. I also vote that the Fall DEC be in the Virgin Islands or some tropical destination. I missed seeing you all. Toddler -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, October 02, 2003 3:09 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] OT: DS Conference The Final Chicken hopes to make a cameo appearance at the next DEC. 
;-)

-----Original Message-----
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

Second that (or third that). I could only be there for the first day, but that day was Guido Grillenmeier, Robbie Allen, Nelson Roust (sp?) and of course Gil Kirkpatrick and Stuart Kwan. It was a great day. Stuart always gives a fantastic presentation which is not only entertaining but filled with great information. It is of course great to hear from Microsoft to help understand their roadmap. Guido's presentation on recovery has great detail and fully demonstrates the value of understanding the process and being prepared for unpredictable disaster. Robbie knows LDAP querying incredibly well and does a fantastic job presenting. It is great to hear from people like Robbie, who uses AD to its fullest extent in his current job and produces such great books to help the industry benefit from his experiences. Nelson's presentation was great (I missed much of it due to a con call), and Gil of course always adds a ton of value. I learned that Smarties are not what I thought they were (thanks Stuart), and that NetPro is banning the chicken (I have mixed reactions on this one). NetPro did a fantastic job hosting this event. My second time attending, and I'm sure I will have it on my schedule moving forward!

Kevin Sullivan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 12:51 PM
To: [EMAIL PROTECTED]

I was there too! Learned a lot.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 9:42 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: DS Conference

I was there and must say it was very worthwhile!
Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456

Roger Seielstad [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/02/2003 01:32 PM
Please respond to ActiveDir
To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OT: DS Conference

I'm betting Gil will chime in here shortly (since I believe you're talking about his company's conference).

http://www.netpro.com

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis
RE: [ActiveDir] Password Policy - Challenge....
Alright Joe, I would be interested in hearing how to do the reset on the password timestamp. Privately, if you think this could be abused?

Toddler

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 9:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Policy - Challenge

Yep, passwords would expire. The policy is on the domain and it is a delta value that is stored in the domain partition that handles this. It causes the system to go back that delta value and then any accounts that haven't been changed since that calculated time are expired. Also this has to be done on the domain policy.

You have a couple of options.

1. Send a note to everyone and tell them to change their password.

2. Expire portions of the ids each day until you have gotten through all of them. Then once all done, set up the domain policy. See my expire tool on the www.joeware.net site, as that tool was specifically written for this scenario.

3. Get the password times reset. Todd's idea below will work but could take a while if you have decent passwords and really isn't the elegant way to do this. Instead you can reset the password timestamp on the user accounts so that they are all started out as if they had just been changed but really haven't, and then turn on your policy.

Now I was going to post the way to do this, but thought, you know, let's test the group and see who else knows this little trick. I will post an answer within a day, or if you need it quicker email me at [EMAIL PROTECTED] and I will send a little script to pull it off.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, October 02, 2003 3:44 PM
To: '[EMAIL PROTECTED]'

You are correct, your company passwords would expire. The solution I suggest is to crack all the passwords, then reset the original password to each account to reset expiration. Then implement the Domain Account policy again.
Also remember that NTLM and Kerberos authentications count double. So if your client has problems with authentication it will try Kerberos then NTLM, and a single bad logon counts twice. So 10 bad password attempts really means 5 within the limited time frame you set.

Todd

-----Original Message-----
From: Travis Riddle [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 3:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Policy

I made a slight error when creating a group policy, and now need some advice on how to fix it. Hopefully someone will be kind enough to help out.

I have a single domain with 2 sites. I created a Default Policy for the entire domain with fairly minimal settings (such as password policy, proxy settings and a few IE settings). Our manufacturing facility is our largest site, and our corporate offices are significantly smaller, so instead of applying one policy several times I set block policy inheritance for the corporate OU (so they wouldn't get the Proxy and IE settings). I then set password settings on the separate corporate OU. Well, I guess I didn't realize at the time that you could only have one password policy for the domain, so basically they haven't had to change their passwords for some time now.

So here is the problem: I need to enable the password policy for corporate, but if I do I think it will immediately expire their passwords (since they are well over 90 days old). Is my thinking wrong here, and is there a way around this, or am I going to have to call the corporate guys and have them manually change their passwords? Any ideas?
Your suggestions are much appreciated,

Thanks,
Travis
RE: [ActiveDir] Password Policy - Challenge....
Assign the pwdLastSet attribute a value of 0 per necessary user. At next logon, the user's password will remain intact and pwdLastSet will be assigned the current date and time (represented in FileTime) by the authenticating DC, effectively setting the user's next password expiry date to (now + password expiry policy days).

--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Thursday, October 02, 2003 6:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Policy - Challenge

Yep, passwords would expire. The policy is on the domain and it is a delta value that is stored in the domain partition that handles this. It causes the system to go back that delta value and then any accounts that haven't been changed since that calculated time are expired. Also this has to be done on the domain policy.

You have a couple of options.

1. Send a note to everyone and tell them to change their password.

2. Expire portions of the ids each day until you have gotten through all of them. Then once all done, set up the domain policy. See my expire tool on the www.joeware.net site, as that tool was specifically written for this scenario.

3. Get the password times reset. Todd's idea below will work but could take a while if you have decent passwords and really isn't the elegant way to do this. Instead you can reset the password timestamp on the user accounts so that they are all started out as if they had just been changed but really haven't, and then turn on your policy.

Now I was going to post the way to do this, but thought, you know, let's test the group and see who else knows this little trick. I will post an answer within a day, or if you need it quicker email me at [EMAIL PROTECTED] and I will send a little script to pull it off.
joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, October 02, 2003 3:44 PM
To: '[EMAIL PROTECTED]'

You are correct, your company passwords would expire. The solution I suggest is to crack all the passwords, then reset the original password to each account to reset expiration. Then implement the Domain Account policy again.

Also remember that NTLM and Kerberos authentications count double. So if your client has problems with authentication it will try Kerberos then NTLM, and a single bad logon counts twice. So 10 bad password attempts really means 5 within the limited time frame you set.

Todd

-----Original Message-----
From: Travis Riddle [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 02, 2003 3:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Policy

I made a slight error when creating a group policy, and now need some advice on how to fix it. Hopefully someone will be kind enough to help out.

I have a single domain with 2 sites. I created a Default Policy for the entire domain with fairly minimal settings (such as password policy, proxy settings and a few IE settings). Our manufacturing facility is our largest site, and our corporate offices are significantly smaller, so instead of applying one policy several times I set block policy inheritance for the corporate OU (so they wouldn't get the Proxy and IE settings). I then set password settings on the separate corporate OU. Well, I guess I didn't realize at the time that you could only have one password policy for the domain, so basically they haven't had to change their passwords for some time now.

So here is the problem: I need to enable the password policy for corporate, but if I do I think it will immediately expire their passwords (since they are well over 90 days old). Is my thinking wrong here, and is there a way around this, or am I going to have to call the corporate guys and have them manually change their passwords? Any ideas?
Your suggestions are much appreciated,

Thanks,
Travis
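The expiry rule the thread keeps circling (pwdLastSet stored as a FileTime, the domain's maxPwdAge stored as a delta, expiry = timestamp + policy days) worked through as an added example that is not from the list or any poster. The accounts, dates and the 90-day policy are constructed, and reset_timestamp only models Joe's option 3 in memory; nothing here writes to a directory.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME (100 ns ticks since 1601-01-01 UTC) and the domain's
# maxPwdAge as a *negative* tick count; UF_DONT_EXPIRE_PASSWD is the userAccountControl bit.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
UF_DONT_EXPIRE_PASSWD = 0x10000
NEVER_EXPIRES = -2**63  # maxPwdAge value meaning "passwords never expire"

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10

def expiry(pwd_last_set: int, max_pwd_age: int) -> datetime:
    # expiry = pwdLastSet + |maxPwdAge|: the "timestamp + policy days" rule from the thread
    return filetime_to_datetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)

def password_state(pwd_last_set: int, uac: int, max_pwd_age: int, now: datetime) -> str:
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never-expires"
    if pwd_last_set == 0:
        return "must-change"  # 0 means the user must change the password at next logon
    if max_pwd_age in (0, NEVER_EXPIRES):
        return "no-policy"
    return "expired" if now >= expiry(pwd_last_set, max_pwd_age) else "valid"

def preview_policy(accounts, max_pwd_age: int, now: datetime) -> dict:
    """Group accounts by what the domain policy would do to them the moment it is applied."""
    result = {}
    for acct in accounts:
        state = password_state(acct["pwdLastSet"], acct["userAccountControl"], max_pwd_age, now)
        result.setdefault(state, []).append(acct["sAMAccountName"])
    return result

def reset_timestamp(accounts, now: datetime) -> list:
    """Joe's option 3, modelled in memory: make every account look freshly changed first."""
    return [dict(a, pwdLastSet=datetime_to_filetime(now)) for a in accounts]

# Constructed sample data (not real accounts): a 90-day policy evaluated at the thread's date.
NOW = datetime(2003, 10, 2, 15, 9, tzinfo=timezone.utc)
NINETY_DAYS = -90 * 86400 * TICKS_PER_SECOND
NORMAL = 0x200  # UF_NORMAL_ACCOUNT
SAMPLE = [
    {"sAMAccountName": "travis", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=200)), "userAccountControl": NORMAL},
    {"sAMAccountName": "newhire", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10)), "userAccountControl": NORMAL},
    {"sAMAccountName": "svc_backup", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400)), "userAccountControl": NORMAL | UF_DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "flagged", "pwdLastSet": 0, "userAccountControl": NORMAL},
]
```

Running preview_policy over an export of pwdLastSet and userAccountControl before the domain policy is switched on lists exactly which accounts Travis's change would expire on the spot, and which ones the password-never-expires flag silently exempts from it.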